DVD-ROM: eXeL@B DVD !

Armadillo 3.xx


, . .

: FEUERRADER <feuerrader@nm.ru>

: arma3.rar

, 3.10. , ( 3.6). 3.10.

, (crackme2.exe). .

:
  • PE Tools
  • OllyDbg 1.10 ( - SoftIce)
  • ImpRec 1.6
  • Hiew

1.

( OllyDbg). . OllyDbg View ->Memory. . (crackme2) .text (.. , PE Headera). Set Memory breakpoint on access .

!


F9 ( ). , Shift+F9 exceptions ( ), .




.. , , . 401000 .

( MozgC [TSRh]), . , bp SetProcessWorkingSetSize. Shift+F9. . Ctrl+F9. :


:


call 4096B2.

CALL EDI. ( F2). F9.


, CALL .

. - LordPE, PE Tools Hiew.


2.

. PE Editor PE Tools.
, PE Address* 0006FAA7. . PE .
, Pe Address 3C. Magic, 010B ( WORD ) D8h ( Hiew 010B. D7h. .. Magic 2 , +1. D7+1=D8). PE Address+18h=Magic. PE Address = Magic - 18h. , PE Address = D8 - 18 = C0. C0 PE Address .
EntryPoint = 0001000.
Size Of Headers, ? .
Sections DumpFixer.
, .
. Rebuild PE !
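
Added example (not part of the original article): the header arithmetic above, PE Address + 18h = Magic, written as a check that recomputes the field at offset 3Ch of a dumped image from the position of the 010B Magic word. The function names and the sample buffer are constructed for illustration, and the code assumes the "PE\0\0" signature itself survived in the dump.

```python
import struct

E_LFANEW_OFF = 0x3C   # DOS-header field that stores the PE header offset
MAGIC_REL = 0x18      # Magic lies 18h bytes past the start of the PE header
PE32_MAGIC = 0x010B   # Optional Header Magic for a 32-bit image


def recover_pe_offset(image, search_limit=0x1000):
    """Derive the PE header offset from the position of the Magic word."""
    if image[:2] != b"MZ":
        return None
    needle = struct.pack("<H", PE32_MAGIC)          # stored as 0B 01
    pos = image.find(needle, 0x40 + MAGIC_REL, search_limit)
    while pos != -1:
        candidate = pos - MAGIC_REL                 # PE Address = Magic - 18h
        # Accept only if the PE signature really sits at the candidate offset.
        if image[candidate:candidate + 4] == b"PE\0\0":
            return candidate
        pos = image.find(needle, pos + 1, search_limit)
    return None


def check_header(image):
    stored = struct.unpack_from("<I", image, E_LFANEW_OFF)[0]
    recovered = recover_pe_offset(image)
    return {"stored": stored, "recovered": recovered,
            "consistent": stored == recovered}


def repair_header(image):
    recovered = recover_pe_offset(image)
    if recovered is None:
        raise ValueError("no PE header found near the start of the image")
    fixed = bytearray(image)
    struct.pack_into("<I", fixed, E_LFANEW_OFF, recovered)
    return bytes(fixed)


def build_sample():
    """Constructed 512-byte header: bad value at 3Ch, real PE header at C0h."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, E_LFANEW_OFF, 0x0006FAA7)  # value from the text
    img[0xC0:0xC4] = b"PE\0\0"
    struct.pack_into("<H", img, 0xC4, 0x014C)              # Machine: i386
    struct.pack_into("<H", img, 0xD8, PE32_MAGIC)          # Magic at D8h
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample()
    print(check_header(sample), check_header(repair_header(sample)))
```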


3.

J. , OllyDbg =401000. ImpREC 1.6. crackme2.exe. =401000-400000=1000. IAT AutoSearch. Get Imports. 9 . ImpRECa. . .


:

  • . OllyDbg Ctrl+G .
  • CALL EDX
  • , EDX. CALL EDX, (.. RETN)
  • , EDX - D EDX. Disassemble
  • , . .
  • Ctrl+N. Address
  • ImpRec
    , , , ++.
    . unresolved 9C905E.
    1 2 :
     009C905E  55             PUSH EBP
     009C905F  8BEC           MOV EBP,ESP
     009C9061  51             PUSH ECX
     009C9062  53             PUSH EBX
     009C9063  56             PUSH ESI
     009C9064  57             PUSH EDI
     009C9065  60             PUSHAD
     009C9066  8B15 50299F00  MOV EDX,DWORD PTR DS:[9F2950]  ; kernel32.77E774B6
     009C906C  83C2 64        ADD EDX,64
     009C906F  FFD2           CALL EDX
     009C9071  8B15 E4289F00  MOV EDX,DWORD PTR DS:[9F28E4]  ; kernel32.77E79F2F
     009C9077  83C2 64        ADD EDX,64
     009C907A  B9 05000000    MOV ECX,5
     009C907F  803A CC        CMP BYTE PTR DS:[EDX],0CC
     009C9082  74 07          JE SHORT 009C908B
     009C9084  ^E2 F9         LOOPD SHORT 009C907F
     009C9086  FF75 08        PUSH DWORD PTR SS:[EBP+8]
     009C9089  FFD2           CALL EDX
     009C908B  8945 FC        MOV DWORD PTR SS:[EBP-4],EAX
     009C908E  61             POPAD
     009C908F  8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
     009C9092  5F             POP EDI
     009C9093  5E             POP ESI
     009C9094  5B             POP EBX
     009C9095  C9             LEAVE
     009C9096  C2 0400        RETN 4
     
    , 2 Calla. , , .. . , 77E79F2F, 64. .. D 77E79F2F+64. 77E79F93. 5-6 , .


    , GetModuleHandleA.
    . . - :
     009C9B08  A1 48299F00  MOV EAX,DWORD PTR DS:[9F2948]
     009C9B0D  C3           RETN
     

    , [9F2948]. 141EE0, . GetCommandLineA.
    :
     009C61D6  55           PUSH EBP
     009C61D7  8BEC         MOV EBP,ESP
     009C61D9  83EC 14      SUB ESP,14
     009C61DC  53           PUSH EBX
     009C61DD  56           PUSH ESI
     009C61DE  57           PUSH EDI
     009C61DF  6A 00        PUSH 0
     009C61E1  E8 A88B0100  CALL 009DED8E
     009C61E6  59           POP ECX
     009C61E7  8945 FC      MOV DWORD PTR SS:[EBP-4],EAX
     009C61EA  6A 04        PUSH 4
     009C61EC  8D75 EC      LEA ESI,DWORD PTR SS:[EBP-14]
     009C61EF  5F           POP EDI
     009C61F0  8D4D FC      LEA ECX,DWORD PTR SS:[EBP-4]
     009C61F3  E8 08AEFFFF  CALL 009C1000
     009C61F8  8906         MOV DWORD PTR DS:[ESI],EAX
     009C61FA  83C6 04      ADD ESI,4
     009C61FD  4F           DEC EDI
     009C61FE  ^75 F0       JNZ SHORT 009C61F0
     009C6200  8B45 EC      MOV EAX,DWORD PTR SS:[EBP-14]
     009C6203  8B5D ED      MOV EBX,DWORD PTR SS:[EBP-13]
     009C6206  8B4D EE      MOV ECX,DWORD PTR SS:[EBP-12]
     009C6209  8B55 EF      MOV EDX,DWORD PTR SS:[EBP-11]
     009C620C  CD 2E        INT 2E
     009C620E  5F           POP EDI
     009C620F  5E           POP ESI
     009C6210  5B           POP EBX
     009C6211  C9           LEAVE
     009C6212  C3           RETN
     

    CALL EDX, -. ImpRec , .. Cut Thunk(s).
    :
     009C9FC7  55             PUSH EBP
     009C9FC8  8BEC           MOV EBP,ESP
     009C9FCA  FF75 18        PUSH DWORD PTR SS:[EBP+18]
     009C9FCD  FF75 14        PUSH DWORD PTR SS:[EBP+14]
     009C9FD0  FF75 10        PUSH DWORD PTR SS:[EBP+10]
     009C9FD3  FF75 0C        PUSH DWORD PTR SS:[EBP+C]
     009C9FD6  FF75 08        PUSH DWORD PTR SS:[EBP+8]
     009C9FD9  FF15 D8529E00  CALL DWORD PTR DS:[9E52D8]  ; USER32.DialogBoxParamA
     009C9FDF  5D             POP EBP
     009C9FE0  C2 1400        RETN 14
     

    CALL EDX, DialogBoxParamA. , DialogBoxParamA.
    - ( ):
     009C6213  E9 00000000  JMP 009C6218
     009C6218  E9 00000000  JMP 009C621D
     009C621D  E9 F1FFFFFF  JMP 009C6213
     

    JMP J. ? .
    CALL EDX :
     009C9F63  55             PUSH EBP
     009C9F64  8BEC           MOV EBP,ESP
     009C9F66  6A 00          PUSH 0
     009C9F68  FF15 18519E00  CALL DWORD PTR DS:[9E5118]  ; ntdll.RtlSetLastWin32Error
     009C9F6E  FF75 18        PUSH DWORD PTR SS:[EBP+18]
     009C9F71  FF75 14        PUSH DWORD PTR SS:[EBP+14]
     009C9F74  FF75 10        PUSH DWORD PTR SS:[EBP+10]
     009C9F77  FF75 0C        PUSH DWORD PTR SS:[EBP+C]
     009C9F7A  FF75 08        PUSH DWORD PTR SS:[EBP+8]
     009C9F7D  FF15 CC529E00  CALL DWORD PTR DS:[9E52CC]  ; USER32.CreateDialogParamA
     009C9F83  5D             POP EBP
     009C9F84  C2 1400        RETN 14
     

    2 , . .. CreateDialogParamA. , ImpRece Tracer 1 (Disasm), ntdll.RtlSetLastWin32Error. , ? J
    , .

    feuerrader@nm.ru



    : Armadillo 3.xx

    Kerghan 18.05.2004 20:25:22
    CopyMEM?! , . , ( ? ;) ) .
    ---
    MozgC 24.05.2004 08:08:21
    , SoftIce\ . olly , , . .
    PS. .
    PPS. Feuerrader.
    ---
    FEUERRADER 24.05.2004 06:11:49
    Bad_Guy, - - . Mario555 - !
    !
    ---
    Mario555 26.05.2004 11:02:59
    - ... , :)
    ---
    Godness 27.05.2004 23:33:20
    FEUERRADER, - ... AHT - 0... :-)
    ---

    https://exelab.ru


