An ornery Armadillo

[mustanger]

Fellow Crackers:

I've been working on unpacking some armadilloed applications (the ones I mentioned before) and I've come across something else that has me stumped.
A series of programs from a certain site use the same security. Some of them work after unpacking and some don't. After unpacking the ones that dont'and trying to run them, I get the error message:



DIRECTOR PLAYER ERROR

Unable to load movie playlist. Does the .INI file exist? It must contain a section "[Movies]" with an entry 'Movie01=Pathname.dir'.


OK





For one of these programs, I've got a successfully cracked exe from one of the crack sites which works fine and I've been trying for a week to compare the two to see what the pro did right and I missed. The Memory section of the two programs is listed below:


The unsuccessfully cracked exe

20000000 00001000 Uncracked.exe PE header
20001000 00006000 Uncracked.exe .text code
20007000 00001000 Uncracked.exe .rdata code
20008000 00003000 Uncracked.exe .data code
2000B000 00040000 Uncracked.exe .text1 code
2004B000 00010000 Uncracked.exe .adata
2005B000 00020000 Uncracked.exe .data1 data
2007B000 003F0000 Uncracked.exe .pdata
2046B000 00007000 Uncracked.exe .rsrc resources
20472000 00002000 Uncracked.exe .idata imports

The successfully cracked exe

20000000 00001000 Cracked.exe PE header
20001000 00006000 Cracked.exe .text code
20007000 00001000 Cracked.exe .rdata imports
20008000 00003000 Cracked.exe .data data
2000B000 00007000 Cracked.exe .rsrc resources



The cracked file is simply an unpacked exe file which fits right into the program folder and uses the same dll files that my unpacked exe file refuses to use.
I tried pasting the 5 different sections into each of the programs and nothing changed: that is; the uncracked exe wouldn't work with any or all of the corresponding cracked sections and the cracked program worked fine with the correspsonding uncracked sections. So in my unpacked program there's nothing wrong the code that Olly displays and therefore no jump to patch or code to change.

I've traced the code with Olly to a point where I can binary paste a section

0012D000 00003000 Priv RW



from the cracked exe to the uncracked one and the uncracked one will then work. It happens in a Call to ReadFile. That is, before the ReadFile is executed I can substitute the data in that portion of memory and it doesn't work, whereas after the Call is executed then substituting the data in Memory does allow the program to work.


Does anybody have any idea what ReadFile is reading and where it's reading it from and what I can do about it? I'm assuming it has nothing to do with the unpacking protocol I've developed, because some of the programs run with this technique, yet others have this "movie" and the .INI file gets lost.

[SKiLLa]

The error-message sounds like an (ActiveMark ?) Flash/Shockwave overlay issue to me. The app is trying to read the overlay-data from it's own .exe into Memory and your version doesn't have it. This data is most-likely not a PE file-section but just binary data appended to the file (with a header-signature which the app is trying to find in your .exe).

Also the "Pro" version had the 3 Arma sections removed and the original IAT rebuild, while you left the 3 sections and added a new Import-section. Perhaps rebuilding your app the same way and doing a BinDiff afterwards makes things all clear ...

You might wanna read up on 'overlay' on the ARTeam website ... good luck !

[mustanger]

Thanks for you help.

I'm chasing down all the tutorials on overlay, but in the meantime, can you explain what 'BinDiff" is?

[SKiLLa]

Yeah ofcourse; with "BinDiff" I mean "do a binary file compare to see the differences between them", but it's actually also the name of a (cross OS) program doing just that, hence the expression. Personally I like to use WinHex for it, but there are a lot of (free) suitable tools which can do the job, i.e. diablo2oo2's Universal Patcher (dUP).

[mustanger]

Well I've been reading up on overlays and ActiveMark and I beginning to think that I'm up against something else. There's a discussion on a game from nick arcade where the cracker gets the same error message that I posted above about the .INI file. I downloaded and installed the game and ran a PEiD plugin that detects ActiveMark overlays and found it. There's no such overlay in my unpacked applicationusing this plugin nor in the packed one nor in the unpacked cracked one from the pro. There's another ActiveMark tutorial, which coincidentally is on the same game I'm trying to crack, only its from yahoo games. This version shows up with the PEiD plugin also. Additionally, there's a AMdumper that finds the version of ActiveMArk which isn't showing anything in my application and none of the code that you patch for browser or timer appears in the exes.

Either I'm getting the .INI error message for a different reason than the overlay issue or it has something to do with my program being packed with Armadillo at the start. Neither of the ActiveMark games above had been packed with armadillo. On the other hand, I read something in The ActiveMark discussions that indicated that some information was retrieved with an _lread Call and _lread is where the pro cracked version gets its info that goes into the 12D000 memory space that I mentioned in my post. (_lread leads to the ReadFile command and then to something else and evetually there's a sysenter step where changes actually appear in the memory location. This is all within Kernel32, not the application or any of it's dlls). Anyway, The pro cracked exe is getting it's information from somewhere and I can't figure out where. The symptoms fit in with the overlay theory but I can't find any evidence that it's ActiveMark. Are there other protections that use this overlay crap? Has ActiveMark been updated recently? Does the Armadillo part change the way you handle the overlay? Any other idea?

[haggar]

Armadillo apps can have some small custom "protection". Like, it checks is ArmAccess.dll in memory, etc. Judging your file by sections, it is armadillo. What app it is? Is it big? What protection Armadillo uses?

[SKiLLa]

ActiveMark is a well known for it's overlay, but any program can use overlays and actually many Shockwave/Flash games use overlays for game-data. Not as part of a copy-protection but for other reasons. The .exe simply has a loader-part which loads the overlay-data in memory before handing over the execution to the (Shockwave/Flash) engine.

So it's my guess that you're dealing with an overlay, but not part of any Arma nor AM protection. I've unpacked several of those games in the past and I got similar errors while trying; always overlay-related.

Also some of those games are distributed by several different publishers, all using their own protection, while being the same game. And some publisher just swapped from AM to Arma and/or the other way around ... so don't get confused

Did you do the 'BinDiff' yet ? You probably (accidentally) stripped the overlay-data while unpacking Arma ...

[mustanger]

Hi Haggar,

From your question I guess it's OK to divulge the identity of the program which is Ancient_Tripeaks from GameFiesta. Gamefiesta uses the same protection scheme for all its games. It's Armadillo with the "new" Magic Jump" that I posted on in this section a few days earlier. The protection is just standard protection-no DeBug or copymem, splicing or nanomites. Incidentally, the newest version of DilloDie (1.6) will unpack them so I guess the magic jump isnt' that new like I thought. Anyway, some of the games unpack and run fine with the protocol I've developed or with DilloDie1.6, but some of them give this error message about the .INI file. This message is supposed to tell you when the game path is more than 125 letters, but this isn't in this case. The path to the game file appears in memory after the _lread command is executed, so I guess it has something to do with that I just can't find where. I've found this game in 3 or 4 diferent sites and they sites use different protection schemes as Skilla mentions. From the looks of it the pro cracked version came from the Armadilloed one that I'm working on, so you would think with the two copies I could figure out how the pro did it!

This brings me to Skilla's question. I did a hex compare with the HexCmp program, which flags differences in files. I'm still unclear if this is the same as a BinDiff or not. Anyway there are a lot of differences in my unpacked file and the one that works off the crack site, but when I substitute any sections between them, I can't switch the way they work. The cracked on always works with my code and my unpacked exe never works with anything I paste from the cracked one----except the memory at 12D000 after the _lread command.

So here I am still scratching my head and wondering what to try next.

[haggar]

As I remember , _lread is old API for 16 apps. It is obsolete and replaced with ReadFile, but it is still valid.

I think that you need to fix some API's that your "magic jump" didn't fix them. That will need some manually work. Hm, I have latest Armadillo on my machine. maybe I could check did it changed import protection.

[bengunn]

@mustanger
Someone just posted a tutorial on ARTeam forum, I think shows how to solve this problem.

[mustanger]

Bengunn
The link you gave leads to a site that lists 2 places to get a rar file. Both sites deliver a file that asks for a password and gives a CRC error message resulting in no file. Can you post whatever solution the tutorial gives to this .INI file error message?

Haggar,
For what its worth, the unpacked program exe leads to a program dll file in the program folder. Both the dysfunctional exe unpacked by me and the pro version which works use this same dll file. Within the dll file, the code leads to a _lread Call, which in turn leads to a ReadFile which, in turn, leads to a ntdll.ZwReadFile. As you trace along, you get to a sysenter command where the necessary info is written to the memory location 12E000 that I keep mentioning. It must get there with info that's in the exe file because both the working and non working exes use the same dlls.


As to BinDifffing, I figured out what that is. I found a program called BinDiff which is run from the command prompt. It wouldn't open my unpacked exe nor the Dillodie exe (the 2 that don't work). That's got to be significant although I have no idea why. I've got another program called easy patch which is designed to make updates to programs. It does this by calculating a bindiff file. This program reads my non-working file. However there is no output file to examine, only a patch which does indeed turn my exe into the pro exe which works, but this does me no good.

[mustanger]

PS

I eventually figured out how to unrar the file:

The password that it's looking for is : www.reaonline.net

Anyway,when you study teh tutorial, it looks like this might be related to my problem. It notes there are other overlays besides ActiveMark. The author indicates he doesn't know how to spot the overlay and the method he gives to create an .ini file doesn't seem to work.