Contribute  :  Web Resources  :  Past Polls  :  Site Statistics  :  Downloads  :  Forum  
    BiW ReversingThe challenge is yours    
 Welcome to BiW Reversing
 Saturday, September 22 2018 @ 01:45 AM CEST
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

How to Unpack Armadillo 3.xx-4.xx with FingerPrint

 
Post new topic   Reply to topic    www.reversing.be Forum Index -> Unpacking
View previous topic :: View next topic  
Author Message
arox
New to the board
New to the board


Joined: 09 Dec 2006
Posts: 1

PostPosted: Sat Dec 23, 2006 6:23 am    Post subject: How to Unpack Armadillo 3.xx-4.xx with FingerPrint Reply with quote

i have read tut from Newbie Cracker

when i load exe to olly

00840457 |. E8 12030000 CALL SMSClub9.0084076E
0084045C |. 59 POP ECX
0084045D |. 59 POP ECX
0084045E |> 8BC6 MOV EAX,ESI
00840460 |. 5E POP ESI
00840461 |. C9 LEAVE
00840462 \. C3 RETN
00840463 >/$ 55 PUSH EBP
00840464 |. 8BEC MOV EBP,ESP
00840466 |. 6A FF PUSH -1
00840468 |. 68 20AB8600 PUSH SMSClub9.0086AB20
0084046D |. 68 A0018400 PUSH SMSClub9.008401A0 ; SE handler installation
00840472 |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00840478 |. 50 PUSH EAX
00840479 |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00840480 |. 83EC 58 SUB ESP,58
00840483 |. 53 PUSH EBX
00840484 |. 56 PUSH ESI
00840485 |. 57 PUSH EDI
00840486 |. 8965 E8 MOV [LOCAL.6],ESP
00840489 |. FF15 88518600 CALL NEAR DWORD PTR DS:[<&KERNEL32.GetVe>; kernel32.GetVersion


Searching for ENHFINGERPRINT

References in 003B0000..003FAFFF to 003E83B4, item 0
Address=003D1822
Disassembly=PUSH 3E83B4
Comment=ASCII "ENHFINGERPRINTV1"


follow this address and got this

003D16AD 68 18843E00 PUSH 3E8418 ; ASCII "DATELASTRUN"
003D16B2 E8 806EFEFF CALL 003B8537
003D16B7 8B0D B0233F00 MOV ECX,DWORD PTR DS:[3F23B0]
003D16BD 83C4 0C ADD ESP,0C
003D16C0 53 PUSH EBX
003D16C1 E8 7862FFFF CALL 003C793E
003D16C6 50 PUSH EAX
003D16C7 68 0C843E00 PUSH 3E840C ; ASCII "USERNAME"
003D16CC E8 9764FEFF CALL 003B7B68
003D16D1 8B0D B0233F00 MOV ECX,DWORD PTR DS:[3F23B0]
003D16D7 83C4 0C ADD ESP,0C
003D16DA 53 PUSH EBX
003D16DB E8 5E62FFFF CALL 003C793E
003D16E0 50 PUSH EAX
003D16E1 68 00843E00 PUSH 3E8400 ; ASCII "ALTUSERNAME"
003D16E6 E8 7D64FEFF CALL 003B7B68
003D16EB 8B0D B0233F00 MOV ECX,DWORD PTR DS:[3F23B0]
003D16F1 83C4 0C ADD ESP,0C
003D16F4 3899 533D0000 CMP BYTE PTR DS:[ECX+3D53],BL
003D16FA 74 08 JE SHORT 003D1704
003D16FC 53 PUSH EBX
003D16FD 68 88753E00 PUSH 3E7588 ; ASCII "CLIENT"
003D1702 EB 39 JMP SHORT 003D173D
003D1704 3919 CMP DWORD PTR DS:[ECX],EBX
003D1706 53 PUSH EBX
003D1707 74 33 JE SHORT 003D173C
003D1709 6A 01 PUSH 1
003D170B E8 3A62FFFF CALL 003C794A
003D1710 50 PUSH EAX
003D1711 68 90753E00 PUSH 3E7590 ; ASCII "USERKEY"
003D1716 E8 4D64FEFF CALL 003B7B68
003D171B 8B0D B0233F00 MOV ECX,DWORD PTR DS:[3F23B0]
003D1721 83C4 0C ADD ESP,0C
003D1724 3899 523D0000 CMP BYTE PTR DS:[ECX+3D52],BL
003D172A 74 1E JE SHORT 003D174A
003D172C 53 PUSH EBX
003D172D 6A 01 PUSH 1
003D172F E8 1662FFFF CALL 003C794A
003D1734 50 PUSH EAX
003D1735 68 F4833E00 PUSH 3E83F4 ; ASCII "SERVERKEY"
003D173A EB 06 JMP SHORT 003D1742
003D173C 53 PUSH EBX
003D173D 68 90753E00 PUSH 3E7590 ; ASCII "USERKEY"
003D1742 E8 2164FEFF CALL 003B7B68
003D1747 83C4 0C ADD ESP,0C
003D174A 8B0D B0233F00 MOV ECX,DWORD PTR DS:[3F23B0]
003D1750 53 PUSH EBX
003D1751 E8 A091FFFF CALL 003CA8F6
003D1756 8BC8 MOV ECX,EAX
003D1758 BF DC803E00 MOV EDI,3E80DC ; ASCII "%04X-%04X"
003D175D 81E1 FFFF0000 AND ECX,0FFFF
003D1763 C1E8 10 SHR EAX,10
003D1766 51 PUSH ECX
003D1767 50 PUSH EAX
003D1768 8D85 B8FDFFFF LEA EAX,DWORD PTR SS:[EBP-248]
003D176E 57 PUSH EDI
003D176F 50 PUSH EAX
003D1770 FFD6 CALL NEAR ESI
003D1772 8D85 B8FDFFFF LEA EAX,DWORD PTR SS:[EBP-248]
003D1778 53 PUSH EBX
003D1779 50 PUSH EAX
003D177A 68 E8833E00 PUSH 3E83E8 ; ASCII "FINGERPRINT"
003D177F E8 E463FEFF CALL 003B7B68
003D1784 8B0D B0233F00 MOV ECX,DWORD PTR DS:[3F23B0]
003D178A 83C4 1C ADD ESP,1C
003D178D 53 PUSH EBX
003D178E E8 7A91FFFF CALL 003CA90D


And i found the EAX at FPU has the same value with my FingerPrint exe


From here, i don't know

Try set BP on VirtualProtect and follow the EDX value
i found two XOR EAX value with ESP+4

and course, sonfuse to make a loader for exe Smile

Need help
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    www.reversing.be Forum Index -> Unpacking All times are GMT + 1 Hour
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group
 Copyright © 2018 BiW Reversing
 All trademarks and copyrights on this page are owned by their respective owners.
Powered By Geeklog 
Created this page in 0.10 seconds