ARTeam Tutorial

Visit: http://cracking.accessroot.com | http://forum.accessroot.com

< Unpacking & Cracking Sothink DHTML Menu v6 >


Information: Unpacking & Cracking Armadillo v4.x Dll
Target: Sothink DHTML Menu v6 Build 50810
Available: http://intechhosting.com/~access/ARTeam/tools/sdmenu.zip
Tools: OllyDbg 1.10, ImpRec, LordPE, Hide Debugger 1.2, Re-Pair
Protection: Armadillo v4.x DLL Stub
Level: Beginner to Intermediate
Category: Unpacking, cracking.
Author: MaDMAn_H3rCuL3s  AUGUST 2005
Requirements: Windows XP, IE 5.5 and above for best viewing


1. Introduction


  There is much confusion on how to successfully unpack Armadillo when it's used as a protection for a driver.  Hopefully after reading this you will understand the ideas and concepts needed to meet this goal.  Today's target is Sothink DHTML Menu v6.  The only protection this application has is a driver named "DHTMLMenu.dll".  This is probably a really easy job.  Since it's a driver we can conclude a few things...

1. Nanomites can not be present.

2. Debug Blocker/CM2 can not be present.

  I am unsure as of this writing if Code Splicing is available as an option for drivers.  But so the reader knows.. we won't have it here.  The only obstacles we will encounter are a "Standard" Armadillo protection.  This means the OEP will be found just like you would in a "Standard Protected" executable, plus the IAT will be redirected.  So our goals are the following:

1. Find OEP, dump.

2. Fix IAT, repair IAT.

3. Crack the Protection.

Now that we have the guidelines down.. let's begin....

2. Finding OEP, Dumping, Fix IAT and attach it.

  Okay let's start out like we would normally.. at the EP.. But before this ensure your options in Olly are like mine:

But because we will pretend we are just starting this with no tutorial.. let's open up the main executable, and then we will determine that a driver is our protection issue.  So open up "DHTMLMenu.exe" in Olly....

Okay we can plainly see that this is not Armadillo at all... I mean look at this EP.. Usually we have an EP that would either be a PUSHAD, or PUSH EBP.... which is Armadillo's startup code, and not the real exe (simply because it's wrapped around it).  Now so we can determine that the driver is the real problem let's run the application till we get our "trademark" nag....

Okay.. If you pay close attention you would have seen the "OutputDebugStringA".

  So this will almost certainly tell me that this exe is in some way commercially protected.  Now..  With our nag shown we will hit F12 in Olly then "ALT+K" and see what called it..

Well we can see that the base range "28xxxxxx" is not within our current executable.. If we were to see exactly what modules are loaded we would see this (hit ALT+E):

Now we can tell what exactly called this nag.... It came from that Driver named the same as the executable (well except the driver part ....duh!)... So now we will go ahead and load the Driver into Olly and see what we get...:

Now this looks more like a commercial protection...  Although at first you wouldn't agree.. I mean neither would I...  That is until you did a String Reference...  So right click - Search For - All Referenced text strings.

You should be taken into the string output like so:

But scroll up to the top....:


You see the "ARMSPLASHOFF" reference?  That's our indication what we got against us...

  Well I won't lie, drivers are really easy to get to the OEP on....  So.. if you are still on the EP (and you should be), hit "ALT+M" (bring up memory map) and then set a BP on the .text section of the driver...:

Okay now simply hit "Shift+F9" and then we will break on the OEP.. (yeah it's that easy)...

So yeah we are at the OEP.. :)

  That was really easy... Now our next goal is to fix the Imports as Armadillo does some mean nasty stuff to them...  So what we need to do first is find one so we can set some HW Breakpoints and then .. well I am sure you already read my other tutorials.. same drill... restart... find JNZ, restart.. patch it....  Anyways.. let's move on...

  We need to find the Import Table, or what's left of it...  So please scroll up to the top of the code section and then search for "FF25" and then once we find one valid entry we will look in our dump for our table...

Just hit "CTRL+B" to bring up this menu to search... then enter in "FF25" then hit "OK".


We found one.. so let's follow in dump...

And our dump will look like this below...

DAMN!.. the IAT looks pretty good.. doesn't it?

Scroll up a bit in dump and you will see some invalid entries..

Okay we have found one... Let's set a Hardware BP on Write DWORD on this invalid entry...

Now just so we know it.. lets scroll up till we find our beginning of the Import Table..

Okay so we know that "2810C000" is our RVA....
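As an added illustration (not part of the original tutorial), the following Python script does by hand what the FF25 search, the "follow in dump" step and ImpRec's "Show Invalid" button do in Olly: it scans a code section for FF25/FF15 indirect jumps and calls whose operand points into the IAT range, and then classifies each IAT slot as valid (points into a loaded module) or invalid (points anywhere else, such as back into the Armadillo stub). The image base 28000000, the OEP 280CABAA and the IAT address 2810C000 are taken from the tutorial; the code bytes, the IAT contents and the module address ranges are constructed sample data, not taken from the real driver.

```python
import struct

IMAGE_BASE = 0x28000000          # image base of the driver, as found in the tutorial
IAT_START = 0x2810C000           # start of the import table the tutorial located in the dump
OEP = 0x280CABAA                 # OEP the tutorial broke on

# Constructed module map (address ranges are made up for this sample, not real).
MODULES = {"kernel32.dll": (0x7C800000, 0x7C8F6000),
           "user32.dll": (0x7E410000, 0x7E4A1000)}

# Constructed code bytes: jmp [2810C000]; nop; call [2810C008]; jmp [00000000] (not an IAT thunk).
SAMPLE_CODE = (b"\xff\x25" + struct.pack("<I", IAT_START) + b"\x90" +
               b"\xff\x15" + struct.pack("<I", IAT_START + 8) +
               b"\xff\x25" + struct.pack("<I", 0))
# Constructed IAT contents: valid, redirected into the image itself, valid, terminator.
SAMPLE_IAT = struct.pack("<4I", 0x7C801234, 0x28005000, 0x7E410100, 0)

def va_to_rva(va, base=IMAGE_BASE):
    """The subtraction ImpRec needs for its OEP box (280CABAA - 28000000 = 000CABAA)."""
    return va - base

def find_iat_thunks(code, code_va, iat_lo, iat_hi):
    """Return (thunk_va, slot_va) for each FF25 (jmp) / FF15 (call) whose operand lies in the IAT."""
    hits, i = [], 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] in (0x25, 0x15):
            slot = struct.unpack_from("<I", code, i + 2)[0]
            if iat_lo <= slot < iat_hi:
                hits.append((code_va + i, slot))
            i += 6
            continue
        i += 1
    return hits

def classify_iat(iat_bytes, iat_va, modules):
    """Like ImpRec's 'Show Invalid': a slot is valid only if it points into a loaded module."""
    out = []
    for off in range(0, len(iat_bytes), 4):
        value = struct.unpack_from("<I", iat_bytes, off)[0]
        owner = next((n for n, (lo, hi) in modules.items() if lo <= value < hi), None)
        out.append((iat_va + off, value, owner))
    return out

if __name__ == "__main__":
    print("OEP RVA for ImpRec: %08X" % va_to_rva(OEP))
    for thunk, slot in find_iat_thunks(SAMPLE_CODE, OEP, IAT_START, IAT_START + len(SAMPLE_IAT)):
        print("thunk at %08X -> IAT slot %08X" % (thunk, slot))
    for slot, value, owner in classify_iat(SAMPLE_IAT, IAT_START, MODULES):
        print("%08X: %08X %s" % (slot, value, owner or "INVALID"))
```

On a real dump you would feed the bytes of the .text section and the module list from Olly's ALT+E window instead of the constructed samples.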

We can go ahead and restart the driver and run till we break on the HW BP...

And we break here right away... Why, you ask?.. Why didn't we break on the REP command that we usually do with an executable?  Well it's really simple.. When Armadillo is used on a driver the encryption isn't the same..  We all know that an executable and a driver differ by many things... Since a driver is pretty much an extension of an executable...well hold on.. I am making this harder to understand... Simply said... when you double click an executable.. what happens..? Yes, it runs... When you double click a driver what happens..?  Yes.. nothing... This is the reason it's called an "executable".  In other words, when Armadillo is used on a driver the decryption is different.  Therefore we wouldn't see the same things as we would in an executable.  Make sense?  Well I am sorry if it didn't.. Maybe you should read some other things first then.. :)

  Anyways.. like usual we are looking for the JNZ below the stricmp...  So scroll up a bit and you'll see this:

The JNZ that we need to modify is the one highlighted.  So we set a BP HW on Execution.. on the JNZ.. then restart again...


We change it to NOP.. then remove the HW BP on it...

  Now we need to fix one more thing here.. the GetTickCount JBE.... or else our dumped dll will not run properly...

  So scroll down now till we see the code..:

Now make the JBE -> JMP

Okay now we can safely set a BP on the ".text" section again (to get to the OEP)...  So hit "ALT+M" and then set a BP on the .text section...

Now hit "Shift+F9" and then we will break on the OEP:

Easy huh?  So now start up IMPREC and then let's grab our IAT and then attach it...  Oh yeah let's also dump it... So let's dump it first ...

Using Lord-PE...... Make sure your options are like so:

Now lets proceed.

Okay we see that since we are using the "loaddll.exe" as part of Olly we will look for our driver in there.. so highlight the loaddll.exe like I have shown.. then in the list at the bottom.. scroll down till we see our driver..

Now right click it (the driver) then "dump full"

Okay now we have a nicely dumped driver, now let's start up IMPREC and then fix our IAT.  But first make sure your options are set like mine:

And we move on:

Okay like the other tutorial I wrote dealing with the IAT and dll's ... we will select the "loaddll.exe" and then click the "Pick DLL" button....

Then just click the "OK" button.. then we can start with our imports...

So.. exactly what is our OEP?.... Well first things first... We need to remember our OEP.. which is "280CABAA".. but this will not work in IMPREC... remember our image base.. we need to subtract it.. so our image base is 28000000.. so we subtract that from our OEP..

280CABAA - 28000000 = 000CABAA

So enter that in the OEP box.. then remember our RVA?

2810C000.. well there is no need to edit that as IMPREC has correctly identified it.. So now all we hit is the "Get Imports" button...

So hit "Get Imports" then click the "Show Invalid" button then right click the invalid ones then cut them from the table...

Now we have a working dumped/repaired driver.. (of course after you've attached the IAT to the dumped driver, by clicking the Fix Dump button) So all that's left is to crack the driver, because since this is a driver.. the protection isn't executed by itself.. it's triggered by the main executable..


So go ahead and take a 5 minute break.. be back.. go smoke... whatever...

3. Cracking the driver

  Okay welcome back... We will begin this section starting off with the main executable..  So start up the main exe in Olly..: (important thing to note.... please rename the dumped driver to the original name of the driver, else it won't load it)

Now.. our goal is to make the program think it's registered (DUH!).. but exactly how?  Well since we are dealing with Armadillo we can say that it will use the API GetEnvironmentVariableA to check against the "key" being in the registry...  So while we are at the OEP let's set a BP on GetEnvironmentVariableA.

And now we will run the app using "Shift+F9" till we break..


Now hit "ALT+F9" to return to main code...

Now the answer is quite clear to me... I see a very easy way out of this.. do you?

Well.. only 2 bytes need to be changed and then our driver will tell our main exe that we are in fact registered.. and can use all the features of the program... Any ideas?

Well the way I came up with was to just make the "XOR EAX, EAX" at the bottom of the picture.. and turn it into a "MOV AL, 1".....

so go ahead and do this...

Now hit Shift+F9 till we see our great accomplishment.. (also don't forget to remove the BP on GetEnvironmentVariableA)...

Now in order to fully know for sure that it does in fact run correctly.. you will need to make at least 4 menus and then assign links to them.. I did this in the following pictures.. including the "untouched" version so we can see that it does in fact work correctly...

First we will be shown the untouched/unpatched version.. so you will see the limitations.. (besides the nag)

also we will see this if we are unregistered when we try to enter in any link:

Okay a pretty shitty picture.. I made 4 menus then assigned other links to them so that they would point to them.. if we are unregistered.. we see the "#" instead of the real link...

So now we will look at the patched version..


So there you have it folks.. another app another crack....  Make sure you save the changes and enjoy!

Until next time.. I remain....................

MaDMAn_H3rCuL3s

4. Conclusion

Lesson Learnt

1. Unpacking dlls again.. and even a nice way to patch it...

2. ARTeam.... need I say more.. :)

3. Oh and one last thing.... This is to all you sceners.. who read my shit and try to duplicate it.. I know who you are.. It's pretty pathetic that you must stoop to this level of stealing.. I do this for fun.. not so you can increase your Team's releases.  At the very least you can include me in your nfo.  If it goes on I will stop writing... I can guarantee you that...

5. Greetingz

[MAIN TEAM]
[Nilrem] [Shub - Nigurrath] [MaDMAn_H3rCuL3s] [Ferrari] [Kruger] [Teerayoot] [R@dier] [ThunderPwr] [Eggi] [EJ12N] [JohnWho] [Condzero] [Stickman 373] [Bone Enterprise] [Release Team]

[TSRH] [Exetools] [RCE Forums] [CUG] [Ricardo] [SnD] [fly] [PEdiy forums] [MEPHiST0] [C0n3r0n3] [ILCH] [And any others I missed]