Armadillo protected soft
LaptoniC
May 3rd, 2001, 06:23
My previous question didn't get any reply. I guess it is because it is so short and looks like a crack request. So I will try to be more specific in this post, hopefully.
I am working on an Armadillo protected soft which I haven't seen before. It doesn't create a *.tmp file; it just shows the register dialog, and if you give a wrong serial it just quits, no trial option. So I couldn't manage to unpack it. Anyway, I have problems with it when I try to use SoftICE. TRW2k runs smoothly but SoftICE crashes all the time. Here is the snippet when I run my app with IceDump 6.0.23 (Protect On switch is activated):
0167:10005852 C685B4FDFFFF01 MOV BYTE PTR [EBP-024C],01
0167:10005859 C685A4FDFFFF01 MOV BYTE PTR [EBP-025C],01
0167:10005860 8365FC00 AND DWORD PTR [EBP-04],00
0167:10005864 0F018D8CFCFFFF SIDT FWORD PTR [EBP-0374]
0167:1000586B 8B858EFCFFFF MOV EAX,[EBP-0372]
0167:10005871 83C008 ADD EAX,08
0167:10005874 8B18 MOV EBX,[EAX] ;Here icedump stops
0167:10005876 83C010 ADD EAX,10
0167:10005879 8B00 MOV EAX,[EAX]
0167:1000587B 25FFFF0000 AND EAX,0000FFFF
0167:10005880 81E3FFFF0000 AND EBX,0000FFFF
0167:10005886 2BC3 SUB EAX,EBX
0167:10005888 83F81E CMP EAX,1E
0167:1000588B 7535 JNZ 100058C2
0167:1000588D 8B852CFCFFFF MOV EAX,[EBP-03D4]
0167:10005893 8B8D2CFCFFFF MOV ECX,[EBP-03D4]
0167:10005899 8B807C020000 MOV EAX,[EAX+0000027C]
0167:1000589F 338180020000 XOR EAX,[ECX+00000280]
0167:100058A5 8B8D2CFCFFFF MOV ECX,[EBP-03D4]
0167:100058AB 89817C020000 MOV [ECX+0000027C],EAX
0167:100058B1 834DFCFF OR DWORD PTR [EBP-04],-01
0167:100058B5 EB0B JMP 100058C2
0167:100058B7 6A01 PUSH 01
0167:100058B9 58 POP EAX
0167:100058BA C3 RET
0167:100058BB 8B65E8 MOV ESP,[EBP-18]
0167:100058BE 834DFCFF OR DWORD PTR [EBP-04],-01
0167:100058C2 0FB685A4FDFFFF MOVZX EAX,BYTE PTR [EBP-025C]
0167:100058C9 85C0 TEST EAX,EAX
0167:100058CB 0F853D010000 JNZ 10005A0E
0167:100058D1 83C8FF OR EAX,-01
0167:100058D4 83F8FF CMP EAX,-01
----will continue--------------------------
LaptoniC
May 3rd, 2001, 06:25
IceDump can't handle this and it results in a BSOD or sometimes a total system crash. I have tried the latest FrogsICE builds and two betas; I got the same result. It crashes. I have tried to change the conditional jumps or to jump to the 100058B7 line, but it gives the same result.
This check, as far as I know, is the IceCream check like below. As you have noticed they are different on the (ADD EAX,10) line. I don't know what it points to. Any help will be appreciated.
-------Snippet from CrackZ's Anti-Debugging & Software Protection Advice-------
ICECream detection (Windows 95).
Get the Interrupt Descriptor Table (IDT) with the SIDT command.
Get the address of Interrupt gate 1.
Move 16 bytes back.
Check if byte is 1Eh - if so SoftICE is running.
SIDT FWORD PTR opIDT <-- Store IDT.
MOV EAX, DWORD PTR [opIDT+2] <-- EAX=IDT.
ADD EAX, 8h <-- EAX has INT 1 vector.
MOV EBX, [EAX] <-- EBX=INT 1 vector.
ADD EAX, 16h <-- EAX points at INT 3 vector.
MOV EAX, [EAX] <-- Get EAX=INT 3 vector.
AND EAX, 0FFFFh
AND EBX, 0FFFFh <-- Remove selectors.
SUB EAX, EBX <-- Find displacement.
CMP EAX, 01Eh
JZ SoftICE_3.0_is_running
-------Snippet from CrackZ's Anti-Debugging & Software Protection Advice-------
PS: I have also tried to find the magic values for key generation. Duelist released the source code for Armadillo 1.8. I have debugged the demo version and its keygen algo is the same as my app. However, I couldn't see the values he used in the keygen.
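The IDT check in the listing above (10005864..10005888) and in CrackZ's description of it, as an added example that is not code from the thread, from CrackZ or from Armadillo: it replays the same arithmetic in C over a constructed 32-bit IDT image instead of executing SIDT and reading the live IDT, so it runs on any machine. A 32-bit IDT gate descriptor is 8 bytes, with the handler offset[15:0] in bytes 0-1 and the selector in bytes 2-3, so gate 1 (INT 1) sits at IDT+8 and gate 3 (INT 3) at IDT+0x18, which is the 0x10 the listing adds after reaching gate 1. The handler addresses and selectors in the sample are constructed values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not code from the thread, CrackZ or Armadillo): replays the
 * arithmetic of the SIDT check in the posted listing over a constructed
 * 32-bit IDT image instead of executing SIDT and reading the live IDT. */

#define GATE_SIZE 8                 /* one 32-bit IDT gate descriptor */
#define NUM_GATES 4                 /* INT 0..3 are enough for the check */
#define IDT_IMAGE_SIZE (GATE_SIZE * NUM_GATES)

/* Pack a 32-bit interrupt gate: offset[15:0], selector, reserved, type/attr,
 * offset[31:16]. 0x8E = present, DPL 0, 32-bit interrupt gate. */
static void write_gate32(uint8_t *gate, uint32_t offset, uint16_t selector)
{
    gate[0] = (uint8_t)(offset & 0xff);
    gate[1] = (uint8_t)((offset >> 8) & 0xff);
    gate[2] = (uint8_t)(selector & 0xff);
    gate[3] = (uint8_t)(selector >> 8);
    gate[4] = 0;
    gate[5] = 0x8e;
    gate[6] = (uint8_t)((offset >> 16) & 0xff);
    gate[7] = (uint8_t)((offset >> 24) & 0xff);
}

/* Little-endian dword load, i.e. what MOV EBX,[EAX] fetches from a gate:
 * offset[15:0] in the low word and the selector in the high word. */
static uint32_t load32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Listing 10005864..10005886, step for step:
 *   MOV EAX,[IDT base]; ADD EAX,08   -> gate 1 (INT 1)
 *   MOV EBX,[EAX]                    -> dword of gate 1
 *   ADD EAX,10; MOV EAX,[EAX]        -> dword of gate 3 (INT 3), two gates on
 *   AND EAX,FFFF; AND EBX,FFFF       -> keep offset[15:0], drop the selectors
 *   SUB EAX,EBX                      -> displacement
 * Returns that 32-bit displacement (wraps exactly like the CPU register). */
uint32_t int3_minus_int1(const uint8_t *idt, size_t len)
{
    if (len < IDT_IMAGE_SIZE)
        return 0;
    uint32_t int1_low = load32(idt + 1 * GATE_SIZE) & 0xffffu;
    uint32_t int3_low = load32(idt + 3 * GATE_SIZE) & 0xffffu;
    return int3_low - int1_low;
}

/* CMP EAX,1E: a displacement of exactly 0x1E is treated as SoftICE present. */
int flags_softice(const uint8_t *idt, size_t len)
{
    return int3_minus_int1(idt, len) == 0x1eu;
}

/* Constructed sample IDT: four gates, INT 1 and INT 3 handlers as given.
 * Non-zero selectors make the AND 0xFFFF step observable. */
void build_idt(uint8_t *idt, uint32_t int1_handler, uint32_t int3_handler)
{
    memset(idt, 0, IDT_IMAGE_SIZE);
    write_gate32(idt + 0 * GATE_SIZE, 0xc0001000u, 0x0028);
    write_gate32(idt + 1 * GATE_SIZE, int1_handler, 0x0028);
    write_gate32(idt + 2 * GATE_SIZE, 0xc0002000u, 0x0028);
    write_gate32(idt + 3 * GATE_SIZE, int3_handler, 0x0028);
}

/* Build the sample IDT for two handlers and run the check on it. */
uint32_t displacement_for(uint32_t int1_handler, uint32_t int3_handler)
{
    uint8_t idt[IDT_IMAGE_SIZE];
    build_idt(idt, int1_handler, int3_handler);
    return int3_minus_int1(idt, sizeof idt);
}

int softice_flag_for(uint32_t int1_handler, uint32_t int3_handler)
{
    uint8_t idt[IDT_IMAGE_SIZE];
    build_idt(idt, int1_handler, int3_handler);
    return flags_softice(idt, sizeof idt);
}

int main(void)
{
    /* handlers 0x1E apart: the protector's "SoftICE" signature */
    printf("0x%08x -> %d\n", (unsigned)displacement_for(0xc0003000u, 0xc000301eu),
           softice_flag_for(0xc0003000u, 0xc000301eu));
    /* unrelated handlers: clean */
    printf("0x%08x -> %d\n", (unsigned)displacement_for(0xc0003000u, 0xc0004000u),
           softice_flag_for(0xc0003000u, 0xc0004000u));
    /* only offset[15:0] is compared: a carry out of bit 15 hides a real 0x1E gap */
    printf("0x%08x -> %d\n", (unsigned)displacement_for(0xc000fff0u, 0xc001000eu),
           softice_flag_for(0xc000fff0u, 0xc001000eu));
    return 0;
}
```

The third case is the caveat worth keeping in mind when reading such checks: both gate offsets are masked to 16 bits before the subtraction, so the comparison is against the low-word distance, not the real address distance.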
the analyst / UCF
May 3rd, 2001, 16:57
Quote:
LaptoniC (05-02-2001 20:23):
My previous question didn't get any reply. I guess it is because it is so short and looks like a crack request. So I will try to be more specific in this post, hopefully.
I am working on an Armadillo protected soft which I haven't seen before. It doesn't create a *.tmp file; it just shows the register dialog, and if you give a wrong serial it just quits, no trial option. So I couldn't manage to unpack it.
hello
hmm, as far as I know,
if you get the register dialog, it is because SoftICE is detected..
I did study Armadillo quite a lot, but I didn't look at the last version yet.
however, I'm pretty sure about the SICE detection.

try to run IceDump and also put:
/protect ON
it should not be hard to bypass it and then unpack it.
the last version changed a bit though.
my unpacker doesn't work anymore.
there is something I have to study someday, but it is pretty similar to the previous armadilled versions.
regards,
the analyst
LaptoniC
May 4th, 2001, 10:22
Maybe you don't know, but if the programmer doesn't define a default license there is no trial option. Try it with the demo of Armadillo if you want. So the only way to run it is to have a good license. Reversing conditional jumps doesn't help because some of the program code is encrypted. I am confused. If anyone wants to try, I have uploaded this file to h*tp://digital-avatar2.com/members/fikman/flasher.zip
the analyst / UCF
May 6th, 2001, 04:41
Quote:
LaptoniC (05-04-2001 00:22):
Maybe you don't know, but if the programmer doesn't define a default license there is no trial option. Try it with the demo of Armadillo if you want. So the only way to run it is to have a good license. Reversing conditional jumps doesn't help because some of the program code is encrypted. I am confused. If anyone wants to try, I have uploaded this file to h*tp://digital-avatar2.com/members/fikman/flasher.zip
"Maybe you don't know, but if the programmer doesn't define a default license there is no trial option."
"Try it with the demo of Armadillo if you want"
;-) well, I bet you didn't listen to me..
every version of Armadillo I tried (the last ones), I couldn't play with it because it asked me to register...
with IceDump running, of course..
but heck, there is another SoftICE detection that, if you AVOID it, Armadillo runs very well, without the register shit..
How do you think the guys that want to try Armadillo will do if they can't try it but only buy?
no sense ...
the analyst
ThrawN
May 6th, 2001, 22:06
I am working with 1.90, which was the newest version 3 weeks ago. It still creates the tmp file when you hit the nag. But when you click OK and go into the program it also creates ANOTHER tmp file that was 16 bytes and contained the text "‘”¼Ó•û*Q„—Ñ¡¤Ð" every time I ran it. Around 2 secs later it created a tm0 file which disappeared pretty quickly. Also I've noticed the old methods of fixing the section that contained the X's didn't fully work now. The section that contains the X's also now contains code.
Does anyone have any more information they can share with me? Thanks
LaptoniC
May 7th, 2001, 02:42
Quote:
;-) well, I bet you didn't listen to me..
every version of Armadillo I tried (the last ones), I couldn't play with it because it asked me to register...
with IceDump running, of course..
but heck, there is another SoftICE detection that, if you AVOID it, Armadillo runs very well, without the register shit..
I bet you don't listen to me either.

Anyway, just to inform you, I tried to run my target without installing SoftICE, I mean on a fresh Windows. So it is the same again: it says "this program needs a security key to run. If you supply one you won't get this prompt again". If you click Cancel the program closes; if you click OK the reg dialog appears. I know it doesn't make any sense making software without a trial option, but if you don't define a default license this is the way the program runs.
the analyst / UCF
May 7th, 2001, 06:52
Quote:
LaptoniC (05-06-2001 16:42):
Quote:
;-) well, I bet you didn't listen to me..
every version of Armadillo I tried (the last ones), I couldn't play with it because it asked me to register...
with IceDump running, of course..
but heck, there is another SoftICE detection that, if you AVOID it, Armadillo runs very well, without the register shit..
I bet you don't listen to me either. Anyway, just to inform you, I tried to run my target without installing SoftICE, I mean on a fresh Windows. So it is the same again: it says "this program needs a security key to run. If you supply one you won't get this prompt again". If you click Cancel the program closes; if you click OK the reg dialog appears. I know it doesn't make any sense making software without a trial option, but if you don't define a default license this is the way the program runs.
the guy who protected it is just a fucking retard then

because if you can't try it, there is no sense.
looks like he doesn't handle Armadillo that well, or he is just completely fucked

dunno if there is still a way, but I think you can bypass that dialog thingy
there is something to patch ..
later,
the analyst
the analyst / UCF
May 7th, 2001, 06:57
Quote:
ThrawN (05-06-2001 12:06):
I am working with 1.90, which was the newest version 3 weeks ago. It still creates the tmp file when you hit the nag. But when you click OK and go into the program it also creates ANOTHER tmp file that was 16 bytes and contained the text "‘”¼Ó•û*Q„—Ñ¡¤Ð" every time I ran it. Around 2 secs later it created a tm0 file which disappeared pretty quickly. Also I've noticed the old methods of fixing the section that contained the X's didn't fully work now. The section that contains the X's also now contains code.
Does anyone have any more information they can share with me? Thanks
what do you mean by "The section that contains the X's also now contains code."?
because the section that contains the X's is the code section.
so I guess it contains code

what did you mean?