Armadillo 1.XX-2.XX
Armadillo protect 一共有四种保护选项,如果四种保护选项都使用的话,它的保护强度是很大的。很多软件都使用了四种中的三项,保护强度只是弱了那么一点点,所以对于Armadillo的破解是比较复杂的,下面我们来看看这四种保护保护选项:
1、Nanomites Processing
The Nanomites provide additional protection against memory-dumping for your programs. They will protect your program even if it is somehow stripped out of the SoftwarePassport/Armadillo shell. If your program can use the Debugger-Blocker or CopyMem-II, it should be able to use Nanomites as well. Besides enabling this option, you must mark sections within your program where Nanomites are permitted to reside and won’t cause any speed problems, and use a custom build of the Armadillo engine. This option can only be used with the Debugger-Blocker or CopyMem-II protections.
Nanomites Processing就是通常所谓的CC,Armadillo最让人头痛的保护措施。
2、Import Table Elimination
Import Table Elimination is another anti-dumping defense. It removes the import table of the program, making it much more difficult to reconstruct the unprotected program file. Unlike CopyMem-II and the Nanomites, this defense does not require the Debugger-Blocker, but it is only available in custom builds.
Import Table Elimination一般是把输入表放在壳申请的内存处并且乱序处理。
对于输入表乱序,以前有两种解法:①、写代码重新排序;②、直接用ImportRec“创建新的IAT”功能来构造新的输入表。
3、Code Splicing
Strategic Code Splicing is another anti-dumping defense. It removes portions of your code and places them randomly in memory, changing them so that they still operate the same but are coded differently. Unlike CopyMem-II and the Nanomites, this defense does not require the Debugger-Blocker, but it is only available in custom builds.
Code Splicing通常称为远程地址,Armadillo会把程序中的部分代码挪移到壳申请的内存段运行,普通dump会导致此部分代码丢失。以前有两种解法:①、修改VirtualAlloc返回地址,使其把挪移的代码放到无用的壳区段;②、Dmp后补上那个包含挪移代码的壳申请的内存段。
4、Memory-Patching Protections
He Memory-Patching Protections prevent an attacker from using a loader to change your program’s code in memory, once it’s loaded. If you handle any part of the expiration logic in your program’s code, or use environment variables to control features that are only allowed in the paid-for version, then your program might be vulnerable to a memory-patching attack.
If you use this option, you MUST use either CopyMem-II or the monitoring thread (or both), or it won’t be able to do anything.
The only time this option can cause a problem is if your program uses self-modifying code — this option would consider that an attack, and would deliberately crash your program to stop it.
内存校验。
