From Collaborative RCE Tool Library
ArmaGeddon
| Tool name: | ArmaGeddon |
|---|---|
| Author: | CondZero |
| Website: | http://arteam.accessroot.com/releases.html |
| Current version: | 1.2g |
| Last updated: | March 9, 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |

Description:

Armageddon is an Armadillo unpacking tool designed specifically to deal with the many protection features available in versions 3.78 through 5.40. This tool can strip Armadillo protection from protected EXEs / DLLs.

Tested on
---------
Various applications protected by versions 3.78 through 5.42 under Win2k, Win2k3 Server, XP SP1 & SP2 and Vista 32-bit.

If you experience any problems running the program, you may need to download and install the Microsoft Visual C++ 2005 Redistributable Package (x86), available here:
http://www.microsoft.com/downloads/details.aspx?familyid=32bc1bee-a3f9-4c13-9c99-220b62a191ee&displaylang=en

Supported Features
------------------
* Standard Protection
* Minimum Protection
* Memory Patching
* Debugblocker
* CopyMemII
* Import Elimination
* Import Redirection (Emulation)
* Strategic Code Splicing
* Nanomites

DLL support
-----------
Requires the included dll loader.exe to load the target DLL. Open / Save dialogs updated for exe / dll.

Full imports rebuilding
-----------------------
ARTeam Import Reconstructor 1.0 (ARImpRec.dll) by Nacho_dj. It performs the task of rebuilding the import table in a new section. Its main feature is that it can rebuild a shuffled IAT.

Nanomites processing
--------------------
Admiral's nanolib.dll, Rwb32.bin (handler), NanoView.exe (viewer)

* Nanomites: Locates all of the Nanomites in a dump and uses the packed exe to analyse them, generating a Nanomite table containing all the necessary information to produce a working dump. Appends a small piece of vectored exception handling code at the end of your dump which will deal with the Nanomites on the fly.

NanoView.exe
------------
Admiral's tool to view a *.nan file. Shows the entire nano table (the one appended to the repaired dump file) in a listview.
Unsupported Features
--------------------
* Hardware locking
* Security/Temporary keys
* Expired Application (need to use Trial-Reset or TrashReg to delete the expired key)
* Shockwave Flash overlays
* Secured Sections

Overview
--------
You will notice the absence of many options. This tool was designed and built to be very user friendly. The tool has built-in features that let it decide which path to take based on the target executable.

Nanomites
---------
This functionality was borrowed from Admiral's excellent Arminline tool (latest Final build) and integrated into this tool. Some of the words that follow are included from his Readme.txt file:

A separate external dll (Nanolib.dll) does the work of analyzing the target process to determine valid vs. invalid nanomites and generates an internal table of valid nanomites which can be saved for later use and/or loaded from a previous save. The repair dump function appends a small piece of vectored exception handling code into your dump which will deal with the Nanomites on the fly, as well as appending the internal nanomite table, to produce a working dump.

If you suspect nanomites or want to troubleshoot existing nanomites, check the "log nanomites" checkbox. This will log all actual nanomites as they are processed in a running target. If you know there are nanomites, or aren't sure, check the "analyze nanomites" checkbox, which locates all of the Nanomites in a dump and uses the packed exe to analyse them on the fly (most accurate).

Nanomite File Format (*.nan)
----------------------------
Each Nanomite is described by the following structure:

    struct Nanomite {
        long Address
        long Destination
        long Size
        long JumpType
    }

The first dword in the file is the number of Nanomites described in the rest of the file. It is immediately followed by an array (with that number of elements) of the above structure. Once you've extracted this array you should be at EOF.

Here are the details on the structure:

Address: The virtual address of the Nanomite. Each one of these should point to a 0xCC in your dump.

Destination: The virtual address to which the Jcc jumps (if the jump is taken).

Size: The size of the instruction in bytes (including the Jcc opcode and the relative/absolute address). I'm not entirely sure how this made it into the structure, if it's useful or even valid. On examining a few .nan files, this field seems to contain some strange-looking values. You shouldn't need to use this field, but if you choose to, be careful.

JumpType: An enumeration that describes what type of Jcc you're looking at. The values are:

    JUnknown    = 0
    NotNanomite = 1
    JMP         = 2
    JNZ         = 3
    JZ          = 4
    JB          = 5
    JBE         = 6
    JA          = 7
    JNB         = 8
    JG          = 9
    JGE         = 10
    JL          = 11
    JLE         = 12
    JP          = 13
    JPE         = 14
    JNP         = 15
    JPO         = 16
    JS          = 17
    JNS         = 18
    JCXZ        = 19
    JNCXZ       = 20
    JC          = 21
    JNC         = 22
    JO          = 23
    JNO         = 24

A word of warning: Don't be tempted to iterate through the array, assemble the jumps and patch them into the dump. Although this will fix all the Nanomites, it will also destroy some other instructions (namely 0xCCs that weren't put there by Armadillo). This is because the array contains information for every occurrence of the 0xCC byte, not only ones which are Nanomites. Unfortunately it is impossible to determine (from a dead-listing) which Nanomites are genuine, so you're going to have to either use a loader or dabble in VEH (unless you can think of a better way). I'm aware that this file format could have been made a lot cleaner and smaller, but I had my reasons for sticking to unsigned longs.

Other considerations
--------------------
Make sure all supplied components reside in the same folder!

For aesthetic reasons one might want to remove the unused Armadillo sections from the PE section header, and their data, physically. This can be done quite comfortably with CFF Explorer or any similar PE editor.
The tool works fairly fast and efficiently, but should the target application hang, you can terminate it gracefully, since the GUI launches a separate thread to run the target process.

Some Notes
----------
As with any tool that removes protection, the resultant dump may still not work properly. You may need to include ArmAccess.dll in the target application's folder.

This tool does not currently support Shockwave Flash type applications which make use of an overlay!

Known Issues
------------
You are encouraged to use tools like ArmaDetach v1.3 or ArmadilloFindProtected v1.6 to determine version / features / protection options.

Make sure the Armadillo PE section names conform to standards; otherwise it may be necessary to rename them before using this tool.

Should the Import Reconstructor fail, i.e. return code > 0, a workaround is to perform the dump and IAT repair yourself: rerun the program and, when it asks you to dump / save, press "Cancel"; then dump with a 3rd-party dump tool (LordPE or similar) and rebuild the imports with ImpREC (or Magic_h2001's Universal Import Fixer v1.0 - UIF).

Should the application appear to hang (do nothing), it could be that the process is taking some time to unpack, a resource conflict, a compatibility issue with your OS, or that the version of Armadillo is not supported! In some cases, if you try again, it may work due to available resources (memory).

Version History
---------------
March 2008 - v1.2g [gabor edition]
+ add warning message for OEP call return VA not from Armadillo VM. Note: informational, not usually relevant for DLLs or EXEs with copymem2, but may be useful for troubleshooting invalid OEPs resulting from custom implementations and/or packing / compressing of a file prior to being protected by Armadillo
+ fix problem with copymem2 search string error
+ fix problem with createdump on error

March 2008 - v1.2
+ improved PE section name resolution for internal use (thanks Ghandi)
+ improved ARTeam Import Reconstructor v1.2

February 2008 - v1.1
+ added dll support (dll loader.exe)
+ added option "Use OpenMutex trick" to force a single process. Use only if normal "debug blocker" processing fails. This would occur when a parent process launches the child process but doesn't debug the child process (i.e. use the WaitForDebugEvent API)
+ improve IAT elimination functionality
+ includes updated ARTeam Import Reconstructor

February 2008 - v1.0 (initial release)
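The *.nan table layout given under "Nanomite File Format" above, read and cross-checked against a dump. This is an added example, not code from ArmaGeddon, Arminline or nanolib.dll. It assumes the dump being checked is section-mapped (laid out as it is in memory, the way a LordPE-style full dump is), so a virtual address becomes a byte offset by subtracting the image base; the sample .nan blob and the 0x60-byte dump are constructed here. The audit implements the readme's own checks (every Address must hold 0xCC, and entries typed JUnknown/NotNanomite are the 0xCC bytes a blind patch loop would corrupt), and jump_taken applies standard x86 Jcc semantics to a saved EFLAGS value, which is the decision the appended VEH handler has to make when one of these int3s fires; it illustrates that logic and is not the handler's code.

```python
"""Reader and cross-checker for the *.nan nanomite table (added example, not tool code)."""
import struct
from dataclasses import dataclass
from typing import Dict, List

# JumpType enumeration exactly as listed in the readme.
JUMP_TYPES: Dict[int, str] = {
    0: "JUnknown", 1: "NotNanomite", 2: "JMP", 3: "JNZ", 4: "JZ", 5: "JB",
    6: "JBE", 7: "JA", 8: "JNB", 9: "JG", 10: "JGE", 11: "JL", 12: "JLE",
    13: "JP", 14: "JPE", 15: "JNP", 16: "JPO", 17: "JS", 18: "JNS",
    19: "JCXZ", 20: "JNCXZ", 21: "JC", 22: "JNC", 23: "JO", 24: "JNO",
}
# One record: Address, Destination, Size, JumpType, each an unsigned 32-bit little-endian long.
RECORD = struct.Struct("<IIII")
# EFLAGS bit positions consulted by the Jcc conditions.
CF, PF, ZF, SF, OF = 1 << 0, 1 << 2, 1 << 6, 1 << 7, 1 << 11


@dataclass
class Nanomite:
    address: int
    destination: int
    size: int          # readme: contains odd values, do not rely on it
    jump_type: int

    @property
    def kind(self) -> str:
        return JUMP_TYPES.get(self.jump_type, "?%d" % self.jump_type)


def parse_nan(data: bytes) -> List[Nanomite]:
    """dword count, then `count` records, then EOF; anything else is rejected."""
    if len(data) < 4:
        raise ValueError("truncated: no count dword")
    (count,) = struct.unpack_from("<I", data, 0)
    if len(data) != 4 + count * RECORD.size:
        raise ValueError("size mismatch: %d records announced, %d bytes present" % (count, len(data)))
    return [Nanomite(*RECORD.unpack_from(data, 4 + i * RECORD.size)) for i in range(count)]


def build_nan(entries: List[Nanomite]) -> bytes:
    """Inverse of parse_nan; used below only to construct the sample file."""
    return struct.pack("<I", len(entries)) + b"".join(
        RECORD.pack(e.address, e.destination, e.size, e.jump_type) for e in entries)


def audit(entries: List[Nanomite], image_base: int, image: bytes) -> List[str]:
    """Check each record against a dump.  ASSUMPTION: `image` is section-mapped (laid out as
    in memory), so VA - image_base is a byte offset.  Returns human-readable findings."""
    findings = []
    valid = range(image_base, image_base + len(image))
    for e in entries:
        if e.address not in valid:
            findings.append("0x%08X: address outside the dump" % e.address)
            continue
        byte = image[e.address - image_base]
        if byte != 0xCC:
            findings.append("0x%08X: byte is 0x%02X, not 0xCC" % (e.address, byte))
        if e.jump_type <= 1:
            continue  # JUnknown / NotNanomite: a 0xCC that is not a jump; never patch these
        if e.destination not in valid:
            findings.append("0x%08X: %s destination 0x%08X outside the dump" % (e.address, e.kind, e.destination))
    return findings


def jump_taken(jump_type: int, eflags: int) -> bool:
    """Standard x86 Jcc condition for a JumpType, evaluated on a saved EFLAGS: the decision a
    VEH handler must make when the int3 at Address fires.  JCXZ/JNCXZ also depend on ECX,
    so they are refused here rather than guessed."""
    cf, pf, zf, sf, of = (bool(eflags & bit) for bit in (CF, PF, ZF, SF, OF))
    cond = {
        "JMP": True, "JZ": zf, "JNZ": not zf, "JB": cf, "JC": cf, "JNB": not cf, "JNC": not cf,
        "JBE": cf or zf, "JA": not (cf or zf), "JL": sf != of, "JGE": sf == of,
        "JLE": zf or sf != of, "JG": not zf and sf == of, "JP": pf, "JPE": pf,
        "JNP": not pf, "JPO": not pf, "JS": sf, "JNS": not sf, "JO": of, "JNO": not of,
    }
    kind = JUMP_TYPES.get(jump_type)
    if kind not in cond:
        raise ValueError("cannot decide %s from EFLAGS alone" % kind)
    return cond[kind]


# Constructed sample: a 0x60-byte "dump" based at 0x400000 holding 0xCC at +0x10 and +0x30,
# and a three-record .nan table, one of which points at a byte that is not 0xCC.
IMAGE_BASE = 0x400000
SAMPLE_IMAGE = bytearray(b"\x90" * 0x60)
SAMPLE_IMAGE[0x10] = 0xCC
SAMPLE_IMAGE[0x30] = 0xCC
SAMPLE_NAN = build_nan([
    Nanomite(0x400010, 0x400040, 6, 4),  # JZ nanomite at +0x10, target +0x40
    Nanomite(0x400030, 0, 0, 1),         # stray int3 recorded as NotNanomite
    Nanomite(0x400020, 0x400050, 2, 3),  # bogus: +0x20 holds 0x90, not 0xCC
])


def demo() -> List[str]:
    entries = parse_nan(SAMPLE_NAN)
    for e in entries:
        print("%08X -> %08X  %-12s size=%d" % (e.address, e.destination, e.kind, e.size))
    findings = audit(entries, IMAGE_BASE, bytes(SAMPLE_IMAGE))
    for f in findings:
        print("WARNING", f)
    return findings


if __name__ == "__main__":
    demo()
```

Run against a real pair, the audit's first check is the quick way to tell whether a .nan file belongs to the dump you are holding: a table saved from one build and applied to another will show many non-0xCC addresses. Entries that pass the byte check are still only candidates, for the reason the readme gives; the run-time log ("log nanomites") is what confirms which ones Armadillo actually services.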
| Related URLs: | No related URLs have been submitted for this tool yet |
|---|---|
Below you will find useful notes about this tool, left by other users.

Problem starting program
When I try to open this program, it shows me an error saying something like:
"Failed to start because the application configuration is incorrect, reinstalling the application might fix this problem."
SOLUTION:
Yes, and if you read above in the description, it says: "If you experience any problems running the program, you may need to download and install Microsoft Visual C++ 2005 Redistributable Package (x86)"
It can be found here:
http://www.microsoft.com/downloads/details.aspx?familyid=32bc1bee-a3f9-4c13-9c99-220b62a191ee&displaylang=en