From Collaborative RCE Tool Library

Jump to: navigation, search

dilloDIE

Tool name: dilloDIE
Rating: 0.0 (0 votes)
Author: mr_magic                        
Website: http://cip-re.6x.to
Current version: 1.6
Last updated: July 26, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: This Tool can strip Armadillo Protection from protected Exes/Dlls.

Supports 3.xx and 4.xx versions.


Supported features:
-------------------

Standard Features
Debugblocker
CopyMemII
Nanomites
Import Elimination
Strategic Code Splicing


Known Issues:
-------------

VB Applications protected with the Import Elimination feature are not
supported.


Rebuilding:
-----------

Dumps are 100% working, but for aesthetic reasons one might want to remove
Armadillo Sections from Section header and its Data physically. This can
be done quite comfortable with the CFF Explorer or any simmilar PE Editor.

Armadillo Sections are usually called:

.text1
.adata
.data1
.pdata


Nanomites:
----------

Some things about Nanomites: dilloDIE will resolve all Nanomites correctly
for most Applications. There _might_ be apps though, which are somehow
obfuscated in some parts and dilloDIE will fail in properly detecting all
Nanomarkers, which are used to except Fake Nanomites. In this case one
should use the "Emulate" Option, which will cause dilloDIE not to resolve
Nanomites at unpacking time, but to inject a handler which resolves them at
execution time. Dumps using this handler will work on Windows XP and above
only though.

If Nanomites arent processed correcty, try to activate "Unpack in high
priority class". This should fix some windows internal timing issues.


Options:
--------

If a Dump ain't working correctly, you can try to change some Options.

Deactivate the Disassembler for any protection part if not everything gets
fixed properly (e.g. there are not all import references/nanomites/spliced
jumps fixed/resolved due to code obfuscation which will make the disassmbler
fuck things up).
Decrease or set the Max. Size for Spliced Code sections to 0 if a section
gets wrongly detected as spliced (just in case... or increase it to make
a bigger Spliced Code section to be detected properly.
Related URLs: No related URLs have been submitted for this tool yet


RSS feed Feed containing all updates for this tool.

Retrieved from "http://www.woodmann.com/collaborative/tools/index.php/DilloDIE"


If you find that any information for the tool above is missing, outdated or incorrect, please edit it!
(please also edit it if you think it fits well in some additional category, since this can also be controlled)

Views
Category Navigation Tree
RCE Tools
   Categorized by Target Type  (98)
   Categorized by Tool Type  (625)
   Anti Anti Test Tools  (8)
   Assemblers  (14)
   Code Coverage Tools  (9)
   Code Injection Tools  (17)
   Code Ripping Tools  (1)
   Crypto Tools  (2)
   Data Extraction Tools  (14)
   Debuggers  (26)
   Decompilers  (13)
   Deobfuscation Tools  (5)
   Dependency Analyzer Tools  (3)
   Diff Tools  (26)
   Disassemblers  (25)
   Dongle Tools  (8)
   Exe Analyzers  (22)
   Firefox Extensions  (1)
   GUI Manipulation Tools  (9)
   Hex Editors  (10)
   Kernel Tools  (5)
   Memory Data Tracing Tools  (6)
   Memory Patchers  (3)
   Memory Search Tools  (6)
   Monitoring Tools  (68)
   Network Tools  (12)
   PE Executable Editors  (42)
   Packers  (10)
   Patch Packaging Tools  (6)
   Profiler Tools  (9)
   Programming Libraries  (23)
   Regular Expression Tools  (3)
   Resource Editors  (7)
   Reverse Engineering Frameworks  (7)
   Source Code Tools  (11)
   String Finders  (5)
   Symbol Tools  (5)
   System Information Extraction Tools  (4)
   Technical PoC Tools  (3)
   Test and Sandbox Environments  (12)
   Tool Extensions  (102)
   Tool Hiding Tools  (1)
   Tool Signatures  (19)
   Tracers  (10)
   Unpacking Tools  (33)
   Automated Unpackers  (12)
   Dump Fixers  (2)
   IAT Restore Tools  (3)
   Memory Dumpers  (8)
   OEP Finders  (4)
   Process Dumpers  (4)
   Needs New Category