ARTeam: ArmaGeddon v1.0 Conceptual overview tool for unpacking Armadillo by CondZero
Shub-nigurrath
02-18-2008, 10:35 AM
Hi all,
new tutorial and a new tool: ArmaGeddon 1.0
Not everyone likes to give away the tool and a tutorial on how it works. Thanks CondZero!
[Tutorial]
ArmaGeddon V1.0 Conceptual Overview Tool For Unpacking Armadillo
available at http://tutorials.accessroot.com
which explains what goes on under the hood of the tool
[Tool]
Available here:
http://arteam.accessroot.com/releases.html
Supported Features
------------------
Standard Protection
Minimum Protection
Memory Patching
Debugblocker
CopyMemII
Import Elimination
Import Redirection (Emulation)
Strategic Code Splicing
Nanomites
..
BR,
Shub
Thanks Shub for the new tutorial. Maybe you could create a note and link to the new "tool" in the CRCETL for ArmaGeddon v1.0, before dELTA sneaks in there and does it for you.
Regards,
dELTA
02-18-2008, 11:12 AM
Extremely nice work as usual, thanks for the work and the heads up!
CRCETL:
http://www.woodmann.com/collaborative/tools/index.php/ArmaGeddon
See!!! I told you he would sneak in and create it for you.
Regards,
Shub-nigurrath
02-18-2008, 11:20 AM
argh, too late. ^_^
Anyway I'm a little lazy so I was waiting for him.. ;-)
Polaris
02-18-2008, 12:23 PM
Shub-nigurrath, is there any chance that in the near future we will also see the ArTeam Import Reconstructor released? I am very curious to check it out

Anyway, good job with this release!
condzero
02-18-2008, 12:50 PM
Polaris,
That is a good question. Currently it comes in 2 flavors:
1. ARImpRec.dll - which, if you do as I have done and use DLL2LIB to convert it to its equivalent ARImpRec.lib, allows you to embed it into your program
2. ARTeamImportReconstructor.exe standalone, works pretty much like ImpRec only better for shuffled imports.
I'm sure our Nacho_dj (author) would be receptive. These tools are very new and still going through some growing pains, but I'm extremely excited and impressed with them.
cheers!
Well, when it's ready to "go public" we would be pleased to have it listed on the CRCELT and please remember that ANYONE can make additions to the collection when there are new "tools" available.
Regards,
Polaris
02-18-2008, 01:51 PM
Condzero, thanks for the quick (and positive) answer!

Nacho_dj
02-18-2008, 02:42 PM
As condzero said, the import tool was designed exclusively for fast and easy recovery of a shuffled IAT. So, it is limited in functionality, but at least it saves you time when rebuilding from Armadillo.
I'll try to improve it a little before its release. Thanks for your interest.
Btw, condzero, Armageddon rockz!
Cheers
Nacho_dj
Admiral
02-18-2008, 03:44 PM
Sweet. You actually reverse-engineered ArmInline to work out how to interface with my Nanolib.dll. You could have just asked, but I'm flattered nonetheless.
Excellent work though. It's so much more convenient to have this menial work done for you quickly and reliably than to manually pick Armadillo's shell off.
Admiral
when im tryng to open this programe its not opning wat the problem plz if u have any idea tell me
i got this error
http://xs224.xs.to/xs224/08082/bin824.jpg
Polaris
02-19-2008, 03:54 AM
From the tutorial:
Quote:
If you experience any problems running the program, you may need to download and install Microsoft Visual C++ 2005 Redistributable Package (x86) available here:
http://www.microsoft.com/downloads/details.aspx?familyid=32bc1bee-a3f9-4c13-9c99-220b62a191ee&displaylang=en
Did you already try this?
ok i instal it but i get a problem when i click on load button and tryng to select a file for unpacking like dilodie its not showing any file in browser ?
http://xs224.xs.to/xs224/08082/desk617.jpg
lol at the last post.. even "clic and enjoy" unpackers aren't enough for some people.. grin.
Well as an ex author of Armadillo, i just wanted to say this is a nice unpacker, i respect nice reverse engineering work.
Nice little packer you made too

Polaris
02-19-2008, 09:52 AM
You should check the caption... You're opening a nanomities file, not the file for unpacking.
Polaris
02-19-2008, 09:53 AM
Quote (Originally Posted by Nico):
lol at the last post.. even "clic and enjoy" unpackers aren't enough for some people.. grin.
Hahhahahahahaha

Quote (Originally Posted by Polaris):
You should check the caption... You're opening a nanomities file, not the file for unpacking.
cant get wat do u mean its not an unpacker?
You don't fit the minimum requirement "name."
- Brain Final Version (not a time limited one, with all features enabled)
dELTA
02-19-2008, 10:38 AM
Hey "name"...
Get a clue.
Stop writing like a stupid kiddie.
Stop bloating our database with your uploaded screenshots.
Read the FAQ.
Get lost.
Your current posts will be kept purely for their entertainment value, but further pollution of this and other threads with brain dead crap like that will be deleted without warning.
For cryin' out loud...

SSlEvIN
02-19-2008, 12:47 PM
name, you made my day, definitely !!! Right, now beam me up, Scotty !
Darn! The Prince is trying to steal my "Lame Poster" chastisement.
Regards,
Quote (Originally Posted by Nico):
You don't fit the minimum requirement "name."
- Brain Final Version (not a time limited one, with all features enabled)
nice sense of humour

ok thanks brothers i like your behaviour one more time thanks
SunBeam
02-26-2008, 04:41 PM
Long time, no post around here. This dude has PMed me at ap0x's board, RES boards, ARTeam and some other places asking me for the same freaking thing - to unpack a crappy sniffer that uses y0da's protector. Even if he followed a damn tutorial, he would be able to do it. Not to mention there is effin' OllyDbg + ODbgScript + a script made by fly for this protector. What else can you want more?!
Sorry for the off-topic, heh. Anyway, back on track, don't know if it's been stated, any soon-to-be support for DLLs? Not much protection involved, but it would make a nice addition (compared to, say, dilloDIE).
Shub-nigurrath
02-27-2008, 02:34 AM
Hi mate,
actually nacho and condzero solved some nasty bugs which prevented the program from correctly dumping & rebuilding some targets (details on our forum); the dll thing is the easiest part because several protections cannot be used.. it's somehow planned to add it sooner or later.
SunBeam
02-27-2008, 03:31 AM
Thanks for the info, Shub. Will keep a look out for updates

Read the newest ones on ARTeam board

condzero
02-27-2008, 10:01 AM
We are currently testing v1.1 as you(we) speak. It will offer the following:
February 2008 - v1.1
+ added dll support (dll loader.exe)
+ added option "Use OpenMutext trick" to force a single process. Use only if normal "debug blocker" processing fails. This would occur when a parent process launches the child process, but doesn't debug the child process (i.e. use the WaitForDebugEvent API)
+ improve IAT elimination functionality
+ includes updated ARTeam Import Reconstructor
I think these changes will address many issues to date. Should be released fairly soon. stay tuned.
cheers! and thx for the comments...
Polaris
02-27-2008, 10:03 AM
Lovely!

tofu-sensei
02-27-2008, 12:27 PM
condzero, could you also change the way you name the dumped executables? instead of appending an underscore to the name of the second file, you could append it to the first one.
otherwise the unpacker will fail to fix any nanomites in targets that check their own filename (at least that's what i guess was happening).
that's the only problem i've come across so far.
condzero
02-27-2008, 01:09 PM
Quote (Originally Posted by tofu-sensei):
otherwise the unpacker will fail to fix any nanomites in targets that check their own filename (at least that's what i guess was happening).
that's the only problem i've come across so far.
This should not be the case. The sequence should be: unpack to a saved dumped file >> ex: dumped.exe.
The Import Reconstructor will then save to>>dumped_exe similar to imprec.
For nanomites, the nanolib.dll will execute (via CreateProcess) the original target and scan for INT3 just as ArmInline tool does. When finished, you "Repair Dump" to a filename >>dumped_NanoFix.exe
I'm not sure what your problem is?
tofu-sensei
02-27-2008, 02:05 PM
ah, you're right. the target i tried seems to have some custom protection (which also checks the filename), for some reason it won't start when rebuilding nanomites (maybe because there are two instances of the program running?).
as a result i'm getting something like this:
Code:
------ Nanomites ------
Initialising...
6902 potential INT3 found.
Process terminated
condzero
02-27-2008, 04:17 PM
@tofu-sensei: please pm me your target and I'll have a look at it.
cheers
condzero
02-28-2008, 09:06 AM
@tofu-sensei: had a chance to look at your target. What led you to believe it had nanomites?
Seems like as good a time as any to state that, yes certain applications have a disdain for being renamed (i.e. dumped, then run new dumpname). So you are right about the filename.
If you get an error such as yours (error while loading because the app is checking itself and cannot be launched twice by the same process is my guess) with the nanomite analysis from the Armageddon tool, I would suggest that you keep the process open (don't terminate) and then use ArmInline to locate and process the nanomites. This should solve your problem. Both tools are very compatible in this regard; the process should be fairly seamless, should it become necessary.
cheers
tofu-sensei
02-28-2008, 09:24 AM
Quote (Originally Posted by condzero):
@tofu-sensei: had a chance to look at your target. What led you to believe it had nanomites?
the message "xxx potential INT3 found" - oh well, guess those were just padding bytes, then. sorry for wasting your time

Shub-nigurrath
02-29-2008, 11:12 AM
Hi all,
condzero just released the new version of his armageddon. He added and fixed several things. One on top of all the dll support..
February 2008 - v1.1
+ added dll support (dll loader.exe)
+ added option "Use OpenMutext trick" to force a single process. Use only if normal "debug blocker" processing fails. This would occur when a parent process launches the child process, but doesn't debug the child process (i.e. use the WaitForDebugEvent API)
+ improve IAT elimination functionality
+ includes updated ARTeam Import Reconstructor
You should already know where to take it. BTW I have already updated CRCEL, before dELTA jumps in doing it ^_^
Have phun,
Shub
Hopcode
02-29-2008, 11:33 AM
When do you guys release the Import rebuilding dll ? Imprec.dll just suck, so it would be cool to have a new one to test

great thanks to AR nice release now i understand i unpacked alot of files
now i know how to use this lolz
dELTA
03-02-2008, 06:07 PM
Thanks for updating the CRCETL entry Shub (and of course thanks ARteam for a great contribution).

Shub-nigurrath
03-05-2008, 08:00 AM
Attention,
version 1.2 of the tool is out:
March 2008 - v1.2
+ improved PE section name resolution for internal use (thanks Ghandi)
+ improved ARTeam Import Reconstructor v1.1
again CRCETL is updated.
Shub:
I added the most recent "Last Updated" listing to March 5, 2008, from the February listing, just to be as accurate as possible.
Regards,
Shub-nigurrath
03-08-2008, 05:49 PM
Ding Ding.. guess what? New version!! condzero is restless ..
March 2008 - v1.2g [gabor edition]
+ add warning message for OEP call return VA not from Armadillo VM
Note: Informational, not usually relevant for dll's or exe's with copymem2,
but may be useful for troubleshooting invalid OEP's resulting
from custom implementations and/or packing / compressing of a file
prior to being protected by Armadillo
+ fix problem with copymem2 search string error
+ fix problem with createdump on error
dedicated to gabor who pointed condzero to a series of problems he only reported.. ^_^
Thanks Shub and condzero for the update and updating the CRCETL entry.
Regards,
SunBeam
03-08-2008, 09:22 PM
Just a quick report - doesn't work at all on BigFish Games' appz. They're Arma 4.66 and I get this:
http://i25.tinypic.com/2la34ah.png
Nacho_dj
03-09-2008, 03:38 AM
Please, could you PM the target name, to me or any of the ARTeam members here?
As far as I know, it has been working for many BFG targets, so this could be an exceptional case...
Many thanks for your report
Nacho_dj
Admiral
03-09-2008, 10:22 AM
Can I ask what method you're using to remove the IAT elimination? That error message suggests you're using something version-specific, but as far as I understand, it can be fixed deterministically in a general manner with a very high probability of success.
ArmInline's method was to create a list of addresses of every function in every loaded module, then scour the code segment for any DWORD PTR instructions, enumerating all the respective addresses and their referees. From here, it's a painstaking exercise in integer sorting and module cross-referencing to describe all imported modules, their functions and the locations that reference them (using the assumption that any literal pointer to a DLL function is an import). With this information it is straightforward to construct an entirely new import table, without worrying about any of Armadillo's version-specific implementation details. This may sound like overkill, but it makes the algorithm nearly foolproof and as far as I know it works flawlessly around the clock.
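The scan-sort-rebuild procedure Admiral outlines, as an added example that is not ArmInline's or ArmaGeddon's code: the module export addresses, the region holding the relocated slots, the code bytes and the new IAT address are all constructed. It scans a code buffer for absolute `DWORD PTR [m32]` operands, keeps only those whose slot contains the address of a known DLL export, sorts the hits by module and function, lays out a fresh IAT (one slot per function, a null terminator per module) and rewrites every referencing instruction to point at the new slot.

```python
"""Rebuilding an eliminated import table by scanning for absolute DWORD PTR operands,
in the spirit of the ArmInline approach Admiral describes above.
Added example, not ArmInline's or ArmaGeddon's code: every address, module and byte
below is constructed for illustration."""
import struct
from collections import OrderedDict

# Constructed "loaded modules": export address -> function name (fake addresses).
MODULE_EXPORTS = {
    "kernel32.dll": {0x7C801D7B: "LoadLibraryA", 0x7C80AE40: "GetProcAddress",
                     0x7C80B64F: "ExitProcess"},
    "user32.dll": {0x77D507EA: "MessageBoxA"},
}
FUNC_BY_ADDR = {addr: (mod, name) for mod, exps in MODULE_EXPORTS.items()
                for addr, name in exps.items()}

# Two-byte opcodes followed by an absolute DWORD PTR [m32] operand.
PTR_OPCODES = {b"\xff\x15": "call", b"\xff\x25": "jmp",
               b"\x8b\x35": "mov esi,", b"\x8b\x3d": "mov edi,"}

# Constructed region where the protector parked the import slots after elimination.
IAT_REGION_VA = 0x00380000
IAT_REGION = struct.pack("<5I", 0x7C801D7B, 0x7C80AE40, 0x77D507EA, 0x7C80B64F, 0x00401000)

# Constructed code segment referencing those slots.
CODE_VA = 0x00401000
CODE = bytes.fromhex(
    "6a00"          # push 0
    "ff1508003800"  # call dword ptr [0x00380008]     -> MessageBoxA
    "ff1500003800"  # call dword ptr [0x00380000]     -> LoadLibraryA
    "8b3504003800"  # mov esi, dword ptr [0x00380004] -> GetProcAddress
    "ff1508003800"  # call dword ptr [0x00380008]     -> MessageBoxA (second referee)
    "ff2510003800"  # jmp dword ptr [0x00380010]      -> slot holds a code address: not an import
    "ff150c003800"  # call dword ptr [0x0038000C]     -> ExitProcess
    "ff15deadbeef"  # operand is unmapped memory: ignored
)
MEMORY = {IAT_REGION_VA: IAT_REGION, CODE_VA: CODE}


def read_dword(va):
    """Read a little-endian DWORD from the constructed memory map, or None if unmapped."""
    for base, data in MEMORY.items():
        if base <= va <= base + len(data) - 4:
            return struct.unpack_from("<I", data, va - base)[0]
    return None


def scan_pointer_refs(code=CODE, code_va=CODE_VA):
    """Every DWORD PTR operand whose slot holds an exported DLL function address is an import.
    Returns (reference VA, mnemonic, slot VA, module, function) tuples in code order."""
    refs = []
    for i in range(len(code) - 5):
        mnem = PTR_OPCODES.get(code[i:i + 2])
        if mnem is None:
            continue
        slot_va = struct.unpack_from("<I", code, i + 2)[0]
        target = read_dword(slot_va)
        if target in FUNC_BY_ADDR:
            module, func = FUNC_BY_ADDR[target]
            refs.append((code_va + i, mnem, slot_va, module, func))
    return refs


def build_import_table(refs, new_iat_va=0x00405000):
    """Sort references by module and function, assign one new slot per function and a
    null terminator per module.  Returns (table, {(module, func): new slot VA})."""
    by_module = {}
    for _, _, _, module, func in refs:
        by_module.setdefault(module, set()).add(func)
    table, slot_map, va = OrderedDict(), {}, new_iat_va
    for module in sorted(by_module):
        entries = []
        for func in sorted(by_module[module]):
            entries.append((func, va))
            slot_map[(module, func)] = va
            va += 4
        table[module] = entries
        va += 4  # null terminator closing this module's thunk array
    return table, slot_map


def patch_references(refs, slot_map, code=CODE, code_va=CODE_VA):
    """Point every reference at the function's slot in the rebuilt IAT."""
    patched = bytearray(code)
    for ref_va, _, _, module, func in refs:
        struct.pack_into("<I", patched, ref_va - code_va + 2, slot_map[(module, func)])
    return bytes(patched)


def rebuild():
    refs = scan_pointer_refs()
    table, slot_map = build_import_table(refs)
    return refs, table, patch_references(refs, slot_map)


if __name__ == "__main__":
    refs, table, patched = rebuild()
    for ref_va, mnem, slot_va, module, func in refs:
        print(f"{ref_va:08X}  {mnem} [{slot_va:08X}]  -> {module}!{func}")
    for module, entries in table.items():
        print(module, ", ".join(f"{f}@{va:08X}" for f, va in entries))
```

The two negative cases in the buffer are the ones that make the "any literal pointer to a DLL function is an import" assumption safe: a slot that holds a non-export value (here a code address) and an operand that points at unmapped memory are both skipped rather than turned into bogus imports. On a real dump the scan would run over every executable section and the export map would come from walking the loaded modules' export directories; the sorting and patching steps stay the same.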
condzero
03-09-2008, 11:04 AM
Quote (Originally Posted by Admiral):
Can I ask what method you're using to remove the IAT elimination?
I am using a fairly simple and straightforward technique whereby I search for a given hex string within the function to set a pointer.
Code:
00552773 83BD CCD7FFFF 00 CMP DWORD PTR SS:[EBP-2834],0
0055277A 74 4D JE SHORT dumped.005527C9
0055277C 8B85 78D3FFFF MOV EAX,DWORD PTR SS:[EBP-2C88] <<
00552782 2B85 7CD8FFFF SUB EAX,DWORD PTR SS:[EBP-2784] <<
00552788 C1E8 02 SHR EAX,2 <<
The search string references the above code at address 0055277C. I then search backwards for the DWORD PTR SS:[EBP-2834] which actually contains the "suggested" new memory VM for IAT elimination. Using the referenced hex string at this address "CCD7FFFF", I can then find the first occurrence of this and set my SWBP. When we hit the BP, we interrogate the variable for a value > 0, if found, we can simply change it to point to an address of our choosing within the range of the module's code. Basically, by tweaking the search strings, we can effectively manage a wide range of Armadillo releases. Maybe not the most scientific or best way perhaps, but simple and fairly reliable to date.
BTW, the use of search strings (+ wildcards) was to anticipate future growth. By incorporating try / except type blocks of code, we can search multiple iterations if necessary, or so my thinking is / was.
cheers
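The search-string approach condzero describes, as an added example that is not ArmaGeddon's code: the byte buffer (only its last three instructions reproduce the listing in the post), the displacements, the stack value and the module range are all constructed, and `??` is assumed to mean "match any one byte". It locates the signature, searches backwards from it for the `CMP DWORD PTR [EBP+disp32],0 / JE` pair to learn which stack variable holds the suggested VM address, reports where the breakpoint goes, and simulates the breakpoint handler that swaps a non-zero value for an address inside the module's own code range.

```python
"""Signature-driven breakpoint placement for the IAT-elimination routine, modelled on
condzero's description above.  Added example, not ArmaGeddon's code: the byte buffer,
displacements, stack values and module range below are constructed."""
import re
import struct

CODE = bytes.fromhex(
    "55"                    # push ebp
    "8BEC"                  # mov ebp, esp
    "81EC38280000"          # sub esp, 0x2838
    "C785CCD7FFFF00000000"  # mov dword ptr [ebp-0x2834], 0      variable initialised
    "E800000000"            # call <allocate VM region>          relative target left as 0
    "8985CCD7FFFF"          # mov dword ptr [ebp-0x2834], eax    suggested VM address stored
    "83BDCCD7FFFF00"        # cmp dword ptr [ebp-0x2834], 0      breakpoint lands here
    "744D"                  # je short +0x4D
    "8B8578D3FFFF"          # mov eax, dword ptr [ebp-0x2C88]    signature start (as in the listing)
    "2B857CD8FFFF"          # sub eax, dword ptr [ebp-0x2784]
    "C1E802"                # shr eax, 2
)

# Search strings; ?? is a wildcard byte, used for stack displacements that differ between builds.
SIG_ELIM = "8B85 ???????? 2B85 ???????? C1E8 02"
SIG_CMP = "83BD ???????? 00 74 ??"


def compile_signature(sig):
    """Turn 'AA ?? BB' into a bytes regex where ?? matches any single byte."""
    tokens = sig.replace(" ", "")
    parts = [b"." if tokens[i:i + 2] == "??" else re.escape(bytes([int(tokens[i:i + 2], 16)]))
             for i in range(0, len(tokens), 2)]
    return re.compile(b"".join(parts), re.DOTALL)


def find_signature(buf, sig):
    """Offsets of every (non-overlapping) match of the signature in buf."""
    return [m.start() for m in compile_signature(sig).finditer(buf)]


def locate_breakpoint(buf, sig=SIG_ELIM, cmp_sig=SIG_CMP):
    """Find the unique signature, then search backwards for the nearest
    CMP DWORD PTR [EBP+disp32],0 / JE pair.  Returns (breakpoint offset, disp32)."""
    hits = find_signature(buf, sig)
    if len(hits) != 1:
        raise LookupError(f"expected one signature hit, got {len(hits)}")
    cmp_hits = find_signature(buf[:hits[0]], cmp_sig)
    if not cmp_hits:
        raise LookupError("no CMP/JE pair precedes the signature")
    cmp_off = cmp_hits[-1]
    disp = struct.unpack_from("<i", buf, cmp_off + 2)[0]
    return cmp_off, disp


def count_variable_refs(buf, disp):
    """How many times the routine touches [EBP+disp32] (by its displacement bytes)."""
    return buf.count(struct.pack("<i", disp))


def on_breakpoint(frame, disp, module_lo, module_hi, new_va):
    """Simulated breakpoint handler: frame maps EBP-relative displacements to DWORDs.
    If the protector proposed a VM address (> 0), replace it with new_va inside the
    module's own code range and return the value written; otherwise leave it and return None."""
    if not module_lo <= new_va < module_hi:
        raise ValueError("replacement must lie inside the module")
    if frame.get(disp, 0) > 0:
        frame[disp] = new_va
        return new_va
    return None


if __name__ == "__main__":
    bp, disp = locate_breakpoint(CODE)
    print(f"breakpoint at +{bp:#x}, variable [ebp{disp:#x}] referenced "
          f"{count_variable_refs(CODE, disp)} times")
    frame = {disp: 0x00B20000}  # constructed: address the protector proposed for the slots
    print("redirected to", hex(on_breakpoint(frame, disp, 0x00401000, 0x00450000, 0x00432000)))
```

The breakpoint goes on the compare rather than on the first write to the variable because that is the first point at which the suggested address has definitely been stored. `locate_breakpoint` refuses to proceed on zero or multiple signature hits, which is the check that keeps a loosened wildcard pattern from silently picking the wrong routine on a new build.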
Shub-nigurrath
05-19-2008, 04:29 AM
ArmaGeddon 1.3 is out, this is a major release
from the internal readme:
Quote:
May 2008 - v1.3
+ resolve relocations for dll files (Nacho_dj)
+ added new option to minimize the size of a dumped file (Nacho_dj)
Particularly useful for Shockwave Flash + applications that make use of an overlay. Of course this will also rebuild a normal target's PE structure.
+ improved import rebuilder v1.1.2 (Nacho_dj)
+ added new option to "Resolve" nanomite INT3 instructions with their original
jmp instructions and patch directly to the dumped target. Requires use of the nanomite "Analyze" + "Log" options. Note: you can also elect to resolve nanomites directly to a target process's memory if you elect to detach!!
+ integrated Admiral's Strategic Code Splicing removal engine into the tool.
This is now the (default) behaviour and can be overridden with new option to
redirect CS (code splices) instead
+ new option to dump / decrypt / decompress the .pdata section to a binary file
+ new option to detach from a process (choose: DebugBlocker or CopyMemII)
+ resolve problem for ArmAccess dll function:Installkey missing error msg
+ add support for UPX compressed single process targets
+ new option to change your Standard / Enhanced Hardware Fingerprint ID
+ resolve some minor bugs
BR,
Shubby
dELTA
05-19-2008, 12:44 PM
Shubby...
Anyway, thanks as usual for the heads-up and the CRCETL update (and to CondZero of course, for keeping this great tool updated).

naides
05-19-2008, 07:09 PM
I have found something curious regarding Armageddon.
I had some little sudoku game that was packed with Arma 5.2. ArmaGeddon unpacked it seamlessly and it worked fine. However, a couple of weeks back, I think since I installed Windows XP SP3, the unpacked application refused to run, and Armageddon does not unpack it correctly anymore. It seems to "escape" the tool and run instead of stopping at the entry point. . .
I confess I have not really looked into it carefully, but other people that have installed SP3 may want to check if this is a widespread issue with ArmaGeddon.
Shub-nigurrath
05-20-2008, 07:58 AM
I have SP3 and works flawlessly on other targets either dll or exe, but not arma 5.2
condzero
05-20-2008, 01:23 PM
I would be most interested in any findings on this as well as any potential problems with Arma 5.2.
I have winxp sp2 installed on my machine and this
is the environment that it was created in.
cheers
dELTA
05-20-2008, 03:15 PM
I'm sure that naides can send you his exact target condzero. It would be very nice to see if SP3 breaks something debugging/reversing related...
Naides?
I am shocked, shocked I tell you, to even contemplate that a Microsoft update might break some reversing tools.

I believe this latest one was, at least in part, attempting to make the system more "secure" and might be expected to have some effects on previous methods of doing some things.
Regards,
Shub-nigurrath
05-22-2008, 02:54 AM
Hi all,
two hotfixes in two days. rce lib updated of course ;-)
May 2008 - v1.3.2
+ hotfix to resolve nanomites
+ relocate base address of Nanolib.dll
===========================================
May 2008 - v1.3.1
+ hotfix to resolve CreateProcess API problem
in Nanolib.dll for target work directory
not still addressing the SP3 issue.
dELTA
05-22-2008, 03:13 AM
Thanks for the quick updates Shub. Let us know if the issue with SP3 solved.
Regards,
naides
05-22-2008, 04:54 AM
Just to let anyone know. I have been PMing with condzero regarding SP3. He provided me with an (I think) manually unpacked version of the app in question, which suddenly required ArmAccess.dll to run (????). I know for a fact that the packed version does not need this dll (I found out that the .dll file is created on the fly by the unpacking code, but it seems it is not happening or not staying in SP3), nor do the packed or unpacked versions on SP2 ask for ArmAccess.dll.
Any comments??
condzero
05-22-2008, 07:39 AM
Not having unpacked this app before, I can't offer too much. It is not uncommon for progs to ask for ArmAccess.dll after unpacking due to the non-existence of the virtual ArmAccess.dll, and also for external environment variables (i.e. ALTUSERNAME) for progs that use them.
As soon as I get SP3 up and running, I will revisit this app for the problem you stated.
I unpacked using the automated Armageddon tool. I did need to resolve nanomites a few times (which you can do by the "Log" option) because they were cute in embedding the damn things in most of the main functions off the menu. This way we can avoid the use of VEH for those that don't like this.
cheers
bubaka
05-23-2008, 09:42 PM
- armadillo 4.66 (according to Arma intruder). ArmaGeddon does NOTHING.
dELTA
05-24-2008, 04:22 AM
Send any target names by PM to condzero, they are not allowed in the public forums.
Which ANYONE who has actually READ THE FAQ should already know!
Regards,
Shub-nigurrath
06-01-2008, 05:08 AM
an update has been released by condzero
Quote:
June 2008 - v1.3.3
+ hotfix to resolve strategic code splicing issue for last inactive MOV EDI,EDI instructions and issue a warning message
Thanks Shub. I removed the double post which was apparently made by an extra click of the mouse.
Regards,
download link is not available when u gonna put a download link for Armageddon
Nacho_dj
06-06-2008, 01:37 AM
Try this link, then search the tool in the index:
http://arteam.accessroot.com/releases.html
Link not working
Fatal error: Call to a member function on a non-object in /home/access/public_html/forums/sources/classes/class_display.php on line 90
The problem appears to be at your end. The link works perfectly from the U.S. Did you copy and paste into your browser??
Regards,
Yes i did the same thing copied link to browser but same problem and this link is working but download link is not available?
http://www.woodmann.com/collaborative/tools/index.php/ArmaGeddon
would u like to upload it somewhere else
www.2shared.com
www.rapidshare.com
www.megashare.com
dELTA
06-07-2008, 08:23 AM
Does the following direct download link work?
http://arteam.accessroot.com/releases.html?fid=35
The "problem" still appears to be on your end. The links both get me to the AR Team Tools page and the download link for ArmaGeddon 1.3.3 works just fine from here.

Have you tried a different browser??
Regards,