View Full Version : armadillo

October 10th, 2001, 13:06
I was playing with the latest armadillo and succesfully unpacked the files which i armadillo-ed (like notepad).
But when i tried to unarmadillo the "armadillo.exe" .........It keeps
I think it has to do someting with the manner of dumping (with the other files i dumped the .tmp0 -files and made an valid iat.

Tracing to the oep (latest jump is :jmp eax in some kernel ?? routine and here i can't give an jmp eip because dumping prog's
won,t work anymore) give at the oep :41d0dc jmp 41d0dc ?????
Maybe the prog is in an other way protected.

Any ideas ???

Greetz SpeKKeL..........

October 10th, 2001, 14:32
Hiya SpeKKel,
Sorry can't help you out here but I sent you a pm re something else.

October 10th, 2001, 16:53
hi SpeKKel,
since version 2.1 i think, the code Section -splitted in 4kByte Parts- is a second time encrypted and will be decrypted only if code in a Part is used. Notebooks Codesection is under 4kByte and therefore its constantly decrypted.
Set a Breakpoint an 'WriteProcessMemory' and you will find it.


October 10th, 2001, 17:07
<EDIT> a little correction, the Parts arent 4kByte they are 16kByte.

October 11th, 2001, 04:07
h'mmm ,

I see that a lot of fuctions of the prog. are calling the writeprocessmemory..but how must i now go on ??
Tried several dumps after these calls but that leads to nothing.


October 12th, 2001, 18:36
my english is not so good,but i will try to explain.
choose VirtualProtectEx as breakpoint. On the first break you will find the CopyMemII runtimeEncryption Routine, there are two jmps to bypass it:
test ecx,ecx
jz ...

On the twelfth Break you will find the CopyMemII Decrypt Routine and a second decrypt Routine (simple xor) . This second you can't bypass or better you should'nt, because the whole codesection is encrypted from start (thats new in this version) , but CopyMem you must (also two jmps) .
One way to decrypt and dump the whole Code is to change the parameters 'Size' for the MemoryAllocation Function (DestinationBuffer for ReadProcessMem, find this first!) , and 'Size' / 'SourceMemory' for ReadProcessMemory. Look in the .tmp0 file for this Infos, Size must be the Size of the 'XXX...' Area and SourceMem the StartAddress of this Area (eg. 401000) . You must change the 'counter' for the decrypt Loop, so that all the code is decrypted. If its decrypted dump it and change the dumped code with the XXX's.
The OEP that you have found is right.

good luck :-)


October 13th, 2001, 02:15
Hello SpeKKel !

I've debugged Armadillo some time, too. It debugs it's own process. So when there is a call to some encrypted code, Armadillo knows it, since it's the debugger, and decrypts it. Just writing a proc which reads all memory occupied by the protected application doesn't work. The code must be executed (correct me if I'm wrong, but I placed my memory-reading proc in a unused part of the code segment and it didn't work)
If you want to have a BPX: try DebugBreak or DebugActiveProcess

I haven't looked at the decryption loop in any way, but it could be Blowfish or an other block cipher (I don't know )

I haven't much time to look at it at the moment since I'm just back from holidays and my computer cries for a "format c:"

October 13th, 2001, 03:52
Whow lot's of info , thanks.
Going to work on it these day's I'll keep you informed...