View Full Version : DilloDIE 1.4 - Armadillo 4.xx unpacker
Bra!NSHiT
05-06-2006, 05:52 AM
Quote:
DilloDIE 1.4 - Armadillo 4.xx unpacker
######################################
This Tool can strip Armadillo Protection from protected Exes/Dlls.
supported features:
-------------------
Standard Features
Debugblocker
CopyMemII
Nanomites
Import Elimination
Strategic Code Splicing
Known Issues:
-------------
Applications protected with Armadillo 3.xx or prior will simply start up
when being loaded into dilloDIE. dilloDIE supports 4.xx Versions only.
VB Applications protected with the Import Elimination feature are not
supported either.
Rebuilding:
-----------
Dumps are 100% working, but for aesthetic reasons one might want to remove
Armadillo Sections from Section header and its Data physically. This can
be done quite comfortably with the CFF Explorer or any similar PE Editor.
Armadillo Sections are usually called:
.text1
.adata
.data1
.pdata
Nanomites:
----------
Some things about Nanomites: dilloDIE will resolve all Nanomites correctly
for most Applications. There _might_ be apps though, which are somehow
obfuscated in some parts and dilloDIE will fail in properly detecting all
Nanomarkers, which are used to except Fake Nanomites. In this case one
should use the "Emulate" Option, which will cause dilloDIE not to resolve
Nanomites at unpacking time, but to inject a handler which resolves them at
execution time. Dumps using this handler will work on Windows XP and above
only though.
If Nanomites aren't processed correctly, try to activate "Unpack in high
priority class". This should fix some windows internal timing issues.
Options:
--------
If a Dump ain't working correctly, you can try to change some Options.
Deactivate the Disassembler for any protection part if not everything gets
fixed properly (e.g. there are not all import references/nanomites/spliced
jumps fixed/resolved due to code obfuscation which will make the disassembler
fuck things up).
Decrease or set the Max. Size for Spliced Code sections to 0 if a section
gets wrongly detected as spliced (just in case...) or increase it to make
a bigger Spliced Code section to be detected properly.
"Give a man a fish, he'll eat for a day. Teach a man how to fish, he'll eat
for a lifetime."
Think about it
© 2005-2006 mr_magic
Download it from CIP [Crack in Progress]
http://cip.prag165.server4you.de/index.php?page=tools_list&cat=owncoded&order=tutdate&rev=true
Bye
Upon depressing "Unpack" button it becomes disabled and nothing else happens. All I can do is exit the program. Does this even work?
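
The readme quoted above names the sections Armadillo usually adds (.text1, .adata, .data1, .pdata). As an added triage example, not part of the original posts or of dilloDIE, this reads a PE section table and reports those names; `build_sample` and the weak-evidence rule for `.pdata` are assumptions made for the demo.

```python
import struct

# Section names the readme lists as "usually" belonging to Armadillo.
ARMADILLO_NAMES = {".text1", ".adata", ".data1", ".pdata"}
# Assumption added here: .pdata alone is weak evidence, because 64-bit PE
# files normally carry a .pdata section for exception unwind data.
WEAK_NAMES = {".pdata"}

def section_names(data: bytes) -> list:
    """Return the section names from a PE image's section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    if len(data) < coff + 20:
        raise ValueError("truncated COFF header")
    _, count, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    if len(data) < table + 40 * count:
        raise ValueError("truncated section table")
    names = []
    for i in range(count):
        raw = data[table + 40 * i: table + 40 * i + 8]  # 8-byte padded name
        names.append(raw.split(b"\0")[0].decode("latin-1"))
    return names

def armadillo_hits(data: bytes):
    """Return (matching names, True if any match is stronger than .pdata)."""
    hits = [n for n in section_names(data) if n in ARMADILLO_NAMES]
    return hits, any(n not in WEAK_NAMES for n in hits)

def build_sample(names, opt_size=224) -> bytes:
    """Constructed header-only PE image for the demo; not a real binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table

if __name__ == "__main__":
    packed = build_sample([".text", ".rdata", ".text1", ".adata", ".data1", ".pdata"])
    plain = build_sample([".text", ".rdata", ".pdata"])
    print(armadillo_hits(packed))
    print(armadillo_hits(plain))
```

Section names are only a hint: they can be renamed, so a hit is a reason to look closer rather than a verdict.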

SiGiNT
05-07-2006, 01:55 AM
Works here, WINXP SP2 - I haven't got a working dump yet but I'm throwing extremely difficult targets at it - and I haven't tried all the options yet - the only problems have been nanomite related SURPRISE! - no one has got this one automatically 100% yet - looks like a really nice tool so far! - but (not a complaint just to inform - it's slow).
SiGiNT
EXCELLENT TOOL! - @LLXX - I found out it appears to hang-up and then can restart.
@Admiral - That target I had you look at - high priority and nanomite disassembly checked - working dump in about 10 minutes.
SiGiNT
g3nuin3
05-07-2006, 08:33 PM
works for some targets, and some others it doesn't, but very good work nonetheless mr.magic!
SiGiNT
05-08-2006, 02:00 AM
Well, It's still a pretty good tool, I've had 2 out of 3 failures - spent most of the day patching one dump to make it registered only to find out the original dump is not working correctly, I believe there are problems in both strategic code splicing and nanomites, the other wouldn't unpack no matter what I did - the good news is one very problematic target appears ok so far - keep in mind that all 3 were very difficult targets. Still an admirable accomplishment - I hope the author continues to refine this fine utility,
SiGiNT
OHPen
05-11-2006, 08:41 AM
Actually I wonder why he did release it. He told me he won't....
Armadillo will change now again I think

Extremist
05-11-2006, 02:29 PM
I suggest KillDill.
Nobody watches Tarantino?
SiGiNT
05-11-2006, 02:55 PM
Yeah,
That's a possibility, but didn't I read here that Nico had left - I can't imagine a predecessor that would equal his work.
SiGiNT
disavowed
05-12-2006, 12:16 AM
Yep, Nico's no longer working on Armadillo. He's now at Websense (see his Bio at http://recon.cx/en/t/rev2.html).
SiGiNT
05-12-2006, 12:32 AM
Then Arma has probably gotten as good as it will ever be, kind of reminds me of Macrovision buying FlexLM from Globetrotter, everything they've done so far has made things easier, well............ FlexNet can be a little trickier but still pretty vulnerable.
SiGiNT
SKiLLa
05-28-2006, 06:11 PM
I also tried some very difficult Arma targets and although the tool doesn't like virtual machines or multi-proc's (set affinity to 1 CPU) when tracing it did a good job.
I had to play around with the options and the nanomites part sometimes misses some 'patches' (calls to highmem) but the 'emulate' option works great. The dump was correct, although it still needed some manual patching before it actually 'worked', but I was quite impressed.
@disavowed: thanx for the info, quite explains why Arma hasn't changed that much since v4.0 ...
Bra!NSHiT
07-26-2006, 12:18 PM
UPDATE: DilloDie 1.6
Now supports Armadillo 3.xx! Check out the Release Page
http://cip-re.6x.to/
Bye