
Thread: ARTeam: ArmaGeddon v1.0 Conceptual overview tool for unpacking Armadillo by CondZero

  1. #31
    otherwise the unpacker will fail to fix any nanomites in targets that check their own filename (at least that's what I guess was happening).
    That's the only problem I've come across so far.
    This should not be the case. The sequence should be: unpack to a saved dumped file, e.g. dumped.exe.

    The Import Reconstructor will then save to dumped_exe, similar to ImpREC.

    For nanomites, the nanolib.dll will execute (via CreateProcess) the original target and scan for INT3 just as the ArmInline tool does. When finished, you "Repair Dump" to a filename such as dumped_NanoFix.exe.

    I'm not sure what your problem is?
    If at first you don't succeed, you're just about average

  2. #32
    Ah, you're right. The target I tried seems to have some custom protection (which also checks the filename); for some reason it won't start when rebuilding nanomites (maybe because there are two instances of the program running?).
    As a result I'm getting something like this:
    Code:
    ------ Nanomites ------
    Initialising...
    6902 potential INT3 found.
    Process terminated

  3. #33
    @tofu-sensei: please pm me your target and I'll have a look at it.

    cheers

  4. #34
    @tofu-sensei: had a chance to look at your target. What led you to believe it had nanomites?

    Seems like as good a time as any to state that, yes, certain applications have a disdain for being renamed (i.e. dumped, then run under the new dump name). So you are right about the filename.

    If you get an error such as yours (error while loading because the app is checking itself and cannot be launched twice by the same process, is my guess) with the nanomite analysis from the ArmaGeddon tool, I would suggest that you keep the process open (don't terminate), then use ArmInline to locate and process the nanomites. This should solve your problem. Both tools are very compatible in this regard; the process should be fairly seamless, should it become necessary.

    cheers

  5. #35
    Quote Originally Posted by condzero:
        @tofu-sensei: had a chance to look at your target. What led you to believe it had nanomites?
    The message "xxx potential INT3 found". Oh well, guess those were just padding bytes, then. Sorry for wasting your time.
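    The "potential INT3 found" count discussed above is a raw count of 0xCC bytes, which is why compiler alignment padding (MSVC fills the gap between functions with 0xCC) inflates it. The following added example is not part of the ARTeam tool; it scans a code blob with a constructed sample and separates isolated 0xCC bytes (the only real nanomite candidates) from runs of padding. The run length threshold is an assumed heuristic, and a lone 0xCC can still be an immediate operand, so isolated hits remain candidates, not confirmed nanomites.

```python
def find_int3(code: bytes, base_va: int = 0, min_run: int = 4):
    """Split 0xCC bytes in `code` into isolated INT3s and padding runs.

    Returns (isolated_vas, padding_runs): isolated_vas is a list of virtual
    addresses of lone 0xCC bytes, padding_runs a list of (start_va, length).
    min_run (assumed heuristic) is the shortest run treated as alignment fill.
    """
    isolated, runs = [], []
    i, n = 0, len(code)
    while i < n:
        if code[i] != 0xCC:
            i += 1
            continue
        j = i
        while j < n and code[j] == 0xCC:   # measure the run of 0xCC bytes
            j += 1
        if j - i >= min_run:
            runs.append((base_va + i, j - i))
        else:
            isolated.extend(base_va + k for k in range(i, j))
        i = j
    return isolated, runs


def summarize(code: bytes, base_va: int = 0, min_run: int = 4) -> dict:
    """Compare the naive raw 0xCC count with the padding-aware split."""
    isolated, runs = find_int3(code, base_va, min_run)
    return {
        "raw": code.count(0xCC),
        "isolated": len(isolated),
        "in_padding": sum(length for _, length in runs),
    }


# Constructed sample: two tiny x86 functions, each followed by 0xCC alignment
# fill up to a 16-byte boundary; the second function contains one lone INT3.
SAMPLE_CODE = (
    b"\x55\x8b\xec\x33\xc0\x5d\xc3"      # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
    + b"\xcc" * 9                        # alignment padding (not nanomites)
    + b"\x55\x8b\xec\xcc\x90\x5d\xc3"    # push ebp; mov ebp,esp; int3; nop; pop ebp; ret
    + b"\xcc" * 9                        # alignment padding again
)

if __name__ == "__main__":
    print(summarize(SAMPLE_CODE, base_va=0x401000))
    print([hex(va) for va in find_int3(SAMPLE_CODE, 0x401000)[0]])
```

On the sample the raw count reports 19 "potential INT3" while only one isolated 0xCC survives the padding filter, which mirrors the inflated count reported in the thread.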

  6. #36
    Shub-nigurrath (Super Moderator):
    Hi all,
    condzero just released the new version of his ArmaGeddon. He added and fixed several things, first of all the DLL support.

    February 2008 - v1.1
    + added dll support (dll loader.exe)
    + added option "Use OpenMutex trick" to force a single process. Use only if normal "debug blocker" processing fails. This would occur when a parent process launches the child process, but doesn't debug the child process (i.e. use the WaitForDebugEvent API)
    + improve IAT elimination functionality
    + includes updated ARTeam Import Reconstructor

    You should already know where to take it. BTW I have already updated CRCEL, before dELTA jumps in doing it ^_^

    Have phun,
    Shub
    (`._.[*~-.,.-~* ŜħůβŇĝŕřāŧħ ₪*~-.,.-~*]._.)
    There are only 10 types of people in the world: Those who understand binary, and those who don't
    http://www.accessroot.com

  7. #37
    When do you guys release the import rebuilding DLL? Imprec.dll just sucks, so it would be cool to have a new one to test.

  8. #38
    name (Guest):
    Great thanks to AR, nice release. Now I understand; I unpacked a lot of files.

    Now I know how to use this, lolz.

  9. #39
    dELTA (Administrator):
    Thanks for updating the CRCETL entry Shub (and of course thanks ARteam for a great contribution).
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  10. #40
    Shub-nigurrath (Super Moderator):
    Attention,
    version 1.2 of the tool is out:

    March 2008 - v1.2
    + improved PE section name resolution for internal use (thanks Ghandi)
    + improved ARTeam Import Reconstructor v1.1

    Again, CRCETL is updated.

  11. #41
    Shub:

    I updated the "Last Updated" listing to March 5, 2008, from the February listing, just to be as accurate as possible.

    Regards,
    JMI

  12. #42
    Shub-nigurrath (Super Moderator):
    Ding ding... guess what? New version!! condzero is restless...

    March 2008 - v1.2g [gabor edition]
    + add warning message for OEP call return VA not from Armadillo VM
    Note: Informational, not usually relevant for dll's or exe's with copymem2,
    but may be useful for troubleshooting invalid OEP's resulting
    from custom implementations and/or packing / compressing of a file
    prior to being protected by Armadillo
    + fix problem with copymem2 search string error
    + fix problem with createdump on error

    Dedicated to gabor, who pointed condzero to a series of problems he only reported.. ^_^

  13. #43
    Thanks Shub and condzero for the update and updating the CRCETL entry.

    Regards,
    JMI

  14. #44
    Just a quick report: it doesn't work at all on BigFish Games' apps. They're Arma 4.66 and I get this:

    EXECryptor Add!ct

  15. #45
    Please, could you PM the target name, to me or any of the ARTeam members here?

    As far as I know, it has been working for many BFG targets, so this could be an exceptional case...

    Many thanks for your report

    Nacho_dj
