
Thread: Armadillo Goblin

  1. #1

    Armadillo Goblin

    Hi !!

    This tool, which I made over the last several days, should remove Armadillo copy-mem protection. It will do only that. The IAT and OEP you must find by yourself. I tested this on versions 2.40 to 3.50 and it worked with all of them.

    So this is only a very beta version. Try it, test it and reply whether it works or not. Load your process with the "Load" button.
    If you get the message "You can dump now", don't close this box (otherwise you'll terminate the process). After this message, run LordPE or PeTools and dump the second process (the younger of the two processes of your started program).

    I expect some comments !!

    Zilot

  2. #2
    F*cking nice tool dupe

  3. #3
    Thigo
    Guest
    Code:
    ASProtect v.[0/1"AFPE%gsokc(81'8>]
    
    ExceptionFlags:   00000000
    ExceptionCode:    80000004
    Exception address:00000000
    StackCurrent:     0012FF28
    StackTop:         00130000
    ImageBase:        00C00000
    
    Registers:
     EBP: 0012FF58
     ESP: 0012FF28
     EAX: 00000000
     ECX: 00000000
     EDX: 00000000
     EBX: 00C1A684
     ESI: 00BD0000
     EDI: 00C00000
    
    Stack list:
     000C17C2Eh,00800C17Ch,07D0800C1h,0C17D0800h,000C17D08h
     06000C17Dh,0FF6000C1h,012FF6000h,00012FF60h,0F60012FFh
     07CF60012h,0C17CF600h,000C17CF6h,05800C17Ch,0FF5800C1h
     012FF5800h,00012FF58h,0000012FFh,000000012h,0C0000000h
    
    Stack (functions) list:
     00019684
     000170A1
     00019684
     00017754
     000185C4
     00017E8C
     00019770
     0000A5DC
    
    Code list:

    Would you please not protect your app with crappy ASPR?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    would you please not protect your app with crappy ASPR ?
    Must complain to Alexey

    Seems you are a Win 98 user? Sorry

    Try this one

  5. #5
    evaluator
    >>ESP: 0012FF28

    Zilot, little exercise, is Thigo "win 98 user"!?

  6. #6
    I think you owe one answer to me. You silently avoid answering in PM.

    Zilot, little exercise, is Thigo "win 98 user"!?
    Dunno, maybe he is, maybe not. I haven't had Win98 since 2 years ago, and I didn't memorize it then.

  7. #7
    ZaiRoN
    is Thigo "win 98 user"!?
    No...

  8. #8
    Thigo
    Guest
    This one works better
    And no, I'm not using Win98. I use Win2k SP4, no debugger running.

  9. #9
    Quote Originally Posted by Thigo
    This one works better
    And no, I'm not using Win98. I use Win2k SP4, no debugger running.
    Strange, I use win2k too, and it worked fine. Anyway I'm glad it works.

    Evaluator, I'm still waiting. I'm wondering what I have to do, to get answer.

  10. #10
    evaluator
    OK, I unpacked it from Obsidium, as you wanted.
    What version of Obsidium do you use?

    pending answer is +995

  11. #11
    Quote Originally Posted by evaluator
    OK, I unpacked it from Obsidium, as you wanted.
    What version of Obsidium do you use?
    You did a great job for Chad; now he can sit back and enjoy your work. Why do you think I packed this??

    Quote Originally Posted by evaluator
    pending answer is +995
    Thanks for the answer, exactly what I got in that crackme at address 54AC34, after the call to 43B256. I mean +995 was the value in eax after the return from 43B256.

  12. #12
    evaluator
    yei!

    Seems I wrongly translated your request(:
    >>Evaluator, I'm still waiting

    OK, by default: an unpacker forces protectors to be better.
    So you are helping the author of Arma, not I. (Ask ni20 also.)

    Why do you think that the author will be unable to unpack ASPR or Obsi?
    Have you true info that he is such a lamer at unpacking?

    **
    That is really the answer! If you can't solve it, ask Zairon;)
    Maybe he can solve it!? But privately.

  13. #13
    Quote Originally Posted by evaluator
    yei!

    seems i wrongly translated your request(:
    >>Evaluator, I'm still waiting .
    Man !!!!
    You translated it well. And I understood your answer. But do I have to say everything literally? You didn't understand what I wanted to say with the last sentence? Does anybody else know our story from PM? What would he conclude?


    Quote Originally Posted by evaluator
    Why do you think that the author will be unable to unpack ASPR or Obsi?
    Have you true info that he is such a lamer at unpacking?
    Do you think they pack files and make protectors because they think we won't be able to defeat them??
    They are just stealing our time. Why play fair with them, when they play as dirty as they can? They even (especially Chad) threaten some of us with the law. Let them spend some time thinking about what we have done.

  14. #14
    evaluator
    There is only 1 way, if you DON'T WANT to help protector authors:
    DO NOT publish your unpacking tools.

    Keep your tools for you and your friends.
    Also don't sell; it's stupid. [It seems that for money the best would be unpacking targets for 1-5$ etc.]

    If you want to make a VENDETTA, unpack & spread protected targets widely,
    so this will damage the protector's honor much harder.

  15. #15
    evaluator, my high skilled body, Zilot is absolutely right. If you are going to hide your knowledge - OK, be happy with it. For the rest of us it is garbage. There is NOTHING special in Armadillo indeed! Indeed! The whole principle of this proggy is to use DebugAPI. If you know how ANY Win32 tracer works, you can crack it. These rdtsc and other shit are shit indeed!
    Chad is not that cool, my friend. I myself know far more sophisticated software than the one Zilot did. That software is able to restore nanomites in automatic mode, decrypt the code section and do a dump correctly. And this software is distributed absolutely freely with the tutorials! So in Russia almost everyone now can hack Arma.
    If you are going to play hide and seek - you lost from the very beginning. If you are going to share your knowledge (BTW, REALLY strong - I've read your posts) - we will all win.
    The principle of Arma has been known for a long time. For Chad to rewrite it completely from scratch using another principle - he-he, he won't be able to do it. If he does, then we crack it again.
