Thread: Armadillo 2.51 - 3.xx DLL unpacking - OEP?

  1. #1

    Armadillo 2.51 - 3.xx DLL unpacking - OEP?

    hi all..

    attempting to unpack an arma protected dll..

    the DLL is opened by Internet Explorer.. blah blah, not a prob..
    attach explorer.exe and i get the privileged instruction from arma.. and attempt to unpack from there..

    anywho im having trouble finding the entry point...
    i usually bpx on SetProcessWorkingSetSize or GetCurrentThreadId to get to OEP..

    but this is not working? (or well it might take me to OEP.. but im sure its not the right way.. maybe)

    any tips on getting to oep?
    Last edited by MEPHiST0; May 20th, 2004 at 22:55.

  2. #2
    o fine, i see how u all are :P

  3. #3

    You have been around here enough to know the process.

    I am sure you are not the first person to have this problem.

    Now, since I am a mind reader I can tell you that the OEP can be found at this address:0041000.

    If I am wrong, the psychic network has nothing to worry about


  4. #4
    Quote Originally Posted by Woodmann
    If I am wrong, the psychic network has nothing to worry about
    If the psychic network were right half as often as you we would all worry.

  5. #5
    o yea you're a mind reader

    i was looking for tips on unpacking armadillo .dll's.. not psychic advice
    just never unpacked an arma dll before.. so hard to believe..?

    ive managed arma+debug blocker.. not copymem nor nanomites..

    and no that is not oep.. not close..

    i tried that .dll unwrapper for arma that Lunar made.. (nice tool btw..)
    but didnt unwrap this .dll, nothing, no info at all.. unlike some .dll's that at least gave something.. i said its opened by explorer.exe for a context menu..
    not sure if that makes a difference..

    tried the api i knew about that arma uses.. but no luck.. maybe i should have tried it when i wasnt drinking?

    anyway ive read the thread below mine.. similar topic.. but i didnt read anything about getting oep.. so i created my own thread, just wondering how to get OEP out of arma packed dlls

  6. #6
    I've actually done some arma dll unpacking. I attach my test files for it:
    - dllforarmadillo_nodillo.dll - a simple dll that shows message boxes from dllmain
    - dllforarmadillo.dll - the same dll packed with armadillo
    - etster.exe - does loadlibrary =)

    Now look at the original dll, see where the EP is - that's your OEP. Now try to find this same address in the packed one. =)
    A tip for when you get to resolving imports, there is a place where dildo destroys them, but it can be bypassed.

    Don't want to disclose more info on this, I'm sure Chad reads this board. If he does I'd like to tell him I think he's a moron with an inflated ego. :P
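    What #6 describes, comparing the entry point of the unprotected dll with the packed one, as an added example that is not part of the thread or its attachments: a small PE header reader that resolves AddressOfEntryPoint to its RVA, VA, containing section and file offset, run against two constructed headers. The section names, RVAs and the trailing ".stub" section are made up for the sample; the parser itself follows the documented PE32/PE32+ layout.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # IMAGE_FILE_HEADER.Characteristics flag marking a DLL

def build_pe32(entry_rva, sections, image_base=0x10000000):
    """Build a minimal PE32 DLL header (constructed sample data, not a real binary)."""
    # sections: (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData);
    # SizeOfOptionalHeader is 96 (no data directories) and the parser honours that field
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew at 0x3C -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 96, IMAGE_FILE_DLL | 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)          # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)    # ImageBase (PE32 layout)
    table = b"".join(
        name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        for name, vaddr, vsize, rawptr, rawsize in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

def entry_point_info(data):
    """Resolve AddressOfEntryPoint to its RVA, VA, containing section and file offset."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    # ImageBase is 4 bytes at +28 in PE32 and 8 bytes at +24 in PE32+
    image_base, = struct.unpack_from("<I", data, opt + 28) if magic == 0x10B else struct.unpack_from("<Q", data, opt + 24)
    info = {"is_dll": bool(chars & IMAGE_FILE_DLL), "entry_rva": entry_rva,
            "entry_va": image_base + entry_rva, "section": None, "file_offset": None}
    for i in range(nsec):  # walk the section table that follows the optional header
        hdr = opt + opt_size + i * 40
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            info.update(section=name, file_offset=rawptr + (entry_rva - vaddr))
            break
    return info

# Constructed headers: the "original" DLL enters inside .text, while the "packed" one enters in
# a trailing stub section the protector appended (section names and RVAs are made up).
SECTIONS = [(b".text", 0x1000, 0x3000, 0x400, 0x3000), (b".data", 0x4000, 0x1000, 0x3400, 0x400)]
ORIGINAL_DLL = build_pe32(0x1234, SECTIONS)
PACKED_DLL = build_pe32(0x5100, SECTIONS + [(b".stub", 0x5000, 0x2000, 0x3800, 0x2000)])
```

    Run on a real pair of files, the entry VA reported for the unpacked dll is the value to look for once the packed stub has finished; an entry point that lands in an appended section rather than .text is the usual sign that the header still points at the protector.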

  7. #7
    Im not sure he is the only one with an inflated ego if you ask me

    Anyway, the new import protection cannot be bypassed that easy, you are working on demo import protection.

    I recommend to read Ricardo's tutorial for this one. Nice work!



  8. #8
    There are many, many others with egos the size of hot air balloons... =)

    Well, yeah, this is made by a demo version, but I've actually worked with a dll from a retail soft that used exactly the same mechanism. Maybe that app was protected by a demo/pirated version of Arma?

    Concerning Ricardo's tuts: they sure are great! Only problem is extracting all that knowledge using Babelfish. =)

  9. #9
    they did not use the good protection level, that's all

    it's like when authors don't use pieces of code encryption in Asprotect etc.
    without a key, unpacking is useless..

    Oh well...

  10. #10
    Which is why i still find Asprotect a better protection compared to Armadillo... with the latter, using code encryption or not doesnt matter, unpacking always works :/...

  11. #11
    most unpacked aspr exe's ive done..
    either get an access violation in: 6138xx (xx is dif in every exe..)
    sometimes no access violation..
    but just search in hex for 61 38.. get ur name in there somewhere
    can bpx hw access > dword to check out where its coming from..
    its usually regged..


    thanks man for the help
    doesnt help me out much tho.. i can HW bp on that OEP and get to it..
    but the reason for this post is, because im all out of ideas to get OEP

    but im gonna download that and try it out right now, do it a couple times.. maybe ill notice something that can help me out.. thx again

  12. #12

    i got to the OEP of SHAG's nice little semi-tutorial thing he did..
    (thanks SHAG!!)

    but i have a question...
    first of all i know about nanomites and what they do.. well sorta.. same with copymem..

    and this seems to happen with A LOT OF arma packed EXE's / now Dll's since i can unpack em now..

    the CALL into Entry points:
    <-- i trace into this: and 'SOMETIMES' CODE is All f00ked up.. not executable
    <-- happens alot when protection is arma+debug blocker
    found a DLL that has done it to me too..

    now a buddy of mine says 'the appz i have trouble with'..
    they unpack perfectly normal for him, trace into the CALL EDI and code is fine.. dump.. fix iat and it runs..

    does anyone know what could be doing this? its almost like arma isnt decrypting the entry point.. but im not advanced enough to find out what the reason is.. has anyone ever had this kind of prob?


    SHAG's .dll however worked out fine..
    I didnt realize it, but i have got to the EP.. not knowing it was OEP (/me is drunk)
    the Entry point was in perfect condition unlike some other Dll's i have tried..
    pissin me off.. thinkin it was some anti-virus .dll's i had loaded that could be messin with the EP... but im stupid :P

    let me know if anyone's experienced this problem.. because id like to unpack every arma there is
    Last edited by MEPHiST0; May 23rd, 2004 at 13:13.

  13. #13
    A DLL will never have nanomites.


  14. #14
    NT20: That's what I was trying to get at but was afraid to say because I wasn't sure. As I see it, protecting DLLs just can't be done in quite the same way as protecting EXEs.

    MEPHiST0: I saw you tried to msg me on efnet (got it in my bnc log). Please try again. Nick is SHaG when I'm online and shag when I am not.
