Results 1 to 14 of 14

Thread: Armadillo 2.51 - 3.xx DLL unpacking - OEP?

Hybrid View

  1. #1

    Armadillo 2.51 - 3.xx DLL unpacking - OEP?

    hi all..

    attempting to unpack a arma protected dll..

    the DLL is opened by Internet explorer.. blah blah, not a prob..
    attach explorer.exe and i get teh priviledged instrcution from arma.. and attemp to unpack from there..

    anywho im having trouble find the entry point...
    i usually bpx on SetProcessWorkingSetSize or GetCurrentthreadId to get to OEP..

    but this is not working? (or well it might take me to OEP.. but im sure its not hte right way.. maybe)

    any tips on getting to oep?
    Last edited by MEPHiST0; May 20th, 2004 at 22:55.

  2. #2
    o fine, i see how u all are :P

  3. #3

    You have been around here enough to know the process.

    I am sure you are not the first person to have this problem.

    Now, since I am a mind reader I can tell you that the OEP can be found at this address:0041000.

    If I am wrong, the psychic network has nothing to worry about


  4. #4
    Quote Originally Posted by Woodmann
    If I am wrong, the psychic network has nothing to worry about
    If the psychic network were right half as often as you we would all worry.

  5. #5
    o yea your a mind reader

    i was looking for tips on unpacking armadillo .dll's.. not psychic advice
    just never unpacked an arma dll before.. so hard to belive..?

    ive managed arma+debug blocker.. not copymem nor nanomites..

    and no that is not oep.. not close..

    i tried that .dll unwrapper for arma that Lunar made.. (nice tool btw..)
    but didnt unwrapp this .dll, nothing, no info at all.. unlike some .dll's that at least gave i said its opend by explorer.exe for a context menu..
    not sure if that makes a differnce..

    tried the api i knew about that arma uses.. but no luck.. maybe i should have tried it when i wasnt drinking?

    anyway ive read the thread below mine.. simular topic.. but i didnt read anything about getting oep.. so i created my own thread, just wondering how to get OEP out arma packed dlls

  6. #6
    I've actually done some arma dll unpacking. I attach my test files for it:
    - dllforarmadillo_nodillo.dll - a simple dll that shows message boxes from dllmain
    - dllforarmadillo.dll - the same dll packed with armadillo
    - etster.exe - does loadlibrary =)

    Now look at the original dll, se where the EP is - thats your OEP. Now try to find this same address in the packed one. =)
    A tip for when you get to resolving imports, there is a place where dildo destroys them, but it can be bypassed.

    Don't want to disclose more info on this, I'm sure Chad reads this board. Fi he does I'd like to tell him I think he's a moron with an inflated ego. :P
    Attached Files Attached Files

Similar Threads

  1. ARTeam: ArmaGeddon v1.0 Conceptual overview tool for unpacking Armadillo by CondZero
    By Shub-nigurrath in forum Advanced Reversing and Programming
    Replies: 71
    Last Post: June 7th, 2008, 11:18
  2. Indentifing Armadillo version & unpacking
    By zambuka42 in forum Malware Analysis and Unpacking Forum
    Replies: 1
    Last Post: November 23rd, 2004, 23:02
  3. Armadillo once again (wrong IAT after unpacking)
    By friedo in forum Malware Analysis and Unpacking Forum
    Replies: 3
    Last Post: June 25th, 2004, 02:56
  4. Armadillo 2.x/3 DLL stub unpacking
    By SysCall in forum Malware Analysis and Unpacking Forum
    Replies: 14
    Last Post: May 12th, 2004, 15:19
  5. Armadillo unpacking: NetScanTools v4.30a
    By Solomon in forum Malware Analysis and Unpacking Forum
    Replies: 18
    Last Post: November 9th, 2002, 12:45


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts