Page 1 of 5 12345 LastLast
Results 1 to 15 of 70

Thread: Armadillo unpacker

  1. #1

    Armadillo unpacker

    I do not want knowledge to be lost into oblivion. But rather than simply releasing my unpacker source code, i will start this mini project to write an unpacker for armadillo, whoever interested can just participate and hopefully in the end u will have an armadillo skinner of your own; hopefully u wont spread it to everyone though cos unpackers itself doesnt teach ppl much.

    anyway, it is not exactly a simple task so be prepared for some Dumping hard work , i would estimate if u know arma well to take 2 wks of hard work to code an unpacker, if not will be a month or more... i coded mine fully in masm but u can code in anything u wish...

    we will start off with
    1. Dumping ArmAccess.dll
    2. Dumping protected PE files
    3. Fix & rebuild IAT
    4. Fix strategic splice code
    5. Then fix nanomite
    6. Finally bruteforce secure sections.
    7. clean up & other misc tasks like handling dll, ocx, exe etc

    yep it all can be done and has been done... so no fear or dead end as long as u have the will to do it, i will provide helps where required etc, my unpacker is not complete either so we can work & improve each other... so whoever is interested start as u wish

    have fun...

  2. #2
    hah.. now that Zairon mentioning i should use crackme etc instead of real target (which i will do Zairon, so dont worry abt me breaking the forum rule)...

    of course the unpacker will have to be able to handle custom built version of armadillo, yes it can be overcome rather easily if anyone still has doubt.

  3. #3

    Talking Dillo Unpacker

    I found the trick in nanomites, code splicing & IAT scrambler.

    in this moment i have no time to post [in addition my english is very poor].

    I'll post or PM in 2 or 3 hours.

  4. #4
    Registered User
    Join Date
    Oct 2002
    Location
    UK
    Posts
    83
    Hello

    Interesting!
    Iam up for the challenge

    I was going to write a couple unpackers for other protectors, those can wait a litle.

    your unpacker isn't complete, what is needed ?

    Can it unpack Armadillo.exe from their site ?
    The real challenge for an unpacker i think. customers , like for any protectors,
    apply protections like morons.

    Also.. brute forcing secured sections.. this is impossible without a key.
    Strong crypto is used i believe.

    Cheers,

    Hopcode

    warming up MASM

  5. #5
    hi Hopcode,

    glad you are interested, if unpacking armadillo itself is no problem... my unpacker is incomplete cos it is not fully automatic, some manual work is still required (aka not user friendly but it was never designed to be

    just get started anyway u want, depends on how much u have worked with arma... well well, trust me, whatever i listed there can be done and has been done so just go ahead

    just post anything related here, then we can discuss possible solutions to it. Guess u r using masm ?

    anyway, like my first post said, your first task will be dumping the ArmAccess.dll & decrypt it!!!
    Last edited by crUsAdEr; September 13th, 2004 at 15:29.

  6. #6
    Registered User
    Join Date
    Oct 2002
    Location
    UK
    Posts
    83
    Hello

    >glad you are interested, if unpacking armadillo itself is no problem... my >unpacker is incomplete cos it is not fully automatic, some manual work is still >required (aka not user friendly but it was never designed to be

    but then, it does handle nanomites completely on latest Armadillo ?
    and Import Elimination ? who cares if it is not 100% auto

    >just get started anyway u want, depends on how much u have worked with >arma... well well, trust me, whatever i listed there can be done and has been >done so just go ahead

    I have studied it. not too much in depth, but enough to understand wtf is going

    >just post anything related here, then we can discuss possible solutions to it. >Guess u r using masm ?

    yes, im using MASM. or TASM. depends of my mood

    >anyway, like my first post said, your first task will be dumping the >ArmAccess.dll & decrypt it!!!

    Via the unpacker you mean ?
    What do you recommand for that?
    Acting like a debugger of some sort ? hooking API ? injecting code inside Packed Process ? since you have done some work on it, which ways do you recommand to handle the protector ?

    The fundation is the base of the unpacker, so better start on the good path, rather than realising it is fucked up, and doing it all later.

    Hopcode.

  7. #7
    but then, it does handle nanomites completely on latest Armadillo ?
    and Import Elimination ? who cares if it is not 100% auto
    lol of course it handles everything completely ... noone can sit down and manually fix hundreds of nano each time...

    1. Via unpacker i mean a software that can run and remove armadillo from the protected target and produce a working target exe ...
    2. Well since armadillo uses a Debugger approach, i decided to do the same, my unpacker acts as a debugger so i can control armadillo execution flow etc... which is a lot easier... with that approach u can inject code, hook API and do anything you wish to the protected exe... though that means u have to emulate arma-debugger process to pass copymem session hashkey to the child process etc (which u will soon discover what a JOKE armadillo is

  8. #8
    Registered User
    Join Date
    Oct 2002
    Location
    UK
    Posts
    83
    Ok thanks for infos

    Well, Armadillo might be a joke, but its harder than Asprotect, which IS a bad joke coz it sucks pond water..

    Sd protector, as interesting as it might be, is a lot easier too.
    SVKP also stinks, so does ACProtect..

    Basically, all protectors are jokes then

    i will start coding this week.

    Cheers

  9. #9
    SL0rd
    Guest
    Ive studing manual unpacking stuff and this project is all that I was looking for. Unpacking from the very beginning!
    I will follow all the steps from 1 to 7, I hope and of course use masm
    I will learn a lot this time, lets rock!
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  10. #10
    MrAnonymous
    Guest
    Out of curiosity what kinda crypto is used on Arma secured sections? Obviously if its bruteforce-able its not very strong. Protectors are more/less all about implementation remember, so Protectors are usually as good as the authors of the protected programs :P
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  11. #11
    : Code Injector : nikolatesla20's Avatar
    Join Date
    Apr 2002
    Location
    :ether:
    Posts
    815
    I have to comment, I don't know why many people insist on using MASM - unless perhaps they don't have access to a C compiler. In MS VC you can just as easily write a good unpacker that is very small, and you can even put inline ASM if you want (which basically IS MASM then).

    Don't get me wrong, MASM is great, and I love using it too, but for more complex unpackers it is not a crime to use C. Straight C will usually compile just as tight as MASM would. And with C you get the benifit of the runtime libraries. For example, in all of my unpackers I use vectors and maps (STL classes). It makes everything so much better and easier to read/maintain.

    Just stating, don't be afraid of C.

    -nt20

  12. #12
    armaski8
    Guest
    i agree... i like using turbo c 2.01...

    br
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  13. #13
    sl0rd, welcome onboard... just in case u r waiting for smth to happen, nothing aint gonna happen till u do smth ... yeah so start downloading the lastest Armadillo3.77 on their website and perhaps look at it, play with it...

    The first simple task would be removing the first decryption layer which apparently Chad & co have added lots more seh etc but the job should be easy since that layer doesnt do anything beside confusing u and stopping u from applying IDA on it... once you get rid of that layer you can use IDA to study how arma decompress the dll, how debug-blocker works, and how nanomites are handled...

    Hopcode : whenever u start coding, try to keep things organised, it is gonna be a fairly big project so try to break the codes into small files etc, u know the usual coding practise, keeping constants in one place etc... just get the debugger framework up and running and u r good to explore arma

  14. #14
    SL0rd
    Guest
    There is a lot to do, I think, for a beginner like me. But my goal is to learn not make a unpacker at all
    About using MASM, I will use it just because I want increase my asm skills, I will use templates almost all time when doing GUI stuffs!
    I thinking not use IDA, firstly I have just the trial version, after Im playing with olly debugger and I found it very intersting, I thinking seriously in using olly
    I will download armadillo right now! lets go gang!!
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  15. #15
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,204
    Blog Entries
    5
    A disassembler and a debugger are two very different things, and one does not exclude the other. People might have a more dead-listing or live debugging directed approach though, but for analyzing advanced stuff there's nothing like a good disassembler (e.g. IDA)...

Similar Threads

  1. write unpacker
    By Behdadsoft in forum The Newbie Forum
    Replies: 2
    Last Post: July 16th, 2012, 01:14
  2. .NET generic unpacker
    By pnluck in forum Tools of Our Trade (TOT) Messageboard
    Replies: 17
    Last Post: September 30th, 2006, 09:01
  3. UNMEW 1.2 mew automatic unpacker
    By pnluck in forum Tools of Our Trade (TOT) Messageboard
    Replies: 3
    Last Post: September 27th, 2006, 02:24
  4. DilloDIE 1.4 - Armadillo 4.xx unpacker
    By Bra!NSHiT in forum Tools of Our Trade (TOT) Messageboard
    Replies: 11
    Last Post: July 26th, 2006, 11:18
  5. Is there any unpacker for Asprotect 1.2 ??
    By TrixMan in forum Malware Analysis and Unpacking Forum
    Replies: 11
    Last Post: December 12th, 2001, 01:24

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •