Armadillo Unpacking Plugin...
Hi,
I need different Armadillo-packed targets in order to test the unpacker I wrote. Version doesn't matter. If I succeed you will find the unpacking plugin in the next retool release. Thx in advance, OHPen |
hey
dudu,can u unpack mybase
hxxp://www2.wjjsoft.com/download.htm its packed by Armadillo and also this a tricky one [Edit by JMI: It seems I have to keep posting over and over: NO CLICKABLE LINKS, ESPECIALLY TO SOFTWARE COMPANIES.] |
Lo,
I will take a look at it, thx. But be sure, sooner or later I will add support for this version ;D But atm I am concentrating on older armadillo versions. |
Thanks Ohpen... here's one packed with dillo 2.5x - 2.6x
_http://etcai.com/digital4.exe I tried doing it myself with Ricardo's tut BUT.. instead of dillo unpacking code blocks of 1,000 byte chunks, when I break on write process memory I see that it only writes 2 bytes at a time.. ALSO in Ricardo's tut if you break on WaitForDebugEvent you'll get the address of dillo's REPORT so that when you break on writeprocessmemory after, you get to see the OEP.. this worked on another target but on this one you don't get to see the OEP... The OEP was found another way but it just shows you that this program does things slightly differently?? Good luck and thanks again paul333 |
thx paul,
the more targets I get the better the plugin will work in future. I will check it as soon as possible. Regards, OHPen |
THIS
hxxp://www.sunmoonsoft.com/download/newdown/ce2003zui.rar [Edit by JMI: I say AGAIN. NO CLICKABLE LINKS.] |
thx alot too ;)
It's nice that I get such support ;D |
hxxp://www.downme.com/down.php?nbr=16004&url=6
[Edit by JMI: eric yo:PAY ATTENTION!!!!! NO CLICKABLE LINKS!!!] |
Would it help if I posted a link to a cracked version of Armadillo 3.10? It works like a charm, but I'm not sure if it's "against the rules"....
|
The issue is CLICKABLE LINKS. Use "hxxp," "h**p," or "wxw" and TURN OFF THE CHECK MARK for "Automatically Parse URLs" at the bottom, BEFORE you save your post.
Regards. |
Cracked version of Armadillo 3.10
http://www.x-mail.net/carlos2003/disk1.rar http://www.x-mail.net/carlos2003/disk2.rar http://www.x-mail.net/carlos2003/disk3.rar |
Here is maybe another one of your victims
hxxp://www.regngo.com/vbrezq/ its vb tool and named vbrezq download link hxxp://www.regngo.com/vbrezq/vbrdemo.zip [Edit by JMI: You still have to TURN OFF the check mark on "Automatically parse URLs."] |
thx a lot for all your replies,
this will help me to improve and finish the unpacker sooner, more help is always welcome ;) regards, OH |
For paul 3333
If you go to my FTP or the crackslatinos page (this tut is not on the page today but will be posted tomorrow), you will see the tut
150-ARMADILLO con COPYMEM2 sin truco de los 1000 bytes por FLIPI.rar. It is in Spanish but it is the case you mention. The father does not work with the 1000 bytes trick, it only puts a son to run and this self-unpacks. It is very easy: when you reach the second WriteProcessMemory and you look in the buffer, the 2 bytes that will be copied are the bytes of the EP (not OEP) of the father (and the son too). Well, you can change these bytes to EB FE and run; the father will be RUNNING and the son looping in your proper EP. In this moment you can pause the father and detach the son BUT DON'T CLOSE THE OLLY WITH THE FATHER AND DON'T CLOSE THE FATHER PROCESS, ONLY MINIMIZE. Open another ollydbg, attach the son and quit the infinite loop of the oep, and if you don't close the father, the son runs in the same form as an armadillo without copymem2, and unpacks in this form. Ah, my FTP is ftp://curso:[email protected]/ user:curso pass:curso folder NUEVO CURSO-TEORIAS and the crackslatinos page is http://www.crackslatinos.hispadominio.net/ Ricardo |
Mr Ricardo
Following the <<150-ARMADILLO .... > I reach here << In this moment you can pause the father and detach the son BUT DONT CLOSE THE OLLY WITH THE FATHER AND DONT CLOSE THE FATHER PROCESS, ONLY MINIMIZE. >> and how do you detach the son? I don't see any detach option in OLLY cmd. And if I go on << Open other ollydbg atach the son and quit the infinite loop of the oep ... >> OLLY rejects with "Unable to attach ... ". Thanks for reply |
detach
The tut 150 is a variant of the base tuts
65-66-67-68-69-70-71-72-74-77-78-79-80-81-82-83-84-86-88 of armadillos. I can repeat the same in every tut; for this reason, for how to detach the son: 69-ARMADILLO FOR DUMMIES GETRIGHT 5 (vol I) ENGLISH.rar and 70-ARMADILLO FOR DUMMIES GETRIGHT 5 (vol 2) ENGLISH.rar. In these tuts (English version) is the basic method, and they explain how to detach the son. With this knowledge, if you are trying a copymem2 armadillo without the 1000 bytes trick, in this case use the variant of tut 150. Ricardo |
BIG THANKS Ricardo... I'll have a go at your other tut / method, see if I fare any better :)
To the readers newish to Exetools / Ricardo's Arma tuts.. YOU GOTTA TRY THEM.. They're the biz for us newbies and very professionally done and easy to understand!!! paul333 |
Re: Armadillo Unpacking Plugin...
Quote:
|
Hi,
sorry for my late answer but, you know, always busy.... ;DD @Tigerme Sure, this version will be supported too. I will first release the plugin if the plugin works for all versions I expect it to work with... At first it won't support fully protected exes but this will change as soon as possible. Atm I'm tryin' to fix several problems. It's not easy to handle the difference between 2.x && 3.x But I think I'm going to make good progress ;) We will see, regards, OHPen |
suggestion
If you add a plug-in for unpacking svkp1.3x, it will be best.
|
can you unpack this
hxxp://www.exetools.com/forum/showthread.php?s=&threadid=2741&highlight=armadillo
|
hxxp://dl.filekicker.com/send/file/140564-LXGI/jcpro300.zip
[Edit by JMI: NO CLICKABLE LINKS. Always turn off the "Automatically parse URLs button" when you post a link, and substitute "hxxp" or some such for "http".] |
Here is a list of companies that use Armadillo protection:
|
1 Attachment(s)
Quote:
It detects SoftICE using the meltice technique (it looks for \\.\SICE, \\.\NTICE, \\.\SIWDEBUG, \\.\SIWVID and \\.\SUPERBPMDEV0 !), and it also opens a connection with the service control manager (OpenSCManager) !! [Edit by JMI: Even though you changed the "http" to "xxx", if you do not turn off the "Automatically parse URLs" the link is clickable.] |
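An added example, not part of the post above and not the code of any tool mentioned in this thread: a static triage scan that looks for the device names and the API name listed in that post inside a file's bytes, in both ASCII and UTF-16LE form. The function names and the sample bytes are constructed for illustration.

```python
# Indicators exactly as listed in the post: MeltICE-style device names
# and the service control manager API (A/W are its ANSI/Unicode exports).
MELTICE_DEVICES = ("SICE", "NTICE", "SIWDEBUG", "SIWVID", "SUPERBPMDEV0")
SCM_APIS = ("OpenSCManagerA", "OpenSCManagerW")


def _find_all(haystack, needle):
    """Yield every offset at which needle occurs in haystack."""
    pos = haystack.find(needle)
    while pos != -1:
        yield pos
        pos = haystack.find(needle, pos + 1)


def scan_for_meltice(data):
    """Return sorted (offset, encoding, indicator) tuples found in data."""
    lowered = data.lower()  # device names are case-insensitive; offsets unchanged
    hits = []
    for name in MELTICE_DEVICES:
        path = "\\\\.\\" + name  # the literal text \\.\NAME
        for enc in ("ascii", "utf-16le"):
            needle = path.lower().encode(enc)
            nul = "\0".encode(enc)
            for off in _find_all(lowered, needle):
                end = off + len(needle)
                tail = data[end:end + len(nul)]
                if tail in (b"", nul):  # whole string, not a longer name
                    hits.append((off, enc, path))
    for api in SCM_APIS:  # import names are case-sensitive ASCII
        for off in _find_all(data, api.encode("ascii")):
            hits.append((off, "ascii", api))
    return sorted(hits)


# Constructed sample bytes (not taken from any real binary).
SAMPLE = (
    b"MZ\x90\x00" + b"\\\\.\\SICE\x00" + b"pad" + b"\\\\.\\NTICE\x00"
    + "\\\\.\\SIWVID".encode("utf-16le") + b"\x00\x00"
    + b"\\\\.\\SICEBOX\x00" + b"OpenSCManagerA\x00"
)

if __name__ == "__main__":
    for off, enc, what in scan_for_meltice(SAMPLE):
        print(f"0x{off:04x}  {enc:8}  {what}")
```

A scan like this only sees strings stored in plain form; in a packed file they may not be visible until the image has been unpacked in memory.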
This is pretty retarded, I feel bad for JMI, poor guy has to change everyone's diaper... how hard is it to not post a "clickable" link?
My god, there is something about it in nearly every thread of this entire forum. My personal opinion is that there is no need to put "http://" before any address. There is no normal need to define the protocol unless it is an uncommon one (i.e. ftp, gopher, telnet...etc). Using synonyms may be an easy solution: www(dot)exetools(dot)com While I would post one suggestion to the webmaster. It might be a good idea to modify the reply and post thread templates of vBulletin so that the "Automatically parse URLs" option is not checked by default. Maybe even writing a small plugin to parse the posted threads/replies and change any instance of "http://" to "h__p://" This might help out the admins... I know I am not an admin, nor am I a senior member. I just wanted to add my two cents. |
More ARMs...
hxxp://www.gregorybraun.com |
www.jcreator.com (JCreator v3 pro)
uses armadillo v3.x. Another nasty thing is that I booted up with the bios clock set to year 2005, I switched back to 2004 and now jcreator.exe says that I set back the system clock to defeat the security system... now I can't use jcreator any longer. Perhaps u have a solution for that ??? [Edit by JMI: After reading the preceding posts and two previous statements about NOT posting clickable links you went ahead and posted one anyway. What were you thinking? Or were you simply NOT thinking?] |
D-Jester:
I have posted in several threads that I've had the code for more than a year to prevent clickable links to any URL outside the forum, but I do not have admin access to install the changes for this board. Regards, |
UltraEdit 10.20
another target for OHPen
UltraEdit 10.20 f*p://ultraedit.com/uedit32.zip h**p://www.ultraedit.com/ ...hope it helps :) |
Also try this one:
_ftp_://ftp.worldofspectrum.org/pub/sinclair/emulators/pc/windows/Spectaculator625.exe |
here are other target... MT is protected with Armadillo...
hxxp://www.hippo.ru/%7Esorgelig/files/ public cracks are already released so I see no harm done :) |
hi Ohpen
U finished this yet?..I been looking forward to this for months now any luck? paul333 |