Exetools


FEARHQ 01-25-2005 02:56

Dumping Armadillo protected DLL?
 
This is the first time I have come across an Armadillo-protected DLL. Is dumping the DLL any different than dumping an executable? PEiD tells me it is "Armadillo 2.51 - 3.xx DLL Stub". I haven't come across any tutorials that show how to do this, and as a matter of fact I have never dumped Armadillo, but if the process is the same I will read up on the subject. Has anyone done this in the past? Just need a little guidance.

TmC 01-25-2005 09:42

I think that in this case the Lunar Dust Dll Unpacker should do its job... unless the DLL has nanomites.

Eggi 01-25-2005 14:25

I thought it's only possible to protect a DLL with the protection options which require only one process?

MrAnonymous 01-25-2005 15:47

DLLs cannot have nanomites; DLLs are on the equivalent of Minimal Protection in Armadillo. They do however support Import Elimination and Code Splicing.

FEARHQ 01-26-2005 03:50

I've read two tutorials from Unpacking Gods, one about figuring out the Armadillo version (turns out to be 3.75-alpha 1), and another about dumping Armadillo with debug blocker. The DLL does not have nanomites and I don't think it has code splicing, but the import table seems to be messed up, as Lunar Dust's DLL dumper can't rebuild it. Can anyone point me to a tutorial on dumping Armadillo with Import Elimination? I guess similar concepts can be applied to the DLL as to a standalone executable, as I did with version recognition. I would love to break my first Armadillo protection manually (without automatic dumpers, that is...).

MrAnonymous 01-26-2005 04:34

What is your target?
http:// www. absolutelock.de/construction/files/infobase/New/arma_debugblocker/tutorial.html
I believe covers import elimination....

FEARHQ 01-26-2005 05:43

1 Attachment(s)
MrAnonymous: That is the exact tutorial I went over. I guess I'm going to have to use it, even though it goes way into detail about Debug Blocker, which is way over my head for now... I'm looking for a tutorial that would actually deal with import elimination with Armadillo and not too much of the other fancy stuff (like debug blocker).

[UPDATE]
I put a little more effort into this and managed to follow MEPHiST0's tutorial, even though it's mostly about Debug Blocker. I managed to get "close to the OEP" by patching IsDebuggerPresent and breaking on CreateThread (the first is where we need to break...), however the famous "call edi", which I gather should be the original OEP, is never reached. In this target I get to 009A891F, which is the pop/jmp just one below the "sweet spot" (call edi - 009A89CD) and wind up back in the target DLL's code at 20040FF1. If anyone would be kind enough to take a look and tell me what I'm doing wrong on my first manual unpack attempt, I'd be thankful.

FEARHQ 01-28-2005 14:44

Could anyone give me a hand with where I'm stuck? I've been using Lunar Dust's DLLLoad.exe to load the DLL in OllyDbg, but I am stuck and cannot find the OEP :(

fly [CUG] 02-04-2005 16:22

UnPacKed.target.By.heXer
 
1 Attachment(s)
:D

UnPacKed By heXer

Crk 02-04-2005 22:40

This doesn't help for knowledge! Tutorial??

AdamD 02-09-2005 11:08

I'm also having problems unpacking v3.78 in an exe. It's a tough packer ;)

