Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Armadilled apps (https://forum.exetools.com/showthread.php?t=6539)

Annibal 01-25-2005 06:57

Armadilled apps
 
I'm trying to find the version of the Armadillo used in the following app. I'm following some tuts for that but Olly gives me read errors and I'm pissed off.
Any suggestion is appreciated.
Thank you so much.

hxxp://www.midiweb.de/downloads/XG-Wizard.zip

OrionOnion 01-25-2005 12:57

armVersion 3.70A
The nanomite feature may be used...

Press SHIFT+F9 3 times, use Follow in Dump, and find the string "armVersion".

You can find "Armadillo_v3.xx_Version_location_Tut-MEPHiST0" on the www, woodmann or google.

It shows how to find armVersion.

Annibal 01-28-2005 10:19

Hello!

Thanks for the help. I followed that tut, but for me the program just starts, or I'm able to press Shift+F9 one time and then it starts... sorry, newbie problems :P

Regards

Hero 01-28-2005 23:38

Quote:
I'm trying to find the version of the Armadillo used in the following app

Normally the simplest way to find a program packer's name and version is using programs such as PEiD or TrID. These programs show you the packer name and its version.

Sincerely yours

Eggi 01-29-2005 00:32

That's not true for Armadillo.... PEiD says Armadillo 3.78 if it uses the layer from the adata section as EP (EP is a PUSHAD then).

But if an author uses minimum protection it will have a PUSH EBP at the EP, and so PEiD will identify it as 1.x - 2.x even if it's a newer version...

Annibal 01-29-2005 23:54

Hi again
Since in my case I was not able to step as in the above tut, I just started the app and, using the RAM editor of WinHex, searched the "child" memory space for the armVersion string and got it.
Thanks
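
The two identification checks discussed above (Eggi's PUSHAD-vs-PUSH EBP heuristic at the entry point, and the "armVersion" marker string Annibal found in the child's memory) are easy to automate for triage. The following is an added example, not code from the thread or from any tool mentioned in it: a standard-library Python script that parses a PE32 header, maps the entry point to its section, reports the first-byte hint, and scans for the marker. The sample images it inspects are constructed in the script itself (a minimal PE with one section, not a real protected binary), and the ".adata" section name and "3.70A" value are sample values chosen to mirror the thread. The same `scan_arm_version` call can be pointed at a memory dump, which is where the string is actually visible at runtime.

```python
import struct
from dataclasses import dataclass


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_pointer: int
    raw_size: int

    def contains(self, rva: int) -> bool:
        return self.virtual_address <= rva < self.virtual_address + max(self.virtual_size, self.raw_size)


def parse_pe32(data: bytes):
    """Return (AddressOfEntryPoint, [Section, ...]) from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER32
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i                     # IMAGE_SECTION_HEADER
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rptr, rsize))
    return entry_rva, sections


# Exactly the distinction Eggi describes: what PEiD keys on, and why it misfires.
EP_HINTS = {
    0x60: "PUSHAD at EP: 3.7x-style Armadillo layer (PEiD reports 3.78)",
    0x55: "PUSH EBP at EP: ambiguous, plain compiler prologue or Armadillo minimum protection (PEiD reports 1.x-2.x)",
}


def scan_arm_version(blob: bytes):
    """Return the text following the 'armVersion' marker, or None if the marker is absent."""
    pos = blob.find(b"armVersion")
    if pos == -1:
        return None
    tail = blob[pos + len(b"armVersion"):pos + len(b"armVersion") + 16]
    return tail.split(b"\0", 1)[0].decode("ascii", "replace")


def inspect(data: bytes) -> dict:
    entry_rva, sections = parse_pe32(data)
    ep_section = next(s for s in sections if s.contains(entry_rva))
    first_byte = data[entry_rva - ep_section.virtual_address + ep_section.raw_pointer]
    return {
        "entry_rva": entry_rva,
        "entry_section": ep_section.name,
        "ep_hint": EP_HINTS.get(first_byte, f"first byte {first_byte:#04x}: no hint"),
        "arm_version_marker": scan_arm_version(data),
    }


def build_sample(section_name: bytes, code: bytes) -> bytes:
    """Constructed minimal PE32 with a single section whose start is the entry point."""
    raw_ptr, va = 0x200, 0x1000
    raw_size = (len(code) + 0x1FF) & ~0x1FF
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, va)                   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)       # Section/File alignment
    sect = struct.pack("<8sIIIIIIHHI", section_name.ljust(8, b"\0"), len(code), va,
                       raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return header.ljust(raw_ptr, b"\0") + code.ljust(raw_size, b"\0")


# Constructed samples: a PUSHAD-at-EP image carrying a visible marker, and a
# PUSH EBP prologue with no marker (the case PEiD gets wrong in either direction).
ARMA_LIKE = build_sample(b".adata", b"\x60\xe8\x00\x00\x00\x00" + b"\0" * 8 + b"armVersion3.70A\0")
MIN_PROT = build_sample(b".text", b"\x55\x8b\xec" + b"\0" * 16)

if __name__ == "__main__":
    for label, img in (("arma-like", ARMA_LIKE), ("min-prot", MIN_PROT)):
        print(label, inspect(img))
```

The script deliberately reports the PUSH EBP case as ambiguous rather than as a version: that is the point Eggi makes, and a triage tool that emits a confident "1.x-2.x" there is repeating PEiD's mistake.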

Gods 01-30-2005 22:42

I tried to find the Armadillo version on a file, Atrex.exe version 11.02. Nothing. But it seems to be version 4. I dumped its child process from memory, but cannot find the real OEP. Any help?

Lunar_Dust 02-04-2005 13:16

Check process task list when the program is running. Do you see two instances of the program? If so, it's protected with Copymem.

Now, run the app in Olly or another debugger, and put a BPX on GetThreadContext. When it breaks, check the arguments to GetThreadContext (you will find them on the stack; get familiar with the GetThreadContext function prototype so you can understand the arguments); one of the arguments will be the OEP. The reason is that the code in a CopyMem-protected app is "invalid" and causes an exception, then the Arma debugger parent intercepts this. The first invalid code is of course the OEP code. :) Thus GetThreadContext gets the OEP address as the address where the exception happened.

If you don't understand this stuff about exception handlers, etc., you need to read up on it. Search the web for Iczelion assembly; he has some good tutorials on exception handling in ASM which will help you understand how exception handlers look and work in assembly code.

This used to work at least....

-Lunar

MEPHiST0 02-04-2005 17:10

Seems that the version location tutorial I wrote doesn't work with the new Armadillo.. Chad removed the string armVersion? :>

Annibal 02-05-2005 08:01

After armVersion there's just an x :P

codeX 02-09-2005 03:21

1. Run app in Olly with the IsDebuggerPresent plugin.

2. Pass all exceptions and add them to the Ignore list until you get the privileged instruction exception. Set bp CreateThread.

3. Press Shift+F9, and Olly breaks on CreateThread.

4. Trace until you reach a CALL EDI.

5. Press F7 and you are on the OEP.

(c) DappA/ ICU

Not fully tested. Worked on some targets with Arma 4.x.

AdamD 02-10-2005 11:02

A program I'm trying to unpack has Arm v3.78.

When I try to unpack it with Olly and press Shift+F9 I get:

010BFC3A F0: PREFIX LOCK: ; Superfluous prefix
010BFC3B F0:C7 ??? ; Unknown command

I have no idea what this is; could someone please explain. Thanks in advance.

codeX 02-10-2005 23:29

Try this in OllyScript 0.92 =>

/*
.:TEAM RESURRECTiON:.
Armadillo Standard Script by AvAtAr//stephenteh
Tested on WinXP Pro SP2, OllyDbg v1.10, OllyScript v0.92
NOTES:
- Remove all hardware breakpoints before running the script.
- Add the following custom exceptions in OllyDbg:
C0000005(ACCESS VIOLATION), C000001D(ILLEGAL INSTRUCTION)
C000001E(INVALID LOCK SEQUENCE), C0000096(PRIVILEGED INSTRUCTION)
*/

var OpenMutexA
var CreateMutexA
var GetModuleHandleA
var VirtualAlloc
var CreateThread
var JumpLocation
var JumpLength
var OEP

// Resolve the kernel32 APIs the script breaks on
gpa "OpenMutexA", "kernel32.dll"
mov OpenMutexA, $RESULT
gpa "CreateMutexA", "kernel32.dll"
mov CreateMutexA, $RESULT
gpa "GetModuleHandleA", "kernel32.dll"
mov GetModuleHandleA, $RESULT
gpa "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT
gpa "CreateThread", "kernel32.dll"
mov CreateThread, $RESULT

// Mutex trick: at the OpenMutexA call, first create the mutex the protector
// is looking for (EDX holds the name pointer here) and then continue into
// OpenMutexA, so the protector follows its single-process path
bp OpenMutexA
esto
exec
PUSHAD
PUSHFD
PUSH EDX
XOR EAX,EAX
PUSH EAX
PUSH EAX
CALL CreateMutexA
POPFD
POPAD
JMP OpenMutexA
ende
bc OpenMutexA

// Loop on GetModuleHandleA until EAX equals the VirtualAlloc address,
// then return to the caller
bphws GetModuleHandleA, "x"
label1:
esto
cmp eax,VirtualAlloc
jne label1
esto
bphwc GetModuleHandleA
rtu

// "Magic jump": rewrite the JE (0F84 rel32) found after the return into a
// JMP (E9 rel32); JMP is one byte shorter, so the displacement grows by 1
find eip, #0F84????????#
mov JumpLocation, $RESULT
mov JumpLength, JumpLocation
add JumpLength, 2
mov JumpLength, [JumpLength]
inc JumpLength
mov [JumpLocation], 0E9
inc JumpLocation
mov [JumpLocation], JumpLength

// Break on CreateThread, then step back out to the protector's code
bp CreateThread
run
cob
bc CreateThread
rtu
rtr
sti

// Locate SUB EDI,ECX / CALL EDI; the CALL EDI (two bytes in) leads to the OEP
find eip, #2BF9FFD7#
mov OEP, $RESULT
add OEP, 2
bp OEP
run
bc OEP
sti
cmt eip, "<- OEP"
msg "You're at the OEP, now dump with LordPE and fix the IAT with ImpRec. =)"
ret

