Exetools  

#1
01-25-2005, 06:57
Annibal
Posts: n/a
Armadilled apps

I'm trying to find the version of the Armadillo used in the following app. I'm following some tuts for that, but Olly gives me read errors and I'm pissed off.
Any suggestion is appreciated.
Thank you so much.

hxxp://www.midiweb.de/downloads/XG-Wizard.zip
#2
01-25-2005, 12:57
OrionOnion
Posts: n/a
armVersion 3.70A
It may be using the nanomite feature...

Press SHIFT+F9 3 times, use Follow in Dump, and find the string "armVersion".

You can find "Armadillo_v3.xx_Version_location_Tut-MEPHiST0" on the web, woodmann or google.

It shows how to find the armVersion.
#3
01-28-2005, 10:19
Annibal
Posts: n/a
Hello!

Thanks for the help. I followed that tut, but for me the program just starts, or I'm able to press Shift+F9 one time and then it starts... sorry, newbie problems :P

Regards
#4
01-28-2005, 23:38
Hero
VIP
Join Date: Jan 2005
Posts: 226
Quote:
I'm trying to find the version of the Armadillo used in the following app
Normally the simplest way to find a program packer's name and version is using
programs such as PEiD or TrID. These programs show you the packer name and its
version.

sincerely yours
__________________
I should look out my posts, or JMI gets mad at me!
#5
01-29-2005, 00:32
Eggi
Posts: n/a
That's not true for Armadillo... PEiD says Armadillo 3.78 if it uses the layer from the adata section as EP (the EP is a pushad then).

But if an author uses minimum protection, it will have a push ebp at the EP, and so PEiD will identify it as 1.x - 2.x even if it's a newer version...
#6
01-29-2005, 23:54
Annibal
Posts: n/a
Hi again
Since in my case I was not able to step through as in the above tut, I just started the app and, using the RAM editor of WinHex, searched the "child" memory space for the armVersion string and got it.
Thanks
#7
01-30-2005, 22:42
Gods
Posts: n/a
I tried to find the Armadillo version on a file, Atrex.exe version 11.02. Nothing. But it seems to be version 4. I dumped its child process from memory, but cannot find the real OEP. Any help?
#8
02-04-2005, 13:16
Lunar_Dust
Posts: n/a
Check the process task list when the program is running. Do you see two instances of the program? If so, it's protected with CopyMem.

Now, run the app in Olly or another debugger, and put a BPX on GetThreadContext. When it breaks, check the arguments to GetThreadContext (you will find them on the stack; get familiar with the GetThreadContext function prototype so you can understand the arguments). One of the arguments will be the OEP. The reason is that the code in a CopyMem-protected app is "invalid" and causes an exception, which the Arma debugger parent then intercepts. The first invalid code is of course the OEP code. Thus GetThreadContext gets the OEP address as the address where the exception happened.

If you don't understand this stuff about exception handlers, etc., you need to read up on it. Search the web for Iczelion assembly; he has some good tutorials on exception handling in ASM which will help you understand how exception handlers look and work in assembly code.

This used to work at least....

-Lunar
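The first check in the post above, two instances of the same program with one parenting the other, can be automated for triage. This is an added example, not code from the thread: it parses a constructed process snapshot (PID, PPID, image name) and reports every child whose parent runs the same image; the snapshot rows and the `target.exe` name are made up for the demonstration.

```python
"""Triage helper for the "two instances" check above: flag any process whose
parent is another instance of the same image, the parent/child layout a
CopyMem-protected Armadillo target shows. Added example, not from the thread."""
import re
from collections import Counter

# Constructed snapshot in "PID PPID ImageName" form (not a real capture).
SAMPLE_SNAPSHOT = """\
PID   PPID  Image
4     0     System
512   4     smss.exe
1204  512   explorer.exe
2316  1204  target.exe
2320  2316  target.exe
2400  1204  notepad.exe
2500  9999  orphan.exe
"""

ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S.*?)\s*$")


def parse_snapshot(text):
    """Map pid -> (ppid, image); rows without a numeric PID (the header) are skipped."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            procs[int(m.group(1))] = (int(m.group(2)), m.group(3))
    return procs


def find_self_parented_pairs(procs):
    """Sorted (parent_pid, child_pid, image) triples where the parent runs the
    same image as the child; Windows image names compare case-insensitively."""
    pairs = []
    for pid, (ppid, image) in procs.items():
        parent = procs.get(ppid)
        if parent is None:
            continue  # parent already exited or is outside the snapshot
        if parent[1].lower() == image.lower():
            pairs.append((ppid, pid, image))
    return sorted(pairs)


def duplicate_images(procs):
    """Images running more than once: a weaker hint than a same-image parent."""
    counts = Counter(image.lower() for _, image in procs.values())
    return sorted(img for img, n in counts.items() if n > 1)
```

A same-image parent is only a hint: installers and browsers also spawn children of their own image, so confirm with the debugger as the post describes.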
#9
02-04-2005, 17:10
MEPHiST0
Friend
Join Date: Jul 2004
Location: In the depth of my soul
Posts: 33
Seems that the version location tutorial I wrote doesn't work with new Armadillo... Chad removed the string armVersion? :>
#10
02-05-2005, 08:01
Annibal
Posts: n/a
After armVersion there's just an x :P
#11
02-09-2005, 03:21
codeX
{RES} Cracker
Join Date: Dec 2004
Location: C:\WINDOWS\SYSTEM32
Posts: 162
1. Run the app in Olly with the IsDebuggerPresent plugin.

2. Pass all exceptions and add them to the Ignore list until you get the privileged instruction exception. Set bp CreateThread.

3. Press Shift+F9 and Olly breaks on CreateThread.

4. Trace until you reach a CALL EDI.

5. Press F7 and you are on the OEP.

(c) DappA/ ICU

Not fully tested. Worked on some targets with Arma 4.x.

Last edited by codeX; 02-10-2005 at 23:25.
#12
02-10-2005, 11:02
AdamD
Posts: n/a
A program I'm trying to unpack has Arm v3.78

When I try to unpack it with olly and press shift+f9 I get:

010BFC3A F0: PREFIX LOCK: ; Superfluous prefix
010BFC3B F0:C7 ??? ; Unknown command


I have no idea what this is; could someone please explain? Thanks in advance.
#13
02-10-2005, 23:29
codeX
{RES} Cracker
Join Date: Dec 2004
Location: C:\WINDOWS\SYSTEM32
Posts: 162
Try this in OllyScript 0.92 =>
Quote:
/*
.:TEAM RESURRECTiON:.
Armadillo Standard Script by AvAtAr//stephenteh
Tested on WinXP Pro SP2, OllyDbg v1.10, OllyScript v0.92
NOTES:
- Remove all hardware breakpoints before running the script.
- Add the following custom exceptions on OllyDbg:
C0000005(ACCESS VIOLATION), C000001D(ILLEGAL INSTRUCTION)
C000001E(INVALID LOCK SEQUENCE), C0000096(PRIVILEGED INSTRUCTION)
*/

var OpenMutexA
var CreateMutexA
var GetModuleHandleA
var VirtualAlloc
var CreateThread
var JumpLocation
var JumpLength
var OEP

gpa "OpenMutexA", "kernel32.dll"
mov OpenMutexA, $RESULT
gpa "CreateMutexA", "kernel32.dll"
mov CreateMutexA, $RESULT
gpa "GetModuleHandleA", "kernel32.dll"
mov GetModuleHandleA, $RESULT
gpa "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT
gpa "CreateThread", "kernel32.dll"
mov CreateThread, $RESULT

bp OpenMutexA
esto
exec
PUSHAD
PUSHFD
PUSH EDX
XOR EAX,EAX
PUSH EAX
PUSH EAX
CALL CreateMutexA
POPFD
POPAD
JMP OpenMutexA
ende
bc OpenMutexA

bphws GetModuleHandleA, "x"
label1:
esto
cmp eax,VirtualAlloc
jne label1
esto
bphwc GetModuleHandleA
rtu

find eip, #0F84????????#
mov JumpLocation, $RESULT
mov JumpLength, JumpLocation
add JumpLength, 2
mov JumpLength, [JumpLength]
inc JumpLength
mov [JumpLocation], 0E9
inc JumpLocation
mov [JumpLocation], JumpLength

bp CreateThread
run
cob
bc CreateThread
rtu
rtr
sti

find eip, #2BF9FFD7#
mov OEP, $RESULT
add OEP, 2
bp OEP
run
bc OEP
sti
cmt eip, "<- OEP"
msg "You're at the OEP, now dump with LordPE and fix the IAT with ImpRec. =)"
ret
Attached Files
File Type: txt Arma stanard.txt (1.6 KB, 27 views)