#1
Armadillo Unpacking Plugin...
Hi,
I need different Armadillo packed targets in order to test the unpacker I wrote. Version doesn't matter. If I succeed you will find the unpacking plugin in the next retool release.
thx in advance, OHPen
#2
hey
dudu, can u unpack mybase
hxxp://www2.wjjsoft.com/download.htm
it's packed by Armadillo and also this is a tricky one
[Edit by JMI: It seems I have to keep posting over and over: NO CLICKABLE LINKS, ESPECIALLY TO SOFTWARE COMPANIES.]
#3
Lo,
I will take a look at it, thx. But be sure, sooner or later I will add support for this version ;D But atm I am concentrating on older Armadillo versions.
#4
Thanks Ohpen... here's one packed with dillo 2.5x - 2.6x
_http://etcai.com/digital4.exe
I tried doing it myself with Ricardo's tut BUT... instead of dillo unpacking code blocks in 1,000-byte chunks, when I break on WriteProcessMemory I see that it only writes 2 bytes at a time. ALSO, in Ricardo's tut, if you break on WaitForDebugEvent you'll get the address of dillo's REPORT, so that when you break on WriteProcessMemory after, you get to see the OEP. This worked on another target, but on this one you don't get to see the OEP... The OEP was found another way, but it just shows you that this program does things slightly differently??
Good luck and thanks again
paul333
Last edited by bunion; 10-22-2003 at 10:53.
#5
thx paul,
the more targets I get, the better the plugin will work in future. I will check it as soon as possible.
regards, OHPen
#6
THIS
hxxp://www.sunmoonsoft.com/download/newdown/ce2003zui.rar
[Edit by JMI: I say AGAIN. NO CLICKABLE LINKS.]
#7
thx a lot too
It's nice that I get such support ;D
#8
hxxp://www.downme.com/down.php?nbr=16004&url=6
[Edit by JMI: eric yo: PAY ATTENTION!!!!! NO CLICKABLE LINKS!!!]
#9
Would it help if I posted a link to a cracked version of Armadillo 3.10? It works like a charm, but I'm not sure if it's "against the rules"....
#10
The issue is CLICKABLE LINKS. Use "hxxp," "h**p," or "wxw" and TURN OFF THE CHECK MARK for "Automatically Parse URLs" at the bottom, BEFORE you save your post.
Regards.
__________________
JMI
#11
Cracked version of Armadillo 3.10
http://www.x-mail.net/carlos2003/disk1.rar
http://www.x-mail.net/carlos2003/disk2.rar
http://www.x-mail.net/carlos2003/disk3.rar
#12
here is maybe 1 of your other victims
hxxp://www.regngo.com/vbrezq/
it's a VB tool named vbrezq
download link hxxp://www.regngo.com/vbrezq/vbrdemo.zip
[Edit by JMI: You still have to TURN OFF the check mark on "Automatically parse URLs."]
Last edited by thematrix; 11-05-2003 at 00:12.
#13
thx a lot for all your replies,
this will help me to improve and finish the unpacker sooner, more help is always welcome
regards, OH
#14
For paul 3333
If you go to my FTP or the crackslatinos page (this tut is not on the page today but will be posted tomorrow), you will see the tut
150-ARMADILLO con COPYMEM2 sin truco de los 1000 bytes por FLIPI.rar
It is in Spanish, but it is the case you mention. The father does not work with the 1000 bytes trick; it only puts a son to run and this self-unpacks. It is very easy: when you reach the second WriteProcessMemory and you look in the buffer, the 2 bytes that will be copied are the bytes of the EP (not OEP) of the father (and the son too). Well, you can change these bytes to EB FE and run; the father will be RUNNING and the son looping at its own EP. In this moment you can pause the father and detach the son BUT DON'T CLOSE THE OLLY WITH THE FATHER AND DON'T CLOSE THE FATHER PROCESS, ONLY MINIMIZE. Open other OllyDbg, attach the son and quit the infinite loop of the OEP, and if you don't close the father, the son runs in the same form as an Armadillo without CopyMem2, and unpacks in this form.
Ah, my FTP is ftp://curso:[email protected]/ user:curso pass:curso folder NUEVO CURSO-TEORIAS and the crackslatinos page is http://www.crackslatinos.hispadominio.net/
Ricardo
#15
Mr Ricardo
Following the << 150-ARMADILLO .... >> I reach here: << In this moment you can pause the father and detach the son BUT DON'T CLOSE THE OLLY WITH THE FATHER AND DON'T CLOSE THE FATHER PROCESS, ONLY MINIMIZE. >> And how do you detach the son? I don't see any detach option in the OLLY cmd. And if I go on to << Open other OllyDbg, attach the son and quit the infinite loop of the OEP ... >> OLLY rejects with "Unable to attach ...".
Thanks for the reply