Armadillo Unpacking Plugin...

OHPen · #1 10-21-2003, 10:01

Hi,

i need different Armadillo packed targets in order to test the unpacker i wrote.
Version doesn't matter. If i success you will find the unpacking plugin in next retool release.

thx in advance,

OHPen

#2 10-21-2003, 20:26

dudu,can u unpack mybase
hxxp://www2.wjjsoft.com/download.htm
its packed by Armadillo and also this a tricky one

[Edit by JMI: It seems I have to keep posting over and over: NO CLICKABLE LINKS, ESPECIALLY TO SOFTWARE COMPANIES.]

OHPen · #3 10-22-2003, 07:52

Lo,

i will take a look at it, thx.
But be sure, sooner or later i will add support for this version ;D

But atm i concentrating on older armadillo versions.

bunion · #4 10-22-2003, 10:50

Thanks Ohpen...heres one packed with dillo 2.5x - 2.6x

_http://etcai.com/digital4.exe

I tried doing it myself with Ricardo's tut BUT..instead of dillo unpacking code blocks of 1,000 byte chunks when i break on write process memory i see that it only writes 2 bytes at a time..ALSO in Ricardo's tut if you break on WaitForDebugEvent you,ll get the address of dillo's REPORT so that when you break on writeprocessmemory after you get to see the OEP..this worked on another target but on this one you dont get to see the OEP...The OEP was found another way but just shows you that this program does things slightly differently??

Good luck and thanks again

paul333

OHPen · #5 10-22-2003, 20:00

thx paul,

the more targets i get the better the plugin' will work in future.
I will check it as soon as possible.

regards,
OHPen

#6 10-27-2003, 17:12

THIS

hxxp://www.sunmoonsoft.com/download/newdown/ce2003zui.rar

[Edit by JMI: I say AGAIN. NO CLICKABLE LINKS.]

OHPen · #7 10-28-2003, 08:46

thx alot too

I nice that i get such support ;D

#8 10-30-2003, 23:11

hxxp://www.downme.com/down.php?nbr=16004&url=6

[Edit by JMI: eric yo:PAY ATTENTION!!!!! NO CLICKABLE LINKS!!!]

#9 10-31-2003, 00:48

Would it help if I posted a link to a cracked version of Armadillo 3.10? It works like a charm, but I'm not sure if it's "against the rules"....

JMI · #10 10-31-2003, 09:25

The issue is CLICKABLE LINKS. Use "hxxp," "h**p," or "wxw" and TURN OFF THE CHECK MARK for "Automatically Parse URLs" at the bottom, BEFORE you save your post.

Regards.

#11 11-04-2003, 12:19

Cracked version of Armadillo 3.10

http://www.x-mail.net/carlos2003/disk1.rar
http://www.x-mail.net/carlos2003/disk2.rar
http://www.x-mail.net/carlos2003/disk3.rar

#12 11-05-2003, 00:10

here is may be 1 of yur another victim
hxxp://www.regngo.com/vbrezq/
its vb tool and named
vbrezq
download link
hxxp://www.regngo.com/vbrezq/vbrdemo.zip

[Edit by JMI: You still have to TURN OFF the check mark on "Automatically parse URLs."]

OHPen · #13 11-06-2003, 08:21

thx a lot for all your replies,

this will help me to improve and finish the unpacker sooner,

more help is always welcome

regards,

OH

ricnar456 · #14 11-07-2003, 16:45

If you go to mi FTP or crackslatinos page (this tut today is not in the page but tomorrow will be posted), you will see the tut

150-ARMADILLO con COPYMEM2 sin truco de los 1000 bytes por FLIPI.rar

is in spanish but is the case you mention The father not work with the 1000 bytes trick, only put a son to run and this selfunpack.

Is very easy when you reach the second WriteMemoryProcess y you look in the buffer the 2 bytes will be copied are the bytes of the EP (not OEP), of the father (and the son too), well you can change this bytes to EB FE, and run, the father will be RUNNING and the son looping in your proper EP.
In this moment you can pause the father and detach the son BUT DONT CLOSE THE OLLY WITH THE FATHER AND DONT CLOSE THE FATHER PROCESS, ONLY MINIMIZE.
Open other ollydbg atach the son and quit the infinite loop of the oep, and if you dont close the father, the son run in rhe same form an armadillo without copymem2, and unpack in this form.

ah mi FTP is

ftp://curso:[email protected]/

user:curso
pass:curso

carpeta NUEVO CURSO-TEORIASand crackslatinos page is

http://www.crackslatinos.hispadominio.net/

Ricardo

#15 11-08-2003, 02:32

Mr Ricardo

Following the <<150-ARMADILLO .... >

I reach here
<<
In this moment you can pause the father and detach the son BUT DONT CLOSE THE OLLY WITH THE FATHER AND DONT CLOSE THE FATHER PROCESS, ONLY MINIMIZE.
>>
and how do you do to detach the son ? I don't see in OLLY cmd any detach option.

And if I go on << Open other ollydbg atach the son and quit the infinite loop of the oep ... >>
OLLY reject by "Unable to attach ... ".

Thanks for reply