Jump to content
Tuts 4 You

[unpackme] Armadillo 4.66

Teddy Rogers

By Teddy Rogers
in UnPackMe

 Share

Recommended Posts

Hasl

Hasl

Posted
Posted
Works fine here... :dunno:

Ted.

how to execute this kind of application sir...for what example....pls...upload the tutorial sir.... :yahoo:

Link to comment
Share on other sites
Hasl

Hasl

Posted
Posted

me to also working.....

@loki

my question how to use this.....application and how it is important pls...give me idea....where to be use this :yahoo::yahoo:

Link to comment
Share on other sites
Loki

Loki

Posted
Posted (edited)

Its an unpackme. Its a set of basic files packed with Armadillo 4.66.

You don't 'use' it, you try and remove the Armadillo protection from it.

Edited by Loki
Link to comment
Share on other sites
Angel-55

Angel-55

Posted
Posted

Apakekdah, you might need to check your olly's settigns bro' there could be a problem there not in the UnPack Me's as i see you are trying to unpack them so i think they run fine without ollydbg true ?! try checking any configurations like AdvancedOlly's or Debugging Settings or any other plugin that hooks a few API's or something perhaps your last work needed configurations which are not needed for this file........!!

Link to comment
Share on other sites
Ox87k

Ox87k

Posted
Posted

Don't know what are the differences with the previus versions and what is more DilloDIE unpack it successfully!

Does someone know which are the differences??! :S

Link to comment
Share on other sites
Apakekdah

Apakekdah

Posted
Posted

@Ox87k

i think the version of course and Nanomites...

@Angel-55

its work now...

i dont know what happend with my PC i'm just reinstalling windows...

and everything work...

@All

Sorry for disturbing... :D

Link to comment
Share on other sites
  • 4 weeks later...
What

What

Posted
Posted

I was working on this unpackme and I ran into a problem on copymemII + standard, i just cannot figure out where the problem is, magic jump. Can anyone give me a clue. BTW I tried reading other tutorials on this, but none were for version 4.66. Also I know version 4.66 has been out for a while, just testing AvAtAr's new armadetach v1.2.

Link to comment
Share on other sites
LCF-AT

LCF-AT

Posted
Posted (edited)

Hello What,

you try to unpack the "UnPackMe_Armadillo 4.66.c.exe" right?Ok.

If you want to get the Magic Jump you must set BP on GetModuleHandleA

after you have attached the child process and changed the bytes.

After the third break on this API you can trace out and look down.

00AB64BD	FF15 C070AD00   CALL DWORD PTR DS:[AD70C0]; kernel32.GetModuleHandleA
00AB64C3	8B0D AC55AE00   MOV ECX,DWORD PTR DS:[AE55AC]
00AB64C9	89040E		  MOV DWORD PTR DS:[ESI+ECX],EAX
00AB64CC	A1 AC55AE00	 MOV EAX,DWORD PTR DS:[AE55AC]
00AB64D1	391C06		  CMP DWORD PTR DS:[ESI+EAX],EBX
00AB64D4	75 2E		   JNZ SHORT 00AB6504
00AB64D6	F647 04 02	  TEST BYTE PTR DS:[EDI+4],2
00AB64DA	74 12		   JE SHORT 00AB64EE
00AB64DC	B9 980FAE00	 MOV ECX,0AE0F98
00AB64E1	E8 C16BFFFF	 CALL 00AAD0A7
00AB64E6	84C0			TEST AL,AL
00AB64E8	0F84 53010000   JE 00AB6641
00AB64EE	8D85 B4FEFFFF   LEA EAX,DWORD PTR SS:[EBP-14C]
00AB64F4	50			  PUSH EAX
00AB64F5	FF15 E471AD00   CALL DWORD PTR DS:[AD71E4]; kernel32.LoadLibraryA
00AB64FB	8B0D AC55AE00   MOV ECX,DWORD PTR DS:[AE55AC]
00AB6501	89040E		  MOV DWORD PTR DS:[ESI+ECX],EAX
00AB6504	A1 AC55AE00	 MOV EAX,DWORD PTR DS:[AE55AC]
00AB6509	391C06		  CMP DWORD PTR DS:[ESI+EAX],EBX
00AB650C	0F84 2F010000   JE 00AB6641  <-----------Magic Jump to JMP

Then you can go to the OEP.You know how,right.

If you reach the OEP you will see this.

004271B0	CD 5E		   INT 5E <---------OEP before
004271B2	64:3B67 BD	  CMP ESP,DWORD PTR FS:[EDI-43]
004271B6	E8 5FDDD5E0	 CALL E1184F1A
004271BB	99			  CDQ
004271BC	0A97 883539D5   OR DL,BYTE PTR DS:[EDI+D5393588]
004271C2	8851 98		 MOV BYTE PTR DS:[ECX-68],DL
004271C5	85EC			TEST ESP,EBP
004271C7	D8BD D5885198   FDIVR DWORD PTR SS:[EBP+985188D5]
004271CD	56			  PUSH ESI
004271CE	4C			  DEC ESP
004271CF	F9			  STC
004271D0	CB			  RETF

Now you have to change the code section (.text) 401000/4A000 with the decrypted

section from that child process before (with a Injection & dump this section/First part).

You can do that with the copy and paste function and after that the OEP it looks so out.

004271B0	55			  PUSH EBP <--------OEP after
004271B1	8BEC			MOV EBP,ESP
004271B3	6A FF		   PUSH -1
004271B5	68 600E4500	 PUSH UnPackMe.00450E60
004271BA	68 C8924200	 PUSH UnPackMe.004292C8
004271BF	64:A1 00000000  MOV EAX,DWORD PTR FS:[0]
004271C5	50			  PUSH EAX						  ; UnPackMe.004C3394
004271C6	64:8925 0000000>MOV DWORD PTR FS:[0],ESP
004271CD	83C4 A8		 ADD ESP,-58
004271D0	53			  PUSH EBX						  ; UnPackMe.0049F86B
004271D1	56			  PUSH ESI
004271D2	57			  PUSH EDI						  ; UnPackMe.004CA0E0
004271D3	8965 E8		 MOV DWORD PTR SS:[EBP-18],ESP
004271D6	FF15 DC0A4600   CALL DWORD PTR DS:[460ADC]		; kernel32.GetVersion

Now you can dump and fix and you are done.

I have attached my Fix Dump and the decrypted section.

I hope i could you help.

unpackme_armadillo_4.66.c_LCF_AT.rar

Edited by LCF-AT
Link to comment
Share on other sites
  • 12 years later...
CodeExplorer

CodeExplorer

Posted
Posted

Resurrecting an 2007 thread? Hah?

They don't work if you execute them directly from archive,
after extracting to an folder they work fine!
 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...