Tuts 4 You

[unpackme] Armadillo 4.66


Teddy Rogers


Works fine here... :dunno:

Ted.

How do I execute this kind of application, sir... for what, for example... please upload the tutorial, sir.... :yahoo:


Me too, also working.....

@loki

My question is how to use this application and how it is important... please give me an idea... where is this to be used? :yahoo::yahoo:


It's an unpackme. It's a set of basic files packed with Armadillo 4.66.

You don't 'use' it, you try and remove the Armadillo protection from it.

Edited by Loki

Apakekdah, you might need to check your Olly's settings, bro'. There could be a problem there, not in the UnPackMes. As I see you are trying to unpack them, I think they run fine without OllyDbg, true?! Try checking any configurations like AdvancedOlly's or the debugging settings, or any other plugin that hooks a few APIs or something. Perhaps your last work needed configurations which are not needed for this file........!!


Don't know what the differences are from the previous versions, and what is more, DilloDIE unpacks it successfully!

Does someone know what the differences are??! :S


@Ox87k

I think the version, of course, and Nanomites...

@Angel-55

It works now...

I don't know what happened with my PC; I'm just reinstalling Windows...

and everything works...

@All

Sorry for disturbing... :D

  • 4 weeks later...

I was working on this unpackme and I ran into a problem on CopyMemII + Standard. I just cannot figure out where the problem is, the magic jump. Can anyone give me a clue? BTW, I tried reading other tutorials on this, but none were for version 4.66. Also, I know version 4.66 has been out for a while; I'm just testing AvAtAr's new armadetach v1.2.


Hello What,

You're trying to unpack "UnPackMe_Armadillo 4.66.c.exe", right? OK.

If you want to get the Magic Jump, you must set a BP on GetModuleHandleA after you have attached the child process and changed the bytes.

After the third break on this API you can trace out and look down.

00AB64BD  FF15 C070AD00   CALL DWORD PTR DS:[AD70C0]        ; kernel32.GetModuleHandleA
00AB64C3  8B0D AC55AE00   MOV ECX,DWORD PTR DS:[AE55AC]
00AB64C9  89040E          MOV DWORD PTR DS:[ESI+ECX],EAX
00AB64CC  A1 AC55AE00     MOV EAX,DWORD PTR DS:[AE55AC]
00AB64D1  391C06          CMP DWORD PTR DS:[ESI+EAX],EBX
00AB64D4  75 2E           JNZ SHORT 00AB6504
00AB64D6  F647 04 02      TEST BYTE PTR DS:[EDI+4],2
00AB64DA  74 12           JE SHORT 00AB64EE
00AB64DC  B9 980FAE00     MOV ECX,0AE0F98
00AB64E1  E8 C16BFFFF     CALL 00AAD0A7
00AB64E6  84C0            TEST AL,AL
00AB64E8  0F84 53010000   JE 00AB6641
00AB64EE  8D85 B4FEFFFF   LEA EAX,DWORD PTR SS:[EBP-14C]
00AB64F4  50              PUSH EAX
00AB64F5  FF15 E471AD00   CALL DWORD PTR DS:[AD71E4]        ; kernel32.LoadLibraryA
00AB64FB  8B0D AC55AE00   MOV ECX,DWORD PTR DS:[AE55AC]
00AB6501  89040E          MOV DWORD PTR DS:[ESI+ECX],EAX
00AB6504  A1 AC55AE00     MOV EAX,DWORD PTR DS:[AE55AC]
00AB6509  391C06          CMP DWORD PTR DS:[ESI+EAX],EBX
00AB650C  0F84 2F010000   JE 00AB6641                       <----------- Magic Jump, change to JMP

Then you can go to the OEP. You know how, right?

If you reach the OEP, you will see this.

004271B0  CD 5E           INT 5E                            <--------- OEP before
004271B2  64:3B67 BD      CMP ESP,DWORD PTR FS:[EDI-43]
004271B6  E8 5FDDD5E0     CALL E1184F1A
004271BB  99              CDQ
004271BC  0A97 883539D5   OR DL,BYTE PTR DS:[EDI+D5393588]
004271C2  8851 98         MOV BYTE PTR DS:[ECX-68],DL
004271C5  85EC            TEST ESP,EBP
004271C7  D8BD D5885198   FDIVR DWORD PTR SS:[EBP+985188D5]
004271CD  56              PUSH ESI
004271CE  4C              DEC ESP
004271CF  F9              STC
004271D0  CB              RETF

Now you have to replace the code section (.text) 401000/4A000 with the decrypted section from that child process from before (with an injection, dump this section / first part).

You can do that with the copy and paste function, and after that the OEP looks like this.

004271B0  55              PUSH EBP                          <-------- OEP after
004271B1  8BEC            MOV EBP,ESP
004271B3  6A FF           PUSH -1
004271B5  68 600E4500     PUSH UnPackMe.00450E60
004271BA  68 C8924200     PUSH UnPackMe.004292C8
004271BF  64:A1 00000000  MOV EAX,DWORD PTR FS:[0]
004271C5  50              PUSH EAX                          ; UnPackMe.004C3394
004271C6  64:8925 0000000>MOV DWORD PTR FS:[0],ESP
004271CD  83C4 A8         ADD ESP,-58
004271D0  53              PUSH EBX                          ; UnPackMe.0049F86B
004271D1  56              PUSH ESI
004271D2  57              PUSH EDI                          ; UnPackMe.004CA0E0
004271D3  8965 E8         MOV DWORD PTR SS:[EBP-18],ESP
004271D6  FF15 DC0A4600   CALL DWORD PTR DS:[460ADC]        ; kernel32.GetVersion

Now you can dump and fix and you are done.

I have attached my Fix Dump and the decrypted section.

I hope I could help you.

unpackme_armadillo_4.66.c_LCF_AT.rar

Edited by LCF-AT
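The "copy and paste" step above (overwriting the dump's .text section with the section decrypted in the child process, then checking that the OEP now starts with a normal prologue) can be done on the dump file itself instead of inside OllyDbg. The following script is an added example and is not part of the thread or of LCF-AT's attached fix; it is a minimal PE32 section patcher written for this page. It takes the section address 401000/4A000 and the OEP 004271B0 from the post, assumes an image base of 400000 (implied by those addresses, not stated in the thread), and builds a constructed stand-in PE image so it runs offline; the OEP "before" and "after" bytes are the ones shown in the two listings.

```python
import struct

# Values from the thread: .text at VA 0x401000 with size 0x4A000, OEP at 0x4271B0.
# The image base 0x400000 is an assumption implied by those addresses.
IMAGE_BASE = 0x400000
TEXT_VA = 0x401000
TEXT_SIZE = 0x4A000
OEP_VA = 0x4271B0

# First bytes at the OEP as shown in the listings: still encrypted (INT 5E ...)
# versus decrypted (PUSH EBP / MOV EBP,ESP / PUSH -1 / PUSH 450E60).
OEP_BEFORE = bytes.fromhex("CD5E643B67BD")
OEP_AFTER = bytes.fromhex("558BEC6AFF68600E4500")


def parse_pe(pe: bytes):
    """Return (image_base, entry_rva, sections) for a PE32 file image.
    Each section is (name, virtual_address, virtual_size, raw_pointer, raw_size).
    Only the fields needed for section patching are read; this is not a full parser."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]  # ImageBase
    sections = []
    table = opt + size_of_opt
    for i in range(num_sections):
        off = table + i * 40
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))
    return image_base, entry_rva, sections


def va_to_file_offset(pe: bytes, va: int) -> int:
    """Map a virtual address to its file offset through the section table."""
    image_base, _, sections = parse_pe(pe)
    rva = va - image_base
    for _, sec_va, vsize, raw_ptr, raw_size in sections:
        if sec_va <= rva < sec_va + max(vsize, raw_size):
            return raw_ptr + (rva - sec_va)
    raise ValueError(f"VA {va:#x} is not inside any section")


def replace_section(pe: bytes, section_va: int, decrypted: bytes) -> bytes:
    """Overwrite the raw bytes of the section that starts at section_va.
    The blob must match the section's raw size exactly so nothing next to it is clobbered."""
    image_base, _, sections = parse_pe(pe)
    rva = section_va - image_base
    for name, va, _vsize, raw_ptr, raw_size in sections:
        if va == rva:
            if len(decrypted) != raw_size:
                raise ValueError(f"{name}: blob is {len(decrypted):#x} bytes, "
                                 f"section raw size is {raw_size:#x}")
            out = bytearray(pe)
            out[raw_ptr:raw_ptr + raw_size] = decrypted
            return bytes(out)
    raise ValueError(f"no section starts at VA {section_va:#x}")


def oep_has_frame_prologue(pe: bytes) -> bool:
    """Heuristic sanity check after patching: a VC++ style entry point begins with
    PUSH EBP / MOV EBP,ESP (55 8B EC), as in the 'OEP after' listing. Encrypted
    bytes will almost never decode to that sequence. Not every OEP looks like this."""
    image_base, entry_rva, _ = parse_pe(pe)
    off = va_to_file_offset(pe, image_base + entry_rva)
    return pe[off:off + 3] == b"\x55\x8B\xEC"


def build_sample_dump(text_section: bytes) -> bytes:
    """Constructed minimal PE32 with one .text section, standing in for the dump.
    This is not the unpackme; it is just enough header for the functions above."""
    opt_size, e_lfanew, raw_ptr = 0xE0, 0x40, 0x400
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, OEP_VA - IMAGE_BASE)  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, IMAGE_BASE)           # ImageBase
    sec = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(text_section), TEXT_VA - IMAGE_BASE, len(text_section),
        raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = dos + b"PE\0\0" + coff + bytes(opt) + sec
    return header.ljust(raw_ptr, b"\0") + text_section


def make_text_image(oep_bytes: bytes, fill: int) -> bytes:
    """Constructed section body of the thread's size with oep_bytes at the OEP offset."""
    body = bytearray([fill]) * TEXT_SIZE
    at = OEP_VA - TEXT_VA
    body[at:at + len(oep_bytes)] = oep_bytes
    return bytes(body)


if __name__ == "__main__":
    encrypted_dump = build_sample_dump(make_text_image(OEP_BEFORE, 0xCC))
    fixed_dump = replace_section(encrypted_dump, TEXT_VA, make_text_image(OEP_AFTER, 0x90))
    print("OEP prologue before patch:", oep_has_frame_prologue(encrypted_dump))
    print("OEP prologue after patch: ", oep_has_frame_prologue(fixed_dump))
```

On a real dump you would read the file with `open(path, "rb").read()`, pass the section blob dumped from the child process to `replace_section`, and write the result out; the size check refuses a blob that does not match the section's raw size, which is the usual way a partial dump quietly corrupts the neighbouring section.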
  • 12 years later...
CodeExplorer

Resurrecting a 2007 thread? Hah?

They don't work if you execute them directly from the archive; after extracting to a folder they work fine!
