Unpackme Armadillo 5.0 (latest Version)

[SHKODRAN]

Try to unpack this UnpackMe protected with armadillo 5 (latest version). Good luck!

http://downtown.vc/index.php?page=main&id=5bb1a2202&name=UnpackMe.rar

[zako]

Did you pack it, can you unpack it?

[SHKODRAN]

Did you pack it, can you unpack it?

Of course I packed it and can unpack it too but I want to see if someone else can do it !

[zako]

Of course I packed it and can unpack it too but I want to see if someone else can do it !

Calm down whats with the bold text?. I wanted to know so I didn't waste my time d/l some **** crack request, **** it anyway.

[SHKODRAN]

Ohhhh sorry

Is it better this way?

If I wanted to unpack an application protected with armadillo 5 I could have asked for help,

thing I can do, and not to post an unpackme to see how others does it!!!

What's in your head??

[Ox87k]

This is Armadillo 5?? Are you sure?

[Angel-55]

yeah it is armadillo 5.0 looks nice

i tried unpacking it but i didnt' know used options so i had to figure them out till now i passed CopyMemII + Debug-Blocker but damit i got bored of it......it's a pain in the *** to do all manual XD !

[stephenteh]

it's 5.0 but no nanomites, no import table elimination, no code splicing...anyone has 5.0 unpackme with all protections enabled please pm me

[SHKODRAN]

it's 5.0 but no nanomites, no import table elimination, no code splicing...anyone has 5.0 unpackme with all protections enabled please pm me

Unpak this not you enough this like difficulty?

CoppyMEMII+DebuggBlocker.

[SHKODRAN]

This is Armadillo 5?? Are you sure?

Sign by fly!

[Armadillo 5.00 Dll -> Silicon Realms Toolworks]
signature = 83 7C 24 08 01 75 05 E8 DE 4B 00 00 FF 74 24 04 8B 4C 24 10 8B 54 24 0C E8 ED FE FF FF 59 C2 0C 00 6A 0C 68 ?? ?? ?? ?? E8 E5 24 00 00 8B 4D 08 33 FF 3B CF 76 2E 6A E0 58 33 D2 F7 F1 3B 45 0C 1B C0 40 75 1F E8 8F 15 00 00 C7 00 0C 00 00 00 57 57 57 57 57 E8 20 15 00 00 83 C4 14 33 C0 E9 D5 00 00 00 0F AF 4D 0C 8B F1 89 75 08 3B F7 75 03 33 F6 46 33 DB 89 5D E4 83 FE E0 77 69 83 3D ?? ?? ?? ?? 03 75 4B 83 C6 0F 83 E6 F0 89 75 0C 8B 45 08 3B 05 ?? ?? ?? ?? 77 37 6A 04 E8 D7 23 00 00 59 89 7D FC FF 75 08 E8 EC 53 00 00 59 89 45 E4 C7 45 FC FE FF FF FF E8 5F 00 00 00 8B 5D E4 3B DF 74 11 FF 75 08 57 53 E8 2B C5 FF FF 83 C4 0C 3B DF 75 61 56 6A 08 FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D8 3B DF 75 4C 39 3D ?? ?? ?? ?? 74 33 56 E8 19 ED FF FF 59 85 C0 0F 85 72 FF FF FF 8B 45 10 3B C7 0F 84 50 FF FF FF C7 00 0C 00 00 00 E9 45 FF FF FF 33 FF 8B 75 0C 6A 04 E8 7D 22 00 00 59 C3
ep_only = true

[Armadillo 5.00 -> Silicon Realms Toolworks]
signature = E8 E3 40 00 00 E9 16 FE FF FF 6A 0C 68 ?? ?? ?? ?? E8 44 15 00 00 8B 4D 08 33 FF 3B CF 76 2E 6A E0 58 33 D2 F7 F1 3B 45 0C 1B C0 40 75 1F E8 36 13 00 00 C7 00 0C 00 00 00 57 57 57 57 57 E8 C7 12 00 00 83 C4 14 33 C0 E9 D5 00 00 00 0F AF 4D 0C 8B F1 89 75 08 3B F7 75 03 33 F6 46 33 DB 89 5D E4 83 FE E0 77 69 83 3D ?? ?? ?? ?? 03 75 4B 83 C6 0F 83 E6 F0 89 75 0C 8B 45 08 3B 05 ?? ?? ?? ?? 77 37 6A 04 E8 48 11 00 00 59 89 7D FC FF 75 08 E8 01 49 00 00 59 89 45 E4 C7 45 FC FE FF FF FF E8 5F 00 00 00 8B 5D E4 3B DF 74 11 FF 75 08 57 53 E8 66 D3 FF FF 83 C4 0C 3B DF 75 61 56 6A 08 FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D8 3B DF 75 4C 39 3D ?? ?? ?? ?? 74 33 56 E8 AF F9 FF FF 59 85 C0 0F 85 72 FF FF FF 8B 45 10 3B C7 0F 84 50 FF FF FF C7 00 0C 00 00 00 E9 45 FF FF FF 33 FF 8B 75 0C 6A 04 E8 EE 0F 00 00 59 C3
ep_only = true

[stephenteh]

it's 5.0 but no nanomites, no import table elimination, no code splicing...anyone has 5.0 unpackme with all protections enabled please pm me

Unpak this not you enough this like difficulty?

CoppyMEMII+DebuggBlocker.

huh? what exactly you wanted to say?

[SHKODRAN]

I have intentional to say exactly that in the public version it is

not possible to have all! You would have to know it alone!! Otherwise

it buys the full version and you make one unpackme!!!

Here all!!

[stephenteh]

I have intentional to say exactly that in the public version it is

not possible to have all! You would have to know it alone!! Otherwise

it buys the full version and you make one unpackme!!!

Here all!!

calm down...what's wrong with those exclamation mark....

your post stated "All protection enabled" and never mention it's protected with public version....

[Teddy Rogers]

Here is a tutorial on it by the topic author

http://tuts4you.com/download.php?view.1745

Ted.

[LCF-AT]

Hello @ All,

the unpack scripts by Ricardo 1000 Bytes Method & Tenketsu 1000 Bytes Method

seem do not function here to get a right decrypted code section.

Here my manual unpacked (the clock) fix_dump.

UnpackMe_LCF_AT_Fix.rar

[SHKODRAN]

the unpack scripts by Ricardo 1000 Bytes Method & Tenketsu 1000 Bytes Method

seem do not function here to get a right decrypted code section.

These scripts works fine if you use SnD's Olly

Here my manual unpacked (the clock) fix_dump.

Nice work!!

[ruyi7952]

thanks! nice tuts!

[MadOldschool]

Here is a tutorial on it by the topic author

http://tuts4you.com/download.php?view.1745

Ted.

Total noob question...

In the tutorial you are referencing here, the author is using an Olly plugin to set the breakpoints.

Which plugin is that?

[LCF-AT]

Hello MadOldschool,

here the plugin for olly.

_BP_OLLY_eng.rar

[MadOldschool]

Hello MadOldschool,

here the plugin for olly.

[MadOldschool]

One more question....I'm doing this on diffent app...

When I arrive at

7C801AD0 > 8BFF MOV EDI,EDI ; wl_hook.1004BB68

7C801AD2 55 PUSH EBP

7C801AD3 8BEC MOV EBP,ESP

7C801AD5 FF75 14 PUSH DWORD PTR SS:[EBP+14]

7C801AD8 FF75 10 PUSH DWORD PTR SS:[EBP+10]

7C801ADB FF75 0C PUSH DWORD PTR SS:[EBP+C]

7C801ADE FF75 08 PUSH DWORD PTR SS:[EBP+8]

7C801AE1 6A FF PUSH -1

7C801AE3 E8 75FFFFFF CALL VirtualProtectEx

about half way through the video

the stack looks like this:

0012F750 10004194 /CALL to VirtualProtect from wl_hook.1000418E

0012F754 1004BB68 |Address = wl_hook.1004BB68

0012F758 0000000E |Size = E (14.)

0012F75C 00000040 |NewProtect = PAGE_EXECUTE_READWRITE

0012F760 0012F768 \pOldProtect = 0012F768

when i do Ctrl+F9 and F8 it puts me back to

7C801AD0 > 8BFF MOV EDI,EDI ; wl_hook.1004BB68

7C801AD2 55 PUSH EBP

7C801AD3 8BEC MOV EBP,ESP

7C801AD5 FF75 14 PUSH DWORD PTR SS:[EBP+14]

7C801AD8 FF75 10 PUSH DWORD PTR SS:[EBP+10]

7C801ADB FF75 0C PUSH DWORD PTR SS:[EBP+C]

7C801ADE FF75 08 PUSH DWORD PTR SS:[EBP+8]

7C801AE1 6A FF PUSH -1

7C801AE3 E8 75FFFFFF CALL VirtualProtectEx

I dont get to PUSH 14

What could this mean? I messed it up somewhere?

Edited July 7, 2007 by MadOldschool

[MadOldschool]

I made it to the OEP....

No CAll NEAR ECX there...what do I do??

I got 2 "TEST ECX, ECX" Is the second one what I need?

0094BF4B	83C4 14		 ADD ESP,14
0094BF4E	B0 01		   MOV AL,1
0094BF50	EB 02		   JMP SHORT 0094BF54
0094BF52	32C0			XOR AL,AL
0094BF54	8BE5			MOV ESP,EBP
0094BF56	5D			  POP EBP
0094BF57	C3			  RET
0094BF58	55			  PUSH EBP
0094BF59	8BEC			MOV EBP,ESP
0094BF5B	81EC 48010000   SUB ESP,148
0094BF61	C785 F8FEFFFF 2>MOV DWORD PTR SS:[EBP-108],00982824	 ; ASCII "ArBase Bitmap Window"
0094BF6B	C745 FC 0828980>MOV DWORD PTR SS:[EBP-4],00982808	   ; ASCII "ArBase Test Bitmap Window"
0094BF72	8A45 14		 MOV AL,BYTE PTR SS:[EBP+14]
0094BF75	A2 A4949800	 MOV BYTE PTR DS:[9894A4],AL
0094BF7A	8A4D 10		 MOV CL,BYTE PTR SS:[EBP+10]
0094BF7D	880D A5949800   MOV BYTE PTR DS:[9894A5],CL
0094BF83	8B55 08		 MOV EDX,DWORD PTR SS:[EBP+8]
0094BF86	8915 90949800   MOV DWORD PTR DS:[989490],EDX
0094BF8C	8B45 0C		 MOV EAX,DWORD PTR SS:[EBP+C]
0094BF8F	A3 8C949800	 MOV DWORD PTR DS:[98948C],EAX
0094BF94	8B4D 18		 MOV ECX,DWORD PTR SS:[EBP+18]
0094BF97	81E1 FF000000   AND ECX,0FF
0094BF9D	85C9			TEST ECX,ECX
0094BF9F	74 71		   JE SHORT 0094C012
0094BFA1	8B55 14		 MOV EDX,DWORD PTR SS:[EBP+14]
0094BFA4	81E2 FF000000   AND EDX,0FF
0094BFAA	85D2			TEST EDX,EDX
0094BFAC	75 64		   JNZ SHORT 0094C012
0094BFAE	C605 B1949800 0>MOV BYTE PTR DS:[9894B1],1
0094BFB5	FF15 3C209800   CALL DWORD PTR DS:[<&KERNEL32.GetTickCou>; kernel32.GetTickCount
0094BFBB	05 FA000000	 ADD EAX,0FA
0094BFC0	8985 ECFEFFFF   MOV DWORD PTR SS:[EBP-114],EAX
0094BFC6	68 A8949800	 PUSH 009894A8
0094BFCB	6A 00		   PUSH 0
0094BFCD	6A 00		   PUSH 0
0094BFCF	68 A0C49400	 PUSH 0094C4A0
0094BFD4	6A 00		   PUSH 0
0094BFD6	6A 00		   PUSH 0
0094BFD8	FF15 2C209800   CALL DWORD PTR DS:[<&KERNEL32.CreateThre>; kernel32.CreateThread
0094BFDE	50			  PUSH EAX
0094BFDF	FF15 E8209800   CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; kernel32.CloseHandle
0094BFE5	33C0			XOR EAX,EAX
0094BFE7	A0 B1949800	 MOV AL,BYTE PTR DS:[9894B1]
0094BFEC	85C0			TEST EAX,EAX
0094BFEE	74 18		   JE SHORT 0094C008
0094BFF0	FF15 3C209800   CALL DWORD PTR DS:[<&KERNEL32.GetTickCou>; kernel32.GetTickCount
0094BFF6	3B85 ECFEFFFF   CMP EAX,DWORD PTR SS:[EBP-114]
0094BFFC	73 0A		   JNB SHORT 0094C008
0094BFFE	6A 01		   PUSH 1
0094C000	FF15 A4219800   CALL DWORD PTR DS:[<&KERNEL32.Sleep>]   ; kernel32.Sleep
0094C006  ^ EB DD		   JMP SHORT 0094BFE5
0094C008	B8 01000000	 MOV EAX,1
0094C00D	E9 4E020000	 JMP 0094C260
0094C012	FF15 AC209800   CALL DWORD PTR DS:[<&KERNEL32.GetCurrent>; kernel32.GetCurrentThreadId
0094C018	A3 A8949800	 MOV DWORD PTR DS:[9894A8],EAX
0094C01D	33C9			XOR ECX,ECX
0094C01F	8A0D B0949800   MOV CL,BYTE PTR DS:[9894B0]
[b]0094C025	85C9			TEST ECX,ECX[/b]
0094C027	0F85 B7000000   JNZ 0094C0E4
0094C02D	C785 C4FEFFFF 0>MOV DWORD PTR SS:[EBP-13C],0
0094C037	C785 C8FEFFFF 6>MOV DWORD PTR SS:[EBP-138],0094C264
0094C041	C785 CCFEFFFF 0>MOV DWORD PTR SS:[EBP-134],0
0094C04B	C785 D0FEFFFF 0>MOV DWORD PTR SS:[EBP-130],0

Edited July 7, 2007 by MadOldschool

[MadOldschool]

OK, I'm at the OEP...

Can someone tell me how to convert the Olly OEP address to Import REConstructor 1.6 OEP address

I'm a total noob

[LCF-AT]

Hello MadOldschool,

it

[MadOldschool]

Hello MadOldschool,

it

Edited July 7, 2007 by MadOldschool