Jump to content
Tuts 4 You

Unpackme Armadillo 5.0 (latest Version)


SHKODRAN

Recommended Posts

Try to unpack this UnpackMe protected with armadillo 5 (latest version). Good luck!

http://downtown.vc/index.php?page=main&id=5bb1a2202&name=UnpackMe.rar
Link to comment
Did you pack it, can you unpack it?

Of course I packed it and can unpack it too but I want to see if someone else can do it !

Link to comment

Of course I packed it and can unpack it too but I want to see if someone else can do it !

Calm down whats with the bold text?. I wanted to know so I didn't waste my time d/l some **** crack request, **** it anyway.

Link to comment

Ohhhh sorry

Is it better this way?

If I wanted to unpack an application protected with armadillo 5 I could have asked for help,

thing I can do, and not to post an unpackme to see how others does it!!!

What's in your head??

Link to comment

yeah it is armadillo 5.0 :D looks nice

i tried unpacking it but i didnt' know used options so i had to figure them out till now i passed CopyMemII + Debug-Blocker but damit i got bored of it......it's a pain in the *** to do all manual XD !

Link to comment

it's 5.0 but no nanomites, no import table elimination, no code splicing...anyone has 5.0 unpackme with all protections enabled please pm me

Link to comment
it's 5.0 but no nanomites, no import table elimination, no code splicing...anyone has 5.0 unpackme with all protections enabled please pm me

Unpak this not you enough this like difficulty?

CoppyMEMII+DebuggBlocker.

Link to comment
This is Armadillo 5?? Are you sure?

Sign by fly!

[Armadillo 5.00 Dll -> Silicon Realms Toolworks]
signature = 83 7C 24 08 01 75 05 E8 DE 4B 00 00 FF 74 24 04 8B 4C 24 10 8B 54 24 0C E8 ED FE FF FF 59 C2 0C 00 6A 0C 68 ?? ?? ?? ?? E8 E5 24 00 00 8B 4D 08 33 FF 3B CF 76 2E 6A E0 58 33 D2 F7 F1 3B 45 0C 1B C0 40 75 1F E8 8F 15 00 00 C7 00 0C 00 00 00 57 57 57 57 57 E8 20 15 00 00 83 C4 14 33 C0 E9 D5 00 00 00 0F AF 4D 0C 8B F1 89 75 08 3B F7 75 03 33 F6 46 33 DB 89 5D E4 83 FE E0 77 69 83 3D ?? ?? ?? ?? 03 75 4B 83 C6 0F 83 E6 F0 89 75 0C 8B 45 08 3B 05 ?? ?? ?? ?? 77 37 6A 04 E8 D7 23 00 00 59 89 7D FC FF 75 08 E8 EC 53 00 00 59 89 45 E4 C7 45 FC FE FF FF FF E8 5F 00 00 00 8B 5D E4 3B DF 74 11 FF 75 08 57 53 E8 2B C5 FF FF 83 C4 0C 3B DF 75 61 56 6A 08 FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D8 3B DF 75 4C 39 3D ?? ?? ?? ?? 74 33 56 E8 19 ED FF FF 59 85 C0 0F 85 72 FF FF FF 8B 45 10 3B C7 0F 84 50 FF FF FF C7 00 0C 00 00 00 E9 45 FF FF FF 33 FF 8B 75 0C 6A 04 E8 7D 22 00 00 59 C3
ep_only = true
[Armadillo 5.00 -> Silicon Realms Toolworks]
signature = E8 E3 40 00 00 E9 16 FE FF FF 6A 0C 68 ?? ?? ?? ?? E8 44 15 00 00 8B 4D 08 33 FF 3B CF 76 2E 6A E0 58 33 D2 F7 F1 3B 45 0C 1B C0 40 75 1F E8 36 13 00 00 C7 00 0C 00 00 00 57 57 57 57 57 E8 C7 12 00 00 83 C4 14 33 C0 E9 D5 00 00 00 0F AF 4D 0C 8B F1 89 75 08 3B F7 75 03 33 F6 46 33 DB 89 5D E4 83 FE E0 77 69 83 3D ?? ?? ?? ?? 03 75 4B 83 C6 0F 83 E6 F0 89 75 0C 8B 45 08 3B 05 ?? ?? ?? ?? 77 37 6A 04 E8 48 11 00 00 59 89 7D FC FF 75 08 E8 01 49 00 00 59 89 45 E4 C7 45 FC FE FF FF FF E8 5F 00 00 00 8B 5D E4 3B DF 74 11 FF 75 08 57 53 E8 66 D3 FF FF 83 C4 0C 3B DF 75 61 56 6A 08 FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D8 3B DF 75 4C 39 3D ?? ?? ?? ?? 74 33 56 E8 AF F9 FF FF 59 85 C0 0F 85 72 FF FF FF 8B 45 10 3B C7 0F 84 50 FF FF FF C7 00 0C 00 00 00 E9 45 FF FF FF 33 FF 8B 75 0C 6A 04 E8 EE 0F 00 00 59 C3
ep_only = true
Link to comment
it's 5.0 but no nanomites, no import table elimination, no code splicing...anyone has 5.0 unpackme with all protections enabled please pm me

Unpak this not you enough this like difficulty?

CoppyMEMII+DebuggBlocker.

huh? what exactly you wanted to say? :unsure:

Link to comment

I have intentional to say exactly that in the public version it is

not possible to have all! You would have to know it alone!! Otherwise

it buys the full version and you make one unpackme!!!

Here all!!

Link to comment
I have intentional to say exactly that in the public version it is

not possible to have all! You would have to know it alone!! Otherwise

it buys the full version and you make one unpackme!!!

Here all!!

calm down...what's wrong with those exclamation mark.... ;)

your post stated "All protection enabled" and never mention it's protected with public version....

Link to comment
the unpack scripts by Ricardo 1000 Bytes Method & Tenketsu 1000 Bytes Method

seem do not function here to get a right decrypted code section.

These scripts works fine if you use SnD's Olly

Here my manual unpacked (the clock) fix_dump.

Nice work!!

Link to comment
MadOldschool

One more question....I'm doing this on diffent app...

When I arrive at

7C801AD0 > 8BFF MOV EDI,EDI ; wl_hook.1004BB68

7C801AD2 55 PUSH EBP

7C801AD3 8BEC MOV EBP,ESP

7C801AD5 FF75 14 PUSH DWORD PTR SS:[EBP+14]

7C801AD8 FF75 10 PUSH DWORD PTR SS:[EBP+10]

7C801ADB FF75 0C PUSH DWORD PTR SS:[EBP+C]

7C801ADE FF75 08 PUSH DWORD PTR SS:[EBP+8]

7C801AE1 6A FF PUSH -1

7C801AE3 E8 75FFFFFF CALL VirtualProtectEx

about half way through the video

the stack looks like this:

0012F750 10004194 /CALL to VirtualProtect from wl_hook.1000418E

0012F754 1004BB68 |Address = wl_hook.1004BB68

0012F758 0000000E |Size = E (14.)

0012F75C 00000040 |NewProtect = PAGE_EXECUTE_READWRITE

0012F760 0012F768 \pOldProtect = 0012F768

when i do Ctrl+F9 and F8 it puts me back to

7C801AD0 > 8BFF MOV EDI,EDI ; wl_hook.1004BB68

7C801AD2 55 PUSH EBP

7C801AD3 8BEC MOV EBP,ESP

7C801AD5 FF75 14 PUSH DWORD PTR SS:[EBP+14]

7C801AD8 FF75 10 PUSH DWORD PTR SS:[EBP+10]

7C801ADB FF75 0C PUSH DWORD PTR SS:[EBP+C]

7C801ADE FF75 08 PUSH DWORD PTR SS:[EBP+8]

7C801AE1 6A FF PUSH -1

7C801AE3 E8 75FFFFFF CALL VirtualProtectEx

I dont get to PUSH 14

What could this mean? I messed it up somewhere?

Edited by MadOldschool
Link to comment
MadOldschool

I made it to the OEP....

No CAll NEAR ECX there...what do I do??

I got 2 "TEST ECX, ECX" Is the second one what I need?

0094BF4B	83C4 14		 ADD ESP,14
0094BF4E B0 01 MOV AL,1
0094BF50 EB 02 JMP SHORT 0094BF54
0094BF52 32C0 XOR AL,AL
0094BF54 8BE5 MOV ESP,EBP
0094BF56 5D POP EBP
0094BF57 C3 RET
0094BF58 55 PUSH EBP
0094BF59 8BEC MOV EBP,ESP
0094BF5B 81EC 48010000 SUB ESP,148
0094BF61 C785 F8FEFFFF 2>MOV DWORD PTR SS:[EBP-108],00982824 ; ASCII "ArBase Bitmap Window"
0094BF6B C745 FC 0828980>MOV DWORD PTR SS:[EBP-4],00982808 ; ASCII "ArBase Test Bitmap Window"
0094BF72 8A45 14 MOV AL,BYTE PTR SS:[EBP+14]
0094BF75 A2 A4949800 MOV BYTE PTR DS:[9894A4],AL
0094BF7A 8A4D 10 MOV CL,BYTE PTR SS:[EBP+10]
0094BF7D 880D A5949800 MOV BYTE PTR DS:[9894A5],CL
0094BF83 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
0094BF86 8915 90949800 MOV DWORD PTR DS:[989490],EDX
0094BF8C 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0094BF8F A3 8C949800 MOV DWORD PTR DS:[98948C],EAX
0094BF94 8B4D 18 MOV ECX,DWORD PTR SS:[EBP+18]
0094BF97 81E1 FF000000 AND ECX,0FF
0094BF9D 85C9 TEST ECX,ECX
0094BF9F 74 71 JE SHORT 0094C012
0094BFA1 8B55 14 MOV EDX,DWORD PTR SS:[EBP+14]
0094BFA4 81E2 FF000000 AND EDX,0FF
0094BFAA 85D2 TEST EDX,EDX
0094BFAC 75 64 JNZ SHORT 0094C012
0094BFAE C605 B1949800 0>MOV BYTE PTR DS:[9894B1],1
0094BFB5 FF15 3C209800 CALL DWORD PTR DS:[<&KERNEL32.GetTickCou>; kernel32.GetTickCount
0094BFBB 05 FA000000 ADD EAX,0FA
0094BFC0 8985 ECFEFFFF MOV DWORD PTR SS:[EBP-114],EAX
0094BFC6 68 A8949800 PUSH 009894A8
0094BFCB 6A 00 PUSH 0
0094BFCD 6A 00 PUSH 0
0094BFCF 68 A0C49400 PUSH 0094C4A0
0094BFD4 6A 00 PUSH 0
0094BFD6 6A 00 PUSH 0
0094BFD8 FF15 2C209800 CALL DWORD PTR DS:[<&KERNEL32.CreateThre>; kernel32.CreateThread
0094BFDE 50 PUSH EAX
0094BFDF FF15 E8209800 CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; kernel32.CloseHandle
0094BFE5 33C0 XOR EAX,EAX
0094BFE7 A0 B1949800 MOV AL,BYTE PTR DS:[9894B1]
0094BFEC 85C0 TEST EAX,EAX
0094BFEE 74 18 JE SHORT 0094C008
0094BFF0 FF15 3C209800 CALL DWORD PTR DS:[<&KERNEL32.GetTickCou>; kernel32.GetTickCount
0094BFF6 3B85 ECFEFFFF CMP EAX,DWORD PTR SS:[EBP-114]
0094BFFC 73 0A JNB SHORT 0094C008
0094BFFE 6A 01 PUSH 1
0094C000 FF15 A4219800 CALL DWORD PTR DS:[<&KERNEL32.Sleep>] ; kernel32.Sleep
0094C006 ^ EB DD JMP SHORT 0094BFE5
0094C008 B8 01000000 MOV EAX,1
0094C00D E9 4E020000 JMP 0094C260
0094C012 FF15 AC209800 CALL DWORD PTR DS:[<&KERNEL32.GetCurrent>; kernel32.GetCurrentThreadId
0094C018 A3 A8949800 MOV DWORD PTR DS:[9894A8],EAX
0094C01D 33C9 XOR ECX,ECX
0094C01F 8A0D B0949800 MOV CL,BYTE PTR DS:[9894B0]
[b]0094C025 85C9 TEST ECX,ECX[/b]
0094C027 0F85 B7000000 JNZ 0094C0E4
0094C02D C785 C4FEFFFF 0>MOV DWORD PTR SS:[EBP-13C],0
0094C037 C785 C8FEFFFF 6>MOV DWORD PTR SS:[EBP-138],0094C264
0094C041 C785 CCFEFFFF 0>MOV DWORD PTR SS:[EBP-134],0
0094C04B C785 D0FEFFFF 0>MOV DWORD PTR SS:[EBP-130],0
Edited by MadOldschool
Link to comment
MadOldschool

OK, I'm at the OEP...

Can someone tell me how to convert the Olly OEP address to Import REConstructor 1.6 OEP address

I'm a total noob :help

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...