Tuts 4 You

Unpackme Armadillo 5.0 (latest Version)



MadOldschool
Posted
I think it looks very wrong.

I don't know exactly what you are trying to unpack. Which protection?

You can download a very good Arma tool by MOID that can analyze

what you are dealing with.

http://anonym.to/?http://www.tuts4you.com/...amp;hl=intruder

greetz

Thx....

this is what it said:

Armadillo version: 4.66

Build date: 2007-03-12

OEP VA: 004E7E22

Raw options: 00E3AA52

-=Protection=-

Strategic Code Splicing enabled.

Import Elimination enabled.

Debug Blocker enabled.

Nanomites enabled.

Posted

Hi MadOldschool,

Are you trying to unpack an UnpackMe or an app?

I could get a better overview if you tell me the name of it.

Only for the unpack part, so I can help you better.

MadOldschool
Posted
Hi MadOldschool,

Are you trying to unpack an UnpackMe or an app?

I could get a better overview if you tell me the name of it.

Only for the unpack part, so I can help you better.

I'm trying to unpack an app

http://stream.ifolder.ru/2600038

press Next --> enter the captcha code --> press Next

thx in advance

----------------------------------------------------------------

Just as a brief overview of what I'm trying to do:

1. get past the debug blocker

2. Find 2 IATs and RETN on them

3. Get to the OEP

4. Unpack with ImpRec to defeat code splicing

Correct?

Posted

Hello MadOldschool,

I have now unpacked this app. I'll explain a little bit to you now, but not all of how to unpack it

by hand.

1. DebugBlocker

Set BP on OpenMutexA / second break (back to user code)

00951E67  85C0            TEST EAX,EAX
00951E69  0F85 7A020000   JNZ HoldemIn.009520E9   <---- Change to JE
00951E6F  6A 01           PUSH 1

2. Set BP on GetModuleHandleA for the Magic Jump / I have explained this to you before.

013F6855  FF15 E4714101   CALL DWORD PTR DS:[14171E4]    ; kernel32.LoadLibraryA
013F685B  8B0D AC554201   MOV ECX,DWORD PTR DS:[14255AC]
013F6861  89040E          MOV DWORD PTR DS:[ESI+ECX],EAX ; kernel32.77E40000
013F6864  A1 AC554201     MOV EAX,DWORD PTR DS:[14255AC]
013F6869  391C06          CMP DWORD PTR DS:[ESI+EAX],EBX
013F686C  0F84 2F010000   JE 013F69A1                    <---- Magic Jump, change to JMP

3. Set BP on CreateThread, on the RET 18 of this API.

After the break, trace until you reach the CALL ECX and step in.

004EC9A2  E8 0F040000        CALL HoldemIn.004ECDB6   <---- OEP
004EC9A7  ^ E9 35FDFFFF      JMP HoldemIn.004EC6E1
004EC9AC  68 F8C54E00        PUSH HoldemIn.004EC5F8
004EC9B1  64:FF35 00000000   PUSH DWORD PTR FS:[0]
004EC9B8  8B4424 10          MOV EAX,DWORD PTR SS:[ESP+10]

Now just look into a call and search for an IAT pointer or call.

004ECDF1  8B75 FC         MOV ESI,DWORD PTR SS:[EBP-4]
004ECDF4  3375 F8         XOR ESI,DWORD PTR SS:[EBP-8]
004ECDF7  FF15 34176B01   CALL DWORD PTR DS:[16B1734]   ; kernel32.GetCurrentProcessId

Follow an IAT call in the dump/memory and find the start of the IAT.

016B105C  00080102
016B1060  7820921B  MFC80.7820921B   <--- IAT start
016B1064  781FE238  MFC80.781FE238
016B1068  7821C352  MFC80.7821C352
...
016B206C  00000000                   <--- IAT end

016B206C - 016B1060 = 100C (size)

Now find the Code Splicing. Scroll up to the start in Olly and you will see this (the address is always different).

0040105E    CC                INT3
0040105F    CC                INT3
00401060    83EC 14           SUB ESP,14
00401063  - E9 98EF7F01       JMP 01C00000                  <-- Jump into Code Splicing section
00401068    66:87FE           XCHG SI,DI
0040106B    66:87C9           XCHG CX,CX
0040106E    57                PUSH EDI                      ; HoldemIn.00990130
0040106F    5F                POP EDI                       ; 01410ECC
00401070    66:87FE           XCHG SI,DI
00401073    FF15 D4196B01     CALL DWORD PTR DS:[16B19D4]   ; OLEAUT32.VariantInit
00401079  - E9 9DEF7F01       JMP 01C0001B                  <-- Jump into Code Splicing section
0040107E    51                PUSH ECX                      ; HoldemIn.004EC9A2
0040107F    66:96             XCHG AX,SI

Now you can look into the Memory Map to find this section, 01C00000 (important: the section is dynamic

and changes). This time the section is 01C00000, size 20000. Look down and note the R E under Access.

Now you can fix it by yourself, or you use a tool called ArmInline 0.96 to repair all.

I have used this tool in this case. I won't explain now how to fix the protections manually.

I'll explain to you how to use this tool.

(screenshot: 4zbyij7.jpg)

You should be able to work through some tutorials to read up on this protection and do it manually.

The Nano_Fix dump is 8.6 MB and works fine.

greetz

MadOldschool
Posted (edited)

WOW LCF... I'm speechless.

Thank You.

Edited by MadOldschool
