Tuts 4 You

[unpackme] Armadillo v6.0.0 Custom Build


acidflash


Here is the latest and 'greatest' Armadillo with all the toys used to protect my unpackme.

PM or Post valid dumps, I wish to know how hard this is over v5

-acid

Working key to unlock secure sections, only use if your skills can't handle them :)

TUTS4YOU
000016-DJFTC0-8C0BU3-Z7WHXX-P4WZC7-5KP8N5-VRZFNE-8C4JJR-1F7VNN-HKQUPK

UnPackMe_Armadillo_v6.rar

Edited by acidflash
Link to comment

ArmInLine nano handler no longer works on this.

CopyMemII/Nano handler is different.

Shouldn't be too hard to do, I unpacked it so far, but can't fix nano's cause I dunno how to do them by hand.

Link to comment

haven't looked into the unpackme but I would say this v6 has no difference at all compared to v5...in terms of difficulty of unpacking it...

Edited by stephenteh
Link to comment

yeah, stephenteh is right. Nothing is special in new version. ArmInline worked fine.

After unpacking, just fix the key check of Armadillo (very simple, same as the old version).

http://rapidshare.com/files/128951638/Dumped_fix5.rar
Link to comment

Hrm... ArmInLine just hangs forever here... weird.

:EDIT:

Ok, I had to kill the Parent Process first or it would hang, hehehe.

Unpacked.rar

Unpacked =]

Edited by Fungus
Link to comment

unpacked and running in trial mode... Not defeated.. If you did it correctly you would have locked sections w/ code that's missing from your dump..

Please watch the movie I posted above to see how it should work.

-acid

Link to comment

Hello,

do you mean the trial mode in the unpacked file? There is no trial mode anymore.

It just checks some variables. Just need to patch this routine at SUB ESP,400

to

inc eax

ret

and all is running without nag and forever.

greetz

Link to comment

You mean it has secured sections?

There's no way I know of to defeat that without proper key.

If you give me valid key I will unpack it fully. =]

Edited by Fungus
Link to comment

Yes, SECURED_A & SECURED_B need to be unlocked, that's part of the challenge. The msg boxes are to prove the section is unlocked, not at all meant to be NAGS.... Think of them as "good job" pats

I'll also post a working key in a few days... I really wish people to own this.

-acid

Edited by acidflash
Link to comment

Well I have tried to defeat secured sections many times without a key, and just have not found any way to do it. If someone knows a way, I and many others would love to know how to do so.

Link to comment

Might want to look at my first post for this unpackme, i just edited it :>

Link to comment

I think the problem is like a WinRAR password. When you have the password for extracting files, everything is simple. If you don't have it, you must bruteforce. But it's impossible with a complex password.

Link to comment

in http://reversengineering.wordpress.com/

say this

is a tutorial from rea for solve this armadillo 6

nice tut from Why not bar but the language of this tut is not en !

http://rapidshare.com/files/129417421/MUP_Armadillo_v600.rar

http://rapidshare.com/files/129420055/UnPa...rmadillo_v6.rar

http://rapidshare.com/files/129421376/File...ed_And_more.rar

maybe it is better that others unpack because it includes the injection of dll and key etc :S

it is in Vietnamese ;)

Link to comment

hi!

i've unpacked it fully (including secured_a & secured_B) with the key.

well, the protected exe doesn't work on my pc (it shows an error instead of the second "congratulations..."-messagebox and shuts down) but the deprotected one works fine. ;)

as i trace through the copymem-routine, i figured out that the secured code is already in the coded pages.

that means the secured parts are not inserted while decoding the single pages but when the child-process is fired up (i think)

i haven't worked on armadillo for a long time and to be honest: since this unpackme i've never heard of secured code at all

:blush:

anyone knows where the protected code is injected or has a hint where to start searching for this part of protection?

XytroX

Link to comment

I have analyzed it before, so I take this from another post I made elsewhere.

This is from an Arma 5.xx protected app. Basic example of the code which writes the secured sections to the process memory. The table is left incomplete unless you have a valid key.

If you get anywhere with it, please share =]

Secured Section Table (incomplete)

00 00 00 00 00 00 00 00
7B EC 03 00 C1 D1 C1 9A
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
F0 E8 03 00 C2 3E FD D1
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00

Secured Section Struct {uLong Offset Destination Address; uLong Decrypt Key}

003C6CEC C705 28413D00 A44B3D00 MOV DWORD PTR DS:[3D4128], 3D4BA4 ; start of secured sections
003C6CF6 A1 889F3D00 MOV EAX, DWORD PTR DS:[3D9F88]
003C6CFB 8B80 70050000 MOV EAX, DWORD PTR DS:[EAX+570]
003C6D01 8985 18DBFFFF MOV DWORD PTR SS:[EBP-24E8], EAX ; table pointer
003C6D07 83A5 44DBFFFF 00 AND DWORD PTR SS:[EBP-24BC], 0
003C6D0E EB 0D JMP SHORT 003C6D1D
003C6D10 8B85 44DBFFFF MOV EAX, DWORD PTR SS:[EBP-24BC] ; secured section number
003C6D16 40 INC EAX
003C6D17 8985 44DBFFFF MOV DWORD PTR SS:[EBP-24BC], EAX ; secured section number
003C6D1D A1 889F3D00 MOV EAX, DWORD PTR DS:[3D9F88]
003C6D22 66:8B80 6C050000 MOV AX, WORD PTR DS:[EAX+56C] ; number of secured sections
003C6D29 66:8985 D4ACFFFF MOV WORD PTR SS:[EBP+FFFFACD4], AX
003C6D30 0FB785 D4ACFFFF MOVZX EAX, WORD PTR SS:[EBP+FFFFACD4]
003C6D37 3985 44DBFFFF CMP DWORD PTR SS:[EBP-24BC], EAX ; check if all secured sections decrypted
003C6D3D 0F8D EC010000 JGE 003C6F2F
003C6D43 8B85 18DBFFFF MOV EAX, DWORD PTR SS:[EBP-24E8] ; destination of secured section
003C6D49 8B00 MOV EAX, DWORD PTR DS:[EAX]
003C6D4B 8985 ECC3FFFF MOV DWORD PTR SS:[EBP-3C14], EAX
003C6D51 8B85 18DBFFFF MOV EAX, DWORD PTR SS:[EBP-24E8]
003C6D57 83C0 04 ADD EAX, 4
003C6D5A 8985 18DBFFFF MOV DWORD PTR SS:[EBP-24E8], EAX ; decryption key
003C6D60 8B85 18DBFFFF MOV EAX, DWORD PTR SS:[EBP-24E8]
003C6D66 8B00 MOV EAX, DWORD PTR DS:[EAX]
003C6D68 8985 F0C3FFFF MOV DWORD PTR SS:[EBP-3C10], EAX
003C6D6E 8B85 18DBFFFF MOV EAX, DWORD PTR SS:[EBP-24E8]
003C6D74 83C0 04 ADD EAX, 4
003C6D77 8985 18DBFFFF MOV DWORD PTR SS:[EBP-24E8], EAX ; address of secured section (fetch)
003C6D7D A1 94203E00 MOV EAX, DWORD PTR DS:[3E2094]
003C6D82 66:8B00 MOV AX, WORD PTR DS:[EAX]
003C6D85 66:8985 F4C3FFFF MOV WORD PTR SS:[EBP-3C0C], AX
003C6D8C A1 94203E00 MOV EAX, DWORD PTR DS:[3E2094]
003C6D91 40 INC EAX
003C6D92 40 INC EAX
003C6D93 A3 94203E00 MOV DWORD PTR DS:[3E2094], EAX ; length of secured section
003C6D98 0FB785 F4C3FFFF MOVZX EAX, WORD PTR SS:[EBP-3C0C]
003C6D9F 50 PUSH EAX
003C6DA0 FF35 94203E00 PUSH DWORD PTR DS:[3E2094] ; start of data
003C6DA6 8D85 ECB3FFFF LEA EAX, DWORD PTR SS:[EBP+FFFFB3EC] ; buffer (stack)
003C6DAC 50 PUSH EAX
003C6DAD E8 DE660000 CALL 003CD490 ; JMP to msvcrt.memcpy
003C6DB2 83C4 0C ADD ESP, 0C
003C6DB5 0FB785 F4C3FFFF MOVZX EAX, WORD PTR SS:[EBP-3C0C] ; length of secured section
003C6DBC 8B0D 94203E00 MOV ECX, DWORD PTR DS:[3E2094] ; start of data
003C6DC2 03C8 ADD ECX, EAX
003C6DC4 890D 94203E00 MOV DWORD PTR DS:[3E2094], ECX ; end of data to copy
003C6DCA 83BD ECC3FFFF 00 CMP DWORD PTR SS:[EBP-3C14], 0 ; decrypt or not | 1 = decrypt
003C6DD1 0F84 53010000 JE 003C6F2A
003C6DD7 8B85 F0C3FFFF MOV EAX, DWORD PTR SS:[EBP-3C10] ; decryption key
003C6DDD 8985 E0B3FFFF MOV DWORD PTR SS:[EBP+FFFFB3E0], EAX
003C6DE3 8D85 ECB3FFFF LEA EAX, DWORD PTR SS:[EBP+FFFFB3EC] ; start of buffer (stack)
003C6DE9 8985 E8B3FFFF MOV DWORD PTR SS:[EBP+FFFFB3E8], EAX ; pointer to buffer
003C6DEF 0FB785 F4C3FFFF MOVZX EAX, WORD PTR SS:[EBP-3C0C] ; length of secured section
003C6DF6 8B8D E8B3FFFF MOV ECX, DWORD PTR SS:[EBP+FFFFB3E8] ; start of buffer (stack)
003C6DFC 03C8 ADD ECX, EAX
003C6DFE 898D E4B3FFFF MOV DWORD PTR SS:[EBP+FFFFB3E4], ECX ; end of buffer (stack)
003C6E04 EB 0D JMP SHORT 003C6E13 ; jump into decrypt loop
003C6E06 8B85 E8B3FFFF MOV EAX, DWORD PTR SS:[EBP+FFFFB3E8] ; start of buffer
003C6E0C 40 INC EAX ; increment buffer pointer
003C6E0D 8985 E8B3FFFF MOV DWORD PTR SS:[EBP+FFFFB3E8], EAX ; save buffer pointer
003C6E13 8B85 E8B3FFFF MOV EAX, DWORD PTR SS:[EBP+FFFFB3E8] ; start of buffer (stack)
003C6E19 3B85 E4B3FFFF CMP EAX, DWORD PTR SS:[EBP+FFFFB3E4] ; end of buffer stack
003C6E1F 73 1F JNB SHORT 003C6E40 ; branch if complete
003C6E21 8D8D E0B3FFFF LEA ECX, DWORD PTR SS:[EBP+FFFFB3E0] ; address of decryption key
003C6E27 E8 14A2FDFF CALL 003A1040 ; decrypt buffer
003C6E2C 8B8D E8B3FFFF MOV ECX, DWORD PTR SS:[EBP+FFFFB3E8] ; start of buffer (stack)
003C6E32 8A09 MOV CL, BYTE PTR DS:[ECX] ; get encrypted byte
003C6E34 32C8 XOR CL, AL ; decrypt it
003C6E36 8B85 E8B3FFFF MOV EAX, DWORD PTR SS:[EBP+FFFFB3E8] ; destination in buffer (stack)
003C6E3C 8808 MOV BYTE PTR DS:[EAX], CL ; store decrypted byte in buffer
003C6E3E ^ EB C6 JMP SHORT 003C6E06 ; loop
003C6E40 8D85 DCB3FFFF LEA EAX, DWORD PTR SS:[EBP+FFFFB3DC] ; old protect
003C6E46 50 PUSH EAX
003C6E47 6A 04 PUSH 4 ; new protect
003C6E49 0FB785 F4C3FFFF MOVZX EAX, WORD PTR SS:[EBP-3C0C] ; number of bytes
003C6E50 50 PUSH EAX
003C6E51 8B85 10DAFFFF MOV EAX, DWORD PTR SS:[EBP-25F0] ; image base
003C6E57 0385 ECC3FFFF ADD EAX, DWORD PTR SS:[EBP-3C14] ; offset of destination
003C6E5D 50 PUSH EAX ; address of destination
003C6E5E FF15 24E13C00 CALL NEAR DWORD PTR DS:[3CE124] ; kernel32.VirtualProtect
003C6E64 A0 64813D00 MOV AL, BYTE PTR DS:[3D8164]
003C6E69 8885 BCACFFFF MOV BYTE PTR SS:[EBP+FFFFACBC], AL
003C6E6F 0FB685 BCACFFFF MOVZX EAX, BYTE PTR SS:[EBP+FFFFACBC]
003C6E76 85C0 TEST EAX, EAX
003C6E78 74 64 JE SHORT 003C6EDE ; seems to branch always
003C6E7A 6A 00 PUSH 0 ; no idea what this does
003C6E7C 0FB785 F4C3FFFF MOVZX EAX, WORD PTR SS:[EBP-3C0C]
003C6E83 50 PUSH EAX
003C6E84 8B85 10DAFFFF MOV EAX, DWORD PTR SS:[EBP-25F0]
003C6E8A 0385 ECC3FFFF ADD EAX, DWORD PTR SS:[EBP-3C14]
003C6E90 50 PUSH EAX
003C6E91 E8 03110000 CALL 003C7F99
003C6E96 83C4 0C ADD ESP, 0C
003C6E99 0FB785 F4C3FFFF MOVZX EAX, WORD PTR SS:[EBP-3C0C]
003C6EA0 50 PUSH EAX
003C6EA1 8D85 ECB3FFFF LEA EAX, DWORD PTR SS:[EBP+FFFFB3EC]
003C6EA7 50 PUSH EAX
003C6EA8 8B85 10DAFFFF MOV EAX, DWORD PTR SS:[EBP-25F0]
003C6EAE 0385 ECC3FFFF ADD EAX, DWORD PTR SS:[EBP-3C14]
003C6EB4 50 PUSH EAX
003C6EB5 E8 D6650000 CALL 003CD490 ; JMP to msvcrt.memcpy
003C6EBA 83C4 0C ADD ESP, 0C
003C6EBD 6A 01 PUSH 1
003C6EBF 0FB785 F4C3FFFF MOVZX EAX, WORD PTR SS:[EBP-3C0C]
003C6EC6 50 PUSH EAX
003C6EC7 8B85 10DAFFFF MOV EAX, DWORD PTR SS:[EBP-25F0]
003C6ECD 0385 ECC3FFFF ADD EAX, DWORD PTR SS:[EBP-3C14]
003C6ED3 50 PUSH EAX
003C6ED4 E8 C0100000 CALL 003C7F99
003C6ED9 83C4 0C ADD ESP, 0C
003C6EDC EB 24 JMP SHORT 003C6F02
003C6EDE 0FB785 F4C3FFFF MOVZX EAX, WORD PTR SS:[EBP-3C0C] ; length of secured section
003C6EE5 50 PUSH EAX
003C6EE6 8D85 ECB3FFFF LEA EAX, DWORD PTR SS:[EBP+FFFFB3EC] ; start of buffer (stack)
003C6EEC 50 PUSH EAX
003C6EED 8B85 10DAFFFF MOV EAX, DWORD PTR SS:[EBP-25F0] ; image base
003C6EF3 0385 ECC3FFFF ADD EAX, DWORD PTR SS:[EBP-3C14] ; offset of destination
003C6EF9 50 PUSH EAX ; address of destination
003C6EFA E8 91650000 CALL 003CD490 ; JMP to msvcrt.memcpy
003C6EFF 83C4 0C ADD ESP, 0C
003C6F02 8D85 DCB3FFFF LEA EAX, DWORD PTR SS:[EBP+FFFFB3DC] ; old protect
003C6F08 50 PUSH EAX
003C6F09 FFB5 DCB3FFFF PUSH DWORD PTR SS:[EBP+FFFFB3DC] ; new protect
003C6F0F 0FB785 F4C3FFFF MOVZX EAX, WORD PTR SS:[EBP-3C0C] ; length of secured section
003C6F16 50 PUSH EAX
003C6F17 8B85 10DAFFFF MOV EAX, DWORD PTR SS:[EBP-25F0] ; image base
003C6F1D 0385 ECC3FFFF ADD EAX, DWORD PTR SS:[EBP-3C14] ; offset of destination
003C6F23 50 PUSH EAX ; address of destination
003C6F24 FF15 24E13C00 CALL NEAR DWORD PTR DS:[3CE124] ; kernel32.VirtualProtect
003C6F2A ^ E9 E1FDFFFF JMP 003C6D10 ; end of secured sections (loop)

You can reach this code very easily: after breaking on VirtualProtect as normal to fix Import Redirection, scroll down and look for the call to VirtualProtect with the jmp immediately after; 003C6F2A in this example.

Link to comment
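
A simplified C model of the loop in the listing above, added here as an illustration; it is not code from the thread or from Armadillo. It shows why a zeroed table entry leaves a section missing: the length-prefixed data is still consumed, but nothing is written. The names, the LCG keystream (the routine behind CALL 003A1040 is not shown on the page) and the sample bytes are assumptions constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* One table entry, per the post's "Secured Section Struct". */
typedef struct { uint32_t dest_offset; uint32_t key; } sec_entry;

/* Stand-in keystream (constructed LCG): the page does not show the routine
   behind CALL 003A1040, only that its result is XORed into each byte. */
static uint8_t next_key_byte(uint32_t *state) {
    *state = *state * 1664525u + 1013904223u;
    return (uint8_t)(*state >> 24);
}

/* Walk the table like the listing. Returns sections written, -1 on bad input. */
int apply_secured_sections(const sec_entry *tab, size_t n,
                           const uint8_t *blob, size_t blob_len,
                           uint8_t *image, size_t image_len) {
    size_t pos = 0;
    int written = 0;
    for (size_t i = 0; i < n; i++) {
        if (blob_len - pos < 2) return -1;
        size_t len = (size_t)blob[pos] | ((size_t)blob[pos + 1] << 8); /* WORD length */
        pos += 2;
        if (len > blob_len - pos) return -1;
        const uint8_t *src = blob + pos;
        pos += len;                          /* data is consumed even when skipped */
        uint32_t off = tab[i].dest_offset;
        if (off == 0) continue;              /* CMP [EBP-3C14],0 / JE: nothing written */
        if (off > image_len || len > image_len - off) return -1;
        uint32_t st = tab[i].key;
        for (size_t j = 0; j < len; j++)
            image[off + j] = (uint8_t)(src[j] ^ next_key_byte(&st));
        written++;
    }
    return written;
}

/* Constructed demo: two sections in the blob, table entry 0 left zeroed. */
int demo(uint8_t *image, size_t image_len) {
    const uint8_t plain[4] = { 0x90, 0x90, 0xC3, 0xCC };   /* sample bytes */
    uint8_t blob[12] = { 4, 0, 0, 0, 0, 0, 4, 0 };         /* [len][data][len][data] */
    sec_entry tab[2] = { { 0, 0 }, { 0x20, 0x12345678u } };/* constructed key */
    uint32_t st = tab[1].key;
    memcpy(blob + 2, plain, 4);                            /* section 0 stays locked */
    for (int j = 0; j < 4; j++) blob[8 + j] = (uint8_t)(plain[j] ^ next_key_byte(&st));
    return apply_secured_sections(tab, 2, blob, sizeof blob, image, image_len);
}

int main(void) { uint8_t img[64] = {0}; return demo(img, sizeof img) == 1 ? 0 : 1; }
```
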

thanks Fungus!

i've found it in the unpackme although it's slightly different ( XOR EAX,ECX instead of XOR CL,AL and so on...)

and i agree with you - i can't see a way to beat it without a valid key since brute-forcing can take a while... or two...

but it was interesting to have a look at it.

regards...

XytroX

Link to comment

a valid key is now edited into the first post. It's for TUTS4YOU. Read my first post.

-acid

Link to comment
Secured Section Table (incomplete)

It has been stated on a post on the Arteam site regarding

this unpackme from *EvOlUtIoN* that by:

Notice that in this unpackme the only necessary thing is to inject 3 environment variables:

ArmServer

ALTUSERNAME

USERKEY

If you put something in those variables before EP, all go well, even if data are not correct.

any comments?

one question for you, acidflash, on the "Armadillo not detected" nag screen. Is this only

generated if the ALTUSERNAME variable is not found?

cheers

Edited by CondZero
Link to comment

That is incorrect, and that tut by whynotbar is also incorrect...

As in his little video, Secured_A and Secured_B nag boxes should show up. These are contained in secured sections, which will only be written to the process memory if you enter the key he provided =]

Link to comment

Hrm that is interesting indeed!

and which point do these EV's need to be injected? wonder how to do that, if so, then secured sections are defeatable without valid key, and that would be very very cool. :D

Link to comment

Correct! nice job btw! A true artist with Armadillo :P


if (!GetEnvironmentVariable("ALTUSERNAME", name, 255)) {
    MessageBox(0, "Armadillo not detected!", "ERROR!", MB_OK | MB_ICONERROR);
    return false;
}
Link to comment
and which point do these EV's need to be injected?

Preferably before the OEP using JMP (code cave) JMP back, although I'm sure it can be at any point

before they are referenced by GetEnvironmentVariableA ...

cheers

Link to comment

I don't think you can decrypt the secure section by setting ArmServer, ALTUSERNAME, USERKEY variables... My guess is that "EvOlUtIoN" registered the unpackme using the key and unpacked it.

Link to comment
