Tuts 4 You

[unpackme]Armadillo Version 7.00


thisistest


Hi. This is a test.

<------- 12-10-2009 23:39:49 ------->

\ArmadilloVersion 7.00 Beta-1.exe

!- Protected Armadillo

Protection system (Professional)

!- <Protection Options>

Standard protection or Minimum protection

!- <Backup Key Options>

Fixed Backup Keys

!- <Compression Options>

Better/Slower Compression

!- <Other Options>

4ABFFC80 Version 7.00Beta3 28-09-2009

!- Elapsed Time 00h 00m 02s 234ms

ArmadilloVersion 7.00 Beta-1.rar

Link to comment

Ridiculous protection...

http://www.sendspace.com/file/mcisym

The original unpackme of this was 1000 times harder.

If it's really Armadillo 7, I can say that it is equal to 6, 5 and 4.

Link to comment

Ditto on that note. Here is my dump too. It took me longer to remember how to fix the imports (haven't reversed in quite some time) than it did to fix the hardware ID (I never even attempted Arma's HWID before).

Link to comment

We appear to have taken the same approach to unpacking it then because I also did the VirtualProtect/RET method and changed the eax after a function. I had originally tried the GetModuleHandle way, but I couldn't remember how to do it, I couldn't remember the VirtualProtect way completely either. It took me a while to remember "push 100". I should have just reversed it to fix the imports, but since the developers didn't change anything, I didn't see the point of doing so.

Edited by What
Link to comment

@EvOlUtIoN: HWID is fixable with changing a DWORD if I recall. That DWORD is put in 2 buffers later on, one for sprintf-ing to screen and forgot what the other buffer does. But mainly, yes :-) As you said..

Link to comment
  • 7 months later...
  • 1 month later...

Loki: Keygenning is the same too - this one is V3 Short level 10 though.

SunBeam: Actually.. it's Beta 3 ;-) Don't ask how I know, a surprise is coming.. soon enough ;-)

Looking back on this now, who knew that this was such an omen for those keygenning Armadillo? Seems to have slowed the flow of keygens for a bit, nobody has claimed credit (yet) for breaking the latest incarnation of V3.

HR,

Ghandi

Edited by ghandi
Link to comment
  • 4 weeks later...

Hi. This is a test only.

I do not need the unpacked file.

I am looking for people who know how to unpack this file.

Version 7.40Beta1
http://rghost.ru/2184728

(769 KB)

MD5 019a3dadfc804d1a610aa598537e745b

SHA1 afe718c9639855c207870a4dc7586058729fc54d

Link to comment

This section of code from Armadillo, included in the security DLL (extracted with armaraider), contains the secret of Armadillo. I think that is fixed in the last updates.

10011536 6A 04 PUSH 4
10011538 8D85 18FBFFFF LEA EAX,DWORD PTR SS:[EBP-4E8]
1001153E 50 PUSH EAX
1001153F 8D8D 20FBFFFF LEA ECX,DWORD PTR SS:[EBP-4E0]
10011545 51 PUSH ECX
10011546 E8 15A70400 CALL XXXXXXXXX.1005BC60 ; -> call to SHA algorithm
1001154B 83C4 0C ADD ESP,0C
1001154E 8B95 20FBFFFF MOV EDX,DWORD PTR SS:[EBP-4E0]
10011554 3395 24FBFFFF XOR EDX,DWORD PTR SS:[EBP-4DC]
1001155A 3395 28FBFFFF XOR EDX,DWORD PTR SS:[EBP-4D8]
10011560 3395 2CFBFFFF XOR EDX,DWORD PTR SS:[EBP-4D4]
10011566 3395 18FBFFFF XOR EDX,DWORD PTR SS:[EBP-4E8]
1001156C 8995 14FBFFFF MOV DWORD PTR SS:[EBP-4EC],EDX
10011572 8B85 B8F8FFFF MOV EAX,DWORD PTR SS:[EBP-748]
10011578 8B88 14050000 MOV ECX,DWORD PTR DS:[EAX+514]
1001157E 898D F8F8FFFF MOV DWORD PTR SS:[EBP-708],ECX
10011584 8B95 14FBFFFF MOV EDX,DWORD PTR SS:[EBP-4EC]
1001158A 3B95 F8F8FFFF CMP EDX,DWORD PTR SS:[EBP-708] ; if result of XOR of all DWORD = token implemented in certificate?
10011590 0F85 41010000 JNZ 100116D7 ; IMPORTANT: if equal then the token key xor with HF = valid token key for check key routine

And!.. where is the checksum of the certificate?... IN MEMORY

02827E79 4C 00 2B 50 52 4F 4A 2E 44 4C 4C 00 2B 4D 53 4A L.+PROJ.DLL.+MSJ
02827E89 41 56 41 2E 44 4C 4C 00 2B 4F 4C 45 33 32 2E 44 AVA.DLL.+OLE32.D
02827E99 4C 4C 00 2B 56 44 46 56 4D 38 2E 44 4C 4C 00 2B LL.+VDFVM8.DLL.+
02827EA9 4D 46 43 37 31 2E 44 4C 4C 00 2D 2A 00 00 1B 0B MFC71.DLL.-*.. ; type of level key
02827EB9 D0 20 49 CF A3 B3 25 CA 92 E9 BD B8 A6 63 27 00 Ð IÏ£³%ʒ齸¦c'. ; checksum for SHA algorithm.

This is an example with one certificate, but certificates are continuous. Two bytes for the level key and four for the checksum of the SHA algorithm.

Regards.

Edited by Lito
Link to comment

Lito, where did you get that it's SHA, lol?

I checked out this file, and it seems it's protected with Unsigned level 0; that's why you can't find that checksum.

Anyway, I'll give my keygen if the author publishes 1 correct serial :)

Link to comment

It's only valid for signed keys.

Link to comment

SHA or MD5, it's not important.

Link to comment

Huh?

I did not understand you. What is valid for signed keys?

----UPDATE----

It seems you never reversed Armadillo serial verification by yourself.

The important thing is to figure out the protection, rather than find the checksum & public key by tools or tutorials.

Edited by qpt^J
Link to comment

I am remembering. The call to the algorithm is done if the keys are signed. Though I do not remember it very well.

But it works.

qpt^J, thanks, but the information is only for the one who understands it. Ghandi, evolution, lena, etc. I think that they understand it.

Edited by Lito
Link to comment

It works like this:

After a call of "today", you will jump to one of the calls below.

The first call is for v2 signed, v3 signed, v3 short.

The second call is v1 unsigned.

Here, you have to decrypt the serial using Blowfish.

The decrypted serial has this structure:

symkey xor HWID (32 bit), other info (16 bit), today (16 bit)

Haha, sorry, but I really did not understand you :P
