SmilingWolf Posted April 23, 2014 Hello everybody! Today I would like to present you all an unpackme protected with the latest version of SoftwarePassport/Armadillo. This one is one of the most complete Armadillo unpackmes ever made, implementing almost everything Arma puts in the hands of the user, ranging from the simple "Protect with password" to the nanomites, the code splices and everything in between. I have tried not to make it too easy for you all, just take a look at it. The final goal is to manually unpack it, study it and show you have been able to read the first file you see when opening the password protected archive attached to this post (Mistery.7z). Enjoy! Attachments: Unpackme.7z, Mistery.7z
SmilingWolf Posted April 24, 2014 (Author, edited) Before you spend time fixing the nanos: I can assure you you don't want to unpack it with the default certificate active. Edited April 24, 2014 by SmilingWolf
DimitarSerg Posted April 24, 2014 (edited) Here is one shot (not perfect though).
---------------------------
Arma Unpackme: Try1_nasty.exe - Application Error
---------------------------
software exception (0x80000003)
---------------------------
You did not fix nanomites.
I also unpacked it, fixed nanomites but have NOPs from this address (because I unpacked an unregistered target):
004011B8 > \90 NOP
The main problem for me is to replace Enhanced Fingerprint to register with key.
p.s. I used AKT for an inline HWID fix, replaced it, but
Edited April 24, 2014 by DimitarSerg
GIV Posted April 24, 2014 (edited)
Quoting DimitarSerg: The main problem for me is to replace Enhanced Fingerprint to register with key.
For that you must deal with the security.dll a little. Edited April 28, 2014 by GIV
Iona Posted April 24, 2014 I salute tee, temerary reverser! If you can see this then it means you have been able to successfully unpack my unpackme and understand all the details of the implementation of the protections (yep, that is, the use of the Environment Variables in the end). It's very simple. If you want to complicate it, don't let the HWID name key.
DimitarSerg Posted April 24, 2014 Full Unpacked: http://www.sendspace.com/file/lw9ril
GIV Posted April 24, 2014
Quoting DimitarSerg: Full Unpacked: http://www.sendspace.com/file/lw9ril
Evil cracker.... !!!!
SmilingWolf Posted April 24, 2014 (Author, edited)
Quoting Iona: I salute tee, temerary reverser! If you can see this then it means you have been able to successfully unpack my unpackme and understand all the details of the implementation of the protections (yep, that is, the use of the Environment Variables in the end). It's very simple. If you want to complicate it, don't let the HWID name key.
Good, although not being able to see the fully unpacked exe (you have followed the directions in the README) I can't know if you did this by hand or with Armag3ddon (or, perhaps, with a script you have written). Still, I'll trust you, so congratulations again. If I wanted to make the retrieval of a good Sym longer than the unpacking itself (3 days of bruteforce on my crappy P4, 30-45 mins on a HD7850) then yeah, I could have just not included a "valid" combination. But this was an exercise and a PoC, not something to just waste your CPU cycles against hoping a program could spit out a valid value.
Quoting: SmilingWolf, is your serial banned? LOL
Stolen keys are something you can encounter while unpacking a commercial target, so why not?
Quoting GIV: Evil cracker.... !!!!
Edited April 24, 2014 by SmilingWolf
GIV Posted April 24, 2014
Quoting SmilingWolf: 3 days of bruteforce on my crappy P4
We share the same feelings amigo. I have here the good old P4 too.
DimitarSerg Posted April 24, 2014 And now I finished (open the archive). Text from it:
........
Included in this package you will find:
-Test.ARM: the Arma project file which was used for this unpackme. Not really of use, just included in case you wanted to take a look;
........
Z3r0n3 Posted April 24, 2014
Quoting GIV: We share the same feelings amigo. I have here the good old P4 too.
The same old P4
SmilingWolf Posted April 24, 2014 (Author, edited)
Quoting DimitarSerg: And now I finished (open the archive). Text from it:
........
Included in this package you will find:
-Test.ARM: the Arma project file which was used for this unpackme. Not really of use, just included in case you wanted to take a look;
........
Comments/suggestions/whatever? What would you say about the unpackme? Edited April 24, 2014 by SmilingWolf
DimitarSerg Posted April 24, 2014 (edited)
Quoting SmilingWolf: Comments/suggestions/whatever? What would you say about the unpackme?
Good unpackme, but Armadillo is dead, and even if you hadn't given the valid keypair, I would get a valid sym with brute force in about 1 hour on my laptop. Edited April 24, 2014 by DimitarSerg
Iona Posted April 24, 2014
Quoting DimitarSerg: Good unpackme, but Armadillo is dead, and even if you hadn't given the valid keypair, I would get a valid sym with brute force in about 1 hour on my laptop.
Please find the SymKey or unpack Unpackme.7z
DimitarSerg Posted April 24, 2014 (edited) Iona, lvl 0? And why play dumb, we understood each other perfectly well about what this was about, and it was about a specific unpackme at lvl 10, for which there is software to brute-force the symmetric key; instead it came out as "I'm talking to you about turkeys, and you're telling me about wild chickens" (talking past each other). Why didn't you cover it with VMP? Edited April 24, 2014 by DimitarSerg
Iona Posted April 24, 2014 (edited)
Quoting DimitarSerg: Iona, lvl 0?
yes
Edited April 24, 2014 by Iona
EvOlUtIoN Posted April 27, 2014 To have the STOLENKEY fixed requires some keygenning skills I actually don't have. Knowing the decrypting key it is possible to find the sym key, which is a much easier target than bruteforcing the certificate. Maybe Mr. Exodia can solve this one easily.
Apuromafo Posted July 8, 2015 (edited) Tested. There is a password; it can be bypassed with Mr. Exodia's old password patch or using the script of the unpackme's author, but you must add armaccess.dll. Must unpack as always: bypass CopyMem-II, repair the IAT, repair the code splices, and afterwards repair the nanomites. If it is only unpacked you see this:
---------------------------
Arma Unpackme
---------------------------
If you unpack me write a tutorial!
---------------------------
Aceptar
---------------------------
If you push the button, some environment variable is called, and it crashes with nothing to do. Do it again, fix the HWID, set user and pass, the key is accepted, there is only 1 cert; now when you push it shows a second message, because a "DEFAULT" cert exists. Afterwards, with ALTUSERNAME and the wolf key, it says:
---------------------------
Work some more
---------------------------
Running with the default certificate
---------------------------
Aceptar
---------------------------
Can it be unpacked with Armag3ddon 2.x? And also with the author's script (but must add armaccess.dll). Fixed nanomites with Mr. Exodia's tool because the Nevada tool had some bugs. Fixed code splices with ArmInline tool and Mr. Exodia's tool; there was some code there that was bad, it is strange. The IAT can be fixed with ImportREC 1.7e / Armag3ddon (the IAT is solved) / Import Fixer 1.2 + Scylla // script. Unpacked in XP SP3, tested that it runs in Win 8.1 and XP SP3. I patched some jumps to force showing the 2nd dialog, and there is also another build where I copied the XOR-decoded data, so you can see the strings exposed here. The normal reference:
Address  Disassembly                               String
004011A6 push apuromafo_forum.408160               "Arma Unpackme"
004011AB push apuromafo_forum.408170               "DAFAQ?"
00401527 cmp dword ptr ds:[eax+400074],E           ".\r\r\n$"
0040195E push apuromafo_forum.4081B4               "FlsAlloc"
00401966 push apuromafo_forum.4081A8               "FlsGetValue"
00401973 push apuromafo_forum.40819C               "FlsSetValue"
00401980 push apuromafo_forum.408194               "FlsFree"
00401E8C movsx eax,byte ptr ds:[eax+4081B8]        "lloc"
00402B7C push apuromafo_forum.408234               "CorExitProcess"
00402F24 push apuromafo_forum.408BEC               L"<program name unknown>"
00402F65 push apuromafo_forum.408BE4               L"..."
00402F7A push apuromafo_forum.408BDC               L"\n\n"
00402FAB push apuromafo_forum.408B90               L"Microsoft Visual C++ Runtime Library"
00405CED push apuromafo_forum.4090FC               "MessageBoxW"
00405D06 push apuromafo_forum.4090EC               "GetActiveWindow"
00405D16 push apuromafo_forum.4090D8               "GetLastActivePopup"
00405D26 push apuromafo_forum.4090BC               "GetUserObjectInformationW"
00405D3F push apuromafo_forum.4090A4               "GetProcessWindowStation"
In the other one, without the XOR process and with the original decoded strings copied in:
Address  Disassembly                               String
004010B3 push apuromafo_forum_noxor.40B030         "Arma Unpackme"
004010C7 push apuromafo_forum_noxor.40B00C         "If you unpack me write a tutorial!"
004010F2 push apuromafo_forum_noxor.40B040         "ALTUSERNAME"
00401135 push apuromafo_forum_noxor.40B08C         "DEFAULT"
00401178 push apuromafo_forum_noxor.40B0BC         "Work some more"
0040118C push apuromafo_forum_noxor.40B094         "Running with the default certificate"
004011A6 push apuromafo_forum_noxor.408160         "Arma Unpackme"
004011AB push apuromafo_forum_noxor.408170         "DAFAQ?"
00401527 cmp dword ptr ds:[eax+400074],E           ".\r\r\n$"
0040195E push apuromafo_forum_noxor.4081B4         "FlsAlloc"
00401966 push apuromafo_forum_noxor.4081A8         "FlsGetValue"
00401973 push apuromafo_forum_noxor.40819C         "FlsSetValue"
00401980 push apuromafo_forum_noxor.408194         "FlsFree"
00401E8C movsx eax,byte ptr ds:[eax+4081B8]        "lloc"
00402B6D push apuromafo_forum_noxor.408244         L"mscoree.dll"
00402B7C push apuromafo_forum_noxor.408234         "CorExitProcess"
00402EE3 push apuromafo_forum_noxor.408C1C         L"Runtime Error!\n\nProgram: "
00402F65 push apuromafo_forum_noxor.408BE4         L"..."
00402F7A push apuromafo_forum_noxor.408BDC         L"\n\n"
00402FAB push apuromafo_forum_noxor.408B90         L"Microsoft Visual C++ Runtime Library"
00405CED push apuromafo_forum_noxor.4090FC         "MessageBoxW"
00405D06 push apuromafo_forum_noxor.4090EC         "GetActiveWindow"
00405D16 push apuromafo_forum_noxor.4090D8         "GetLastActivePopup"
00405D26 push apuromafo_forum_noxor.4090BC         "GetUserObjectInformationW"
00405D3F push apuromafo_forum_noxor.4090A4         "GetProcessWindowStation"
I attach my unpacked one as reference: apuromafo_FORUM_codenotoptimized.rar
Edited July 13, 2015 by Apuromafo