Tuts 4 You

[UnPackMe] Armadillo 9.64 32-bit



SmilingWolf

Hello everybody!

 

Today I would like to present you all an unpackme protected with the latest version of SoftwarePassport/Armadillo.

 

This one is one of the most complete Armadillo unpackmes ever made, implementing almost everything Arma puts in the hands of the user, ranging from the simple "Protect with password" to the nanomites, the code splices and everything in between.

 

I have tried not to make it too easy for you all, just take a look at it :)

The final goal is to manually unpack it, study it and show you have been able to read the first file you see when opening the password protected archive attached to this post (Mistery.7z).

 

Enjoy! :)

Unpackme.7z

Mistery.7z

  • Like 1
SmilingWolf

Before you spend time fixing the nanos: I can assure you you don't want to unpack it with the default certificate active :P


Edited by SmilingWolf
DimitarSerg
 
 

 

Here is one shot (not perfect though).


---------------------------
Arma Unpackme: Try1_nasty.exe - Ошибка приложения
---------------------------
software exception (0x80000003)
---------------------------

You did not fix nanomites.

I also unpacked it, fixed nanomites, but have NOPs from this address (because I unpacked an unregistered target):

004011B8 > \90 NOP

The main problem for me is to replace Enhanced Fingerprint to register with key.

 

p.s. I used AKT for inline fix HWID, replaced it, but 2014_04_24_111639.png

 
Edited by DimitarSerg
  • Like 1

The main problem for me is to replace Enhanced Fingerprint to register with key.

 

For that you must deal with the security.dll a little.


Edited by GIV
  • Like 1

I salute tee, temerary reverser! If you can see this then it means you have been able to successfully unpack my unpackme and understand all the details of the implementation of the protections (yep, that is, the use of the Environment Variables in the end).

It's very simple.

If you want to complicate it, don't let the HWID name the key.

SmilingWolf

I salute tee, temerary reverser! If you can see this then it means you have been able to successfully unpack my unpackme

and understand all the details of the implementation of the protections (yep, that is, the use of the Environment

Variables in the end).

it's very simple.

If you want to complicate not let the HWID name key.

Good, although not being able to see the fully unpacked exe (you have followed the directions in the README :)) I can't know if you did this by hand or with Armag3ddon (or, perhaps, with a script you have written :ninja:). Still, I'll trust you, so congratulations again :)

 

If I wanted to make the retrieval of a good Sym longer than the unpacking itself (3 days of bruteforce on my crappy P4, 30-45 mins on a HD7850) then yeah, I could have just not included a "valid" combination. But this was an exercise and a PoC, not something to just waste your CPU cycles against hoping a program could spit out a valid value.

 

 

SmilingWolf

Is your serial banned? LOL

Stolen keys are something you can encounter while unpacking a commercial target, so why not? :)

 

 

Evil cracker....

!!!!

:osama:

:P

Edited by SmilingWolf
DimitarSerg

And now I finished (open the archive):

Text from it:

........

Included in this package you will find:

-Test.ARM: the Arma project file which was used for this unpackme. Not really of use, just included in case you wanted to take a look;

........

  • Like 3
SmilingWolf

And now I finished (open the archive): Text from it: ........ Included in this package you will find: -Test.ARM: the Arma project file which was used for this unpackme. Not really of use, just included in case you wanted to take a look; ........

 

Comments/suggestions/whatever? What would you say about the unpackme? :)

Edited by SmilingWolf
DimitarSerg

Comments/suggestions/whatever? What would you say about the unpackme? :)

Good unpackme, but Armadillo is dead :)

And even if you didn't give the valid keypair, I would get a valid sym with brute force in about 1 hour on my laptop.

Edited by DimitarSerg
DimitarSerg

Iona, lvl 0 ?

And why play dumb? We understood each other perfectly well about what was being discussed, and it was about a specific unpackme at lvl 10, for which there is software to brute-force the symmetric key; instead it turned out like "I'm talking to you about turkeys, and you're telling me about wild hens". Why didn't you cover it with VMP? :)

Edited by DimitarSerg
  • Like 1

To have the STOLENKEY fixed requires some keygenning skills I actually don't have. Knowing the decryption key it is possible to find the sym key, which is a much easier target than brute-forcing the certificate. Maybe Mr. Exodia can solve this one easily. :)



Tester: a password exists; it can be bypassed with Mr. Exodia's old password patch or using the script of the author of the unpackme, but you must add armaccess.dll.

Must unpack as always: bypass CopyMem2, repair the IAT, repair the code splices, and afterwards repair the nanomites.
If it is only unpacked you see this:

 

---------------------------
Arma Unpackme
---------------------------
If you unpack me write a tutorial!
---------------------------
Aceptar
---------------------------

If you push the button some environment variable is called, and it crashes with nothing to do. Do it again, fix the HWID, set user and pass; the key is accepted, there is only 1 cert. Now when you push it shows a second message, because a "DEFAULT" cert exists.

Afterwards, with ALTUSERNAME set and Wolf's key, it says:

---------------------------
Work some more
---------------------------
Running with the default certificate
---------------------------
Aceptar
---------------------------
 

Can it be unpacked with Armag3ddon 2.x?
And also with the script of its author (but must add armaccess.dll).
Fixed nanomites with Mr. Exodia's tool because the Nevada tool had some bugs.

Fixed code splices with ArmInline tool and Mr. Exodia's tool; there was some code there that was bad, it is strange.
The IAT can be fixed with ImportREC 1.7e / Armag3ddon (the IAT is solved) / Import Fixer 1.2 + Scylla // script.
Unpacked in XP SP3, tested: it runs in Win 8.1 and XP SP3. I patched some jumps to force seeing the 2nd dialog, and there is also another one where the XOR-unpacked strings were copied, so you can see the strings exposed here:

The normal reference:
 

 

Address   Disassembly                                                       String

004011A6  push apuromafo_forum.408160                                       "Arma Unpackme"
004011AB  push apuromafo_forum.408170                                       "DAFAQ?"
00401527  cmp dword ptr ds:[eax+400074],E                                   ".\r\r\n$"
0040195E  push apuromafo_forum.4081B4                                       "FlsAlloc"
00401966  push apuromafo_forum.4081A8                                       "FlsGetValue"
00401973  push apuromafo_forum.40819C                                       "FlsSetValue"
00401980  push apuromafo_forum.408194                                       "FlsFree"
00401E8C  movsx eax,byte ptr ds:[eax+4081B8]                                "lloc"
00402B7C  push apuromafo_forum.408234                                       "CorExitProcess"
00402F24  push apuromafo_forum.408BEC                                       L"<program name unknown>"
00402F65  push apuromafo_forum.408BE4                                       L"..."
00402F7A  push apuromafo_forum.408BDC                                       L"\n\n"
00402FAB  push apuromafo_forum.408B90                                       L"Microsoft Visual C++ Runtime Library"
00405CED  push apuromafo_forum.4090FC                                       "MessageBoxW"
00405D06  push apuromafo_forum.4090EC                                       "GetActiveWindow"
00405D16  push apuromafo_forum.4090D8                                       "GetLastActivePopup"
00405D26  push apuromafo_forum.4090BC                                       "GetUserObjectInformationW"
00405D3F  push apuromafo_forum.4090A4                                       "GetProcessWindowStation"
 


In the other one, without the XOR process, with the original decoded strings copied:

 

Address   Disassembly                                                       String

004010B3  push apuromafo_forum_noxor.40B030                                 "Arma Unpackme"
004010C7  push apuromafo_forum_noxor.40B00C                                 "If you unpack me write a tutorial!"
004010F2  push apuromafo_forum_noxor.40B040                                 "ALTUSERNAME"
00401135  push apuromafo_forum_noxor.40B08C                                 "DEFAULT"
00401178  push apuromafo_forum_noxor.40B0BC                                 "Work some more"
0040118C  push apuromafo_forum_noxor.40B094                                 "Running with the default certificate"
004011A6  push apuromafo_forum_noxor.408160                                 "Arma Unpackme"
004011AB  push apuromafo_forum_noxor.408170                                 "DAFAQ?"
00401527  cmp dword ptr ds:[eax+400074],E                                   ".\r\r\n$"
0040195E  push apuromafo_forum_noxor.4081B4                                 "FlsAlloc"
00401966  push apuromafo_forum_noxor.4081A8                                 "FlsGetValue"
00401973  push apuromafo_forum_noxor.40819C                                 "FlsSetValue"
00401980  push apuromafo_forum_noxor.408194                                 "FlsFree"
00401E8C  movsx eax,byte ptr ds:[eax+4081B8]                                "lloc"
00402B6D  push apuromafo_forum_noxor.408244                                 L"mscoree.dll"
00402B7C  push apuromafo_forum_noxor.408234                                 "CorExitProcess"
00402EE3  push apuromafo_forum_noxor.408C1C                                 L"Runtime Error!\n\nProgram: "
00402F65  push apuromafo_forum_noxor.408BE4                                 L"..."
00402F7A  push apuromafo_forum_noxor.408BDC                                 L"\n\n"
00402FAB  push apuromafo_forum_noxor.408B90                                 L"Microsoft Visual C++ Runtime Library"
00405CED  push apuromafo_forum_noxor.4090FC                                 "MessageBoxW"
00405D06  push apuromafo_forum_noxor.4090EC                                 "GetActiveWindow"
00405D16  push apuromafo_forum_noxor.4090D8                                 "GetLastActivePopup"
00405D26  push apuromafo_forum_noxor.4090BC                                 "GetUserObjectInformationW"
00405D3F  push apuromafo_forum_noxor.4090A4                                 "GetProcessWindowStation"
 

I attach my unpacked one as reference: apuromafo_FORUM_codenotoptimized.rar

Edited by Apuromafo
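An added example (not code from the thread or from any of its posters) that parses the two debugger string-reference listings posted above and reports which literals only become visible once the XOR layer is removed; the excerpts embedded are constructed from those listings, and the row layout is assumed to be address, disassembly and quoted string separated by runs of spaces. For a defender the same diff shows exactly what a static string scan of the still-protected binary misses.

```python
import ast
import re
from typing import NamedTuple

# One "string references" row: address, disassembly, then a quoted literal
# (optionally L"..." for UTF-16). Columns are assumed to be separated by 2+ spaces.
ROW = re.compile(r'^([0-9A-Fa-f]{8})\s+(.+?)\s{2,}(L?"(?:[^"\\]|\\.)*")\s*$')

class StringRef(NamedTuple):
    address: int
    disasm: str
    text: str
    wide: bool  # True for L"..." (wide) literals

def parse_listing(listing: str) -> list[StringRef]:
    """Parse debugger rows; header, blank and non-matching lines are skipped."""
    refs = []
    for line in listing.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        addr, disasm, lit = m.groups()
        wide = lit.startswith("L")
        # The literal uses C-style escapes (\r, \n, \"), which ast.literal_eval decodes safely.
        text = ast.literal_eval(lit[1:] if wide else lit)
        refs.append(StringRef(int(addr, 16), disasm, text, wide))
    return refs

def hidden_strings(encoded_listing: str, decoded_listing: str) -> list[str]:
    """Literals present only in the decoded build: what a static string scan of the
    still-encoded binary would miss."""
    visible = {r.text for r in parse_listing(encoded_listing)}
    return sorted({r.text for r in parse_listing(decoded_listing)} - visible)

# Constructed excerpts of the two listings posted above (XOR-encoded vs decoded build).
ENCODED = r"""
Address   Disassembly                            String
004011A6  push apuromafo_forum.408160            "Arma Unpackme"
004011AB  push apuromafo_forum.408170            "DAFAQ?"
00401527  cmp dword ptr ds:[eax+400074],E        ".\r\r\n$"
00402FAB  push apuromafo_forum.408B90            L"Microsoft Visual C++ Runtime Library"
"""
DECODED = r"""
004010B3  push apuromafo_forum_noxor.40B030      "Arma Unpackme"
004010C7  push apuromafo_forum_noxor.40B00C      "If you unpack me write a tutorial!"
004010F2  push apuromafo_forum_noxor.40B040      "ALTUSERNAME"
00401135  push apuromafo_forum_noxor.40B08C      "DEFAULT"
00401178  push apuromafo_forum_noxor.40B0BC      "Work some more"
0040118C  push apuromafo_forum_noxor.40B094      "Running with the default certificate"
004011AB  push apuromafo_forum_noxor.408170      "DAFAQ?"
"""

if __name__ == "__main__":
    for s in hidden_strings(ENCODED, DECODED):
        print(repr(s))
```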