
ARTeam: ArmaGeddon v1.0 Conceptual overview tool for unpacking Armadillo by CondZero


Shub-nigurrath
February 18th, 2008, 11:35
Hi all,
new tutorial and a new tool: ArmaGeddon 1.0
Not everyone likes to give away the tool and a tutorial on how it works. Thanks CondZero!

[Tutorial]
ArmaGeddon V1.0 Conceptual Overview Tool For Unpacking Armadillo
available at http://tutorials.accessroot.com
which explains what goes on under the hood of the tool

[Tool]
Available here:
http://arteam.accessroot.com/releases.html

Supported Features
------------------
Standard Protection
Minimum Protection
Memory Patching
Debugblocker
CopyMemII
Import Elimination
Import Redirection (Emulation)
Strategic Code Splicing
Nanomites
..

BR,
Shub

JMI
February 18th, 2008, 12:01
Thanks Shub for the new tutorial. Maybe you could create a note and link to the new "tool" in the CRCETL for ArmaGeddon v1.0, before dELTA sneaks in there and does it for you.

Regards,

dELTA
February 18th, 2008, 12:12
Extremely nice work as usual, thanks for the work and the heads up!

CRCETL:
http://www.woodmann.com/collaborative/tools/ArmaGeddon

JMI
February 18th, 2008, 12:17
See!!! I told you he would sneak in and create it for you.

Regards,

Shub-nigurrath
February 18th, 2008, 12:20
argh, too late. ^_^
Anyway I'm a little lazy so I was waiting for him.. ;-)

Polaris
February 18th, 2008, 13:23
Shub-nigurrath, is there any chance that in the near future we will also see the ARTeam Import Reconstructor released? I am very curious to check it out. Anyway, good job with this release!

condzero
February 18th, 2008, 13:50
Polaris,

That is a good question. Currently it comes in 2 flavors:

1. ARImpRec.dll, which, if you do as I have done and use DLL2LIB to convert it to its equivalent ARImpRec.lib, allows you to embed it into your program
2. ARTeamImportReconstructor.exe standalone, works pretty much like ImpRec only better for shuffled imports.

I'm sure our Nacho_dj (author) would be receptive. These tools are very new and still going through some growing pains, but I'm extremely excited and impressed with them.

cheers!

JMI
February 18th, 2008, 14:28
Well, when it's ready to "go public" we would be pleased to have it listed on the CRCETL, and please remember that ANYONE can make additions to the collection when there are new "tools" available.

Regards,

Polaris
February 18th, 2008, 14:51
Condzero, thanks for the quick (and positive) answer!

Nacho_dj
February 18th, 2008, 15:42
As condzero said, the import tool was designed exclusively for the issue of a fast and easy recovery of a shuffled IAT. So, it is limited in functionality, but at least it saves you time when rebuilding from Armadillo.

I'll try to improve it a little before its release. Thanks for your interest.

Btw, condzero, Armageddon rockz!

Cheers

Nacho_dj

Admiral
February 18th, 2008, 16:44
Sweet. You actually reverse-engineered ArmInline to work out how to interface with my Nanolib.dll. You could have just asked, but I'm flattered nonetheless.

Excellent work though. It's so much more convenient to have this menial work done for you quickly and reliably than to manually pick Armadillo's shell off.

Admiral

name
February 19th, 2008, 01:55
When I'm trying to open this program it's not opening. What's the problem? Please, if you have any idea, tell me.

i got this error

http://xs224.xs.to/xs224/08082/bin824.jpg

Polaris
February 19th, 2008, 04:54
From the tutorial:

Quote:

If you experience any problems running the program, you may need to download and install Microsoft Visual C++ 2005 Redistributable Package (x86) available here:
http://www.microsoft.com/downloads/details.aspx?familyid=32bc1bee-a3f9-4c13-9c99-220b62a191ee&displaylang=en


Did you already try this?

name
February 19th, 2008, 10:14
OK, I installed it, but I get a problem when I click on the Load button and try to select a file for unpacking, like DilloDIE: it's not showing any file in the browser?

http://xs224.xs.to/xs224/08082/desk617.jpg

Nico
February 19th, 2008, 10:51
lol at the last post.. even "clic and enjoy" unpackers aren't enough for some people.. grin.

Well, as an ex-author of Armadillo, I just wanted to say this is a nice unpacker. I respect nice reverse engineering work.

Nice little packer you made too.

Polaris
February 19th, 2008, 10:52
You should check the caption... You're opening a nanomites file, not the file for unpacking.

Polaris
February 19th, 2008, 10:53
Quote:
[Originally Posted by Nico;72785]lol at the last post.. even "clic and enjoy" unpackers aren't enough for some people.. grin.


Hahhahahahahaha

name
February 19th, 2008, 10:59
Quote:
[Originally Posted by Polaris;72786]You should check the caption... You're opening a nanomites file, not the file for unpacking.


Can't get what you mean. Is it not an unpacker?

Nico
February 19th, 2008, 11:06
You don't fit the minimum requirement, "name."

- Brain Final Version (not a time limited one, with all features enabled)

dELTA
February 19th, 2008, 11:38
Hey "name"...


Get a clue.
Stop writing like a stupid kiddie.
Stop bloating our database with your uploaded screenshots.
Read the FAQ.
Get lost.

Your current posts will be kept purely for their entertainment value, but further pollution of this and other threads with brain dead crap like that will be deleted without warning.

For cryin' out loud...

SSlEvIN
February 19th, 2008, 13:47
name, you made my day, definitely !!! Right, now beam me up, Scotty !

JMI
February 19th, 2008, 14:15
Darn! The Prince is trying to steal my "Lame Poster" chastisement.

Regards,

GEEK
February 20th, 2008, 02:39
Quote:
[Originally Posted by Nico;72789]You don't fit the minimum requirement, "name."

- Brain Final Version (not a time limited one, with all features enabled)


nice sense of humour

name
February 20th, 2008, 07:32
OK, thanks brothers, I like your behaviour. One more time, thanks.

SunBeam
February 26th, 2008, 17:41
Long time, no post around here. This dude has PMed me at ap0x's board, RES boards, ARTeam and some other places asking me for the same freaking thing - to unpack a crappy sniffer that uses y0da's protector. Even if he followed a damn tutorial, he would be able to do it. Not to mention there is effin' OllyDbg + ODbgScript + a script made by fly for this protector. What else can you want more?!

Sorry for the off-topic, heh. Anyway, back on track, don't know if it's been stated: any soon-to-be support for DLLs? Not much protection involved, but it would make a nice addition (compared to, say, DilloDIE).

Shub-nigurrath
February 27th, 2008, 03:34
Hi mate,
Actually nacho and condzero solved some nasty bugs which prevented the program from correctly dumping & rebuilding some targets (details on our forum). The dll thing is the easiest part because several protections cannot be used.. it's somehow planned to add it sooner or later.

SunBeam
February 27th, 2008, 04:31
Thanks for the info, Shub. Will keep a lookout for updates. Read the newest ones on the ARTeam board.

condzero
February 27th, 2008, 11:01
We are currently testing v1.1 as you(we) speak. It will offer the following:

February 2008 - v1.1
+ added dll support (dll loader.exe)
+ added option "Use OpenMutext trick" to force a single process. Use only if normal "debug blocker" processing fails. This would occur when a parent process launches the child process, but doesn't debug the child process (i.e. use the WaitForDebugEvent API)
+ improve IAT elimination functionality
+ includes updated ARTeam Import Reconstructor

I think these changes will address many issues to date. Should be released fairly soon. stay tuned.

cheers! and thx for the comments...

Polaris
February 27th, 2008, 11:03
Lovely!

tofu-sensei
February 27th, 2008, 13:27
condzero, could you also change the way you name the dumped executables? Instead of appending an underscore to the name of the second file, you could append it to the first one.
Otherwise the unpacker will fail to fix any nanomites in targets that check their own filename (at least that's what I guess was happening).
That's the only problem I've come across so far.

condzero
February 27th, 2008, 14:09
Quote:
otherwise the unpacker will fail to fix any nanomites in targets that check their own filename (at least that's what i guess was happening).
that's the only problem i've come across so far.


This should not be the case. The sequence s/b: unpack to a saved dumped file >> ex: dumped.exe.

The Import Reconstructor will then save to>>dumped_exe similar to imprec.

For nanomites, the nanolib.dll will execute (via CreateProcess) the original target and scan for INT3 just as ArmInline tool does. When finished, you "Repair Dump" to a filename >>dumped_NanoFix.exe

I'm not sure what your problem is?

tofu-sensei
February 27th, 2008, 15:05
Ah, you're right. The target I tried seems to have some custom protection (which also checks the filename); for some reason it won't start when rebuilding nanomites (maybe because there are two instances of the program running?).
As a result I'm getting something like this:
Code:
------ Nanomites ------
Initialising...
6902 potential INT3 found.
Process terminated

condzero
February 27th, 2008, 17:17
@tofu-sensei: please pm me your target and I'll have a look at it.

cheers

condzero
February 28th, 2008, 10:06
@tofu-sensei: had a chance to look at your target. What led you to believe it had nanomites?

Seems like as good a time as any to state that, yes certain applications have a disdain for being renamed (i.e. dumped, then run new dumpname). So you are right about the filename.

If you get an error such as yours (error while loading because the app is checking itself and cannot be launched twice by the same process is my guess) with the nanomite analysis from the Armageddon tool, I would suggest that you keep the process open (don't terminate), then use ArmInline to locate and process the nanomites. This should solve your problem. Both tools are very compatible in this regard; the process should be fairly seamless, should it become necessary.

cheers

tofu-sensei
February 28th, 2008, 10:24
Quote:
[Originally Posted by condzero;73011]@tofu-sensei: had a chance to look at your target. What led you to believe it had nanomites?

the message "xxx potential INT3 found" - oh well, guess those were just padding bytes, then. sorry for wasting your time

Shub-nigurrath
February 29th, 2008, 12:12
Hi all,
condzero just released the new version of his armageddon. He added and fixed several things. One on top of all the dll support..

February 2008 - v1.1
+ added dll support (dll loader.exe)
+ added option "Use OpenMutext trick" to force a single process. Use only if normal "debug blocker" processing fails. This would occur when a parent process launches the child process, but doesn't debug the child process (i.e. use the WaitForDebugEvent API)
+ improve IAT elimination functionality
+ includes updated ARTeam Import Reconstructor

You should already know where to get it. BTW I have already updated CRCETL, before dELTA jumps in doing it ^_^

Have phun,
Shub

Hopcode
February 29th, 2008, 12:33
When do you guys release the import rebuilding dll? Imprec.dll just sucks, so it would be cool to have a new one to test.

name
March 1st, 2008, 08:19
Great thanks to AR, nice release. Now I understand; I unpacked a lot of files.

Now I know how to use this, lolz.

dELTA
March 2nd, 2008, 19:07
Thanks for updating the CRCETL entry Shub (and of course thanks ARteam for a great contribution).

Shub-nigurrath
March 5th, 2008, 09:00
Attention,
version 1.2 of the tool is out:

March 2008 - v1.2
+ improved PE section name resolution for internal use (thanks Ghandi)
+ improved ARTeam Import Reconstructor v1.1

again CRCETL is updated.

JMI
March 5th, 2008, 10:52
Shub:

I added the most recent "Last Updated" listing as March 5, 2008, from the February listing, just to be as accurate as possible.

Regards,

Shub-nigurrath
March 8th, 2008, 18:49
Ding Ding.. guess what? New version!! condzero is restless ..

March 2008 - v1.2g [gabor edition]
+ add warning message for OEP call return VA not from Armadillo VM
Note: Informational, not usually relevant for dll's or exe's with copymem2,
but may be useful for troubleshooting invalid OEP's resulting
from custom implementations and/or packing / compressing of a file
prior to being protected by Armadillo
+ fix problem with copymem2 search string error
+ fix problem with createdump on error

dedicated to gabor who pointed condzero to a series of problems he only reported.. ^_^

JMI
March 8th, 2008, 18:56
Thanks Shub and condzero for the update and updating the CRCETL entry.

Regards,

SunBeam
March 8th, 2008, 22:22
Just a quick report - doesn't work at all on BigFish Games' appz. They're Arma 4.66 and I get this:

http://i25.tinypic.com/2la34ah.png

Nacho_dj
March 9th, 2008, 03:38
Please, could you PM the target name, to me or any of the ARTeam members here?

As far as I know, it has been working for many BFG targets, so this could be an exceptional case...

Many thanks for your report

Nacho_dj

Admiral
March 9th, 2008, 10:22
Can I ask what method you're using to remove the IAT elimination? That error message suggests you're using something version-specific, but as far as I understand, it can be fixed deterministically in a general manner with a very high probability of success.

ArmInline's method was to create a list of addresses of every function in every loaded module, then scour the code segment for any DWORD PTR instructions, enumerating all the respective addresses and their referees. From here, it's a painstaking exercise in integer sorting and module cross-referencing to describe all imported modules, their functions and the locations that reference them (using the assumption that any literal pointer to a DLL function is an import). With this information it is straightforward to construct an entirely new import table, without worrying about any of Armadillo's version-specific implementation details. This may sound like overkill, but it makes the algorithm nearly foolproof and as far as I know it works flawlessly around the clock.
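The approach Admiral describes, as an added Python example that is not ArmInline's or ArmaGeddon's code: it scans a constructed 32-bit code segment for CALL/JMP DWORD PTR [slot] instructions, keeps only the slots that hold a known export address, groups them by module and repoints the references at a fresh contiguous IAT. The export addresses, slot region and code bytes are all constructed for the illustration.

```python
import struct
from collections import defaultdict

# Constructed export map (VA -> (module, function)); the addresses are made up.
# A real tool enumerates the export directory of every module in the process.
EXPORTS = {
    0x7C801D7B: ("kernel32.dll", "LoadLibraryA"),
    0x7C80AE40: ("kernel32.dll", "GetProcAddress"),
    0x77D507EA: ("user32.dll", "MessageBoxA"),
}
CODE_BASE = 0x00401000   # VA of the constructed code segment
VM_BASE = 0x00A80000     # VA of the constructed region holding the moved IAT slots

def slot_bytes(va):
    return struct.pack("<I", va)

# Constructed code: CALL/JMP DWORD PTR [slot] instructions with junk in between.
CODE = (
    b"\x55\x8b\xec"                             # push ebp; mov ebp,esp
    + b"\xff\x15" + slot_bytes(VM_BASE + 0x10)  # call dword ptr [slot0]
    + b"\x85\xc0"                               # test eax,eax
    + b"\xff\x15" + slot_bytes(VM_BASE + 0x24)  # call dword ptr [slot1]
    + b"\xff\x15" + slot_bytes(0x00403000)      # call through a non-import pointer
    + b"\xff\x25" + slot_bytes(VM_BASE + 0x10)  # jmp dword ptr [slot0]
    + b"\xc3"
)
# Constructed slot contents as they would be read from the live process.
SLOTS = {VM_BASE + 0x10: 0x7C801D7B, VM_BASE + 0x24: 0x77D507EA, 0x00403000: 0x00401234}

def scan_indirect_refs(code, base):
    """Yield (instr_va, slot_va) for every FF 15 / FF 25 [disp32] instruction."""
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] in (0x15, 0x25):
            yield base + i, struct.unpack_from("<I", code, i + 2)[0]
            i += 6
        else:
            i += 1

def rebuild_imports(code, base, slots, exports):
    """Group references whose slot holds a known export: dll -> {func: [VAs]}.
    References whose slot is not an export pointer are reported separately."""
    imports, unresolved = defaultdict(dict), []
    for instr_va, slot in scan_indirect_refs(code, base):
        hit = exports.get(slots.get(slot))
        if hit:
            imports[hit[0]].setdefault(hit[1], []).append(instr_va)
        else:
            unresolved.append((instr_va, slot))
    return dict(imports), unresolved

def relink_to_new_iat(code, base, slots, exports, new_iat_va):
    """Assign one fresh slot per imported function in a contiguous table at
    new_iat_va and repoint every CALL/JMP operand at it. (A real rebuilder also
    emits the import descriptors and a null terminator after each module.)"""
    imports, _ = rebuild_imports(code, base, slots, exports)
    patched, new_iat = bytearray(code), []
    for dll in sorted(imports):
        for func in sorted(imports[dll]):
            slot_va = new_iat_va + 4 * len(new_iat)
            new_iat.append((dll, func, slot_va))
            for instr_va in imports[dll][func]:
                struct.pack_into("<I", patched, instr_va - base + 2, slot_va)
    return bytes(patched), new_iat
```

The unresolved list is what a practitioner inspects by hand: a reference whose slot does not point into any module is either data or something the heuristic cannot classify.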

condzero
March 9th, 2008, 11:04
Quote:
Can I ask what method you're using to remove the IAT elimination


I am using a fairly simple and straightforward technique whereby I search for a given hex string within the function to set a pointer.

Code:


00552773 83BD CCD7FFFF 00 CMP DWORD PTR SS:[EBP-2834],0
0055277A 74 4D JE SHORT dumped.005527C9
0055277C 8B85 78D3FFFF MOV EAX,DWORD PTR SS:[EBP-2C88] <<
00552782 2B85 7CD8FFFF SUB EAX,DWORD PTR SS:[EBP-2784] <<
00552788 C1E8 02 SHR EAX,2 <<


The search string references the above code at address 0055277C. I then search backwards for the DWORD PTR SS:[EBP-2834] which actually contains the "suggested" new memory VM for IAT elimination. Using the referenced hex string at this address "CCD7FFFF", I can then find the first occurrence of this and set my SWBP. When we hit the BP, we interrogate the variable for a value > 0, if found, we can simply change it to point to an address of our choosing within the range of the module's code. Basically, by tweaking the search strings, we can effectively manage a wide range of Armadillo releases. Maybe not the most scientific or best way perhaps, but simple and fairly reliable to date.

BTW, the use of search strings (+ wildcards) was to anticipate future growth. By incorporating try / except type blocks of code, we can search multiple iterations if necessary, or so my thinking is / was.

cheers
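To make the search concrete, here is an added Python example (not condzero's code) that implements the wildcard signature scan and the backward search described above over a constructed byte buffer laid out so that the listing's addresses come out the same. The buffer, its base address and the rule that the breakpoint site is a one-byte opcode followed by a [EBP+disp32] ModRM are all assumptions for the illustration.

```python
BASE = 0x00552700   # VA of the constructed function, chosen to match the listing above

# Constructed function body: the variable at [EBP-2834] is written once near the
# top, then much later tested by the CMP / JE / MOV / SUB / SHR sequence shown
# in the post. The 0x90 filler only pads the offsets.
CODE = (
    b"\x55\x8b\xec"                     # push ebp; mov ebp,esp
    + b"\x81\xec\x90\x2c\x00\x00"       # sub esp,2C90
    + b"\x33\xc0"                       # xor eax,eax
    + b"\x89\x85\xcc\xd7\xff\xff"       # mov [ebp-2834],eax   (first use of the variable)
    + b"\x90" * 0x62
    + b"\x83\xbd\xcc\xd7\xff\xff\x00"   # 00552773 cmp dword ptr [ebp-2834],0
    + b"\x74\x4d"                       # 0055277A je short
    + b"\x8b\x85\x78\xd3\xff\xff"       # 0055277C mov eax,[ebp-2C88]
    + b"\x2b\x85\x7c\xd8\xff\xff"       # 00552782 sub eax,[ebp-2784]
    + b"\xc1\xe8\x02"                   # 00552788 shr eax,2
    + b"\xc3"
)

def compile_sig(sig):
    """'8B 85 ?? ?? 2B' -> [0x8B, 0x85, None, None, 0x2B]; '??' is a wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]

def find_sig(buf, sig, start=0, end=None, backwards=False):
    """Offset of the first match of sig in buf[start:end], scanning forwards
    or (backwards=True) from end towards start. None when absent."""
    pat = compile_sig(sig)
    end = len(buf) if end is None else end
    span = range(end - len(pat), start - 1, -1) if backwards else range(start, end - len(pat) + 1)
    for i in span:
        if all(p is None or buf[i + k] == p for k, p in enumerate(pat)):
            return i
    return None

def locate_iat_elim_breakpoint(code, base):
    """Reproduce the three-step search: anchor on the MOV/SUB/SHR sequence,
    walk back to the CMP to learn the variable's EBP displacement, then find
    the first instruction that touches that displacement (breakpoint site)."""
    anchor = find_sig(code, "8B 85 ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? C1 E8 02")
    if anchor is None:
        raise LookupError("anchor sequence not found; signature needs adjusting")
    cmp_off = find_sig(code, "83 BD ?? ?? ?? ?? 00", end=anchor, backwards=True)
    if cmp_off is None:
        raise LookupError("CMP [EBP+disp32],0 not found before the anchor")
    disp = code[cmp_off + 2:cmp_off + 6]          # e.g. CC D7 FF FF
    first = code.find(disp)                        # first use of the variable
    # Assumption: a one-byte opcode followed by ModRM with mod=10, rm=101
    # ([EBP+disp32]), so the instruction starts two bytes before the displacement.
    if first < 2 or (code[first - 1] & 0xC7) != 0x85:
        raise LookupError("first use is not a simple [EBP+disp32] instruction")
    return {"anchor": base + anchor, "cmp": base + cmp_off,
            "disp": disp.hex().upper(), "bp": base + first - 2}
```

The LookupError paths are the "try / except" growth the post mentions: when a new build shifts the code, the caller can retry with the next signature variant rather than reporting a wrong address.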

Shub-nigurrath
May 19th, 2008, 04:29
ArmaGeddon 1.3 is out, this is a major release

from the internal readme:

Quote:

May 2008 - v1.3
+ resolve relocations for dll files (Nacho_dj)
+ added new option to minimize the size of a dumped file (Nacho_dj)
Particularly useful for Shockwave Flash + applications that make use of an overlay. Of course this will also rebuild a normal target's PE structure.
+ improved import rebuilder v1.1.2 (Nacho_dj)
+ added new option to "Resolve" nanomite INT3 instructions with their original
jmp instructions and patch directly to the dumped target. Requires use of the nanomite "Analyze" + "Log" options. Note: you can also elect to resolve nanomites directly to a target process's memory if you elect to detach!!
+ integrated Admiral's Strategic Code Splicing removal engine into the tool.
This is now the (default) behaviour and can be overridden with new option to
redirect CS (code splices) instead
+ new option to dump / decrypt / decompress the .pdata section to a binary file
+ new option to detach from a process (choose: DebugBlocker or CopyMemII)
+ resolve problem for ArmAccess dll function:Installkey missing error msg
+ add support for UPX compressed single process targets
+ new option to change your Standard / Enhanced Hardware Fingerprint ID
+ resolve some minor bugs


BR,
Shubby

dELTA
May 19th, 2008, 12:44
Shubby...

Anyway, thanks as usual for the heads-up and the CRCETL update (and to CondZero of course, for keeping this great tool updated).

naides
May 19th, 2008, 19:09
I have found something curious regarding Armageddon.

I had some little sudoku game that was packed with Arma 5.2. ArmaGeddon unpacked it seamlessly and it worked fine. However, a couple of weeks back, I think since I installed Windows XP SP3, the unpacked application refused to run, and Armageddon does not unpack it correctly anymore. It seems to "escape" the tool and run instead of stopping at the entry point. . .
I confess I have not really looked into it carefully, but other people that have installed SP3 may want to check if this is a widespread issue with ArmaGeddon.

Shub-nigurrath
May 20th, 2008, 07:58
I have SP3 and it works flawlessly on other targets, either dll or exe, but not Arma 5.2.

condzero
May 20th, 2008, 13:23
I would be most interested in any findings on this as well as any potential problems with Arma 5.2.

I have winxp sp2 installed on my machine and this is the environment that it was created in.

cheers

dELTA
May 20th, 2008, 15:15
I'm sure that naides can send you his exact target condzero. It would be very nice to see if SP3 breaks something debugging/reversing related...

Naides?

JMI
May 20th, 2008, 23:09
I am shocked, shocked I tell you, to even contemplate that a Microsoft update might break some reversing tools. I believe this latest one was, at least in part, attempting to make the system more "secure" and might be expected to have some effects on previous methods of doing some things.

Regards,

Shub-nigurrath
May 22nd, 2008, 02:54
Hi all,
two hotfixes in two days. rce lib updated of course ;-)

May 2008 - v1.3.2
+ hotfix to resolve nanomites
+ relocate base address of Nanolib.dll
===========================================
May 2008 - v1.3.1
+ hotfix to resolve CreateProcess API problem
in Nanolib.dll for target work directory

Still not addressing the SP3 issue.

dELTA
May 22nd, 2008, 03:13

JMI
May 22nd, 2008, 04:09
Thanks for the quick updates Shub. Let us know if the issue with SP3 solved.

Regards,

naides
May 22nd, 2008, 04:54
Just to let anyone know. I have been PMing with condzero regarding SP3. He provided me with an (I think) manually unpacked version of the app in question, which suddenly required ArmAccess.dll to run (????). I know for a fact that the packed version does not need this dll (I found out that the .dll file is created on the fly by the unpacking code, but it seems it is not happening or not staying in SP3), nor do the packed or unpacked versions on SP2 ask for ArmAccess.dll.

Any comments??

condzero
May 22nd, 2008, 07:39
Not having unpacked this app before, I can't offer too much. It is not uncommon for progs to ask for ArmAccess.dll after unpacking due to the non-existence of the virtual ArmAccess.dll, and also for external environment variables (i.e. ALTUSERNAME) for progs that use them.

As soon as I get SP3 up and running, I will revisit this app for the problem you stated.

I unpacked using the automated Armageddon tool. I did need to resolve nanomites a few times (which you can do by the "Log" option) because they were cute in embedding the damn things in most of the main functions off the menu. This way we can avoid the use of VEH for those that don't like this.

cheers

bubaka
May 23rd, 2008, 21:42
<target name removed> - armadillo 4.66 (according to Arma intruder). Armaggedon does NOTHING.

dELTA
May 24th, 2008, 04:22
Send any target names by PM to condzero, they are not allowed in the public forums.

JMI
May 24th, 2008, 11:56
Which ANYONE who has actually READ THE FAQ should already know!

Regards,

Shub-nigurrath
June 1st, 2008, 05:08
an update has been released by condzero

Quote:

June 2008 - v1.3.3
+ hotfix to resolve strategic code splicing issue for last inactive MOV EDI,EDI instructions and issue a warning message

JMI
June 1st, 2008, 09:40
Thanks Shub. I removed the double post which was apparently made by an extra click of the mouse.

Regards,

name
June 5th, 2008, 20:06
The download link is not available. When are you going to put up a download link for Armageddon?

Nacho_dj
June 6th, 2008, 01:37
Try this link, then search the tool in the index:
http://arteam.accessroot.com/releases.html

name
June 6th, 2008, 19:38
Link not working

Fatal error: Call to a member function on a non-object in /home/access/public_html/forums/sources/classes/class_display.php on line 90

JMI
June 6th, 2008, 22:16
The problem appears to be at your end. The link works perfectly from the U.S. Did you copy and paste into your browser??

Regards,

name
June 7th, 2008, 07:42
Yes, I did the same thing, copied the link to the browser, but same problem. And this link is working, but the download link is not available?

http://www.woodmann.com/collaborative/tools/ArmaGeddon

Would you like to upload it somewhere else?

www.2shared.com
www.rapidshare.com
www.megashare.com

dELTA
June 7th, 2008, 08:23
Does the following direct download link work?

http://arteam.accessroot.com/releases.html?fid=35

JMI
June 7th, 2008, 09:25
The "problem" still appears to be on your end. The links both get me to the AR Team Tools page and the download link for ArmaGeddon 1.3.3 works just fine from here. Have you tried a different browser??

Regards,

name
June 7th, 2008, 11:18
Done, thanks.