View Full Version : Armadillo 2.5


crUsAdEr
April 23rd, 2002, 19:18
Hi folks,

I attempted to write an unpacker for Armadillo 2.5x.. needless to say this is my first attempt at an unpacker (lame way) but I wanted some practice...

Yeah, however this little project is nowhere near done and I don't have the time at the moment...

Well... I can't get the IAT rebuilding to work properly (or even to work at all)... the dumper should work on win2k.. don't know about any other OS... So here I attach my Armadillo 2.5x dumper (with asm source code); it can dump the un-encrypted text section, which hopefully helps you overcome the 16kb encryption tactic used by Silicon Realms; it removes the four sections added by Armadillo and adjusts the OEP to the right one.... I have tested it with a few programs but I don't have access to many programs protected by the new Armadillo so it might not work...

You have to rebuild the IAT with Revirgin or Imprec...

Yeah, and PLEASE comment on any errors I made as I am new to asm... curse if you want to if it crashes your computer, I am sorry but I know my code isn't good yet... I will be happy to answer any questions about the little prog....

cheers
Binh

crUsAdEr
April 23rd, 2002, 19:22
Damn.. I can't post an attachment?

foxthree
April 23rd, 2002, 19:30
Hey Binh:

Where is the code? Just do a new post and attach it. I think it should work, provided it is not like an 80 MB exe.

Great work, friend. Keep it up

Signed,
-- FoxThree

crUsAdEr
April 23rd, 2002, 20:16
Hmm.. testing....

me8
April 23rd, 2002, 23:12
you know lenin :-)

^DAEMON^
April 24th, 2002, 10:29
hi binh,

I am working on an unpacker too ))

but I don't dump... I fully decrypt it...
the unpacker is finished about 60%

^DAEMON^

crUsAdEr
April 24th, 2002, 10:39
Yo Daemon,

Thanx for your tE-Unlock source code, it helped me quite a bit! I was thinking of decrypting as well... the algo can be more or less ripped from Armadillo itself as there is no poly layer... but I wanted to learn a bit about the loader and process patching.. and I realise that I don't know how to decrypt the IAT yet... that is why I dump, and hence I can rebuild it...

Are you working on Armadillo or something else?
Binh

^DAEMON^
April 24th, 2002, 10:49
yeah I am working on Armadillo (currently v2.51)
... the encryption is DAMN mad

the current beta has around 3400 lines of code...
but maybe i'll never release the unpacker to the public...
dunno yet

anyway good luck

^DAEMON^

crUsAdEr
April 24th, 2002, 11:08
LOL, Daemon, if you remove your anti-debugging and anti-tracing code maybe the code won't be 3000 lines :>>..

hee, lucky I did not attempt to decrypt :>... probably way over my head...

You don't need good luck cos you are good enough I guess, so all the best for your unpacker :> (don't release the program, only your source code :>>>

cheers,
binh

VtE
April 28th, 2002, 07:34
Thanks a lot for your unpacker Armadillo 2.5x.

Unfortunately, I haven't had any success unpacking my software. I tested unpacking Notepad that I protected with Armadillo 2.51, but the unpacker keeps running for a while, and slows down my computer.

I have tested under Win98 and WinXP without success. Do you have any idea?

Thanks again for your GREAT job.

crUsAdEr
April 29th, 2002, 11:09
Hi vte,

I just checked with Win98; somehow CreateProcess doesn't seem to work right there... not sure if I have the time to fix it..

I fixed the other bug so it should work on XP now...

Anyway, here is how you should manually unpack Armadillo 2.5x:

To find the OEP, bpx on SetProcessWorkingSetSize; when Armadillo breaks in SICE, press F12 once then trace with F10 about 1 page down..
you will see this:
mov ecx, [eax+1C] ; get from "data1" section
xor ecx, [eax+18] ; calculate OEP

xor ecx, [eax+8]
add edi, ecx ; edi contains image base
call edi ; here you will find OEP

Don't step into the call; at call edi do a bpx WriteProcessMemory, wait for SICE to break and press F12 twice, you should be at the main decrypting call... there you have a few options to force Armadillo to decrypt the whole code section... the routine looks like this:
push 0 ; 0 for decrypt, 1 for encrypt I think
mov ecx, [ebp+8]
push ecx ; ecx points to section to be decrypted
call Decrypt

Hope this helps.. if I ever fix the Win98 bug I will upload the dumper again

Regards
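
A small PE32 header walker, added here as an illustration and not Binh's dumper or any code from this thread, showing the two header edits the dumper in the first post performs on a dump (set AddressOfEntryPoint to the recovered OEP, drop the trailing protector sections and shrink SizeOfImage to match) plus the three-XOR OEP arithmetic from the trace above. The sample image is headers only and entirely constructed: the section names prot0..prot3, the OEP 0x1234 and the XOR constants are placeholders, since the thread does not name Armadillo's real sections or values. The check that the new entry point lands inside a kept section is the one a reviewer of such a dump would want before handing it to Revirgin or Imprec.

```python
import struct

# Offsets inside a PE32 optional header (PE/COFF specification).
OPT_ADDRESS_OF_ENTRY_POINT = 16
OPT_IMAGE_BASE = 28
OPT_SECTION_ALIGNMENT = 32
OPT_SIZE_OF_IMAGE = 56
SECTION_HEADER_SIZE = 40


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def build_sample_pe(sections, entry_rva, image_base=0x400000, section_alignment=0x1000):
    """Construct a headers-only PE32 image (constructed sample, not a real binary).
    `sections` is a list of (name, virtual_address, virtual_size)."""
    opt = bytearray(224)                                   # standard PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic: PE32
    struct.pack_into("<I", opt, OPT_ADDRESS_OF_ENTRY_POINT, entry_rva)
    struct.pack_into("<I", opt, OPT_IMAGE_BASE, image_base)
    struct.pack_into("<I", opt, OPT_SECTION_ALIGNMENT, section_alignment)
    struct.pack_into("<I", opt, 36, 0x200)                 # FileAlignment
    _, last_va, last_vsize = sections[-1]
    struct.pack_into("<I", opt, OPT_SIZE_OF_IMAGE, align_up(last_va + last_vsize, section_alignment))
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
    sec_table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, vsize, 0, 0, 0, 0, 0, 0x60000020)
        for name, va, vsize in sections)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))            # e_lfanew: NT headers follow the DOS header
    return bytes(dos) + b"PE\0\0" + file_header + bytes(opt) + sec_table


def _nt_offsets(data):
    """Return (file_header, optional_header, section_table) offsets, validating MZ/PE magic."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    file_header = e_lfanew + 4
    opt_header = file_header + 20
    size_of_opt = struct.unpack_from("<H", data, file_header + 16)[0]
    return file_header, opt_header, opt_header + size_of_opt


def parse_sections(data):
    file_header, _, sec_table = _nt_offsets(data)
    count = struct.unpack_from("<H", data, file_header + 2)[0]
    out = []
    for i in range(count):
        name, vsize, va = struct.unpack_from("<8sII", data, sec_table + i * SECTION_HEADER_SIZE)
        out.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize})
    return out


def entry_point(data):
    _, opt_header, _ = _nt_offsets(data)
    return struct.unpack_from("<I", data, opt_header + OPT_ADDRESS_OF_ENTRY_POINT)[0]


def size_of_image(data):
    _, opt_header, _ = _nt_offsets(data)
    return struct.unpack_from("<I", data, opt_header + OPT_SIZE_OF_IMAGE)[0]


def section_for_rva(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s["name"]
    return None


def oep_rva_from_trace(dword_1c, dword_18, dword_8):
    # Mirrors the trace: ecx = [eax+1C] ^ [eax+18] ^ [eax+8]; edi = image base; call edi+ecx.
    return dword_1c ^ dword_18 ^ dword_8


def fix_dump(data, oep_rva, keep_sections):
    """Copy of `data` with AddressOfEntryPoint = oep_rva, only the first `keep_sections`
    headers retained (the rest zeroed) and SizeOfImage shrunk to the last kept section.
    Refuses an OEP that is not inside a kept section."""
    all_sections = parse_sections(data)
    kept = all_sections[:keep_sections]
    if not kept or section_for_rva(kept, oep_rva) is None:
        raise ValueError(f"OEP 0x{oep_rva:X} is not inside a kept section")
    out = bytearray(data)
    file_header, opt_header, sec_table = _nt_offsets(out)
    struct.pack_into("<I", out, opt_header + OPT_ADDRESS_OF_ENTRY_POINT, oep_rva)
    struct.pack_into("<H", out, file_header + 2, len(kept))
    start = sec_table + len(kept) * SECTION_HEADER_SIZE
    end = sec_table + len(all_sections) * SECTION_HEADER_SIZE
    out[start:end] = bytes(end - start)                    # no stale headers left for a loader to read
    alignment = struct.unpack_from("<I", out, opt_header + OPT_SECTION_ALIGNMENT)[0]
    last = kept[-1]
    struct.pack_into("<I", out, opt_header + OPT_SIZE_OF_IMAGE, align_up(last["va"] + last["vsize"], alignment))
    return bytes(out)


# Constructed sample: three original sections followed by four placeholder protector sections.
SAMPLE_SECTIONS = [(".text", 0x1000, 0x5000), (".data", 0x6000, 0x1000), (".rsrc", 0x7000, 0x1000),
                   ("prot0", 0x8000, 0x1000), ("prot1", 0x9000, 0x1000),
                   ("prot2", 0xA000, 0x1000), ("prot3", 0xB000, 0x1000)]
SAMPLE = build_sample_pe(SAMPLE_SECTIONS, entry_rva=0xB100)


def demo():
    oep = oep_rva_from_trace(0x1234 ^ 0xDEADBEEF ^ 0xCAFEF00D, 0xDEADBEEF, 0xCAFEF00D)  # constructed -> 0x1234
    fixed = fix_dump(SAMPLE, oep, keep_sections=3)
    return {"entry_before": section_for_rva(parse_sections(SAMPLE), entry_point(SAMPLE)),
            "entry_after": section_for_rva(parse_sections(fixed), entry_point(fixed)),
            "sections": [s["name"] for s in parse_sections(fixed)],
            "size_of_image": size_of_image(fixed)}


if __name__ == "__main__":
    print(demo())
```

The sample carries no section bytes, so a real dump tool would additionally copy each kept section's memory into the file and set PointerToRawData/SizeOfRawData; the header edits above are the part that decides whether the loader (and an IAT rebuilder) will even accept the result.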

VtE
April 29th, 2002, 22:38
Thanks a lot for your GREAT information.
Will do some testing now, and will post my results back.

CarlF
July 12th, 2002, 13:49
Quote:
I fixed the other bug so it should work on XP now...


...but where?

CarlF
July 14th, 2002, 14:26
BTW - a thing I've been wondering about:
Where does Armadillo get its usage info (expiry info / Fixclock info) from? I can't seem to find any reference to Registry keys by way of Regmon. The 'HKLM\Software\The Silicon Realms Toolworks\Armadillo\{...}' keys seem not to have anything really to do with this...

SilberFuchs
July 16th, 2002, 11:39
hi

Armadillo saves something in the registry and a file in the temp directory, where this kind of data is stored.

ciao
SilberFuchs