
arm tut


BenJ
August 12th, 2002, 23:11
Hi all,

Just spent 2 hours reading all the posts about Armadillo... found plenty of info (especially Crusader's ideas!), but I'm a little confused now...

At least one question: how can I recognize whether a target is CopyMem protected or not?

Would be great if a specialist could issue a step-by-step tutorial on the latest Armadillo protection (2.6?)... for unpacking newbies (as I am).

I've got a target I'm working on... I can mail the link if you want.

Thx

Ben


Armkiller
August 13th, 2002, 22:36
Yep! Post the link, please. I'm sure that I can help you.

BenJ
August 13th, 2002, 23:03
Hi Killer, glad to hear from you. In fact I mailed you the target some time ago, because I had tried your ArmKiller 2.5beta, but it didn't work (in fact it did not create any unpacked exe).

The target is there.

Uses the new Armadillo since build 24. Former builds I could unpack by myself.

I'm pretty sure a lot of us would be glad to see a detailed tut!

Regards

Armkiller
August 14th, 2002, 20:45
Quick tutorial:

1. Download ArmKiller http://unpacker.narod.ru/armkiller25.zip
2. Run it. Choose WealthLab.exe (10-Aug-2002).
3. Wait for the first MessageBox. Don't close it.
4. Run LordPE (http://www.woodmann.net/protools/files/utilities/lordpe.zip)
Dump the 2 processes with the name WealthLab.exe.
Check the content of the first section. Erase the dump with the zero-filled section.
I think that the second process is valid.
5. Run ImpRec (http://www.woodmann.net/protools/files/utilities/imprec.zip)
Choose the right process. Enter this info:
EIP = 2C68D0h IT RVA = 2D01F4h IT Size = A40h
Get Import -> Fix Dump for dump.exe.
6. Run it.

BenJ
August 14th, 2002, 21:25
hehehe, not really a tutorial!!

At least I had the right EOP....

But the first link doesn't seem to work... is your source code available? I'd like to learn!

Thx

Armkiller
August 14th, 2002, 21:30
Quote:
Originally posted by BenJ
hehehe, not really a tutorial!!

At least I had the right EOP....

But the first link doesn't seem to work... is your source code available? I'd like to learn!

Thx


Sorry, the right link is:

http://unpacker.narod.ru/armkiller25.zip

BenJ
August 14th, 2002, 22:05
I'm going to check this out.

Regards

BenJ
August 15th, 2002, 01:51
Well, I've got some very strange results...

First of all, I'm unable to get any valid process... both have sections filled with zeroes, and the executable section is not valid at all.

The only way I can get something usable is to answer 'no' to the first msgbox and let the program load completely. Then I can get a dump from the second process which looks valid. But is ArmKiller still working at this point? I'm not sure... I had nearly the same results without ArmKiller. That's the reason why I wonder whether this target is really encrypted or not.

The point is that I'm unable to rebuild the IAT... There are always some pointers left unresolved... Did it really work for you? I've tried under Win98 (very bad results) and XP (much better). Tomorrow I'll try to install a fresh Win2K... and perhaps look for a way to build it manually (looking for tutz... again hehehe).

All comments are welcome

BenJ
August 15th, 2002, 18:42
Well, I really can't get anything from ArmKiller... In fact, the result seems better without it: good OEP, and finally I got a complete import table. It's pretty easy because the IT in the dump is only partially cleared.

But my proggie keeps crashing!

I've noticed that ImpRec builds some imported functions differently, since the original target calls their aliases (for example ImpRec builds lstrcpy but the original program uses lstrcpyA). Is it a problem? I don't think so...

In fact the real problem is that I don't know whether the dump I'm working from is good or not!

_Servil_
August 15th, 2002, 20:11
Hi, I did the same version recently -- the tracer on Win98 didn't work at all; on XP it restored everything, but these imports were faked:

GetProcAddressA
LoadLibraryA
WinExec

The ~A suffix I had too -- it means the non-Unicode (ANSI?) version is called, so the change shouldn't matter unless you run a Far East OS locale. Try inspecting the above calls (set breakpoints) and see what is really called. Do you have the same results?
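Two checks from this thread are easy to automate before a dump goes anywhere near ImpRec: Armkiller's step 4 (throw away the dump whose section is all zeroes) and step 5 (the OEP and IAT values must land in mapped sections and the IAT must look like a thunk array), plus _Servil_'s observation that a few imports come back faked. The script below is an added example written for this page, not code from ArmKiller, LordPE or ImpRec. It assumes a PE32 dump whose section table is intact (LordPE dumps usually have raw offsets equal to RVAs, but the code maps through the section table, so a realigned file works too) and treats a thunk that points back inside the image rather than into a loaded DLL as a redirected import; that last heuristic is an assumption, and the embedded image is a constructed three-section test file, not WealthLab.exe.

```python
import struct


def parse_sections(data):
    """Section table of a PE32 file or dump: list of (name, va, vsize, raw_ptr, raw_size)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    first = pe + 24 + opt_size
    out = []
    for i in range(nsec):
        off = first + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        out.append((name, va, vsize, rptr, rsize))
    return out


def image_range(data):
    """(ImageBase, SizeOfImage) from the optional header."""
    opt = struct.unpack_from("<I", data, 0x3C)[0] + 24
    return struct.unpack_from("<I", data, opt + 28)[0], struct.unpack_from("<I", data, opt + 56)[0]


def zero_filled_sections(data):
    """Step 4: sections whose raw bytes are all zero (dump of the wrong, still-encrypted process)."""
    return [name for name, _, _, rptr, rsize in parse_sections(data)
            if rsize and data[rptr:rptr + rsize].count(0) == rsize]


def rva_to_offset(data, rva):
    """Map an RVA to a file offset through the section table; None if nothing maps it."""
    for _, va, vsize, rptr, rsize in parse_sections(data):
        if va <= rva < va + max(vsize, rsize):
            return rptr + (rva - va)
    return None


def check_imprec_inputs(data, oep_rva, iat_rva, iat_size):
    """Step 5: sanity-check the OEP / IAT RVA / IAT size that ImpRec asks for.
    Counts non-zero thunks, zero-terminated groups (roughly one per DLL) and
    thunks that point back into the image itself (assumed redirected/faked)."""
    base, size = image_range(data)
    iat_off = rva_to_offset(data, iat_rva)
    res = {"oep_mapped": rva_to_offset(data, oep_rva) is not None,
           "iat_mapped": iat_off is not None, "thunks": 0, "dll_runs": 0, "redirected": []}
    if iat_off is None:
        return res
    in_run = False
    for i, t in enumerate(struct.unpack_from("<%dI" % (iat_size // 4), data, iat_off)):
        if t == 0:                      # zero dword terminates one DLL's thunk group
            res["dll_runs"] += in_run
            in_run = False
            continue
        in_run, res["thunks"] = True, res["thunks"] + 1
        if base <= t < base + size:     # not a DLL address: redirected into the image
            res["redirected"].append(iat_rva + 4 * i)
    res["dll_runs"] += in_run
    return res


def build_test_dump():
    """Constructed PE32 image laid out like a dump (raw == virtual): .text with code,
    .idata holding a fake IAT (two DLL groups, one thunk redirected into the image),
    .data entirely zero. Test data only, not the real target."""
    base, thunks = 0x400000, [0x77E7A2F9, 0x77E8C0B2, 0, 0x401F00, 0x7C80AE40, 0]
    secs = [(b".text", 0x1000, (b"\x55\x8b\xec\x90" * 8 + b"\xc3").ljust(0x1000, b"\0")),
            (b".idata", 0x2000, b"".join(struct.pack("<I", t) for t in thunks).ljust(0x1000, b"\0")),
            (b".data", 0x3000, bytes(0x1000))]
    hdr, pe = bytearray(0x1000), 0x80
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, pe)
    hdr[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, pe + 4, 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    opt = pe + 24
    struct.pack_into("<H", hdr, opt, 0x10B)                          # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x1010)                    # AddressOfEntryPoint
    struct.pack_into("<III", hdr, opt + 28, base, 0x1000, 0x1000)    # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", hdr, opt + 56, 0x4000, 0x1000)           # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", hdr, opt + 92, 16)                        # NumberOfRvaAndSizes
    for i, (name, va, body) in enumerate(secs):
        struct.pack_into("<8sIIIIIIHHI", hdr, opt + 0xE0 + 40 * i,
                         name, len(body), va, len(body), va, 0, 0, 0, 0, 0x60000020)
    return bytes(hdr) + b"".join(body for _, _, body in secs)


if __name__ == "__main__":
    dump = build_test_dump()
    print("zero-filled sections:", zero_filled_sections(dump))
    print(check_imprec_inputs(dump, oep_rva=0x1010, iat_rva=0x2000, iat_size=0x18))
```

On a real LordPE dump you would read the file and call `check_imprec_inputs(data, 0x2C68D0, 0x2D01F4, 0xA40)` with the thread's values (ImpRec's OEP/RVA/Size fields are RVAs; Armkiller's "EIP" is the OEP field). Any RVA listed under `redirected` is a thunk to inspect with a breakpoint rather than trust, which is what _Servil_ suggests for GetProcAddress, LoadLibraryA and WinExec.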

Armkiller
August 15th, 2002, 21:32
Quote:
Originally posted by BenJ
Well, I really can't get anything from ArmKiller... In fact, the result seems better without it: good OEP, and finally I got a complete import table. It's pretty easy because the IT in the dump is only partially cleared.

But my proggie keeps crashing!

I've noticed that ImpRec builds some imported functions differently, since the original target calls their aliases (for example ImpRec builds lstrcpy but the original program uses lstrcpyA). Is it a problem? I don't think so...

In fact the real problem is that I don't know whether the dump I'm working from is good or not!


Strange. I have a dump that works under Win2K. You can download it here:

But I can't run WealthLab under Win98SE. It just shows an exception.

You can try to dump it with my new version, ArmKiller 2.6
(http://armkiller.cjb.net).

kalisto
August 16th, 2002, 07:42
Hi Armkiller, the link is wrong. NOT FOUND. Sorry.

esther
August 16th, 2002, 09:15
Hi Armkiller,

Please don't post anything like this in here. This is a crack link, which is not allowed in here.