Hi all,

just spent 2 hours reading all posts about armadillo... found plenty of infos (especially Crusader's ideas !), but I'm a little confused now...

AT least one question : how can I recognize wether a target is copymem protected or not ?

Would be great if a specialist could issue a step_by-step tutorial on latest armadillo protection (2.6 ?)... for unpacking newbies (as I am).

I've got a target i'm working on... I can mail the link it if you want.

Thx

Ben

Yep! Post the link, please. I'm sure that I can help you

Hi Killer, glad to hear from you. In fact I mailed you the target smetimes ago, cause I had tried your armkiller 2.5beta, but didn't work (in fact did not cretae any unpaked exe).

the target is there

Uses new arm sine build 24. former builds I could unpack by myself.

i'm pretty sure a lot of us would be glad to see a detailed tut !

Regards

Quick tutorial:

1. Download ArmKiller http://unpacker.narod.ru/armkiller25.zip
2. Run it. Choose WealthLab.exe (10-Aug-2002).
3. Wait for the first MessageBox. Don't close it.
4. Run LordPE (http://www.woodmann.net/protools/files/utilities/lordpe.zip)
Dump 2 process with name WealthLab.exe.
Check the content of the first section. Erase a dump with zero filled section.
I think that the second process is valid.
5. Run ImpRec (http://www.woodmann.net/protools/files/utilities/imprec.zip)
Choose the right process. Enter this info:
EIP = 2C68D0h IT RVA = 2D01F4h IT Size = A40h
Get Import -> Fix Dump for dump.exe.
6. Run it

hehehe, not really a tutorial !!

at least I had the right eop....

But the first link doesn't seem to work... is you source code availabe ? I'd like to learn !

Thx

Sorry, the right link is:

http://unpacker.narod.ru/armkiller25.zip

i'm going to check this out.

Regards

Well, I've got some very strange results...

First of all, i'm unable to get any valid process... both have sections filled with zeroes, and executable section is no valid at all.

The only way I can get smthing usable is to answer 'no' to the first msgbox, and let the program load completely. There I can get a dump from the second process which looks valid. But is armkiller still working at this point ? i'm not sure... I had nearly the same results without armkiller. That's the reason why I wonder wether this target is really crypted or not ?

The point is that I'm unable to rebuild IAT... There is always some pointers left unresolved... Did it really work by you ? I've tried under win98 (very bad results) and XP(much better). tomorrow i'll try to install a fresh win2k... and perhaps look for a way to build it manually (looking for tutz... again hehehe).

All comments are welcome

well, I really can't get anything from armkiller... In fact, result seems better without : good oep and finally got a complete import table. It's pretty easy cos the IT from the dump is only partially cleared.

But my proggee keeps crashing !

I've noticed that imprec builds some imported fonction, since the original target calls their aliases (for ex. imprec builds lstrcpy but original prog uses lstrcpyA). Is it a problem ? I don't think so...

in fact the real pb is that I don't know wether the dump from which I work is good or not !

hi, I dun the same ver. recently -- the tracer on Win98 didn't work at all, on XP it restore all, but these imps were faked:

GetProcAddressA
LoadLibraryA
WinExec

The ~A suffix I had too -- it signs a non-unicode (ANSI?) version is called thus the changes shouldn't matter unless you run a far-east OS locale. Try inspecting above calls (set breakpoints) and see what really called. Have ya the same results?

Strange. I have a dump that works under Win2K. You can download it here:

But I can't run WealthLab under Win98SE. It shows just an exception

You can try to dump it with my new version ArmKiller 2.6
(http://armkiller.cjb.net).

Hi armkiller link is wrong. NOT FOUND Sorry

Hi Armkiller,

Please don't post anything like this in here.This is a crack links which is not allowed in here.