Dillodumper 2.3


gnog
April 20th, 2003, 11:04
I couldn't get the new version of dillodumper to make a working .exe of any Armadillo-protected app I tested. I've tried 5 different ones.

Here is a sample of what it prompted when I tried unpacking an app:

Loading victim process..
Examining .....
Executing...
Preparing....
Starting normally
Scanning....Please wait..
Acquired...
Acquired...
Syncing .....
Attempting dump, please be patient...
OEP : 40A44Ch
Program dumped..
Header fixed..
Dump Successfully fixed !
Building IAT....
Loading Modules and DLL forwards in process .. :
Forwards complete.
IAT rebuild complete.
Server process terminated
Client process terminated
Done !
Press key to continue
But when trying to launch dumped.exe, it gave me an error saying: "dumped.exe is not a valid Win32 application."

It gave this error on all the other apps too. Any ideas?

Lunar_Dust
April 20th, 2003, 13:17
I find it hard to believe it would not work on up to 5 programs, but I did find a bug in the IAT rebuild engine and built a new version.


There is still another bug somewhere in my import rebuild code. Rebuilding imports is quite a complex task, and I fear I may have released this version too soon (although it worked on all my arma targets).

The new version of dumper allows you to skip the IAT rebuild part and just use ImpREC for it if you wish.

The biggest reason for development of the tool was to make dumping easier against copymemII and expiration restrictions. Rebuilding Imports is still something being debugged, as I get reports from various people.

If you'd like to send me an email with a specific target, it would help me track down the problems better.

DO NOT POST ANY SPECIFIC TARGET IN THIS THREAD!

lunardust20@
yahoo.com

Once again I apologize for the problems, but please understand that imports can be highly complex (ordinals, names, forwards, etc). I am basically trying to do what ImpREC does, so I'm emulating an entire other program. It's going to have some instabilities for a little while...

-Lunar_Dust

mpossible
April 21st, 2003, 06:45
When I was trying to unpack an armadilled file with dillodumper v.2.34 and others, it shows only....

Loading victim process..

and then nothing happens.

nikolatesla20
April 21st, 2003, 09:00
If the file is protected with Arma 3.0 or 3.0a, it will not run on a machine that has SoftICE installed and not hidden correctly.

This dumper only removes "Advanced detection" in which they search for the NTICE service. There is still an UnhandledExceptionFilter check which will cause the arma executable to appear to just not do anything if it finds a breakpoint on UnhandledExceptionFilter (which softice sets when it's installed). The arma executable will sit in an endless loop of error, without reporting anything, and without crashing. You have to kill it from the Task Manager.

See the Tools of Trade forum on how to remove this breakpoint that SoftICE sets.


-nt20

mpossible
April 24th, 2003, 00:05
Sorry, the file is protected by Armadillo 2.65 or an earlier release.
And I also have not installed SICE.

So I am worried about that.

fuzzy_seacow
April 27th, 2003, 21:27
This proggie works like a charm for me. Thanks.

Hopcode
April 28th, 2003, 06:49
They updated Armadillo... their beta version breaks dillodumper.
Hope to see an update soon.

thematrix
April 28th, 2003, 11:35
Which version of ImpREC works with this? I have 1.3. A new release is out, but I'm confused about where I can get it; checked protools in vain.

JMI
April 28th, 2003, 12:02
thematrix:

Please re-read the statement contained under the Tools of the Trade Forum, which states clearly:

Do not ask where to get the Tools of our Trade. Do not even think about asking for them.

Now that you have been reminded of the rules, let me also remind you that most of what you need in RCE can be found if you learn how to search the net. Imprec 1.4.2+ is out there, but was not released in the "general" channels. Use your search engine. Here's a BIG hint. Remember that the program's name is not actually "imprec".
Regards.

esther
April 28th, 2003, 12:39
Hi thematrix,
google dot com the program name + the authors name

Good Luck

nikolatesla20
April 28th, 2003, 13:35
I've informed Lunar_Dust of this new update, and his response right now was that he isn't going to be looking at this for a while now, he's busy with other things at the moment..

Here's a quote from him:

"Sorry guys right now I'm distracted with some other tasks, it's good they are finally improving their protection, for 89 bucks it should be better than what it was....I laugh however that I am most likely increasing their revenue by forcing older customers to want to upgrade to escape the dumper , for now, I don't have any updates yet, and maybe not for a long while. I found some more info tho on some detection schemes Arma 3.0 is using, for example, it detects superBPM by its driver name, similar to softice. "\\.\SuperBPMDev0". This should help some of you out there ..Chad and his buds are actually on top of things, looks like I'm making them work hard LOL. I will more likely wait until their new version is in wide distribution before I release another unpacker for it."

So Lunar is kinda pre-occupied, sorry...



-nt20

Hopcode
April 28th, 2003, 16:06
Heh.

Now that "I informed him" thing was funny, but smart people got the idea ;-)

About Armadillo, I think they rely on the int 3, which isn't likely to be broken with some easy code fixer as before.
At least I could not do it; I'm working on some tool right now.

As for the SuperBPM detection code, there is one other on 9x systems in the loader, but those checks are just "toys" because they aren't useful at all.

Even without those detections you won't use Super BPM, because they use debug registers to compute some keys to decrypt some code. So if they aren't zeroed out, it will crash, no matter how well you hide your SuperBPM. I experienced that.

I am not sure that you will make a new unpacker that soon either.
Having studied the new beta version, I found a lot of changes that will stop you from doing what you were doing.

Sorry, I reversed your dumper too ;-)

In any case, if you need some help on your dumper, just say it; I will gladly help you.

I'm bored lately; Asprotect isn't any fun at all.

Regards and Respect,

HopCode.

crUsAdEr
April 28th, 2003, 17:11
LOL... sorry, couldn't resist posting something...

Nice work there, Lunar_Dust (though I still advocate source code)... while some people try to keep their identity private... others can't wait to display theirs... was just musing over this 1ST guy, yes, his nick was "1ST", who claims to be an unpacking god after releasing 2 unpacked exes of Aspr and Arma 2.51 on the TNT forum... wonder when Deamon recruited this new member?

Quote:
Now that "i informed him" thing was funny, but smart people got the idea ;-)


heh, Hopcode ... saying you are smart, heh ... ???
just joking... "informed ppl got the idea" sounds more like it :-)

Lunar_Dust
April 28th, 2003, 20:21
ok...


I may have the source for you soon. Of course, would it do much good anymore? I don't know. I was simply trying to keep the Arma guys from knowing TOO much.

Source is ugly, but functional, and has plenty of comments.

-Lunar_Dust (Group LUNAR)

Hopcode
April 29th, 2003, 06:56
> his nick was "1ST" who claims to be unpacking god after releasing 2 unpacked exe of Aspr and Arma 2.51 on TNT forum... wonder when did Deamon recruits this new member ?

I didn't claim anything

> heh, Hopcode ... saying u r smart heh ... ???
> just joking... informed ppl got the idea sounds more like it :-)

heh. Well, no. I used "smart" to mean something like "not gullible".
But you got the idea ;-)

I was just saying I could help Lunar Dust if he wanted.

Have fun and enjoy the day

HopCode

Lunar_Dust
April 29th, 2003, 09:31
Hopcode...

do I have your email?

-LD

Hopcode
April 29th, 2003, 10:44
Nope.
Lemme send it to you in a private message.

crUsAdEr
April 29th, 2003, 11:26
Hopcode ... was just joking ... no offense, I hope :>

Hopcode
April 29th, 2003, 14:35
hehe
I know you were kidding me.
No problem mate!