
Armadillo Goblin


Zilot
January 18th, 2004, 05:23
Hi !!

This tool, which I made over the last several days, should remove Armadillo copy mem protection. It will do only that; the IAT and OEP you must find by yourself. I tested this on versions 2.40 to 3.50 and it worked with all of them.

So this is only a very beta version. Try it, test it and reply whether it works or not. Load your process with the "Load" button.
If you get the message "You can dump now", don't close this box (otherwise you'll terminate the process). After this message run LordPE or PE Tools and dump the second process (the younger of the two processes of your started program).

I expect some comments !!

Zilot

LibX
January 18th, 2004, 09:19
F*cking nice tool dupe

Thigo
January 18th, 2004, 16:05
Code:

ASProtect v.[0/1"AFPE%gsokc(81'8>]

ExceptionFlags: 00000000
ExceptionCode: 80000004
Exception address:00000000
StackCurrent: 0012FF28
StackTop: 00130000
ImageBase: 00C00000

Registers:
EBP: 0012FF58
ESP: 0012FF28
EAX: 00000000
ECX: 00000000
EDX: 00000000
EBX: 00C1A684
ESI: 00BD0000
EDI: 00C00000

Stack list:
000C17C2Eh,00800C17Ch,07D0800C1h,0C17D0800h,000C17D08h
06000C17Dh,0FF6000C1h,012FF6000h,00012FF60h,0F60012FFh
07CF60012h,0C17CF600h,000C17CF6h,05800C17Ch,0FF5800C1h
012FF5800h,00012FF58h,0000012FFh,000000012h,0C0000000h

Stack (functions) list:
00019684
000170A1
00019684
00017754
000185C4
00017E8C
00019770
0000A5DC

Code list:

Would you please not protect your app with crappy ASPR?

Zilot
January 19th, 2004, 03:33
Quote:

Would you please not protect your app with crappy ASPR?


Must complain to Alexey

Seems you are a Win 98 user? Sorry

Try this one

evaluator
January 19th, 2004, 06:31
>>ESP: 0012FF28

Zilot, little exercise: is Thigo a "win 98 user"!?

Zilot
January 19th, 2004, 07:05
I think you owe me one answer. You silently avoid answering in PM.

Quote:
Zilot, little exercise: is Thigo a "win 98 user"!?


Dunno, maybe yes, maybe not. I haven't had Win98 for 2 years, and back then I didn't memorize it.

ZaiRoN
January 19th, 2004, 07:14
Quote:
is Thigo "win 98 user"!?
No...

Thigo
January 19th, 2004, 11:30
This one works better
And no, I'm not using Win98. I use win2k SP4, no debugger running.

Zilot
January 19th, 2004, 13:42
Quote:
[Originally Posted by Thigo]This one works better
And no, I'm not using Win98. I use win2k SP4, no debugger running.


Strange, I use win2k too, and it worked fine. Anyway I'm glad it works.

Evaluator, I'm still waiting. I'm wondering what I have to do to get an answer.

evaluator
January 19th, 2004, 18:56
OK, I unpacked it from Obsidium, as you wanted.
What version of Obsidium do you use?

pending answer is +995

Zilot
January 20th, 2004, 03:39
Quote:
[Originally Posted by evaluator]OK, I unpacked it from Obsidium, as you wanted.
What version of Obsidium do you use?


You did a great job for Chad; now he can sit back and enjoy your work. Why do you think I packed this??

Quote:
[Originally Posted by evaluator]pending answer is +995


Thanks for the answer, exactly what I got in that crackme at address 54AC34, after the call to 43B256; I mean +995 was the value in EAX after return from 43B256.

evaluator
January 20th, 2004, 05:55
yei!

Seems I wrongly translated your request (:
>>Evaluator, I'm still waiting

OK, by default: an unpacker forces protectors to be better,
so you are helping the author of Arma, not I. (Ask ni20 also.)

Why do you think the author will be unable to unpack ASPR or Obsi?
Do you have true info that he is such a lamer in unpacking?

**
That is really the answer! If you can't solve it, ask ZaiRoN,
maybe he can solve it!? But privately.

Zilot
January 20th, 2004, 08:16
Quote:
[Originally Posted by evaluator]yei!

Seems I wrongly translated your request (:
>>Evaluator, I'm still waiting.


Man!!!!
You translated it well. And I understood your answer. But do I have to say everything literally? You didn't understand what I wanted to say with the last sentence? Does anybody else know our story from PM? What would he conclude?


Quote:
[Originally Posted by evaluator]
Why do you think the author will be unable to unpack ASPR or Obsi?
Do you have true info that he is such a lamer in unpacking?


Do you think they pack files and make protectors because they think we won't be able to defeat them??
They are just stealing our time. Why have fair play with them, when they play as dirty as they can? They even (especially Chad) threaten some of us with the law. Let them spend some time thinking about what we have done.

evaluator
January 20th, 2004, 13:16
There is only 1 way, if you DON'T WANT to help protector authors:
DO NOT publish your unpacking tools.

Keep your tools for you, your friends.
Also don't sell; it's stupid. [Seems for money the best will be unpacking targets for 1-5$ etc.]

If you want to make a VENDETTA, unpack & spread protected targets widely,
so this will damage the protector's honor much harder.

volodya
January 20th, 2004, 13:18
evaluator, my high skilled body, Zilot is absolutely right. If you are going to hide your knowledge - OK, be happy with it. For the rest of us it is garbage. There is NOTHING special in Armadillo indeed! Indeed! The whole principle of this proggy is to use DebugAPI. If you know how ANY Win32 tracer works - you can crack it. These rdtsc and other shit are shit indeed!
Chad is not that cool, my friend. I myself know far more sophisticated software than the one Zilot did. That software is able to restore nanomites in automatic mode, decrypt the code section and do a dump correctly. And this software is distributed absolutely freely with the tutorials! So in Russia almost everyone now can hack Arma.
If you are going to play hide and seek - you lost from the very beginning. If you are going to share your knowledge (BTW, REALLY strong - I've read your posts) - we will all win.
The principle of Arma has been known for a long time. For Chad to rewrite it completely from scratch using another principle - he-he, he won't be able to do it. If he does, then we crack it again.

JMI
January 20th, 2004, 14:56
So volodya:

Would you be referring to "Armadillo nanomites recoverer 1.4 + dumper"? Or some other?

Regards,

evaluator
January 20th, 2004, 15:11
vladimir,
because you wrote: "Zilot is absolutely right"

I have 1 question:
how about me?
Am I right somewhere in my previous post (or totally wrong)?

volodya
January 20th, 2004, 15:35
Who am I to judge if you are totally wrong or not? In my opinion, you were NOT right when you unpacked ZILOT's dumper - Chad should have more work. I hate packers - they SLOW the program!
For the rest, I can only say it again - you are VERY skilled! That's true. But for some reason you don't want to share your skills as to some packers. I can't really understand why. So, if you take Armadillo - WaitForDebugEvent is the key to everything. They may play in detection of 0xCC or sth else, but the PRINCIPLE is the SAME in each and every version of it - fucking SLOW ring-3 tracer!

JMI
Mainly, yes. We have one brilliant tutorial by dragon. Another one I'm going to write. infern0 (the author of N-rec 1.4) talks to me often. But for sure this is not the only utility. They all have the same principle - CreateRemoteThread inside. Chad may add even more shit into his idiotic tool - it won't help - the PRINCIPLE is the same.

evaluator
January 20th, 2004, 15:58
volodya,
once again, I think:

publishing an unpacker forces the protector's author to upgrade his protector,
so it is better NOT to publish the unpacker.

Please, judge it.

volodya
January 20th, 2004, 16:44
The development cycle of any commercial product assumes there MUST be a new version every half year. Otherwise the project will be shut down.

evaluator, you are trying to raise a philosophical question here. I'm sorry, but I definitely do NOT have enough time to argue with you here and go into sophistic questions. Everyone should decide for themselves. But let me give you the situation - you may ignore MS, you may hate it, but, despite that fact, MS is developing and will be developing more and more ugly software and there is nothing you can do about it.
The same is with the progress concept in general. One may hate it, one may love it, but in the long run it DOES NOT matter! English people have a nice proverb here: "Dogs bark but the caravan goes on".

JMI
January 20th, 2004, 18:35
volodya: Allow me to anticipate Eval's response. "Too much inglish."

Remember we need an unpacker just to get the gist of most of Eval's comments.

And as a complete aside, "English people" aren't generally known to have caravans. We/they, as a group, are not that good at riding camels, one or two humps. That proverb is probably just an English translation of a saying of more qualified camel pilots, who know better the desert sands and the way of caravans and barking dogs.

I'll look for the tut you mentioned in the same place I found the tool and trust my luck to a machine translation. The general drift can usually be found in their very rough translations.

Regards,

nikolatesla20
January 20th, 2004, 20:47
And you can find the OEP of any copymem arma program in like 2 seconds by simply hooking ContinueDebugEvent.

-nt20

volodya
January 21st, 2004, 00:17
Exactly, my friend. THE PRINCIPLE! ring-3 tracer!

For the rest - perhaps, someday I'm going to translate my tutorials to English if anyone needs it...
As to the camels - most likely you are right
I'm not a native speaker, therefore...

+SplAj
January 21st, 2004, 02:57
Ev@l

Now U must make a tut on unpacking Obsidium.......

evaluator
January 21st, 2004, 04:16
volodya,
I am very much upset with your cold position.

For last words, I decided to correct 2 things for you:

1.
>evaluator, my high skilled body
I'm a musician, unpacking is my hobby,
I'm not highly skilled in programming or in computer-related knowledge.

Just I (& all) can (but yet) enjoy my tricky mind & fantasy.

2.
I'm not hiding my knowledge. (& btw, an unpacker is not knowledge)

**
+SPLAJ, unpacking is my hobby, but writing tuts won't be.

+SplAj
January 21st, 2004, 10:37
Ev@l

Your hobby is being a pain in the ass.

You would freely help asshole protectionists by posting an unpacked tool. Then REFUSE to help us.

I say no more to U and in your native tongue 'merda' ciao

volodya
January 21st, 2004, 11:18
an unpacker is not knowledge

If you are just telling what button to push, indeed, it is not. If you are showing some concepts and really demonstrate some theory along with the practice - allow me to disagree.

evaluator
January 21st, 2004, 12:39
+SPLAJ, I did not understand; maybe you will try easy English?

volodya
January 21st, 2004, 15:53
evaluator, my friend, +SPLAJ is slightly more rude than necessary, but, in general, he is right. So, would you please delete your attachment of the unpacked Zilot's tool.

evaluator
January 21st, 2004, 16:05
volodya,
because I already said "last words" to you, so those were the last words
between us. OK?
(means: forget about me)

As for the attachment, I forward the rights to delete it [or not] to Woodmann.

nikolatesla20
January 21st, 2004, 16:23
This isn't my thread, but I agree with +Splaj. It looks as though Zilot requested through PM about the unpacking. Hence the unpacked file does not belong here. Although it's probably too late anyway, that attachment should be removed. It does not show a proper community spirit if one user wishes to work with another via PM and then the other party makes the private issues public without the knowledge or permission of the requesting party.

Even more so when the knowledge of the unpacking of that particular attachment does not accompany it. In essence it is then a crack and should be removed.

-nt20

evaluator
January 21st, 2004, 16:58
niko, too many decisions?

Maybe it is easier to ask if he requested it?

**
EDIT: niko, too many assumptions??

+SplAj
January 22nd, 2004, 02:21
Quote:
[Originally Posted by vladimir]evaluator, my friend, +SPLAJ is slightly more rude than necessary, but, in general, he is right. So, would you please delete your attachment of the unpacked Zilot's tool.



Yes, I was a bit rude. I apologise to the protectionist assholes. They are really very nice ppl with good ideas and are willing to share their work with others for such little money.

esther
January 22nd, 2004, 03:50
>you were NOT right when you unpacked ZILOT's dumper

What right do you have to unpack other packers!?

Unpackers are a useful source; ppl can learn from them. Unpackers are knowledge if you provide source codes. Well, did you ppl SHARE YOUR KNOWLEDGE? Really doubt that.

Evibrator

Writing a tute is sharing knowledge. I totally agree with Splaj.

nikolatesla20
January 22nd, 2004, 10:41
I know I've waited a while before sharing this, please forgive me.


Here is the source code for DilloDumper 2.30. It's fairly messy, but it's got a lot of comments that should help someone understand what is going on. Some of the tricks used I still use today in my new unpacker code for Arm. One of the reasons it's hard to share this is mainly because I developed it on 3 computers at the same time, so I hope this is the latest rendition; in other words, I'm not sure anymore which computer contains the latest code. But it looks like this was 2.30. 2.30 added "auto IAT" rebuild, so you'll find lots of functions related to doing that.

The source is NOT clean or very organized; in fact, it's all in ONE file. I know this is bad practice but this was my first unpacker/dumper and my only goal was to learn how to do some things. I've since improved my structures.

I hope ppl can learn something from this. Even though many already know how to manually unpack and are very skilled, information on writing an unpacker just doesn't exist on the web; it's one of those things you just have to do. Also, most examples of unpacker source on the web are in ASM. There's no real purpose in doing this in asm; C is just as fast nowadays. So here is some C code for you MSVC users out there...


-nt20

esther
January 22nd, 2004, 11:01
Thank you for sharing your source


with respects

mr.x
January 24th, 2004, 14:18
Zilot,

Your tool does not work with a file protected by Armadillo requiring ID and code. I tested.

JMI
January 24th, 2004, 15:12
Mr. x:

Perhaps you should read from the start of the thread where Zilot described what the tool would do and would not do. He advised it would remove the copy mem portion, nothing more. Why would you even suspect it would solve the problem with versions requiring id and activation code? It was not offered as a "solve all" solution or as a one click solution for those who do not want to do any of their own work.

Regards,

R@dier
January 25th, 2004, 05:17
nikolatesla20, thanks for sharing your source code.
I look forward to learning from it.

Best Wishes

R@dier

Zilot
January 25th, 2004, 12:03
Quote:
Zilot,
Your tool does not work with a file protected by Armadillo requiring ID and code. I tested.


Yup, doesn't work. You have to find out the way to bypass the ID check. So if you have a file with a nag generated by Armadillo, you have to press 'continue trial' or whatever to make my tool work.

equinoxe
February 3rd, 2004, 11:42
Quote:
[Originally Posted by Zilot]Yup, doesn't work. You have to find out the way to bypass the ID check. So if you have a file with a nag generated by Armadillo, you have to press 'continue trial' or whatever to make my tool work.


Is there a way to bypass the ID check, or is there a tut for it (arm v 3.40)?
I am working on a prog with no continue trial possibilities..

tenketsu
February 27th, 2004, 19:44
Coding WorkShop ALWAYS updates their protections.

The AGoblin loads the program &..... nothing!!

The app loads, works and exits; the AGoblin doesn't respond.

Zilot
February 28th, 2004, 07:42
Quote:
[Originally Posted by tenketsu]Coding WorkShop ALWAYS updates their protections.

The AGoblin loads the program &..... nothing!!

The app loads, works and exits; the AGoblin doesn't respond.



AGoblin works even with the newest Armadillo (3.61) downloaded from siliconrealms.com. I don't believe they protected it with an older Armadillo.

Two reasons why you can't get a working application:

1. The shareware authors of Coding WorkShop changed the protection type
2. It is not copy-mem protection

Have you reversed older versions of Coding WorkShop? Once upon a time when I did it, there wasn't copy-mem protection.

tenketsu
February 28th, 2004, 14:20
I have unpacked 6 versions of Ringtone Converter & they ALWAYS use the COPYMEM II protection.

I don't know why this version 4.8.2 is different in many ways; download, analyze & later say something.

Zilot
February 29th, 2004, 04:47
Quote:
[Originally Posted by tenketsu]download, analyze & later say something.


You think I have nothing to do but reverse Ringtone Converter?

As I see you are an expert on this software (you reversed 6 versions), so it wouldn't be hard to review what you did in previous versions and to apply all of that to this one.

JMI would say "There is a search button here, and if you doubt someone, use it."

tenketsu
February 29th, 2004, 11:58
My post is only a comment; I really like your job.

& I have found the trick in Ring.Conv. 4.8.2

So.. let's dump

Zilot
March 1st, 2004, 05:18
Ok

I'm glad you found the solution.

Baron Gede
May 1st, 2004, 04:16
Folks.

When you really break that fucking Armadillo, drop me an email.

dELTA
May 1st, 2004, 08:01
Hey, watch your language young man!

Baron Gede
May 1st, 2004, 08:22
Quote:
[Originally Posted by dELTA]Hey, watch your language young man!

No, I speak only Russian.
Sorry.

Do hack the last version of Armadillo.... Zilot's dumper is not workable on W2003.

friedo
June 22nd, 2004, 12:42
Quote:
[Originally Posted by Baron Gede]Do hack the last version of Armadillo.... Zilot's dumper is not workable on W2003.

On my exe it's not working either! (3.0-3.6)
(I think it has to do with the fact that the application runs in an endless loop if a debug breakpoint is set.) => Goblin hangs...