Armadillo 2.51 - 3.xx DLL unpacking - OEP?


MEPHiST0
May 20th, 2004, 22:50
hi all..

attempting to unpack an arma protected dll..

the DLL is opened by Internet Explorer.. blah blah, not a prob..
attach explorer.exe and i get the privileged instruction from arma.. and attempt to unpack from there..

anywho im having trouble finding the entry point...
i usually bpx on SetProcessWorkingSetSize or GetCurrentThreadId to get to OEP..

but this is not working? (or well it might take me to OEP.. but im sure it's not the right way.. maybe)

any tips on getting to OEP?

MEPHiST0
May 21st, 2004, 18:07
o fine, i see how u all are :P


Woodmann
May 21st, 2004, 19:17
Howdy,

You have been around here enough to know the process.

I am sure you are not the first person to have this problem.

Now, since I am a mind reader I can tell you that the OEP can be found at this address: 0041000.

If I am wrong, the psychic network has nothing to worry about.

-cbo-

CluelessNoob
May 21st, 2004, 20:58
Quote: Originally Posted by Woodmann
If I am wrong, the psychic network has nothing to worry about


If the psychic network were right half as often as you we would all worry.


MEPHiST0
May 22nd, 2004, 02:01
woodmann..
oh yeah, you're a mind reader

i was looking for tips on unpacking armadillo .dll's.. not psychic advice
just never unpacked an arma dll before.. so hard to believe..?

i've managed arma+debug blocker.. not copymem nor nanomites..

and no that is not OEP.. not close..

i tried that .dll unwrapper for arma that Lunar made.. (nice tool btw..)
but it didn't unwrap this .dll, nothing, no info at all.. unlike some .dll's that at least gave OEP.. like i said it's opened by explorer.exe for a context menu..
not sure if that makes a difference..

tried the APIs i knew about that arma uses.. but no luck.. maybe i should have tried it when i wasn't drinking?

anyway i've read the thread below mine.. similar topic.. but i didn't read anything about getting OEP.. so i created my own thread, just wondering how to get OEP out of arma packed dlls

SHaG
May 22nd, 2004, 02:58
I've actually done some arma dll unpacking. I attach my test files for it:
- dllforarmadillo_nodillo.dll - a simple dll that shows message boxes from DllMain
- dllforarmadillo.dll - the same dll packed with armadillo
- etster.exe - does LoadLibrary =)

Now look at the original dll, see where the EP is - that's your OEP. Now try to find this same address in the packed one. =)
A tip for when you get to resolving imports, there is a place where dildo destroys them, but it can be bypassed.

Don't want to disclose more info on this, I'm sure Chad reads this board. If he does I'd like to tell him I think he's a moron with an inflated ego. :P
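SHaG's tip is to compare where the entry point lands in the original DLL against the packed one. The added example below is not from the thread or from any tool mentioned in it: it parses the PE headers of an image, reports which section holds AddressOfEntryPoint and how random that section's bytes are, which is the check a triage tool uses to flag a packed module whose entry has moved into a protector stub. The two images are constructed stand-ins built by `build_pe` in the script, not the attached test files.

```python
import math
import random
import struct
from collections import Counter

def entropy(data):
    """Shannon entropy in bits per byte; compressed or encrypted bytes approach 8.0."""
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe(image):
    """Return AddressOfEntryPoint and (name, va, vsize, raw_off, raw_size) per section."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]       # DOS header -> PE signature
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                       # 20-byte COFF file header
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]  # SizeOfOptionalHeader
    entry_rva = struct.unpack_from("<I", image, coff + 36)[0] # optional header offset 16
    sections = []
    for i in range(nsections):
        name, vsize, va, rsize, roff = struct.unpack_from("<8sIIII", image, coff + 20 + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, roff, rsize))
    return entry_rva, sections

def entry_section(image):
    """Section holding the entry point, the entry RVA, and that section's raw-data entropy."""
    entry_rva, sections = parse_pe(image)
    for name, va, vsize, roff, rsize in sections:
        if va <= entry_rva < va + max(vsize, rsize):
            return name, entry_rva, entropy(image[roff:roff + rsize])
    raise ValueError("entry point outside every section")

def build_pe(entry_rva, sections, align=0x200):
    """Constructed minimal PE32 image for the demo (not a real DLL): DOS stub, headers, raw sections."""
    hdr_end = -(-(0x40 + 4 + 20 + 24 + 40 * len(sections)) // align) * align
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 24, 0x2102)   # i386, DLL
    opt = struct.pack("<HBBIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0x1000)    # 24-byte PE32 header
    shdrs, raw, roff = b"", b"", hdr_end
    for name, va, data in sections:
        rsize = -(-len(data) // align) * align
        shdrs += struct.pack("<8sIIII", name.encode(), len(data), va, rsize, roff) + b"\0" * 16
        raw, roff = raw + data.ljust(rsize, b"\0"), roff + rsize
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    return (dos + b"PE\0\0" + coff + opt + shdrs).ljust(hdr_end, b"\0") + raw

# Constructed stand-ins: plain DLL with entry in .text; "packed" DLL with entry in an appended high-entropy stub.
PLAIN = build_pe(0x1000, [(".text", 0x1000, bytes([0x55, 0x8B, 0xEC, 0x5D, 0xC3]) * 40)])
PACKED = build_pe(0x3000, [(".text", 0x1000, b"\0" * 0x200),
                           (".stub", 0x3000, random.Random(1).randbytes(0x800))])
```

Run `entry_section` over both images: the plain one reports a low-entropy `.text` entry, the packed one an entry in the high-entropy `.stub`, which is the gap a dumped image has to close before its header entry can be pointed back at the original EP.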

Hopcode
May 22nd, 2004, 05:26
I'm not sure he is the only one with an inflated ego if you ask me

Anyway, the new import protection cannot be bypassed that easy, you are working on demo import protection.

I recommend reading Ricardo's tutorial for this one. Nice work!

Cheers

Hopcode

SHaG
May 22nd, 2004, 05:40
There are many, many others with egos the size of hot air balloons... =)

Well, yeah, this is made by a demo version, but I've actually worked with a dll from a retail soft that used exactly the same mechanism. Maybe that app was protected by a demo/pirated version of Arma?

Concerning Ricardo's tuts: they sure are great! Only problem is extracting all that knowledge using Babelfish. =)

Hopcode
May 22nd, 2004, 09:24
they did not use the good protection level, that's all

it's like when authors don't use pieces of code encryption in Asprotect etc.
without a key, unpacking is useless..

Oh well...

crUsAdEr
May 22nd, 2004, 10:16
Which is why i still find Asprotect a better protection compared to Armadillo... with the latter, using code encryption or not doesn't matter, unpacking always works :/...

MEPHiST0
May 22nd, 2004, 10:47
most unpacked aspr exe's i've done..
either get an access violation in: 6138xx (xx is different in every exe..)
sometimes no access violation..
but just search in hex for 61 38.. get your name in there somewhere
can bpx hw access > dword to check out where it's coming from..
it's usually regged..

SHaG:

thanks man for the help
doesn't help me out much tho.. i can HW bp on that OEP and get to it..
but the reason for this post is, because im all out of ideas to get OEP

but im gonna download that and try it out right now, do it a couple times.. maybe i'll notice something that can help me out.. thx again

MEPHiST0
May 23rd, 2004, 13:09
hell0

i got to the OEP of SHaG's nice little semi-tutorial thing he did..
(thanks SHaG!!)

but i have a question...
first of all i know about nanomites and what they do.. well sorta.. same with copymem..

and this seems to happen with A LOT OF arma packed EXE's / now DLL's since i can unpack em now..

now..
the CALL into Entry points:
<-- i trace into this: and 'SOMETIMES' CODE is All f00ked up.. not executable
<-- happens a lot when protection is arma+debug blocker
found a DLL that has done it to me too..

now a buddy of mine says 'the appz i have trouble with'..
they unpack perfectly normal for him, trace into the CALL EDI and code is fine.. dump.. fix IAT and it runs..

does anyone know what could be doing this? it's almost like arma isn't decrypting the entry point.. but im not advanced enough to find out what the reason is.. has anyone ever had this kind of prob?

--------------------------------------------------------------------

SHaG's .dll however worked out fine..
I didn't realize it, but i had got to the EP.. not knowing it was OEP (/me is drunk)
the Entry point was in perfect condition unlike some other DLL's i have tried..
pissin me off.. thinkin it was some anti virus .dll's i had loaded that could be messin with the EP... but im stupid :P

let me know if anyone's experienced this problem.. because i'd like to unpack every arma there is

nikolatesla20
May 23rd, 2004, 15:28
A DLL will never have nanomites.

-nt20

SHaG
May 24th, 2004, 02:28
NT20: That's what I was trying to get at but was afraid to say because I wasn't sure. As I see it, protecting DLLs just can't be done in quite the same way as protecting EXEs.

MEPHiST0: I saw you tried to msg me on efnet (got it in my bnc log). Please try again. Nick is SHaG when I'm online and shag when I am not.