Armadillo unpacker


crUsAdEr
September 12th, 2004, 02:13
I do not want knowledge to be lost into oblivion. But rather than simply releasing my unpacker source code, I will start this mini project to write an unpacker for Armadillo; whoever is interested can just participate, and hopefully in the end you will have an Armadillo skinner of your own. Hopefully you won't spread it to everyone though, because unpackers themselves don't teach people much.

Anyway, it is not exactly a simple task, so be prepared for some hard work. I would estimate that if you know Arma well it will take two weeks of hard work to code an unpacker; if not, a month or more... I coded mine fully in MASM, but you can code in anything you wish...

We will start off with:
1. Dumping ArmAccess.dll
2. Dumping protected PE files
3. Fix & rebuild the IAT
4. Fix strategic code splicing
5. Then fix nanomites
6. Finally bruteforce secured sections
7. Clean up & other misc tasks like handling DLL, OCX, EXE etc.

Yep, it all can be done and has been done... so no fear or dead end as long as you have the will to do it. I will provide help where required etc.; my unpacker is not complete either, so we can work together & improve each other's... so whoever is interested, start as you wish.

have fun...

crUsAdEr
September 12th, 2004, 19:12
Hah... now that ZaiRoN mentions I should use crackmes etc. instead of real targets (which I will do, ZaiRoN, so don't worry about me breaking the forum rule)...

Of course the unpacker will have to be able to handle custom-built versions of Armadillo; yes, it can be overcome rather easily, if anyone still has doubts.

tenketsu
September 12th, 2004, 21:06
I found the trick in nanomites, code splicing & the IAT scrambler.

At this moment I have no time to post (in addition, my English is very poor).

I'll post or PM in 2 or 3 hours.

Hopcode
September 13th, 2004, 13:42
Hello

Interesting!
I am up for the challenge.

I was going to write a couple of unpackers for other protectors; those can wait a little.

Your unpacker isn't complete; what is needed?

Can it unpack Armadillo.exe from their site?
That's the real challenge for an unpacker, I think. Customers, like for any protector,
apply protections like morons.

Also... brute forcing secured sections... this is impossible without a key.
Strong crypto is used, I believe.

Cheers,

Hopcode

warming up MASM

crUsAdEr
September 13th, 2004, 15:15
hi Hopcode,

Glad you are interested, if unpacking Armadillo itself is no problem... my unpacker is incomplete because it is not fully automatic; some manual work is still required (aka not user friendly, but it was never designed to be).

Just get started any way you want, depending on how much you have worked with Arma... well well, trust me, whatever I listed there can be done and has been done, so just go ahead.

Just post anything related here, then we can discuss possible solutions to it. Guess you are using MASM?

Anyway, like my first post said, your first task will be dumping the ArmAccess.dll & decrypting it!!!

Hopcode
September 13th, 2004, 16:04
Hello

> glad you are interested, if unpacking armadillo itself is no problem... my unpacker is incomplete cos it is not fully automatic, some manual work is still required (aka not user friendly but it was never designed to be

But then, does it handle nanomites completely on the latest Armadillo?
And Import Elimination? Who cares if it is not 100% auto.

> just get started anyway u want, depends on how much u have worked with arma... well well, trust me, whatever i listed there can be done and has been done so just go ahead

I have studied it. Not too much in depth, but enough to understand wtf is going on.

> just post anything related here, then we can discuss possible solutions to it. Guess u r using masm ?

Yes, I'm using MASM. Or TASM, depending on my mood.

> anyway, like my first post said, your first task will be dumping the ArmAccess.dll & decrypt it!!!

Via the unpacker you mean?
What do you recommend for that?
Acting like a debugger of some sort? Hooking APIs? Injecting code inside the packed process? Since you have done some work on it, which ways do you recommend to handle the protector?

The foundation is the base of the unpacker, so better to start on the good path rather than realising it is fucked up and redoing it all later.

Hopcode.

crUsAdEr
September 13th, 2004, 17:31
Quote:
but then, it does handle nanomites completely on latest Armadillo ?
and Import Elimination ? who cares if it is not 100% auto


lol, of course it handles everything completely... no one can sit down and manually fix hundreds of nanos each time...

1. Via unpacker I mean a piece of software that can run, remove Armadillo from the protected target and produce a working target exe...
2. Well, since Armadillo uses a debugger approach, I decided to do the same: my unpacker acts as a debugger so I can control Armadillo's execution flow etc., which is a lot easier... with that approach you can inject code, hook APIs and do anything you wish to the protected exe... though that means you have to emulate the Arma-debugger process to pass the CopyMem session hash key to the child process etc. (from which you will soon discover what a JOKE Armadillo is).

Hopcode
September 13th, 2004, 20:30
OK, thanks for the info.

Well, Armadillo might be a joke, but it's harder than ASProtect, which IS a bad joke because it sucks pond water...

SDProtector, as interesting as it might be, is a lot easier too.
SVKP also stinks, and so does ACProtect...

Basically, all protectors are jokes then.

I will start coding this week.

Cheers

SL0rd
September 14th, 2004, 13:11
I've been studying manual unpacking stuff, and this project is all that I was looking for. Unpacking from the very beginning!
I will follow all the steps from 1 to 7, I hope, and of course use MASM.
I will learn a lot this time, let's rock!

MrAnonymous
September 14th, 2004, 18:06
Out of curiosity, what kind of crypto is used on Arma's secured sections? Obviously if it's bruteforce-able it's not very strong. Protectors are more or less all about implementation, remember, so protectors are usually only as good as the authors of the protected programs :P

nikolatesla20
September 14th, 2004, 20:53
I have to comment: I don't know why many people insist on using MASM, unless perhaps they don't have access to a C compiler. In MS VC you can just as easily write a good unpacker that is very small, and you can even put in inline ASM if you want (which basically IS MASM then).

Don't get me wrong, MASM is great, and I love using it too, but for more complex unpackers it is not a crime to use C. Straight C will usually compile just as tight as MASM would. And with C you get the benefit of the runtime libraries. For example, in all of my unpackers I use vectors and maps (STL classes). It makes everything so much better and easier to read/maintain.

Just stating: don't be afraid of C.

-nt20

armaski8
September 14th, 2004, 22:53
I agree... I like using Turbo C 2.01...

br

crUsAdEr
September 15th, 2004, 15:26
SL0rd, welcome on board... just in case you are waiting for something to happen: nothing is going to happen till you do something... so start downloading the latest Armadillo 3.77 from their website and perhaps look at it, play with it...

The first simple task would be removing the first decryption layer, to which Chad & co have apparently added lots more SEH etc., but the job should be easy since that layer doesn't do anything besides confusing you and stopping you from applying IDA to it... once you get rid of that layer you can use IDA to study how Arma decompresses the dll, how debug-blocker works, and how nanomites are handled...

Hopcode: whenever you start coding, try to keep things organised; it is going to be a fairly big project, so try to break the code into small files etc., you know the usual coding practice, keeping constants in one place etc.... just get the debugger framework up and running and you are good to explore Arma.

SL0rd
September 16th, 2004, 12:38
There is a lot to do, I think, for a beginner like me. But my goal is to learn, not to make an unpacker at all.
About using MASM: I will use it just because I want to increase my asm skills; I will use templates almost all the time when doing GUI stuff!
I'm thinking of not using IDA; firstly I have just the trial version, and after playing with OllyDbg I found it very interesting, so I'm seriously thinking of using Olly.
I will download Armadillo right now! Let's go, gang!!

dELTA
September 17th, 2004, 04:21
A disassembler and a debugger are two very different things, and one does not exclude the other. People might have a more dead-listing or live debugging directed approach though, but for analyzing advanced stuff there's nothing like a good disassembler (e.g. IDA)...

Hopcode
September 18th, 2004, 10:56
Quote:
[Originally Posted by crUsAdEr]
Hopcode : whenever u start coding, try to keep things organised, it is gonna be a fairly big project so try to break the codes into small files etc, u know the usual coding practise, keeping constants in one place etc... just get the debugger framework up and running and u r good to explore arma


This is how I usually code :-)
I started to code the debugger framework.
I will then code something to change IsDebugged in the PEB, in order to bypass the debugger checks. I think I could use GetThreadContext and access the address pointed to by EDX, because it always points to a very handy place ;-)

My first task will be to dump ArmAccess.dll; I'm not sure yet how I can find its base address. Maybe by hooking a couple of APIs I can find the info I need?

Did you do it by hooking at all?

Cheers,

Hopcode

SL0rd
September 18th, 2004, 11:34
Quote:
[Originally Posted by dELTA]A disassembler and a debugger are two very different things, and one does not exclude the other. People might have a more dead-listing or live debugging directed approach though, but for analyzing advanced stuff there's nothing like a good disassembler (e.g. IDA)...


I think that was for me. OK, OK, I got it!!

crUsAdEr
September 18th, 2004, 12:27
Quote:
[Originally Posted by Hopcode]This is how i code usually :-)
I will then code something to change IsDebugged in the PEB, in order to
bypass the debugger checks. I think i could use GetThreadContext and access the address pointed by EDX, because it always points to a very handy place ;-)

My first task will be to dump ArmAccess.dll, im not sure yet, how i can find its base Address. Maybe by hooking a couple of API i can find the info i need ?


OK, let me discuss some plan of attack.
Armadillo has 2 processes running if they have debug blocker on, so your unpacker must be able to handle the case of 2 processes or of 1 single process running...
The problem with 2 processes running is that your unpacker will act as a debugger for the Armadillo server/father process (whatever you call it), so your debugger will need to use the ToolHelp APIs for accessing the memory of the client/child process...
I take another approach: my unpacker acts as a debugger, and I do not hide this fact, so whenever we launch an armadilloed app, the app will think debug blocker is on, then execute as the child/client process only and not create a new process, regardless of the protection settings.

That sounds a bit confusing, but maybe after some trials you will know what I mean. Just a suggestion.

Perhaps you can try dumping ArmAccess.dll manually with Olly once; then you will know how to code a dumper for it. But first you will need to rip off the first layer of decryption by Armadillo... you will need it for nanomite fixing later.
You will see Armadillo execute like this:
execute code in section .adata (nothing here at all, just garbage + decryption)
execute code in section .text1 (branch into server/client process...)
You will need to find the OEP in section .text1, and your unpacker's first task is to dump at the OEP here... then we will continue from there...

cheers,
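
Added example, written for this page and not code from the thread or from any real unpacker: a Python sketch of the "dump at OEP" step described above. It takes a memory-read callback (in a debugger-based unpacker on Windows that would wrap ReadProcessMemory on the child; here it is a stand-in over a constructed in-memory PE32 image with a throw-away .adata stub and a .text1 section holding the OEP), rewrites every section header so file offsets equal RVAs, points AddressOfEntryPoint at the chosen OEP, and refuses to dump if the OEP lies outside every section. Section names, addresses and sample bytes are made up for the example; the IAT and nanomites are still broken in such a dump, which is what the later steps of the plan are about.

```python
import struct

IMAGE_BASE = 0x00400000     # assumed load address of the constructed sample image
SECTION_ALIGN = 0x1000

def _sechdr(name, va, vsize, raw_size, raw_ptr, chars):
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, reloc/linenumber fields (unused), Characteristics
    return struct.pack('<8sIIIIIIHHI', name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)

def build_sample_image():
    """Constructed in-memory PE32 image: headers at offset 0, sections at their RVAs.
    .adata plays the decryption stub, .text1 the section that really holds the OEP."""
    sections = [  # name,   va,     vsize,  raw,   ptr,   characteristics
        (b'.adata', 0x1000, 0x1000, 0x200, 0x400, 0xE0000020),
        (b'.text1', 0x2000, 0x1000, 0x200, 0x600, 0x60000020),
    ]
    dos = bytearray(0x40)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack('<4sHHIIIHH', b'PE\0\0', 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into('<H', opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into('<I', opt, 16, 0x1000)                       # entry point: the packer stub
    struct.pack_into('<I', opt, 28, IMAGE_BASE)
    struct.pack_into('<I', opt, 32, SECTION_ALIGN)
    struct.pack_into('<I', opt, 36, 0x200)                        # FileAlignment on disk
    struct.pack_into('<I', opt, 56, 0x3000)                       # SizeOfImage
    struct.pack_into('<I', opt, 60, 0x400)                        # SizeOfHeaders
    image = bytearray(0x3000)
    hdr = dos + coff + opt + b''.join(_sechdr(*s) for s in sections)
    image[:len(hdr)] = hdr
    image[0x1000:0x1010] = b'\xCC' * 16                           # leftover stub bytes
    image[0x2000:0x2005] = b'\x55\x8B\xEC\x83\xEC'                # push ebp / mov ebp,esp / sub esp at the OEP
    return bytes(image)

def memory_reader(image):
    """Stand-in for ReadProcessMemory; the debugger-based unpacker reads the child here."""
    def read(addr, size):
        off = addr - IMAGE_BASE
        return image[off:off + size]
    return read

def dump_at_oep(read, image_base, oep):
    """Snapshot the mapped image as a PE whose raw layout equals its virtual layout.
    Returns (file_bytes, name of the section containing the OEP)."""
    hdr = bytearray(read(image_base, 0x1000))                     # assumption: headers fit in one page
    e_lfanew = struct.unpack_from('<I', hdr, 0x3C)[0]
    if hdr[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('no PE signature at image base')
    nsec = struct.unpack_from('<H', hdr, e_lfanew + 6)[0]
    opt_size = struct.unpack_from('<H', hdr, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    sec_align = struct.unpack_from('<I', hdr, opt + 32)[0]
    size_of_image = struct.unpack_from('<I', hdr, opt + 56)[0]
    struct.pack_into('<I', hdr, opt + 16, oep - image_base)       # AddressOfEntryPoint := OEP RVA
    struct.pack_into('<I', hdr, opt + 36, sec_align)              # FileAlignment := SectionAlignment
    out = bytearray(size_of_image)
    oep_section = None
    for i in range(nsec):
        off = opt + opt_size + i * 40
        name = bytes(hdr[off:off + 8]).rstrip(b'\0').decode('ascii', 'replace')
        vsize, va = struct.unpack_from('<II', hdr, off + 8)
        size = -(-max(vsize, 1) // sec_align) * sec_align          # round up; packed headers often under-report
        size = min(size, size_of_image - va)
        # raw size/offset := virtual size/RVA, so the file maps 1:1 onto what was in memory
        struct.pack_into('<IIII', hdr, off + 8, size, va, size, va)
        out[va:va + size] = read(image_base + va, size)
        if va <= oep - image_base < va + size:
            oep_section = name
    if oep_section is None:
        raise ValueError('OEP %#x lies outside every section: wrong OEP or wrong image base' % oep)
    out[:len(hdr)] = hdr
    return bytes(out), oep_section

def sections_of(pe):
    """(name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section header."""
    e_lfanew = struct.unpack_from('<I', pe, 0x3C)[0]
    nsec = struct.unpack_from('<H', pe, e_lfanew + 6)[0]
    first = e_lfanew + 24 + struct.unpack_from('<H', pe, e_lfanew + 20)[0]
    return [struct.unpack_from('<8sIIII', pe, first + i * 40) for i in range(nsec)]

def entry_point_rva(pe):
    e_lfanew = struct.unpack_from('<I', pe, 0x3C)[0]
    return struct.unpack_from('<I', pe, e_lfanew + 24 + 16)[0]

if __name__ == '__main__':
    img = build_sample_image()
    dumped, sec = dump_at_oep(memory_reader(img), IMAGE_BASE, IMAGE_BASE + 0x2000)
    print('OEP in', sec, [(s[0].rstrip(b'\0'), hex(s[2]), hex(s[4])) for s in sections_of(dumped)])
```

The point of the raw == virtual rewrite is that whatever the stub decrypted or decompressed into .text1 lands in the file at the same offsets it had in memory, so IDA and the later IAT/nanomite fixes can work on the dump with the same addresses the debugger saw.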

Hopcode
September 18th, 2004, 15:42
OK, so basically you suggest taking over Armadillo's parent position?

We are going to act as the parent that is supposed to handle the nanomites, and all the rest?

For the dll, I was thinking of hooking the parent, and then I could inject some code to bounce on the debuggee. I think a GetModuleHandle on the dll would have allowed me to get its base address, and then do what I need to (like reading it into my buffer or whatnot).

Though, if I act as the parent, I should be able to inject directly into the debuggee (hooks). To find the child's OEP, I would try to hook GetVersion for instance, and dump it there. Would that work?

Since Arma is coded in VC++, it has a standard entry point, so it should work...

I have to experiment; a little busy right now though.

Thanks for taking the time to explain.

Cheers,
Hopcode

crUsAdEr
September 18th, 2004, 19:23
Yep, any of those ideas will work... do whatever suits your style... we are simply discussing ideas, so anyone can have their own style of unpacker.

tenketsu
September 19th, 2004, 00:40
This code is from 2 or 3 weeks ago [my mid too..]

I have made this table:

Jump Info || Jump Flags

77 - 0F87 JA Jump if above (C=0 and Z=0)
C 0 P 1 A 1 Z 0 S 1 T 1 D 1 O 1 00000F96

73 - 0F83 JAE Jump if above or equal (C=0)
C 0 P 1 A 1 Z 1 S 1 T 1 D 1 O 1 00000FD6

72 - 0F82 JB Jump if below (C=1)
C 1 P 0 A 0 Z 0 S 0 T 0 D 0 O 0 00000203

76 - 0F86 JBE Jump if below or equal (C=1 or Z=1)
C 1 P 0 A 0 Z 0 S 0 T 0 D 0 O 0 00000203
C 0 P 0 A 0 Z 1 S 0 T 0 D 0 O 0 00000242

72 - 0F82 JC Jump if carry (C=1)
C 1 P 0 A 0 Z 0 S 0 T 0 D 0 O 0 00000203

E3 - JCXZ Jump if CX register is 0

E3 - JECXZ Jump if ECX register is 0

74 - 0F84 JE Jump if equal (Z=1)
C 0 P 0 A 0 Z 1 S 0 T 0 D 0 O 0 00000242

7F - 0F8F JG Jump if greater (Z=0 and S=O)
C 0 P 0 A 0 Z 0 S 0 T 0 D 0 O 0 00000202
C 0 P 0 A 0 Z 0 S 1 T 0 D 0 O 1 00000A82

7D - 0F8D JGE Jump if greater or equal (S=O)
C 0 P 0 A 0 Z 0 S 0 T 0 D 0 O 0 00000202
C 0 P 0 A 0 Z 0 S 1 T 0 D 0 O 1 00000A82

7C - 0F8C JL Jump if less (S<>O)
C 0 P 0 A 0 Z 0 S 0 T 0 D 0 O 1 00000A02
C 0 P 0 A 0 Z 0 S 1 T 0 D 0 O 0 00000282

7E - 0F8E JLE Jump if less or equal (Z=1 or S<>O)
C 0 P 0 A 0 Z 1 S 0 T 0 D 0 O 0 00000242
C 0 P 0 A 0 Z 0 S 0 T 0 D 0 O 1 00000A02
C 0 P 0 A 0 Z 0 S 1 T 0 D 0 O 0 00000282

76 - 0F86 JNA Jump if not above (C=1 or Z=1)
C 1 P 0 A 0 Z 0 S 0 T 0 D 0 O 0 00000203
C 0 P 0 A 0 Z 1 S 0 T 0 D 0 O 0 00000242

72 - 0F82 JNAE Jump if not above or equal (C=1)
C 1 P 0 A 0 Z 0 S 0 T 0 D 0 O 0 00000203

73 - 0F83 JNB Jump if not below (C=0)
C 0 P 1 A 1 Z 1 S 1 T 1 D 1 O 1 00000FD6

77 - 0F87 JNBE Jump if not below or equal (C=0 and Z=0)
C 0 P 1 A 1 Z 0 S 1 T 1 D 1 O 1 00000F96

73 - 0F83 JNC Jump if not carry (C=0)
C 0 P 1 A 1 Z 1 S 1 T 1 D 1 O 1 00000FD6

75 - 0F85 JNE Jump if not equal (Z=0)
C 1 P 1 A 1 Z 0 S 1 T 1 D 1 O 1 00000F97

7E - 0F8E JNG Jump if not greater (Z=1 or S<>O)
C 0 P 0 A 0 Z 1 S 0 T 0 D 0 O 0 00000242
C 0 P 0 A 0 Z 0 S 0 T 0 D 0 O 1 00000A02
C 0 P 0 A 0 Z 0 S 1 T 0 D 0 O 0 00000282

7C - 0F8C JNGE Jump if not greater or equal (S<>O)
C 0 P 0 A 0 Z 0 S 0 T 0 D 0 O 1 00000A02
C 0 P 0 A 0 Z 0 S 1 T 0 D 0 O 0 00000282

7D - 0F8D JNL Jump if not less (S=O)
C 0 P 0 A 0 Z 0 S 0 T 0 D 0 O 0 00000202
C 0 P 0 A 0 Z 0 S 1 T 0 D 0 O 1 00000A82

7F - 0F8F JNLE Jump if not less or equal (Z=0 and S=O)
C 0 P 0 A 0 Z 0 S 0 T 0 D 0 O 0 00000202
C 0 P 0 A 0 Z 0 S 1 T 0 D 0 O 1 00000A82

71 - 0F81 JNO Jump if not overflow (O=0)
C 1 P 1 A 1 Z 1 S 1 T 1 D 1 O 0 000007D7

7B - 0F8B JNP Jump if not parity (P=0)
C 1 P 0 A 1 Z 1 S 1 T 1 D 1 O 1 00000FD3

79 - 0F89 JNS Jump if not sign (S=0)
C 1 P 1 A 1 Z 1 S 0 T 1 D 1 O 1 00000F57

75 - 0F85 JNZ Jump if not zero (Z=0)
C 1 P 1 A 1 Z 0 S 1 T 1 D 1 O 1 00000F97

70 - 0F80 JO Jump if overflow (O=1)
C 0 P 0 A 0 Z 0 S 0 T 0 D 0 O 1 00000A02

7A - 0F8A JP Jump if parity (P=1)
C 0 P 1 A 0 Z 0 S 0 T 0 D 0 O 0 00000206

7A - 0F8A JPE Jump if parity even (P=1)
C 0 P 1 A 0 Z 0 S 0 T 0 D 0 O 0 00000206

7B - 0F8B JPO Jump if parity odd (P=0)
C 1 P 0 A 1 Z 1 S 1 T 1 D 1 O 1 00000FD3

78 - 0F88 JS Jump if sign (S=1)
C 0 P 0 A 0 Z 0 S 1 T 0 D 0 O 0 00000282

74 - 0F84 JZ Jump if zero (Z=1)
C 0 P 0 A 0 Z 1 S 0 T 0 D 0 O 0 00000242

EB - E9 JMP Jump

Each jump [table of jumps] is compared with the flags [representing all jumps]:

00000202
00000203
00000206
00000242
00000282
000007D7
00000A02
00000A82
00000F57
00000F96
00000F97
00000FD3
00000FD6

0060353A 8B85 68EEFFFF MOV EAX,DWORD PTR SS:[EBP-1198]
00603540 8B0C85 B8D96200 MOV ECX,DWORD PTR DS:[EAX*4+62D9B8]
00603547 8B95 94EBFFFF MOV EDX,DWORD PTR SS:[EBP-146C]
0060354D 33C0 XOR EAX,EAX
0060354F 8A0411 MOV AL,BYTE PTR DS:[ECX+EDX] ;mov al, jmptype
00603552 8985 78EBFFFF MOV DWORD PTR SS:[EBP-1488],EAX
00603558 8B85 78EBFFFF MOV EAX,DWORD PTR SS:[EBP-1488]
0060355E 99 CDQ
0060355F 83E2 0F AND EDX,0F
00603562 03C2 ADD EAX,EDX
00603564 C1F8 04 SAR EAX,4
00603567 8985 80EBFFFF MOV DWORD PTR SS:[EBP-1480],EAX
0060356D 8B8D 78EBFFFF MOV ECX,DWORD PTR SS:[EBP-1488]
00603573 81E1 0F000080 AND ECX,8000000F
00603579 79 05 JNS SHORT SomeTarget.00603580
0060357B 49 DEC ECX
0060357C 83C9 F0 OR ECX,FFFFFFF0
0060357F 41 INC ECX
00603580 898D 7CEBFFFF MOV DWORD PTR SS:[EBP-1484],ECX
00603586 8B95 80EBFFFF MOV EDX,DWORD PTR SS:[EBP-1480]
0060358C 3B95 7CEBFFFF CMP EDX,DWORD PTR SS:[EBP-1484]
00603592 75 1B JNZ SHORT SomeTarget.006035AF
00603594 8B85 7CEBFFFF MOV EAX,DWORD PTR SS:[EBP-1484]
0060359A 83C0 01 ADD EAX,1
0060359D 25 0F000080 AND EAX,8000000F
006035A2 79 05 JNS SHORT SomeTarget.006035A9
006035A4 48 DEC EAX
006035A5 83C8 F0 OR EAX,FFFFFFF0
006035A8 40 INC EAX
006035A9 8985 7CEBFFFF MOV DWORD PTR SS:[EBP-1484],EAX
006035AF 8B8D 78EBFFFF MOV ECX,DWORD PTR SS:[EBP-1488]
006035B5 8B95 80EBFFFF MOV EDX,DWORD PTR SS:[EBP-1480]
006035BB 8B048D 28CF6200 MOV EAX,DWORD PTR DS:[ECX*4+62CF28]
006035C2 330495 AC726200 XOR EAX,DWORD PTR DS:[EDX*4+6272AC]
006035C9 8B8D 7CEBFFFF MOV ECX,DWORD PTR SS:[EBP-1484]
006035CF 33048D AC726200 XOR EAX,DWORD PTR DS:[ECX*4+6272AC]
006035D6 8985 88EBFFFF MOV DWORD PTR SS:[EBP-1478],EAX
006035DC 8B95 5CECFFFF MOV EDX,DWORD PTR SS:[EBP-13A4] ;mov edx, flags
006035E2 81E2 D70F0000 AND EDX,0FD7
006035E8 52 PUSH EDX
006035E9 8B85 78EBFFFF MOV EAX,DWORD PTR SS:[EBP-1488]
006035EF 0FBE88 90B76200 MOVSX ECX,BYTE PTR DS:[EAX+62B790]
006035F6 FF148D 98B86200 CALL DWORD PTR DS:[ECX*4+62B898]
006035FD 83C4 04 ADD ESP,4
00603600 8985 8CEBFFFF MOV DWORD PTR SS:[EBP-1474],EAX
00603606 8B95 48ECFFFF MOV EDX,DWORD PTR SS:[EBP-13B8]
0060360C 52 PUSH EDX
0060360D 8B85 8CEBFFFF MOV EAX,DWORD PTR SS:[EBP-1474]
00603613 50 PUSH EAX
00603614 FF95 88EBFFFF CALL DWORD PTR SS:[EBP-1478]
0060361A 83C4 08 ADD ESP,8
0060361D 50 PUSH EAX
0060361E 8B8D 78EBFFFF MOV ECX,DWORD PTR SS:[EBP-1488]
00603624 0FBE91 90B76200 MOVSX EDX,BYTE PTR DS:[ECX+62B790]
0060362B FF1495 D8B86200 CALL DWORD PTR DS:[EDX*4+62B8D8] ;algo-check the flags
00603632 83C4 04 ADD ESP,4
00603635 8985 84EBFFFF MOV DWORD PTR SS:[EBP-147C],EAX
0060363B 8B85 84EBFFFF MOV EAX,DWORD PTR SS:[EBP-147C]
00603641 83E0 01 AND EAX,1
00603644 85C0 TEST EAX,EAX ; if eax=1 the jump, JUMP!
00603646 0F84 AE000000 JE SomeTarget.006036FA

0012C2F4 == JmpType
0012C3D8 == Flags
0012BC78 == Is flag active

My english is , before i'll post more info

Hopcode
September 19th, 2004, 13:30
Thanks for pointing out some code.

How do the jmp handlers look nowadays?
I assume they change them regularly.

Do you find the code easy to read? Or kind of obfuscated tests of the flags?
Last time I checked, there were both styles of tests.

Anyway, I have yet to code the first part of the unpacker.
Should be fairly easy to dump at Arma's OEP.

Cheers,

Hopcode

tenketsu
September 19th, 2004, 18:29
At the start [00603552] of the code the registers [eax, ecx, etc.] are saved.

The next step is to loop from start to end [00603552 to 00603646], copying one table containing the jump types [byte] and another containing the jump flags [dword]; the loop compares each jump type with all the flags, and by analyzing the result of each comparison we can know the REAL type of jump. At the start the registers are restored with the data saved before, and then it starts again at 00603552.

In the line
0060354F MOV AL,BYTE PTR DS:[ECX+EDX] ;mov al, jump type
mov al, the first jump type [nano table - 1 byte], ordered from smallest to largest

In the line
006035DC MOV EDX,DWORD PTR SS:[EBP-13A4] ;mov edx, flags
mov edx, the jump flags [table in the other post]

In the line
0060362B CALL DWORD PTR DS:[EDX*4+62B8D8] ;check the jmp type
if the flags are active according to the jump, set 00000001 in 0012BC78

In the line
00603644 TEST EAX,EAX ;if eax=1 the jump, JUMP!

I'll post an example later. Sorry for my lame English.

tenketsu
October 14th, 2004, 12:58
Jump type (byte) [0012C2F0]

Jump Flags (dword) [0012C3D4]

IsFlagActive [0012BC74]

Original registers at EIP==0066220A:

ECX 00DC70B0
EDX 0000000A
EBX 00670A00
ESP 0012BC90
EBP 0012D77C
ESI 00000010
EDI 0012C2E4


Original Code:

006621BD JMP SHORT SomeTarget.006621F2
006621BF ??? ; Unknown command
006621C0 JE SHORT SomeTarget.006621C2
006621C2 JMP SHORT SomeTarget.006621D1
006621C4 MOV EAX,87B90FEB
006621C9 LEAVE
006621CA STC
006621CB XOR AL,90
006621CD STC
006621CE JE SHORT SomeTarget.006621D5
006621D0 JMP SHORT SomeTarget.00662205
006621D2 SAL BYTE PTR DS:[EDX+ESI*8-48],87
006621D7 LEAVE
006621D8 INC EAX
006621D9 DEC EAX
006621DA TEST EAX,EAX
006621DC JNZ SHORT SomeTarget.006621BB
006621DE JMP 92CCBF44
006621E3 XCHG AX,DX
006621E5 MOV EAX,EAX
006621E7 JO SHORT SomeTarget.006621F0
006621E9 JL SHORT SomeTarget.006621EE
006621EB JMP SHORT SomeTarget.006621F2
006621ED CALL FA521D66
006621F2 MOV EAX,DWORD PTR SS:[EBP-119C]
006621F8 MOV ECX,DWORD PTR DS:[EAX*4+68C9C8]
006621FF MOV EDX,DWORD PTR SS:[EBP-1470]
00662205 XOR EAX,EAX
00662207 MOV AL,BYTE PTR DS:[ECX+EDX]
0066220A MOV DWORD PTR SS:[EBP-148C],EAX
00662210 MOV EAX,DWORD PTR SS:[EBP-148C]
00662216 CDQ
00662217 AND EDX,0F
0066221A ADD EAX,EDX
0066221C SAR EAX,4
0066221F MOV DWORD PTR SS:[EBP-1484],EAX
00662225 MOV ECX,DWORD PTR SS:[EBP-148C]
0066222B AND ECX,8000000F
00662231 JNS SHORT SomeTarget.00662238
00662233 DEC ECX
00662234 OR ECX,FFFFFFF0
00662237 INC ECX
00662238 MOV DWORD PTR SS:[EBP-1488],ECX
0066223E MOV EDX,DWORD PTR SS:[EBP-1484]
00662244 CMP EDX,DWORD PTR SS:[EBP-1488]
0066224A JNZ SHORT SomeTarget.00662267
0066224C MOV EAX,DWORD PTR SS:[EBP-1488]
00662252 ADD EAX,1
00662255 AND EAX,8000000F
0066225A JNS SHORT SomeTarget.00662261
0066225C DEC EAX
0066225D OR EAX,FFFFFFF0
00662260 INC EAX
00662261 MOV DWORD PTR SS:[EBP-1488],EAX
00662267 MOV ECX,DWORD PTR SS:[EBP-148C]
0066226D MOV EDX,DWORD PTR SS:[EBP-1484]
00662273 MOV EAX,DWORD PTR DS:[ECX*4+68BF38]
0066227A XOR EAX,DWORD PTR DS:[EDX*4+6862AC]
00662281 MOV ECX,DWORD PTR SS:[EBP-1488]
00662287 XOR EAX,DWORD PTR DS:[ECX*4+6862AC]
0066228E MOV DWORD PTR SS:[EBP-147C],EAX
00662294 MOV EDX,DWORD PTR SS:[EBP-13A8]
0066229A AND EDX,0FD7
006622A0 PUSH EDX
006622A1 MOV EAX,DWORD PTR SS:[EBP-148C]
006622A7 MOVSX ECX,BYTE PTR DS:[EAX+68A7A0]
006622AE CALL DWORD PTR DS:[ECX*4+68A8A8]
006622B5 ADD ESP,4
006622B8 MOV DWORD PTR SS:[EBP-1478],EAX
006622BE MOV EDX,DWORD PTR SS:[EBP-13BC]
006622C4 PUSH EDX
006622C5 MOV EAX,DWORD PTR SS:[EBP-1478]
006622CB PUSH EAX
006622CC CALL DWORD PTR SS:[EBP-147C]
006622D2 ADD ESP,8
006622D5 PUSH EAX
006622D6 MOV ECX,DWORD PTR SS:[EBP-148C]
006622DC MOVSX EDX,BYTE PTR DS:[ECX+68A7A0]
006622E3 CALL DWORD PTR DS:[EDX*4+68A8E8]
006622EA ADD ESP,4
006622ED MOV DWORD PTR SS:[EBP-1480],EAX
006622F3 MOV EAX,DWORD PTR SS:[EBP-1480]
006622F9 AND EAX,1
006622FC TEST EAX,EAX
006622FE JE SomeTarget.006623B2
00662304 PUSHAD
00662305 XOR EAX,EAX
00662307 JNZ SHORT SomeTarget.0066230B
00662309 JMP SHORT SomeTarget.00662320
0066230B JMP SHORT SomeTarget.00662340
0066230D SAL BYTE PTR SS:[EBP+18],7A
00662311 OR AL,70
00662313 PUSH CS
00662314 JMP SHORT SomeTarget.00662323
00662316 CALL F1DF318D
0066231B CALL DWORD PTR DS:[74097900]
00662321 LOCK JMP SHORT SomeTarget.006622AB
00662324 FSTP TBYTE PTR DS:[EDX-10]
00662327 MOV AL,BYTE PTR DS:[8D8B6133]
0066232C OUT DX,AL ; I/O command
0066232E ??? ; Unknown command
00662330 MOV ECX,DWORD PTR DS:[ECX*4+68C8E8]
00662337 MOV EAX,DWORD PTR SS:[EBP-1470]



Modified code:

006621BD NOP
006621BE NOP
006621BF MOV ECX,DWORD PTR DS:[60C058] ; Counter for NanoTypes (initial == 0)
006621C5 XOR EAX,EAX
006621C7 MOV AL,BYTE PTR DS:[ECX+60C000] ; Mov the nanotype
006621CD NOP
006621CE MOV ECX,DWORD PTR DS:[60C05C] ; Counter for JumpFlags
006621D4 MOV EDX,DWORD PTR DS:[ECX*4+60C060]
006621DB MOV DWORD PTR DS:[12C3D4],EDX
006621E1 NOP
006621E2 MOV ECX,0DC70B0 ;Restore Register
006621E7 MOV EDX,0A ;Restore Register
006621EC MOV EBX,SomeTarget.00670A00 ;Restore Register
006621F1 MOV ESP,12BC90 ;Restore Register
006621F6 MOV EBP,12D77C ;Restore Register
006621FB MOV ESI,10 ;Restore Register
00662200 MOV EDI,12C2E4 ;Restore Register
00662205 NOP
00662206 NOP
00662207 NOP
00662208 NOP
00662209 NOP
0066220A MOV DWORD PTR SS:[EBP-148C],EAX ; mov NanoType
00662210 MOV EAX,DWORD PTR SS:[EBP-148C]
00662216 CDQ
00662217 AND EDX,0F
0066221A ADD EAX,EDX
0066221C SAR EAX,4
0066221F MOV DWORD PTR SS:[EBP-1484],EAX
00662225 MOV ECX,DWORD PTR SS:[EBP-148C]
0066222B AND ECX,8000000F
00662231 JNS SHORT SomeTarget.00662238
00662233 DEC ECX
00662234 OR ECX,FFFFFFF0
00662237 INC ECX
00662238 MOV DWORD PTR SS:[EBP-1488],ECX
0066223E MOV EDX,DWORD PTR SS:[EBP-1484]
00662244 CMP EDX,DWORD PTR SS:[EBP-1488]
0066224A JNZ SHORT SomeTarget.00662267
0066224C MOV EAX,DWORD PTR SS:[EBP-1488]
00662252 ADD EAX,1
00662255 AND EAX,8000000F
0066225A JNS SHORT SomeTarget.00662261
0066225C DEC EAX
0066225D OR EAX,FFFFFFF0
00662260 INC EAX
00662261 MOV DWORD PTR SS:[EBP-1488],EAX
00662267 MOV ECX,DWORD PTR SS:[EBP-148C]
0066226D MOV EDX,DWORD PTR SS:[EBP-1484]
00662273 MOV EAX,DWORD PTR DS:[ECX*4+68BF38]
0066227A XOR EAX,DWORD PTR DS:[EDX*4+6862AC]
00662281 MOV ECX,DWORD PTR SS:[EBP-1488]
00662287 XOR EAX,DWORD PTR DS:[ECX*4+6862AC]
0066228E MOV DWORD PTR SS:[EBP-147C],EAX
00662294 MOV EDX,DWORD PTR SS:[EBP-13A8] ; mov edx, JumpFlags
0066229A AND EDX,0FD7
006622A0 PUSH EDX
006622A1 MOV EAX,DWORD PTR SS:[EBP-148C]
006622A7 MOVSX ECX,BYTE PTR DS:[EAX+68A7A0]
006622AE CALL DWORD PTR DS:[ECX*4+68A8A8]
006622B5 ADD ESP,4
006622B8 MOV DWORD PTR SS:[EBP-1478],EAX
006622BE MOV EDX,DWORD PTR SS:[EBP-13BC]
006622C4 PUSH EDX
006622C5 MOV EAX,DWORD PTR SS:[EBP-1478]
006622CB PUSH EAX
006622CC CALL DWORD PTR SS:[EBP-147C] ; Check IsFlagActive
006622D2 ADD ESP,8
006622D5 PUSH EAX
006622D6 MOV ECX,DWORD PTR SS:[EBP-148C]
006622DC MOVSX EDX,BYTE PTR DS:[ECX+68A7A0]
006622E3 CALL DWORD PTR DS:[EDX*4+68A8E8]
006622EA ADD ESP,4
006622ED MOV DWORD PTR SS:[EBP-1480],EAX
006622F3 MOV EAX,DWORD PTR SS:[EBP-1480]
006622F9 AND EAX,1
006622FC TEST EAX,EAX ; if eax==1 the jump, JUMP
006622FE NOP
006622FF MOV ECX,DWORD PTR DS:[60C05C] ; counter to JumpFlags
00662305 INC ECX ; ecx = ecx + 1
00662306 MOV DWORD PTR DS:[60C05C],ECX
0066230C CMP ECX,0D ; Number of JumpFlags
0066230F JNZ SomeTarget.006621BF
00662315 NOP
00662316 MOV DWORD PTR DS:[60C05C],0 ; Reset Counter JumpFlags
00662320 MOV ECX,DWORD PTR DS:[60C058] ; Counter NanoTypes
00662326 INC ECX ; ecx = ecx + 1
00662327 MOV DWORD PTR DS:[60C058],ECX
0066232D CMP ECX,55 ; number Of NanoTypes
00662330 JNZ SomeTarget.006621BF ; Init all Loop
00662336 NOP
00662337 NOP
00662338 NOP
00662339 NOP
0066233A NOP
0066233B NOP
0066233C NOP

Setting a BP log:

0066220A - log eax
0066229A - log edx
006622D2 - log [0012BC74]
006622FC - log eax

the result is:

0066220A COND: 00000000 ; nanotype
0066229A COND: 00000202 ; JumpFlags
006622D2 COND: 00000000 ; IsFlagActive
006622FC COND: 00000000 ; The jump, JUMP?

0066220A COND: 00000000 ; nanotype
0066229A COND: 00000203 ; JumpFlags
006622D2 COND: 00000000 ; IsFlagActive
006622FC COND: 00000000 ; The jump, JUMP?

0066220A COND: 00000000
0066229A COND: 00000206
006622D2 COND: 00000000
006622FC COND: 00000000
0066220A COND: 00000000
0066229A COND: 00000242
006622D2 COND: 00000001
006622FC COND: 00000001
0066220A COND: 00000000
0066229A COND: 00000282
006622D2 COND: 00000000
006622FC COND: 00000000
0066220A COND: 00000000
0066229A COND: 000007D7
006622D2 COND: 00000001
006622FC COND: 00000001
0066220A COND: 00000000
0066229A COND: 00000A02
006622D2 COND: 00000000
006622FC COND: 00000000
0066220A COND: 00000000
0066229A COND: 00000A82
006622D2 COND: 00000000
006622FC COND: 00000000
0066220A COND: 00000000
0066229A COND: 00000F57
006622D2 COND: 00000001
006622FC COND: 00000001
0066220A COND: 00000000
0066229A COND: 00000F96
006622D2 COND: 00000000
006622FC COND: 00000000
0066220A COND: 00000000
0066229A COND: 00000F97
006622D2 COND: 00000000
006622FC COND: 00000000
0066220A COND: 00000000
0066229A COND: 00000FD3
006622D2 COND: 00000001
006622FC COND: 00000001
0066220A COND: 00000000
0066229A COND: 00000FD6
006622D2 COND: 00000001
006622FC COND: 00000001
0066220A COND: 00000002
0066229A COND: 00000202
006622D2 COND: 00000001
006622FC COND: 00000001
0066220A COND: 00000002
0066229A COND: 00000203
006622D2 COND: 00000001
006622FC COND: 00000001
0066220A COND: 00000002
0066229A COND: 00000206
006622D2 COND: 00000001
006622FC COND: 00000001
0066220A COND: 00000002
0066229A COND: 00000242
006622D2 COND: 00000001
006622FC COND: 00000001
0066220A COND: 00000002
0066229A COND: 00000282
006622D2 COND: 00000001
006622FC COND: 00000001
0066220A COND: 00000002
0066229A COND: 000007D7
006622D2 COND: 00000001
006622FC COND: 00000001
0066220A COND: 00000002
0066229A COND: 00000A02
006622D2 COND: 00000000
006622FC COND: 00000000
0066220A COND: 00000002
0066229A COND: 00000A82
006622D2 COND: 00000000
006622FC COND: 00000000
0066220A COND: 00000002
0066229A COND: 00000F57
006622D2 COND: 00000000
006622FC COND: 00000000
0066220A COND: 00000002
0066229A COND: 00000F96
006622D2 COND: 00000000
006622FC COND: 00000000
0066220A COND: 00000002
0066229A COND: 00000F97
006622D2 COND: 00000000
006622FC COND: 00000000
0066220A COND: 00000002
0066229A COND: 00000FD3
006622D2 COND: 00000000
006622FC COND: 00000000
0066220A COND: 00000002
0066229A COND: 00000FD6
006622D2 COND: 00000000
006622FC COND: 00000000

etc.

Parsing it with a program I made, in my target the result is:

Nanotype = Jump Type (flag condition) == JumpType for JCDN [N.Rec]

Flag Flag Flag Flag Flag Flag Flag Flag FlagsDWORD IsActive Jump?


00 = 74 - 0F84 JZ Jump if equal (Z=1) == 0A

C 0 P 0 A 0 Z 1 S 0 T 0 D 0 O 0 00000242 00000001 00000001
C 1 P 1 A 1 Z 1 S 1 T 1 D 1 O 0 000007D7 00000001 00000001
C 1 P 1 A 1 Z 1 S 0 T 1 D 1 O 1 00000F57 00000001 00000001
C 1 P 0 A 1 Z 1 S 1 T 1 D 1 O 1 00000FD3 00000001 00000001
C 0 P 1 A 1 Z 1 S 1 T 1 D 1 O 1 00000FD6 00000001 00000001

C 0 P 0 A 0 Z 0 S 0 T 0 D 0 O 0 00000202 00000000 00000000
C 1 P 0 A 0 Z 0 S 0 T 0 D 0 O 0 00000203 00000000 00000000
C 0 P 1 A 0 Z 0 S 0 T 0 D 0 O 0 00000206 00000000 00000000
C 0 P 0 A 0 Z 0 S 1 T 0 D 0 O 0 00000282 00000000 00000000
C 0 P 0 A 0 Z 0 S 0 T 0 D 0 O 1 00000A02 00000000 00000000
C 0 P 0 A 0 Z 0 S 1 T 0 D 0 O 1 00000A82 00000000 00000000
C 0 P 1 A 1 Z 0 S 1 T 1 D 1 O 1 00000F96 00000000 00000000
C 1 P 1 A 1 Z 0 S 1 T 1 D 1 O 1 00000F97 00000000 00000000


02 = 71 - 0F81 JNO Jump if not overflow (O=0) == 02

C 0 P 0 A 0 Z 0 S 0 T 0 D 0 O 0 00000202 00000001 00000001
C 1 P 0 A 0 Z 0 S 0 T 0 D 0 O 0 00000203 00000001 00000001
C 0 P 1 A 0 Z 0 S 0 T 0 D 0 O 0 00000206 00000001 00000001
C 0 P 0 A 0 Z 1 S 0 T 0 D 0 O 0 00000242 00000001 00000001
C 0 P 0 A 0 Z 0 S 1 T 0 D 0 O 0 00000282 00000001 00000001
C 1 P 1 A 1 Z 1 S 1 T 1 D 1 O 0 000007D7 00000001 00000001

C 0 P 0 A 0 Z 0 S 0 T 0 D 0 O 1 00000A02 00000000 00000000
C 0 P 0 A 0 Z 0 S 1 T 0 D 0 O 1 00000A82 00000000 00000000
C 1 P 1 A 1 Z 1 S 0 T 1 D 1 O 1 00000F57 00000000 00000000
C 0 P 1 A 1 Z 0 S 1 T 1 D 1 O 1 00000F96 00000000 00000000
C 1 P 1 A 1 Z 0 S 1 T 1 D 1 O 1 00000F97 00000000 00000000
C 1 P 0 A 1 Z 1 S 1 T 1 D 1 O 1 00000FD3 00000000 00000000
C 0 P 1 A 1 Z 1 S 1 T 1 D 1 O 1 00000FD6 00000000 00000000

And all the nanotypes are mapped back to a real JUMP type.

See you soon
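
Added example, written for this page; it is not tenketsu's program and nothing in it comes from Armadillo. It models what the flag table and the BP log above let you compute: it evaluates every x86 condition code against the same 13 EFLAGS values the handler was fed, turns the taken/not-taken column into a signature, checks that those 13 values are enough to tell all 16 Jcc conditions apart, and maps a logged IsFlagActive column (the two nanotypes shown above) back to the jump, plus the opcode bytes an unpacker would write for it. The condition-code numbering is the standard Intel one (low nibble of 7x / 0F 8x). How Armadillo stores the jump target is not covered by the posts and is not modelled: the displacement is a parameter.

```python
import struct

# EFLAGS bit positions consulted by the Jcc family
CF, PF, ZF, SF, OF = 0, 2, 6, 7, 11

def _f(eflags, bit):
    return (eflags >> bit) & 1

# Condition code = low nibble of the opcode (70+cc rel8, 0F 80+cc rel32).
# Aliases share an opcode, so the unpacker neither can nor needs to tell JE from JZ.
CONDITIONS = {
    0x0: ('JO',          lambda f: _f(f, OF)),
    0x1: ('JNO',         lambda f: not _f(f, OF)),
    0x2: ('JB/JC/JNAE',  lambda f: _f(f, CF)),
    0x3: ('JAE/JNB/JNC', lambda f: not _f(f, CF)),
    0x4: ('JE/JZ',       lambda f: _f(f, ZF)),
    0x5: ('JNE/JNZ',     lambda f: not _f(f, ZF)),
    0x6: ('JBE/JNA',     lambda f: _f(f, CF) or _f(f, ZF)),
    0x7: ('JA/JNBE',     lambda f: not (_f(f, CF) or _f(f, ZF))),
    0x8: ('JS',          lambda f: _f(f, SF)),
    0x9: ('JNS',         lambda f: not _f(f, SF)),
    0xA: ('JP/JPE',      lambda f: _f(f, PF)),
    0xB: ('JNP/JPO',     lambda f: not _f(f, PF)),
    0xC: ('JL/JNGE',     lambda f: _f(f, SF) != _f(f, OF)),
    0xD: ('JGE/JNL',     lambda f: _f(f, SF) == _f(f, OF)),
    0xE: ('JLE/JNG',     lambda f: _f(f, ZF) or _f(f, SF) != _f(f, OF)),
    0xF: ('JG/JNLE',     lambda f: not _f(f, ZF) and _f(f, SF) == _f(f, OF)),
}

# The 13 EFLAGS values the handler was fed, in the order they appear in the log above.
PROBE_FLAGS = (0x202, 0x203, 0x206, 0x242, 0x282, 0x7D7, 0xA02, 0xA82,
               0xF57, 0xF96, 0xF97, 0xFD3, 0xFD6)

def signature(cc, probes=PROBE_FLAGS):
    """Taken(1)/not-taken(0) pattern of condition cc over the probe flag values."""
    pred = CONDITIONS[cc][1]
    return tuple(int(bool(pred(f))) for f in probes)

def probes_are_sufficient(probes=PROBE_FLAGS):
    """True when every one of the 16 conditions produces a distinct pattern."""
    return len({signature(cc, probes) for cc in CONDITIONS}) == len(CONDITIONS)

SIGNATURES = {signature(cc): cc for cc in CONDITIONS}

def identify(is_active):
    """Map a logged IsFlagActive column (PROBE_FLAGS order) to (cc, mnemonic).
    All ones means an unconditional JMP; all zeros is not a flag-driven branch at all."""
    key = tuple(int(bool(v)) for v in is_active)
    if len(key) != len(PROBE_FLAGS):
        raise ValueError('expected one result per probe value')
    if all(key):
        return None, 'JMP'
    if not any(key):
        return None, None
    cc = SIGNATURES.get(key)
    if cc is None:
        raise ValueError('pattern matches no Jcc: probe order wrong or handler not standard')
    return cc, CONDITIONS[cc][0]

def encode_jcc(cc, rel):
    """Opcode bytes to write back once the condition is known; rel is the signed
    displacement from the end of the instruction (where the target comes from is
    the protector's business and is not modelled here). cc=None encodes JMP."""
    short = -128 <= rel <= 127
    if cc is None:
        return (b'\xEB' + struct.pack('<b', rel)) if short else (b'\xE9' + struct.pack('<i', rel))
    if short:
        return bytes([0x70 | cc]) + struct.pack('<b', rel)
    return bytes([0x0F, 0x80 | cc]) + struct.pack('<i', rel)

# IsFlagActive columns for nanotypes 00 and 02, transcribed from the log in the post above.
LOGGED = {
    0x00: (0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 1, 1),
    0x02: (1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0),
}

if __name__ == '__main__':
    print('13 probes distinguish all 16 conditions:', probes_are_sufficient())
    for nano, column in LOGGED.items():
        cc, mnemonic = identify(column)
        print('nanotype %02X -> %s, short form %s' % (nano, mnemonic, encode_jcc(cc, 0x10).hex()))
```

Two things worth taking from this. First, the 13 flag values are not arbitrary: probes_are_sufficient() confirms they separate all 16 conditions, and the same function shows that a smaller set (say only 0x202, 0x203 and 0x242) leaves JO and JS indistinguishable, so an unpacker that only logs a subset of the loop will mislabel nanomites. Second, the signature is computed from the condition semantics, not from Armadillo's handlers, so it keeps working when the handlers are rewritten as long as they still implement the real Jcc condition.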

dELTA
October 14th, 2004, 17:31
Thanks for keeping us updated on packer internals tenketsu. Please just don't identify the target of any explicit code you post, it might get us in trouble (I removed the identifying info in your post).

tenketsu
October 14th, 2004, 18:59
I'm sorry. I copied it directly from my notes, and I did not become aware of the TARGET.ADDR

I will publish a tutorial in some days on how to defeat ALL the tricks and Armadillo's protections.

dELTA
October 14th, 2004, 21:24
Cool, we're looking forward to seeing it.

JMI
October 15th, 2004, 02:34
Of course once your tut is published, they will change some of "the tricks."

Regards,

whyIII
October 19th, 2004, 01:25
has the tut been published??

JMI
October 19th, 2004, 02:08
Now don't you think that if it had been published, there would be some mention of it here? Or did you just want to see your nick on a post?

Regards,

Rackmount
October 22nd, 2004, 12:45
dELTA: You might want to look at tenketsu's post "This code is 2 or 3 weeks ago [my mid too..]" again. Could be that "SomeTarget" references still exist...

dELTA
October 22nd, 2004, 18:04
Ok, thanks, fixed.

zaratustra
October 27th, 2004, 01:36
hi, could someone better explain the code posted by tenketsu? i can't understand it very much and i've a target that is very similar....
please help!!!
thank you

ZaiRoN
October 27th, 2004, 04:19
> i can't understand it very much
What, all the code??? Or something in particular?

zaratustra
October 27th, 2004, 07:10
hi Zairon
i'm interested "only" in the method of how to solve this kind of nanomites: where i have to look for the phantom tables and where i have to patch.
could you help me?

Spec0p
November 23rd, 2004, 20:23
Hello there,
also i decided to enter the project, 1st because i never coded anything at such a "high" level as an unpacker, and second because i am also an arma lover.
I started last week when i saw this post, and my approach has been to unpack it as if i would unpack it manually. So my unpacker will be some kind of a debugger that allows me to do everything as if i would do it manually. So i have been packing some small exe's that i coded, and studying them; fortunately i have been greatly helped by a friend that is "hyper" advanced at arma, and has been giving me some lights.
I started with the easiest protection of them all, the standard+debugblocker, as it's my plan to work on one protection option at a time. Currently my unpacker seems to be able to dump standard+debugblocker only with the help of imprec.
I started today to study the cm2 option; since i had unpacked many targets using that option before, i know +/- how it works, so i started to code, in a way that the unpacker would do the same things i would if doing it manually. At the end of the day, well, everything looked ok, i successfully dumped a complete exe process to disk. I have to admit i was happy, hehe, but not for long: when analysing the dump i could see that all the pages had been decrypted, but still the code appears to be encrypted. i checked, and checked, step by step, everything seems to be ok, and when i say step by step i really mean line by line, i don't understand why it doesn't decrypt correctly. While trying to find what was going wrong i stepped into the decryption routine; it xors the code first with a constant byte, 59 in my case, and then with a dword key that changes for every page he writes. i didn't go into detail on this dword key because it looks like it was being calculated from a very long table. I even thought that it could be the detection of some of my injected code, but then i thought about it, and i just do what i do manually, and when i do it manually, well, everything runs like it should. i tried everything i could remember; in the middle i even found a way to fix all the pages without restarting the process, but the bad decryption continues. it's 1:18am now, i coded the algo in some 3 hours and have been trying to fix it for some 6h... and i would gladly spend more time if i knew there were more options, but i think i tried them all, it's just so fuc... weird, i don't set any breakpoints, i don't patch anything that i wouldn't patch when doing it manually, everything equal, and still it decrypts correctly manually, and not when u use the unpacker.
So i hope someone out there can give me some light on why this is happening, especially u Crusader, because it seems u overcame all those things, even if u used a different approach than me, which i sincerely believe u did; i still hope u can give me some explanation on this matter.

thx,
Spec0p

P.S. Btw i was dumping using my own function, but just to add that i also thought it could be some problem in it, and then i used LordPE several times, but everything stays the same...

crUsAdEr
November 27th, 2004, 16:51
hi SpecOp,

Great to have u onboard... sorry for the late reply, was away on Thanksgiving holiday

If u could provide a bit more info on where you dump, what is encrypted what is not (whole exe or just .code section) then perhaps i could guess what went wrong...

I suppose you can try comparing the output of manual unpacking with your unpacker output to see where things go wrong...

Spec0p
November 27th, 2004, 19:39
Hi there crUsAdEr,
thx 4 replying, and yes i noticed the late reply, but that's not a problem, hope u had some nice holidays.
I was dumping at the same place that i think everyone dumps when doing it manually: after the jmp that checks if the maximum pages has been reached, inside the decrypt/encrypt loop.
Quote:
what is encrypted what is not (whole exe or just .code section) then perhaps i could guess what went wrong...

Well, the whole exe was decrypting badly.
Quote:
I suppose you can try comparing the output of manual unpacking with your unpacker output to see where things go wrong...

Since the whole exe was badly decrypted they were different from the beginning, and to make things worse, every time i did a dump all bytes were different. But no problem, i really have to thank Chad, because that way he forced me to explore how cm2 works. i analyzed, analyzed and analyzed again, during 3 days (on a 5 day week holiday) i studied and finally understood how cm2 works, how keys are hashed, how they are used, even how the protector knows if it's a cm2 protected app. eventually i found the problem: the dump could never be good, because arma was creating dummy keys to decrypt it. yes, he was detecting my unpacker, and instead of saying it, like with that beautiful textbox saying that a debugger was detected on the system blablabla, he just silently hashed bad keys and did everything like normal, so i was looking for errors in my unpacker... So i have now stepped over that problem.
And how is going everyone outhere who started also the project, any news??

crUsAdEr
November 27th, 2004, 22:52
great to hear that

keep up the good work... the fun has only just begun

Nico
November 28th, 2004, 11:42
Are you guys having fun ? :-)

nikolatesla20
November 28th, 2004, 13:10
Yep, hehe we always like to have fun

-nt20

crUsAdEr
November 28th, 2004, 17:48
Quote:
[Originally Posted by Nico]Are you guys having fun ? :-)


Lol, nice to see silicon realms watching the board so closely... it is funny though...

seriously? Nope... i haven't had fun with armadillo for ages... why? cos nothing has changed with armadillo for the last 6 months or so... only the Version number of course ...

zaratustra
November 29th, 2004, 02:26
ah ah ah
yes now arma is very fun
and solving nanos too :-P

JMI
November 29th, 2004, 12:08
Wait a minute. You guys aren't supposed to be having fun, just hard work and making life easier for those of us who do not have the time to have fun either.

Regards,

NimDa2k3
December 1st, 2004, 02:09
i need an Armadillo Unpacker 3.36

JMI
December 1st, 2004, 03:56
Please feel free to make one for yourself and then distribute for others to enjoy.

Regards,

%UNDEFINED%
December 2nd, 2004, 20:04
Quote:
[Originally Posted by NimDa2k3]i need an Armadillo Unpacker 3.36

And what would that teach you?

Nothing.

I guess you missed the point of this thread, if you even read it. This thread exists to learn about and to understand Armadillo.

And then if possible to engineer a program to automate the unpacking process, while learning how, why, where, when!

I don't believe that there was even mention of releasing to the public any pre-compiled lamer machine.

Where is the bus when you need it?

Nico
December 4th, 2004, 18:33
Quote:
[Originally Posted by NimDa2k3]i need an Armadillo Unpacker 3.36


Contact me ;-)

Edit: I actually got contacted by another board member ) Fun

Woodmann
December 4th, 2004, 20:01
Did someone call for the bus ???

Nico
December 4th, 2004, 20:04
h**p://www.barp.ca/bus/coach/coach-l/lamer680.jpg

Protection authors too can have humor ;-)

%UNDEFINED%
December 5th, 2004, 12:47
Nice photo, I think I saw a friend of mine in the window...

Anywho, is there anything new on this topic?

My MASM project needs to go into the recycle bin... I haven't made any progress... Damn COPYMEM keeps me at bay again... but it's enough to piss me off to try, and try again

Peace

Spec0p
January 3rd, 2005, 08:49
Hi there arma lovers,
i now also have something that looks like an unpacker for armadillo. it's not MASM or TASM or anything xASM coded, i have some snippets of inline ASM but nothing special..., it's C++ but well, it works anyway, it has been very, very fun (yeah Nico lots of FUN) coding it. So fun that now that i finished it, well i don't know what to do with my life, ill prolly suicide myself. If my experience on it can help someone, ill gladly share it, since it was based on experience that others shared that i managed to do it... Keep going guys, that's the spirit

Nico
January 3rd, 2005, 08:52
Before you decide to kill yourself ;-) you can email it to me, and i will make sure to call Emergency in return ;-)

I am glad you had fun

Cheers,

Nico Asleep

dELTA
January 3rd, 2005, 09:29
Quote:
So fun that now that i finished it, well i don't know what to do with my life, ill prolly suicide myself
How about using that quote Nico? "Armadillo - any unpacking attempt may be fatal"

Sounds like nice work anyway SpecOp.

Nico
January 3rd, 2005, 10:03
Like this dELTA ? ;-)

dELTA
January 3rd, 2005, 10:18

JMI
January 3rd, 2005, 13:24
Or perhaps:

"Armadillo - not attempting to unpack may be fatal".

Regards,

Spec0p
January 4th, 2005, 04:13
Quote:
[Originally Posted by %UNDEFINED%]I haven't made any progress...Damn COPYMEM keeps me at bay again...but its enough to piss me off to try, and try again


Any progress? Need help?

dELTA
July 31st, 2006, 17:10
Hehe, for reference...

http://www.woodmann.com/forum/showthread.php?t=9307

Nico
July 31st, 2006, 17:29
omg )

SiGiNT
August 1st, 2006, 01:00
Delta,

You forgot DilloDIE - up to version 1.6 - still doing an admirable, (Admiral?), job.

SiGiNT

dELTA
August 1st, 2006, 02:50
I didn't forget anything. I just thought it was nice to link to this new tool, which was a result of this > 1 year old thread/challenge, that's all.

SiGiNT
August 1st, 2006, 09:12
And an excellent tool at that. I haven't had as much time to play with it as with DilloDIE, but the couple of times I've tried it the results were comparable. Seems I'm running into a lot more aspr than arma targets lately - probably coincidence; been running into a lot of off the wall stuff also - UltraProtect (with Perplex!), and a couple others that even I don't need a tool for.

SiGiNT

Spec0p
August 3rd, 2006, 07:30
Code:
01-04-2005, 09:08 AM

Re: Bored?
Quote:
Originally Posted by Nico
If you are bored, you can start to share it with me :-)

Does it support Nanomites and Imports ?

I will soon start to modify Armadillo (been more than 6 months since i did modify it).

Nico

Yes it does support Nanomites and Import Elimination, and yes i noticed that u didn't change arma because it's able to unpack the last release v4.x.
I haven't worked on nanos since a long time ago; i noticed the new encrypted stuff, pretty nice, but it makes apps a little slow, especially those that use recursive functions, u should review that.
About sharing with you, first i want to add some new things, like detecting the version/target compiler (since things run a little different, especially when delphi) and automatic options detection (actually u have to select the options used on the target like copymem, nanos, etc.): 1st because in case of a leak from myself, medium knowledge about arma will be required, that way no danger of some script kiddie using it (yeah, it may not look like it, but i care about u guys, i don't have any intention of destroying ur business, everybody has to live), #2 i didn't have the time because i don't really care about that, but it's just a matter of xor'ing some keys and getting the options.
After that i don't see any reason not to share it with u

Spec0p


Message by Nico 1 year ago, it's here for posterity
Remember, Nico?
Shame it's no use for you now

maestro
August 25th, 2006, 06:44
@SpecOp

I tried ArmaGui 1.5 on a target which is packed with Armadillo 2.01
(PEID says Armadillo 2.01 -> Silicon Realms Toolworks [Overlay])

When you then try to load it into ArmaGui, this comes up with the following info:

[11:22:23]: INFO - Starting father process...
[11:22:23]: INFO - Entry point bytes: 0x55, 0x8B
[11:22:24]: INFO - Searching for ghost process's...
[11:22:46]: ERROR - Unable to terminate process
[11:22:46]: INFO - Fixing IAT...
[11:22:46]: ERROR - Unable to get a handle to the main process...
[11:22:46]: ERROR - Unable to get a handle to the main process...
[11:22:46]: INFO - IAT Elimination is used!
[11:22:46]: ERROR - Unable to find the end of the IAT routine...
[11:22:46]: ERROR - Unable to fix IAT...
[11:22:46]: ERROR - Failed to fix IAT...
[11:22:46]: ERROR - Failed to unpack...


a TMP0 file is created, however not very useful at this point


any clue?

thx

Spec0p
August 25th, 2006, 18:13
Hi, ArmaGUI only supports armadillo versions above V3; unless PEiD is mistaken, it will not support your target.
The current version of ArmaGUI is 1.5.3 and not 1.5.

[11:22:24]: INFO - Searching for ghost process's...
[11:22:46]: ERROR - Unable to terminate process

This means that my tool is unable to close already running process(es) of your target; make sure it isn't loaded in memory by any other tool, like OllyDbg...

Cheers,

maestro
August 26th, 2006, 12:24
Hi SpecOp,

Well, that's not the case (or it's hidden, although I can see it in the windows taskmanager when I run the application).
I also checked if it was running when trying to unpack it with ArmaGui, and only the process of ArmaGui with this target is running.
(Tried ArmaGui on another Cr@ackme target and it worked for that.)

Found a different application, same problem, other version of Armadillo used.

Got the same problem now with Arma 2.01 and 3.76.

Managed to get a dump of the 3.76 with other tools, only that's too corrupted to repair.

Looks like I have to do it all manually for every new release of the target

Spec0p
August 27th, 2006, 04:20
PM the target's name, and i will check what is going on when i have the time.

Cheers,

Spec0p
August 27th, 2006, 12:08
I updated the tool and it should now support the target u PM'd me.
It was failing indeed, but only while trying to find the OEP. I was unable to get the error u posted above, where the tool says that it's unable to close the process, so something else isn't right on your machine. Make sure you don't have the target exe running in any debugger, or opened in any app that has an exclusive handle on it.
And btw, you should use the ArmaGUI thread to post this kind of situation.

Cheers,

maestro
August 27th, 2006, 12:58
@SpecOp

Thx, works. Also the errors disappeared on both versions :-)

Thanks again (and sorry it's in the wrong thread, I'll use that next time)