
View Full Version : ACI 2005 (C) [Armadillo Code Injection]


tenketsu
April 13th, 2005, 01:03
Armadillo, compendio de - Tomo I
How to unpack & inject code to armadillo & how to defeat the armadillo expiration system

Armadillo, compendio de - Tomo II
How to unpack & inject code to armadillo with Nanomites, no CopyMemII

Armadillo, compendio de - Tomo III
How to unpack & inject code to armadillo with Nanomites + CopyMemII

Armadillo, compendio de - Tomo IV
How to unpack & inject code to armadillo with CopyMemII + CodeSplicing + IATScrambler

Download
http://www.geocities.com/tlatoanimt002/ArmadilloTomoI.zip
http://www.geocities.com/tlatoanimt002/ArmadilloTomoII.zip
http://www.geocities.com/tlatoanimt002/ArmadilloTomoIII.zip
http://www.geocities.com/tlatoanimt002/ArmadilloTomoIV.zip

Mirror
http://softcomx.spymac.net

Spanish only, sorry =(

Wait for V & VI

Tomo V: 19 - V - 2005

NeO
April 15th, 2005, 00:08
I would rather wait until someone translates this to English. I wouldn't like to learn Spanish now just so I'd be able to read it ...


By the way, good work anyway; the tut looks very good, as did your previous 2..
Keep up the good work



Bye

fly
April 15th, 2005, 03:43
good work

Snowski
April 16th, 2005, 17:25
I do speak very little Spanish...will try to rewrite the tut and post it somewhere.

Thanks, this might help.

JohnWho
April 19th, 2005, 10:11
Thanks for the tut tenketsu!

I have successfully inline patched older versions of Armadillo, but the target I'm working on now is using version 3.78, which uses sh!t loads of self-modifying code shortly after the EP, so the VirtualAlloc CALLs aren't hardcoded!

Is there any easy way to get the bytes after the VirtualAlloc patches? I'm not asking for the solution, rather some hints.

The way I'm proceeding now is gonna take like forever, as I have to patch an address shortly after the EP to jump to my cave, which will patch the next present address etc. etc., and there are extremely many patches that have to be made!

JW.

Snowski
April 19th, 2005, 10:31
I know there are a few people who have successfully unpacked Arma 3.78 with the Olly script..have you tried that?

_http://ollyscript.apsvans.com/showScript.php?id=75

Also, if you ID'ed your target with PEiD, and it says version 3.78, it could also be version 4.XX...as is the case in a target that I am trying to unpack at the moment.

Hope that helps ya..!

JohnWho
April 19th, 2005, 10:38
Thanks for the reply bro

I know this is the packing/unpacking forum, but I sneaked in my post as it was regarding tenketsu's tut!

The thing is that I'm not really into unpacking stuff, I like to patch.

P.S. Could you PM me a link to the app you're working on? I would like to check it out!

tenketsu
April 19th, 2005, 22:26
Quote:
[Originally Posted by JohnWho]
I have successfully inline patched older versions of Armadillo, but the target I'm working on now is using version 3.78, which uses sh!t loads of self-modifying code shortly after the EP, so the VirtualAlloc CALLs aren't hardcoded!
JW.


The only self-modifying code [at the EP] that I have seen is this:

The EP is in .adata; this code *decrypts* the code of the .text section [static way]. You can copy the *decrypted* code of .text and change the EP.


This case is discussed in Tomo III

JohnWho
April 20th, 2005, 09:36
Thanks for your input, it's really appreciated

Snowski
April 20th, 2005, 10:18
Quote:
[Originally Posted by tenketsu]The only self-modifying code [at the EP] that I have seen is this:

The EP is in .adata; this code *decrypts* the code of the .text section [static way]. You can copy the *decrypted* code of .text and change the EP.


This case is discussed in Tomo III


Tomo III...? Great...where can I find it?

tenketsu
April 20th, 2005, 10:53
Quote:
[Originally Posted by Snowski]Tomo III...? Great...where can I find it?


In this thread [first post], maybe in... 4 or 6 days

Snowski
April 22nd, 2005, 11:04
Can you tell me if one of your tuts (TOMO III or TOMO IV) will discuss a case of COPYMEM II + Nanomites?

I think my target has that...and I can not get to OEP in the son or child process.

BPX WriteProcessMemory will break; on the first break it writes two bytes (EB FE), and on the second break it writes another 2 bytes (60 E8). After that, it will write in 1000 byte sections.

I have separated the child from the parent, fixed the loop, but can not locate OEP.
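As an added example (not code from the thread or from the tutorials), the following Python script classifies a WriteProcessMemory trace against the sequence Snowski describes: a 2-byte EB FE (jmp $) stub, a 2-byte 60 E8 (pushad/call) stub, then bulk code chunks. The log format and the trace are constructed for this example, and it assumes the "1000 byte" sections are hex 0x1000 (page-sized) writes; the chunk size is a parameter so it can be changed.

```python
import re
from typing import Dict, List
# Constructed sample trace (not real tracer output): child pid, target
# address, then the literal bytes written or only the size of the write.
SAMPLE_TRACE = """\
WriteProcessMemory child=0x5a4 addr=0x00401000 bytes=EB FE
WriteProcessMemory child=0x5a4 addr=0x00401000 bytes=60 E8
WriteProcessMemory child=0x5a4 addr=0x00401000 size=4096
WriteProcessMemory child=0x5a4 addr=0x00402000 size=4096
WriteProcessMemory child=0x5a4 addr=0x00403000 size=4096
"""
LINE_RE = re.compile(r"addr=0x([0-9A-Fa-f]+)\s+(?:bytes=([0-9A-Fa-f ]+)|size=(\d+))")
# The two 2-byte stubs from the post: EB FE is "jmp $" (parks the child in a
# tight loop); 60 E8 is "pushad; call rel32" (the start of a loader stub).
STUBS = {b"\xeb\xfe": "jmp-self stub", b"\x60\xe8": "pushad/call stub"}

def parse_trace(text: str) -> List[Dict]:
    """Return {addr, size, data} per WPM line; data is None if only size was logged."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a WriteProcessMemory record
        addr = int(m.group(1), 16)
        if m.group(2):
            data = bytes.fromhex(m.group(2).replace(" ", ""))
            events.append({"addr": addr, "size": len(data), "data": data})
        else:
            events.append({"addr": addr, "size": int(m.group(3)), "data": None})
    return events

def classify(events: List[Dict], chunk: int = 0x1000) -> List[str]:
    """Label each write as a known stub, a page-multiple bulk chunk, or other."""
    labels = []
    for ev in events:
        if ev["data"] in STUBS:
            labels.append(STUBS[ev["data"]])
        elif ev["size"] >= chunk and ev["size"] % chunk == 0:
            labels.append("bulk chunk")
        else:
            labels.append("other write")
    return labels

def looks_like_copymem2(labels: List[str]) -> bool:
    """Sequence from the post: jmp-self stub, then pushad/call stub, then bulk chunks."""
    if "jmp-self stub" not in labels or "pushad/call stub" not in labels:
        return False
    i, j = labels.index("jmp-self stub"), labels.index("pushad/call stub")
    return i < j and "bulk chunk" in labels[j + 1:]
```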

tenketsu
April 22nd, 2005, 18:28
Quote:
[Originally Posted by Snowski]Can you tell me if one of your tuts (TOMO III or TOMO IV) will discuss a case of COPYMEM II + Nanomites?


Tomo III: CopyMemII + Nanomites

Tomo IV: CopyMemII + Nanomites + CodeSplicing + IATScrambler

Tomo V: Reversing Armadillo 4.10

Snowski
April 22nd, 2005, 19:08
Quote:
[Originally Posted by tenketsu]Tomo III: 4 - V - 2005


Excellent....looking forward to this....thanks!

tenketsu
May 5th, 2005, 13:24
Tomo III: ready, check the first post

Sorry for the wait

Snowski
May 5th, 2005, 15:36
Right on time, as promised! And I am sure it is worth the wait, thanks!

PizzaPan
May 5th, 2005, 16:11
Amazing work, nice to see some new methods to take out old enemies

afsana
May 6th, 2005, 12:27
Guys, I'm following TOMO-II, but I'm stuck at some point.
Could anyone please explain how I can find the MAGICAL JUMP 2??

"Let's look for the second magic jump, which is in ...."

I'm stuck at that point of the tutorial, the SECOND MAGICAL JUMP; how do I find that jump??

tenketsu
May 12th, 2005, 19:53
Tomo IV ready, check the first post

CopyMemII + CodeSplicing + IATScrambler

Unpack & patch

would
May 15th, 2005, 12:14
well done

SKiLLa
May 17th, 2005, 10:45
Hey tenketsu,

Thanks for the clear tutorials, it's much appreciated!
Although my Spanish is quite bad, it taught me some new tricks and
confirmed some of my findings when tracing an Arma 4.xx protected program
manually ... (for the better understanding of the protection)

But: http://www.geocities.com/tlatoanimt002/ArmadilloTomoIII.zip
seems to be corrupt. I tried & downloaded it on 2 different PCs on 2 different
networks, but both times I get a CRC error from WinRAR. Can anyone verify this?

hosiminh
May 17th, 2005, 12:18
ArmadilloTomoIII.zip; file size is 639650 bytes, works fine for me. Maybe you have an old WinRAR?

SKiLLa
May 18th, 2005, 03:15
I tried it with both IE and Mozilla (both newest versions), using WinRAR v3.42 for unzipping; the file size of my download is 639.651 bytes. Tried cleaning my cache, etc., but no luck so far ...

But anyways it seems I'm the only one with this problem, so never mind ;-)

ancev
May 18th, 2005, 12:52
hey,

I am having problems with this one too!!

ancev

SKiLLa
May 18th, 2005, 16:19
UPDATE: the tutor #3 is only corrupt on the geocities mirror; the one on:
http://softcomx.spymac.net

works great.

/me feels rather STUP!D ...

tenketsu
May 23rd, 2005, 19:24
I will not make more tutes until further notice

Greetings

Ricardo Narvaja
May 24th, 2005, 03:56
Your tuts are great; it's a pity. I truly hope you can go back to writing them, they are very, very good.

Good luck
Ricardo Narvaja

tenketsu
May 24th, 2005, 09:41
Quote:
[Originally Posted by Ricardo Narvaja]Your tuts are great; it's a pity. I truly hope you can go back to writing them, they are very, very good.

Good luck
Ricardo Narvaja


Many thanks. In fact, you and K0rt between you made me decide to do this series of tutes; personally, I find your tutes the most enjoyable in the scene.

Regards

Mr.Red
May 24th, 2005, 17:55
I am just curious if anyone is working on translating these documents into
English? I would love to be able to read and understand it, so if anyone
has, or is working on, translating them, it would be great if you'd share
the work here so more could enjoy reading and learning from it. If not, then a PM
is always a solution as well.

// Mr. Red