Edit: (Original description hardly applies anymore)

ArmInline is a tool for dealing with the various antidump tricks or Armadillo including:

-= Code Splicing (Complete removal)
-= Import Elimination (IAT Rebuild)
-= Nanomites (In-process on-the-fly nanomite handler patch)

See the readme for details.

Take it easy
Admiral

EDIT Updated version below

Err... Me again.
Sorry to the 32 of you who downloaded the first version - guess I didn't test it thoroughly enough .

Just found a bug where it fails to find a jump shortly following another instruction containing 0xE9. It's all fixed now though, so you may want to ditch the old download in favour of the current one.

Nice little tool, thanks for sharing.

thanks for this nice tool but i found a little problem when recovering the following code

here is the spliced code
0069D460 XCHG ECX,EDX
0069D462 JPE SHORT 0069D464
0069D464 NOT ESI
0069D466 PUSH EDX
0069D467 XCHG EDI,EDI
0069D469 XCHG DX,SI
0069D46C XCHG AX,DI
0069D46E XCHG AX,DI
0069D470 XCHG DX,SI
0069D473 POP EDX
0069D474 NOT ESI
0069D476 XCHG ECX,EDX
0069D478 PUSH EBP
0069D479 MOV EBP,ESP
0069D47B PUSH EBX
0069D47C MOV EBX,DWORD PTR SS:[EBP+8]
0069D47F MOV DWORD PTR DS:[EBX],EAX
0069D481 MOV DWORD PTR DS:[EBX+4],EDX
0069D484 MOV EAX,DWORD PTR SS:[EBP+C]
0069D487 MOV DWORD PTR DS:[EBX+C],EAX
0069D48A MOV DWORD PTR DS:[EBX+8],ECX
0069D48D POP EBX
0069D48E POP EBP

here is the code ur program recovered
0040780C MOV EBP,ESP
0040780E MOV EBX,DWORD PTR SS:[EBP+8]
00407811 MOV DWORD PTR DS:[EBX],EAX
00407813 MOV DWORD PTR DS:[EBX+4],EDX
00407816 MOV EAX,DWORD PTR SS:[EBP+C]
00407819 MOV DWORD PTR DS:[EBX+C],EAX
0040781C MOV DWORD PTR DS:[EBX+8],ECX

in fact the correct code should be

0069D478 PUSH EBP
0069D479 MOV EBP,ESP
0069D47B PUSH EBX
0069D47C MOV EBX,DWORD PTR SS:[EBP+8]
0069D47F MOV DWORD PTR DS:[EBX],EAX
0069D481 MOV DWORD PTR DS:[EBX+4],EDX
0069D484 MOV EAX,DWORD PTR SS:[EBP+C]
0069D487 MOV DWORD PTR DS:[EBX+C],EAX
0069D48A MOV DWORD PTR DS:[EBX+8],ECX
0069D48D POP EBX
0069D48E POP EBP

Right you are.
Thanks for pointing this out. And for locating the problem (instead of simply telling me 'it doesn't work' ).

My intended design should not have removed those PUSHes and POPs, but of course, in practice, theory is never the same as practice. I'll get to work and upload the bugfix as soon as I'm done.

Out of curiosity, how did you manage to find this idiosyncracy? This is the sort of error that always slipped through my net when writing/debugging the first version (the PUSHes and POPs (or lack thereof) all match up, and the redundant code was in one contiguous block, etc etc.).

Cheers
Admiral

Edit: Okay... I think that's fixed now. The new version's uploaded.
It also has a (superficially) spankier interface. I advise you to resist the temptation to reverse engineer the interface to enable the Nanomite recovery and IAT rebasing options, 'cause they don't do anything yet .
Thanks again, stephenteh.

i found that problem when i unpacking a target and after fixing the dump using ur tool it's giving me error..
so i unpacked the program without using ur program to fix the CS and the program work...
i confirmed that the error is coming from ur tool so trace where the error from...and found that location...

thanks for this nice tool

Hi Admiral,

i found a problem when fixing CS of a program...

i got Run-time error '6':Overflow error....

check pm for the target..

hope u have time to look into this problem..

thanks...

stephenteh is the target f...b.ss?, I got the same error, if not the tool auhor may be interested in another target.

u have a different target...

I haven't had time to properly test all the targets (it's a bit too much effort to deal with all these Copymem-IIs just to see if it can do its thing without crashing), but I've located the source of the overflow and neutralised it. Version 0.4 (see first post) managed to deal with a Code-Splicing and Import-Elimination target I was sent (no Debug-Blocker) to the point of a complete functional unpack, making for a 'three-minute and forty' unpack .

I didn't fully unpack the first target you sent me, stephenteh, but as far as I can see, it's now only the Nanomites holding me back (They're next on the list for ArmInline, by the way). It doesn't overflow anymore, so I hope you have better luck with it this time.

I've also added a tool to deal with Armadillo's 'Import Elimination', which seems to be working a charm. In theory, it should work for just about any anti-ImpRec trick imaginable (on non SMC), so feel free to try it against other targets. Just as before, the more testing it gets the more reliable it will be, so don't hesitate to PM me if you find a problem.

Details are in the readme.

Admiral

I'm back with a new version.

ArmInline v0.7 can now deal with Nanomites (as discussed in another thread). It worked fine on a couple of targets of mine. Testers (and bug reports) welcome.

I've also fixed an error ('Non-contiguous code generated') some people have been getting when spliced code contains the instruction 'MOV EDI, EDI' (which was being identified as junk when it shouldn't be).

It seems that I can no longer edit the original post in the thread, so I'll attach v0.7 here. Perhaps a moderator would be so kind as to remove the first attachment and direct readers to the most recent post.

Have fun
Admiral

I tried to use ArmInline to defeat nanomites, but i get an error :

http://xthost.info/stoneidiot/image/err.png

Can you tell me the reasons?

Any way, thanks for your GREAT tool!
Regards.

Hi theMyth.

That error occurs, as one might have guessed, when the sequence of hooks that is expected of the (induced) on-the-fly Nanomite fixing fails to trigger.

If you're sure that the target has Nanomites (gotta check these things ) and that the file you're loading on the 'Locate' dialogue is the packed exe (not your dump) then perhaps you'd like to PM me with the name and/or URL of your target so that I can look into it myself.

Regards
Admiral

Ps: Is there any chance that one of the powers that be could remove that redundant v0.6 attachment from the first post in the thread, and perhaps direct readers to the latest version? Thanks.

Thanz Admiral for sharing the nice tool. But many ones don't fix right nanomites with ArmaInline . Everyone hope that adminral will fix this bug.
benina.

Duly noted, benina.

I'm getting quite a few bug reports coming in and I'm doing what I can (in my limited free time) to get this sorted.
If anyone else wants to report a problem they're having with the Nanomites, could they please email me with the details rather than filling this thread up with similar posts.

Thanks
Admiral

It's been a while, but I have another update. This one's a bit more substantial:

ArmInline v0.9:
-= Import Elimination working 100%
-= Nanomites working 100%
-= Code Splicing working 99%
(on what has been tested)

-= New Process/Module viewer added
-= Compatible with SP1/SP2 and modified Kernel32.dll
-= Code Splicing can now deal with already inefficient code
-= Import Elimination copes with importing the last API in the last DLL
-= Nanomites no longer give 'Process didn't attempt to repair Nanomites'
-= Nanomite file viewer added
-= .nan format documented

Link: http://arminline.byethost22.com/

Great Work

Hello,

I'm not sure if its advisable to upload an unpacker here(commerical related).If possible upload somewhere and provide a link?

Admiral, thank's a lot for Your splendid work

maxximumm

Sorry to be spamming the board, but I like to work in batches, so I offer some more fruits of my labour. ArmInline v0.93 addresses all the bugs of v0.91 as well as:

-= Advanced heuristics for locating IAT and Code Splice section
-= Smarter interface
-= Less crash-happy

(So you need not touch your keyboard for many targets)

http://arminline.byethost22.com/

Admiral

Excellent !

ArmInline v0.95 has some minor improvements over v0.93.
Thanks to Hiei, it is now available for those who prefer to work in Spanish.
Get it from the usual place:

http://arminline.byethost22.com/

May I ask why it has been discontinued? (Anyway, it's great that you have released the source code.)

Indeed ArmInline has been discontinued. The last official release will be 0.96f.

I have received a few emails regarding Armadilloed targets with Nanomites that ArmInline can't detect. Although I've done little to confirm it, I suspect that SRT have updated again.
Chances are that circumventing this new protection would be simple enough, but I don't have the time or motivation to keep the project up to date anymore, so I thought it better to thrown down the gauntlet than to do a bad job by myself.

I should also mention that I am not without conscience and that my work is appreciably making life more difficult for SRT. Information should be free and all that but I wouldn't want to hold any responsibility for ruining a small company (consisting of good-natured people).

As for releasing the source; I would have done it much earlier (I'm all for open-source) but I'm a little ashamed of the state the code is in. Although reasonably efficient, it is untidy and uncommented. Hopefully, somebody will find it useful all the same. All the ideas are documented in the readme and the implementations are right there in the source.

I suppose, this way, I'll have more time to devote to dabbling in other RCE techniques. Tackling ring0 has been on the todo list for a long time.

Thanks for all the support I've had over the life of the project. I'm a better reverser for it. If anyone has any specific questions, I'm certainly not 'retiring' and will still be available through the usual media

Regards
Admiral

Excellent!
And source is coded in VB.
VB never dies.

Hi.
Admiral Thanx for the ArmInline it is an excellent tool that is useful to many people.


Thanks for everything .
Regards
Hiei.-