I am trying to disassemble an app which looks like it is packed in some way. I have examined it with PEiD but reports it is NOT packed and have examined it with File insPEctor and this reports it is packed with Armadillo 1.80.

I have tried a ton of automatic armadillo unpackers and NONE of them work. I have also tried to unpack it manualy but I get seriously lost as this is a bit beyond me. I have read some tuts on the net but still got no further forward.

Does anyone know of a better tool to correctly identify the packer or have any other ideas ?

Try RDG Packer Detector it seems to be one of the more accurate ones I've tried, I think you can find a link at the bottom of the page to the ARTeam site, you should be able to find a link in the forum, but....... if you are having problems with tuts, you are way over your head trying to unpack Arma, there are certain implementations that give the best fits - I've got 1 or 2 that I've been working on for over a month - no luck yet - but that's supposed to be the fun part............I think

SiGiNT

Could you give a list of sections in the file? All the Armadillo I've seen have a .adata and .pdata section in them. Other packers have their own characteristic sections.

List of sections:
.text
.rdata
.data

Tried using RDG and it reports 'nada'

TRY to use PEID:....


bye

Already used PEiD 0.93 and is doesn't report anything.

Does anyone have a link for PEiD 0.94 beta ? as this one is supposed to detect much more.

Mark,

In the ARTeam forum there is also a link for .94 Beta, (in the Tools of the Trade Section), I'm surprised that JMI has not reminded you about the not asking for tools rule - you should sharpen your search skills.


SiGiNT

Well I wasn't up that early on my local time. So now I'll remind both markh51 AND sigint33 that our Rules prohibit the asking of where to find the Tools of the Trade here and sigint33 you do not help enforcement of that Rule by reminding him of the Rule but still giving him the answer to the question he shouldn't have asked. How about BOTH of you not doing this again.

Regards.

Sorry guys...

I had already looked in the ARTeam forums but sine it was late last night when I looked, I thought I would look again... but still can't find it. I type peid into the forum search, but nothing is returned.

sigint33, you have PM.

Absolutely! HUA!!!!! (Heard Understood and Acknowledged).

SiGiNT

And by the way I come up with 6 pages of hits there markh51.

markh51:

Are you a complete Dunce or what? STOP ASKING WHERE TO FIND THE TOOLS OF THE TRADE and do your own damn searching or you will join the ranks of the "Goners" and be banned from these Forums.

Last warning.

Regards,

JMI: I thought I could ask these 'types' of questions via PM

I think this and my earlier recommendation, along with the info on where I thought you might find it are the problem, I know in the future, I will pass along this kind of info via PM.

SiGiNT

markh51:

You MAY ask for things by PM which you are NOT permitted to be posted, but your post, #9 in this thread, certainly appears to be asking someone to continue helping you find the tools and THAT is NOT permitted in the Forums, except in very limited circumstances not relevant here.

sigint33: Did you spend time in the First Cav.? They seem to be very fond of saying "HUA" after anyone says almost anything.

Regards,

Unfortunately not, but in spirit and heart I'm with them!

SiGiNT

Me as well, although my own militay service was more than 30 years ago in that "other" conflict in a place called Viet Nam. Sometime it's hard to believe how long its been and how fast those 30+ years have gone by.

Regards,

That certainly does not look like a Armadillo to me. If it was Armadildo, it'd have a .pdata and a few other sections. Maybe it's a custom-made unpacker/drop-to-disk sort of thing. Make sure you can see hidden files, then run the program and see if it drops a hidden file into the same directory. You may also wish to use a Dumper on it.