Problems while unpacking Armadillo 1.xx-2.xx (PEiD said so)
I'm new here, but when I was unpacking the Armadillo 1.x-2.xx target I got the OEP & I dumped it too! But the real problem is in fixing the imports. Can anybody help me? When I run the dumped file it says that it has caused an error.
cridia
May 25th, 2005, 03:13
I suggest you try "ImportREC", this software can help you solve that error.
First I used the Olly script by Hipu. Then it gave me the OEP. Then I put the child process in an infinite loop using PUPE. Then I attached the process to Olly. Then I tried ImportREC to fix the imports but nothing happens. I've heard that Armadillo encrypts the imports.
I wanted some help to decrypt those imports.
Ricardo Narvaja
May 25th, 2005, 07:31
you need to read some tutorials, it is impossible to explain so big a theme here.
Ricardo Narvaja
arjuns
May 25th, 2005, 11:40
We'd be very gallant if Ricardo Narvaja could help us,
right Vix?
Quote (arjuns):
right Vix?
Yeah arjuns. I've many tutorials. I've unpacked the proggy manually too! (using OllyDbg) & every time I come up to the same OEP. But today when I was on that OEP, I dumped the process and tried "IMPORTREC". First it gave nothing, then I traced it with level 1 & you won't believe it gave me some imports!!! But there were some invalid thunks. So I deleted those and fixed the file. Still it gave an error & terminated. Then again, after doing the whole process as mentioned above, I used the trace level 2 option. But IMPORTREC froze!!! I gave it 5 long hours to trace the imports, but nothing. Can you help me?
Ricardo Narvaja
May 26th, 2005, 05:50
I only use Import REConstructor when the table is all correct with perfect entries, I don't trust the repair of IMPORT RECONSTRUCTOR with trace level 1, trace level 2; the last version of IMP REC is more than 2 years old and the programmers know how to make these tracers fail.
Reconstruct the table manually and when all entries are correct use Import REConstructor, only to reconstruct, not to trace at all; this is very bad in new Armadillos, ASProtect and new packers.
Ricardo Narvaja
Ricardo Narvaja, will you please give a tutorial to manually reconstruct the table? Or will you please write it in short? pls....pls...pls
Ricardo Narvaja
May 27th, 2005, 10:02
the tut is written but is in Spanish
http://www.ricnar456.dyndns.org/NUEVO%20CURSO/TEORIAS%20DE%20CRACKING
look
http://www.ricnar456.dyndns.org/NUEVO%20CURSO/TEORIAS%20DE%20CRACKING/253-IMPORT%20TABLES%20A%20MANO%20(parte%201).rar
this is the first part, there are four, and there are more (the script is explained in)
http://www.ricnar456.dyndns.org/NUEVO%20CURSO/TEORIAS%20DE%20CRACKING/332-NUEVOS%20ARMADILLOS%20SIN%20COPYMEM2%20CON%20DESTRUCCION%20DE%20TABLA%20parte%201.rar
more parts, all in Spanish
there is also
http://www.ricnar456.dyndns.org/NUEVO%20CURSO/TEORIAS%20DE%20CRACKING/375-IID_IMAGE_IMPORT_DESCRIPTOR_by_%2bNCR.rar
also in Spanish, by NCR, on the same theme
and the method is used in various tuts; in NUEVO CURSO, the tuts WITH DESTRUCCION DE TABLA are with this technique.
Ricardo Narvaja
Thanks Ricardo Narvaja, I'll try it. And I'll download a Spanish to English translator if possible.
there's a Spanish to English translator at
http://www.paralink.com/download/mt71101.exe
but its size is too large!
nick_name
May 28th, 2005, 09:26
vix, thanks for the SPANISH 2 ENGLISH translator download link
is it better than SYSTRAN 4.0 ??
try http://www.paralink.com/download/mt71102.exe
this one is much better than mt71101.exe
When I run the dumped file in OllyDbg I get a message:
Don't know how to step because memory at address 00c29602 is not readable.Try to pass exception to program
And if I follow the address in dump it says that it points to nothing. And in the original file, if I follow it in dump, then it shows the dump. What to do now????
Ricardo Narvaja
May 29th, 2005, 06:12
there are two possibilities
do you use a renamed ollydbg.exe?
you need to copy ollydbg.exe to another folder, rename the exe to PIRULO.exe, copy it again to the Olly folder and use this PIRULO.exe
use HideDebugger 1.23f
if with this the error continues: in my last tut of Armadillo there is an explanation of the Olly bug with ILLEGAL INSTRUCTION and how to patch it.
If you cannot patch it, download from my FTP folder HERRMIENTAS the file
OLLYDBG CAMUFLADO PARA VPROTECTOR.rar
this has the bug patched
Ricardo Narvaja
Renaming the file doesn't work!! What's the name of your last tutorial?
Ricardo Narvaja
May 29th, 2005, 07:25
you renamed the file leaving ollydbg.exe in the same folder and using pirulo.exe, and added HideDebugger 1.23f, and it doesn't work?
Armadillo is the number 332 tutorial
Ricardo Narvaja
No it didn't work! I'll try the tutorial.
hosiminh
May 29th, 2005, 09:20
Yeah, PEiD 0.92 might say: Armadillo 1.xx - 2.xx
But PEiD is sometimes wrong, especially in the Armadillo case.
When the target is running,
run WinHex -> Open RAM -> target.exe (Entire memory)
Find text: armVer
003E300F 3C 61 72 6D 56 65 72 73 69 6F 6E 20 78 73 69 <armVersion xsi
003E301E 3A 74 79 70 65 3D 22 78 73 64 3A 73 74 72 69 :type="xsd:stri
003E302D 6E 67 22 3E 25 73 3C 2F 61 72 6D 56 65 72 73 ng">%s</armVers
003E303C 69 6F 6E 3E 0A 00 00 00 33 2E 37 36 ion>....3.76
-> Armadillo v3.76
@ViX
Quote:
Don't know how to step because memory at address 00c29602 is not readable.Try to pass exception to program
Usually it helps if you press Shift+F9
Ricardo Narvaja
May 29th, 2005, 09:25
no, it is an Olly bug: if you press Shift+F9 on an ILLEGAL INSTRUCTION EXCEPTION the messagebox is repeated but it doesn't pass the exception, and there are no changes.
Ricardo Narvaja
hosiminh
May 29th, 2005, 09:31
Sorry, I didn't read ViX's post accurately enough the first time -> didn't notice he's talking about the dumped file.
Ricardo Narvaja
May 29th, 2005, 09:39
oghh, I didn't read this too, ahh, I think he is talking of the original Armadillo not running; the dumped file tells you this message because the IAT is badly reconstructed or there is an antidump to repair.
Sorry
Ricardo Narvaja
blabberer
May 29th, 2005, 09:58
Quote:
no, it is an Olly bug: if you press Shift+F9 on an ILLEGAL INSTRUCTION EXCEPTION the messagebox is repeated but it doesn't pass the exception, and there are no changes.
ricardo, do you mean opcodes like ffffffff ??
did you try Options --> Security --> allow stepping into unknown commands
can you get me the instruction which is illegal ??
Ricardo Narvaja
May 29th, 2005, 10:20
lea eax,eax is the most used, but with any illegal instruction exception Olly doesn't handle the exception well.
the problem of VIX is a bad dump, or one not completely repaired
Ricardo
Yeah, my dumped file gives that message because the address which it gives is missing.
1. When I dump the file with the new PEDumper plugin in Olly, I select the whole memory map including the address (which the error gives). But when I run the dumped file in WinXP it says it is not a valid Win32 application.
2. And if I run in Windows XP the file which is dumped with LordPE it gives the message:
World Online TV has encountered a problem and needs to close. We are sorry for the inconvenience.
And when I run it in OllyDbg it gives the message:
Don't know how to step because memory at address 00c29602 is not readable.Try to pass exception to program
I hope you understand what I mean to say!! The problem is with the DUMPED file and fixing the IAT.
I tried the hex way to find the version but the last line looks like:
00C47060 69 6F 6E 3E 0A 00 00 00 20 20 20 3C ion>. <
Version's not present!!
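hosiminh's WinHex method above reads the version string that Armadillo's runtime stores right after its `<armVersion ...>%s</armVersion>` format string, and ViX's listing shows the case where no version follows it. The script below is an added example (not from anyone in this thread): it parses WinHex-style dump lines into bytes and applies that check, returning None when the bytes after the format string are not a version. The two sample listings are constructed from the lines quoted in the thread; ViX's is prefixed with the format-string lines from hosiminh's listing, which his own post did not quote.

```python
import re

# Constructed from the listing hosiminh posted (address, hex bytes, ASCII column).
HOSIMINH_DUMP = """\
003E300F 3C 61 72 6D 56 65 72 73 69 6F 6E 20 78 73 69 <armVersion xsi
003E301E 3A 74 79 70 65 3D 22 78 73 64 3A 73 74 72 69 :type="xsd:stri
003E302D 6E 67 22 3E 25 73 3C 2F 61 72 6D 56 65 72 73 ng">%s</armVers
003E303C 69 6F 6E 3E 0A 00 00 00 33 2E 37 36 ion>....3.76
"""
# Constructed: ViX's last line, preceded by the three format-string lines above
# (assumed to be identical in his process; his post only quoted the last line).
VIX_DUMP = """\
00C47000 3C 61 72 6D 56 65 72 73 69 6F 6E 20 78 73 69 <armVersion xsi
00C4700F 3A 74 79 70 65 3D 22 78 73 64 3A 73 74 72 69 :type="xsd:stri
00C4701E 6E 67 22 3E 25 73 3C 2F 61 72 6D 56 65 72 73 ng">%s</armVers
00C47060 69 6F 6E 3E 0A 00 00 00 20 20 20 3C ion>. <
"""

MARKER = b"</armVersion>\n\x00"          # end of the format string, NUL-terminated
HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")
VERSION = re.compile(rb"\d+(?:\.\d+)+")  # e.g. 3.76


def parse_hexdump(text):
    """Join 'ADDR HH HH ... ascii' lines into one byte buffer.

    Hex bytes are read until the first token that is not two hex digits,
    which is where the ASCII column starts.
    """
    buf = bytearray()
    for line in text.splitlines():
        for tok in line.split()[1:]:        # [0] is the address column
            if not HEX_BYTE.fullmatch(tok):
                break
            buf.append(int(tok, 16))
    return bytes(buf)


def find_armadillo_version(mem):
    """Return the version stored after the armVersion format string, or None."""
    idx = mem.find(MARKER)
    if idx < 0:
        return None                          # format string not in this region
    pos = idx + len(MARKER)
    while pos < len(mem) and mem[pos] == 0:  # skip alignment padding
        pos += 1
    end = mem.find(b"\x00", pos)
    candidate = mem[pos:end if end >= 0 else len(mem)]
    return candidate.decode() if VERSION.fullmatch(candidate) else None
```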
Ricardo Narvaja
May 30th, 2005, 06:12
well, what type of Armadillo is it?
is it a CopyMem2? with two processes running? only one process running?
if only one process is running, obviously they have import table elimination (in my tuts DESTRUCCION DE TABLA) and it is not possible to repair it with Import REConstructor in the usual way (look at my tuts of Armadillo with destruccion de tabla and import table by hand)
the problem says it is not a valid 32-bit application; well, Armadillo changes some bytes of the header in execution, when you reach the OEP the header is corrupt, for this reason this message.
look at the program at the start in another Olly and compare the header with the program stopped at the OEP; I generally copy and paste all the header of the original program, without running it, onto the program stopped at the OEP before the DUMP, and the dumped file is dumped correctly; generally Armadillo changes at execution time the number of sections or 2 or 3 bytes to corrupt the header.
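The header comparison Ricardo describes (original file on disk versus the image stopped at the OEP) can be scripted instead of eyeballed in two Olly windows. This is an added example, not Ricardo's or any tool's code: it reads the IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER32 fields that a runtime tamper would most plausibly touch and reports which ones differ. The two headers it compares are constructed minimal PE32 stubs, not a real program; on a real case you would pass the first SizeOfHeaders bytes of the file and of the memory dump.

```python
import struct

# Field -> (offset from the start of IMAGE_NT_HEADERS, struct format), PE32 layout:
# Signature(4) + IMAGE_FILE_HEADER(20) + IMAGE_OPTIONAL_HEADER32.
NT_FIELDS = {
    "Signature":            (0x00, "<I"),
    "Machine":              (0x04, "<H"),
    "NumberOfSections":     (0x06, "<H"),
    "SizeOfOptionalHeader": (0x14, "<H"),
    "Characteristics":      (0x16, "<H"),
    "Magic":                (0x18, "<H"),
    "AddressOfEntryPoint":  (0x28, "<I"),
    "ImageBase":            (0x34, "<I"),
    "SectionAlignment":     (0x38, "<I"),
    "FileAlignment":        (0x3C, "<I"),
    "SizeOfImage":          (0x50, "<I"),
    "SizeOfHeaders":        (0x54, "<I"),
}


def nt_fields(image):
    """Parse the fields above from a buffer holding the DOS and NT headers."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return {name: struct.unpack_from(fmt, image, e_lfanew + off)[0]
            for name, (off, fmt) in NT_FIELDS.items()}


def diff_headers(original, dumped):
    """Return {field: (original_value, dumped_value)} for each field that differs."""
    a, b = nt_fields(original), nt_fields(dumped)
    return {k: (a[k], b[k]) for k in NT_FIELDS if a[k] != b[k]}


def build_header(num_sections=3, size_of_image=0x10000):
    """Constructed minimal PE32 header stub (demo input only, not a real binary)."""
    hdr = bytearray(0x40 + 0x60)                 # DOS header + the NT fields we read
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> NT headers at 0x40
    struct.pack_into("<I", hdr, 0x40, 0x4550)    # "PE\0\0"
    struct.pack_into("<H", hdr, 0x44, 0x14C)     # IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", hdr, 0x46, num_sections)
    struct.pack_into("<H", hdr, 0x54, 0xE0)      # SizeOfOptionalHeader for PE32
    struct.pack_into("<H", hdr, 0x58, 0x10B)     # PE32 magic
    struct.pack_into("<I", hdr, 0x90, size_of_image)
    return bytes(hdr)
```

A non-empty result is the set of header bytes to copy back from the clean file before dumping, which is exactly the manual paste Ricardo recommends.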
My Armadillo uses debug blocker with the DebugOutputString exploit. It has two processes. No CopyMem2. PEiD says it's 1.xx-2.xx
hosiminh
May 31st, 2005, 03:40
ViX
If two processes are running, then it is CopyMem2 (father + son).
But if it has the DebugOutputString exploit then it probably has nanomites too.
Oh! Now what should I do? But that DebugOutputString does not give me errors when I use the HideDebugger plugin. And how can I get the version?
Ricardo Narvaja
May 31st, 2005, 06:04
if it exploits this bug it is version 4 or more, previous versions don't use this bug.
Ricardo Narvaja
OK, then I'll use the unpack Armadillo 4 tutorials. Even you have the tutorials on your website.
In Kagra's tutorial armadillo4unpack I didn't understand the new section (segment) part. What to do with the RawSize and VirtualSize of that segment? And how to calculate the size of the dummy section?