View Full Version : Armadillo :-)


HANDS
November 13th, 2005, 12:55
Hi everyone.
I am dealing with a prog packed with Armadillo (from PEiD 1.xx-2.xx). I am new to Armadillo unpacking and tried to follow some tuts, but sometimes I cannot apply them to this app.
It has CopyMem2, so I tried the following approach:
a) bp WriteProcessMemory - at the 2nd break, the father writes 2 bytes into the son... I followed the address in the dump and patched with EBFE. Then removed the bp and let it run
b) bp WaitForDebugEvent - Olly breaks, then go to the ret, and landed in a test eax, eax (eax==0)
c) checked the PID of the son, then assembled the PUSH and DebugActiveProcessStop and traced over these instructions
d) opened a new Olly and attached to the son, F9, F12, then reverted the patched bytes and bp CreateThread..... It breaks at SetProcessWorkingSetSize and after exiting the call and tracing down a bit I find the "Call EDI", but it seems not to be the OEP :-(
(Also in the son process, the IAT is not completed yet)
Anyway the son doesn't run and stops if we hit F9.

Well.., I must be missing something! (lol) Some magic jump, almost for sure.. or something more complicated like nanomites?? Please give me some hints from the above description.
Thanks in advance.

Ricardo Narvaja
November 13th, 2005, 13:10
You have different types of Armadillo and you mix all types hehe.

Ricardo

HANDS
November 13th, 2005, 16:43
Thanks for replying Ricardo..

I mixed all!! (LOL) So it was a bad approach..... :-s
I deal for sure with CopyMem II, and the import table in the son has those 'strange' calls for import APIs... In your opinion, what methods shall I not mix from my approach????

RDG gives me Armadillo 2.85, but I cannot find any good tute to apply to my app.......
I have some tuts (some from your site ;-) ) but in this particular app I cannot follow some important steps of them. I mean, the 'father' seems to be a good guy, but the 'son' is a «son of»..... :-)

Lord_Looser
November 13th, 2005, 17:18
Use "Armadillo Process Detach 1.1" (google) to detach the son from the parent process. Don't close the Detacher while debugging the son process. Attaching a debugger to the child process will break at the son's EP (not OEP).

HANDS
November 14th, 2005, 05:19
Thanks Lord_Looser.

I only found ArmDetach v1.1 in a toolkit for crackers, but it's a password-encrypted rar..... (the given password doesn't work)
Anyway, my intention is to learn the process of detaching and unpacking Armadillo (educational purposes)!

It seems to be an easy unpack, but I must be missing some trick.... Also the OllyScripts seemed to patch a wrong address in the child process :-(

The app is packed, but it doesn't have any restriction or time limit, so I would not cause big trouble by saying its name: Docucabinet
(erase the post if it compromises something).

If possible, have a try and please tell me what I am doing wrong (in my 1st post).
Thanks.
Hands

Ricardo Narvaja
November 14th, 2005, 08:15
First step, locate what type of OLLY it is:

1) If it has two processes and has a 3rd stop in WriteProcessMemory (take care: this Armadillo protects WriteProcessMemory against BP and doesn't stop the third time; put an HE or put the BP in the RET of the API). If Armadillo stops a 3rd time in WriteProcessMemory, it is a traditional CopyMem2.

2) If Armadillo stops only 2 times in WriteProcessMemory and doesn't stop when putting an HE or BP in the RET of the API, it is a non-CopyMem2, two-process Armadillo.

3) Only one process is the 3rd type.

What type of Arma is it?

Ricardo Narvaja

HANDS
November 15th, 2005, 16:55
Hola Ricardo...

It is the first type of Armadillo...
It can stop several times in WriteProcessMemory... (copying/writing the sections for the child)!
Anyway the OllyScripts and my tries to find the EP of the child and then the OEP seemed out of place, or something still needs to be decrypted! :-(

Was my approach right? Or did I need to wait till the 3rd bp on WriteProcessMemory (I put a hardware bp or bp at the end of the call)?

More... Does this type of protection usually have a 'Magic Jump'?
and/or IAT elimination? ...nanomites?

Thanks again.
Hands

Ricardo Narvaja
November 16th, 2005, 01:56
Read my old tutorials (there is an English version) of Armadillo with CopyMem2, GETVERSION PROGRAM, and you will understand how Armadillo works in CopyMem2. It is an old version of Armadillo but the work continues being the same; only more protection against BP and OllyDbg was added. The general work is the same for finding the OEP.

Ricardo

Lord_Looser
November 16th, 2005, 03:31
Armadillo Process Detach 1.1
hxxp://sosrock.free.fr/forum/lire.php?msg=7363

a) Don't patch EBFE in the dump, patch in child process memory with e.g. WinHex

I have to correct my 1st declaration:
Close Detacher after attaching to son process.
(Parent process must continue after step c) DebugActiveProcessStop.)

parent EP 0060E0B9
child EP 0060E0B9
child OEP ?

HANDS
November 16th, 2005, 04:26
Thanks to both...
I'll give a try!