#1 gotofbi, 09-08-2005, 06:37 PM

Hello. I'm kind of a newb at unpacking...

I want to unpack Armadillo to use this program.

PEiD says it is packed with Armadillo 3.78.

I tried to use an Olly script but I couldn't unpack it.

Can someone please provide an unpacking tut or unpack it for me?

Thank you

#2 gotofbi, 09-08-2005, 06:43 PM

Code:
/* 
.:TEAM RESURRECTiON:. 
Armadillo Standard+Strategic Code Splicing Script by AvAtAr 
Tested on WinXP Pro SP2, OllyDbg v1.10, OllyScript v0.92 
NOTES: 
- Remove all hardware breakpoints before run the script. 
- Add the following custom exceptions on OllyDbg: 
C0000005(ACCESS VIOLATION), C000001D(ILLEGAL INSTRUCTION) 
C000001E(INVALID LOCK SEQUENCE), C0000096(PRIVILEGED INSTRUCTION) 
*/ 

var CreateMutexA 
var CreateThread 
var GetModuleHandleA 
var OpenMutexA 
var VirtualAlloc 
var JumpLocation 
var JumpLength 
var adata 
var regESP 
var OEP 

gpa "CreateMutexA", "kernel32.dll" 
mov CreateMutexA, $RESULT 
gpa "CreateThread", "kernel32.dll" 
mov CreateThread, $RESULT 
gpa "GetModuleHandleA", "kernel32.dll" 
mov GetModuleHandleA, $RESULT 
gpa "OpenMutexA", "kernel32.dll" 
mov OpenMutexA, $RESULT 
gpa "VirtualAlloc", "kernel32.dll" 
mov VirtualAlloc, $RESULT 

gmi eip,MODULEBASE 
find $RESULT,#2E6164617461# 
mov adata,$RESULT 
add adata,0c 
mov adata,[adata] 
gmi eip,MODULEBASE 
add adata,$RESULT 

bp OpenMutexA 
esto 
exec 
PUSH EDX 
PUSH 0 
PUSH 0 
CALL CreateMutexA 
JMP OpenMutexA 
ende 
bc OpenMutexA 

bphws GetModuleHandleA, "x" 
label1: 
esto 
rtu 
find eip, #0F84????????????????????74??????????EB??# 
cmp $RESULT,0 
je label1 
bphwc GetModuleHandleA 

mov JumpLocation, $RESULT 
mov JumpLength, JumpLocation 
add JumpLength, 2 
mov JumpLength, [JumpLength] 
inc JumpLength 
mov [JumpLocation], 0E9 
inc JumpLocation 
mov [JumpLocation], JumpLength 

msgyn "Resolve Strategic Code Splicing?" 
cmp $RESULT,0 
je label3 
bphws VirtualAlloc, "x" 
label2: 
esto 
mov regESP,esp 
add regESP,0C 
cmp [regESP],1000 
jne label2 
add regESP,4 
cmp [regESP],40 
jne label2 
rtu 
mov eax,adata 
bphwc VirtualAlloc 
label3: 

bp CreateThread 
run 
cob 
bc CreateThread 
rtu 
rtr 
sti 

find eip, #2B??FF??8?# 
mov OEP, $RESULT 
add OEP, 2 
bp OEP 
run 
bc OEP 
sti 
cmt eip, "<- OEP" 
msg "You're at the OEP, now dump with LordPE and fix the IAT with ImpRec. =)" 
ret

This is the script that I used in Olly.
I added those exceptions:
Ignores memory access violation in KERNEL32.DLL
C0000005 (ACCESS VIOLATION)
C000001D (ILLEGAL INSTRUCTION)
C000001E (INVALID LOCK SEQUENCE)
C0000096 (PRIVILEGED INSTRUCTION)
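
The script's `find $RESULT,#2E6164617461#` and `add adata,0c` lines locate the `.adata` section header by raw byte search and read the dword at +0x0C, which in a PE section header is the VirtualAddress field. As an added example (not part of the thread or of the posted script), the same lookup done statically in Python for packer triage, once by walking the section table and once by the script's byte search; the header bytes, section layout and base address are constructed.

```python
import struct

ADATA = bytes.fromhex("2E6164617461")   # the script's search pattern: ASCII ".adata"

def build_sample(stub=b""):
    """Constructed PE headers only (no code or data), with an optional DOS stub."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40 + len(stub))            # e_lfanew
    secs = [(b".text", 0x1000, 0x5000), (b".adata", 0x6000, 0x1000),
            (b".data", 0x7000, 0x2000)]                            # constructed layout
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, rva, 0, 0, 0, 0, 0, 0, 0xE0000020)
        for name, rva, vsize in secs)
    return bytes(dos) + stub + b"PE\0\0" + coff + bytes(0xE0) + table

def parse_sections(image):
    """Walk the section table and return {section name: VirtualAddress (RVA)}."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    count = struct.unpack_from("<H", image, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    rvas = {}
    for i in range(count):
        off = table + 40 * i                    # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        rvas[name] = struct.unpack_from("<I", image, off + 0x0C)[0]  # VirtualAddress
    return rvas

def adata_va_parsed(image, base):
    """Address of .adata taken from the parsed table, or None if absent."""
    rva = parse_sections(image).get(".adata")
    return None if rva is None else base + rva

def adata_va_bytesearch(image, base):
    """Literal translation of the script: first byte match, dword at +0x0C, plus base."""
    hit = image.find(ADATA)
    if hit < 0:
        return None
    return base + struct.unpack_from("<I", image, hit + 0x0C)[0]

if __name__ == "__main__":
    BASE = 0x400000                              # constructed module base
    decoy = build_sample(stub=b".adata".ljust(0x40, b"\0"))  # name planted in the stub
    for label, img in (("clean", build_sample()), ("decoy", decoy)):
        print(label, hex(adata_va_parsed(img, BASE)), hex(adata_va_bytesearch(img, BASE)))
```

On the decoy image the byte search returns the base address itself, because its first match is in the DOS stub rather than in the section table.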

#3 sawa, 03-02-2006, 07:31 PM

Hi Kinda, this site can help you unpack Armadillo v3.xx
http://www.absolutelock.de/construction/fi...r/tutorial.html

#4 cucat, 03-04-2006, 01:11 PM

Help me unpack this file (protected with Armadillo 3.78).
Target here: http://www.cucat.net/aikido/Aikido3D.exe
Thanks! (I cannot do anything with the tutorials above.)

#5 decocero, 05-03-2006, 10:33 AM

Hi, about aikido3d... has anyone solved the problem with the fingerprint? I've bought it, it's really interesting, but I want to have it on all my computers, portable, at home, at work... and I would like to have a copy with no restrictions due to fingerprints... I found nothing with emule, nobody seems to be successful...

I've been told that there is someone who avoided all restrictions, but he refuses to share it... :angry:

Maybe a program that changes all the information so the program sees the same fingerprint as on the computer where it was first installed?

#6 gotofbi, 05-04-2006, 01:23 AM

Quote:
Originally posted by cucat@Mar 4 2006, 09:11 AM
Help me unpack this file (protected with Armadillo 3.78).
Target here: http://www.cucat.net/aikido/Aikido3D.exe
Thanks! (I cannot do anything with the tutorials above.)

Hello cucat.
In order to unpack this target, you need a valid Hardware Fingerprint, Name, and key.
Without that, this target is impossible to unpack.

#7 atlantaazfinest, 06-09-2006, 03:46 PM

Hi guys, this is packed with minimum protection. Could someone unpack it for me? I use that script and nothing happens, but the enter name and key box comes up. Am I doing it right?
Or am I supposed to get that I'm at the OEP?

#8 IronMan, 06-10-2006, 01:28 PM

Quote:
Originally posted by atlantaazfinest@Jun 9 2006, 03:46 PM
Hi guys, this is packed with minimum protection. Could someone unpack it for me? I use that script and nothing happens, but the enter name and key box comes up. Am I doing it right?
Or am I supposed to get that I'm at the OEP?

I can't get anywhere with this. Hopefully someone else can help.