Exetools
#1
01-25-2005, 02:56
FEARHQ
Dumping Armadillo protected DLL?

This is the first time I have come across an Armadillo-protected DLL. Is dumping the DLL any different than dumping an executable? PEiD tells me it is "Armadillo 2.51 - 3.xx DLL Stub". I haven't come across any tutorials that show how to do this, and as a matter of fact I have never dumped Armadillo, but if the process is the same I will read up on the subject. Has anyone done this in the past? I just need a little guidance.
#2
01-25-2005, 09:42
TmC
I think that in this case the Lunar Dust DLL Unpacker should do its job... unless the DLL has nanomites.
#3
01-25-2005, 14:25
Eggi
I thought it's only possible to protect a DLL with the protection options which require only one process?
#4
01-25-2005, 15:47
MrAnonymous
DLLs cannot have nanomites; DLLs are on the equivalent of Minimal Protection in Armadillo. They do, however, support Import Elimination and Code Splicing.
#5
01-26-2005, 03:50
FEARHQ
I've read two tutorials from Unpacking Gods, one about figuring out the Armadillo version (turns out to be 3.75-alpha 1), and another about dumping Armadillo with Debug Blocker. The DLL does not have nanomites and I don't think it has code splicing, but the import table seems to be messed up, as Lunar Dust's DLL dumper can't rebuild it. Can anyone point me to a tutorial on dumping Armadillo with Import Elimination? I guess similar concepts can be applied to the DLL as to a standalone executable, as I did with version recognition. I would love to break my first Armadillo protection manually (without automatic dumpers, that is...).
#6
01-26-2005, 04:34
MrAnonymous
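The import table that the dumper "can't rebuild" in the post above is the PE import data directory. Whether a dumped image's imports are intact can be checked directly by walking that directory and confirming that every RVA it references falls inside a section of the image. The following is an added Python example written for this page; it is not code from this thread, from Lunar Dust's tools or from Armadillo. It parses a 32-bit (or 64-bit) PE image from a byte string, lists each module and symbol in the import directory, and reports a missing or unmapped directory instead of guessing. The DLL image it runs on is a constructed minimal one built in memory (`build_sample_dll`), and all function names are my own.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1  # index of the import entry in the data directory array


class ImportTableError(ValueError):
    """Raised when the import directory is missing or points outside the image."""


def _sections(data):
    """Return (section list, optional header offset, is_pe32plus) for a PE image."""
    if data[:2] != b"MZ":
        raise ImportTableError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ImportTableError("not a PE image: missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # IMAGE_OPTIONAL_HEADER follows the 20-byte file header
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + 40 * i        # 40-byte IMAGE_SECTION_HEADER entries
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vaddr, max(vsize, rsize), rptr))
    return sections, opt, plus


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset; an RVA no section covers is an error, not a guess."""
    for _name, vaddr, span, rptr in sections:
        if vaddr <= rva < vaddr + span:
            return rptr + (rva - vaddr)
    raise ImportTableError(f"RVA {rva:#x} is not mapped by any section")


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def list_imports(data):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array and return {dll: [symbol, ...]}."""
    sections, opt, plus = _sections(data)
    dd = opt + (112 if plus else 96) + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT
    import_rva = struct.unpack_from("<I", data, dd)[0]
    if import_rva == 0:
        raise ImportTableError("no import directory (data directory entry is empty)")
    desc = rva_to_offset(sections, import_rva)
    thunk_fmt, thunk_size, ord_flag = ("<Q", 8, 1 << 63) if plus else ("<I", 4, 1 << 31)
    imports = {}
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if oft == 0 and name_rva == 0 and ft == 0:
            break                            # all-zero descriptor terminates the array
        dll = _cstring(data, rva_to_offset(sections, name_rva))
        thunk = rva_to_offset(sections, oft or ft)  # prefer the INT, fall back to the IAT
        names = []
        while (entry := struct.unpack_from(thunk_fmt, data, thunk)[0]) != 0:
            if entry & ord_flag:
                names.append(f"#{entry & 0xFFFF}")          # import by ordinal
            else:                                           # skip the 2-byte hint before the name
                names.append(_cstring(data, rva_to_offset(sections, entry) + 2))
            thunk += thunk_size
        imports[dll] = names
        desc += 20
    return imports


def check_import_table(data):
    """Return (ok, message); ok is False when the directory is absent or unmapped."""
    try:
        imports = list_imports(data)
    except ImportTableError as exc:
        return False, str(exc)
    return True, f"{len(imports)} module(s), {sum(map(len, imports.values()))} import(s)"


def build_sample_dll():
    """Constructed minimal PE32 DLL with one .rdata section importing one symbol by name."""
    sec_rva, sec_raw, sec_size = 0x1000, 0x200, 0x100
    body = bytearray(sec_size)
    body[0x50:0x50 + 20] = struct.pack("<H", 0) + b"IsDebuggerPresent\0"     # hint/name entry
    body[0x70:0x70 + 13] = b"KERNEL32.dll\0"
    body[0x30:0x38] = struct.pack("<II", sec_rva + 0x50, 0)                  # INT
    body[0x40:0x48] = struct.pack("<II", sec_rva + 0x50, 0)                  # IAT
    body[0x00:0x14] = struct.pack("<IIIII", sec_rva + 0x30, 0, 0, sec_rva + 0x70, sec_rva + 0x40)
    img = bytearray(sec_raw + sec_size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                                  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                                  # PE32 magic
    struct.pack_into("<I", img, opt + 92, 16)                                # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8, sec_rva, 40)                  # import directory
    sh = opt + 224
    img[sh:sh + 8] = b".rdata\0\0"
    struct.pack_into("<IIII", img, sh + 8, sec_size, sec_rva, sec_size, sec_raw)
    img[sec_raw:sec_raw + sec_size] = body
    return bytes(img)


def corrupt_import_dir(data, new_rva):
    """Constructed failure case: repoint the import directory, as a bad dump might."""
    _secs, opt, plus = _sections(data)
    buf = bytearray(data)
    struct.pack_into("<I", buf, opt + (112 if plus else 96) + 8, new_rva)
    return bytes(buf)
```

Running `check_import_table(open("dump.dll", "rb").read())` on a real dumped DLL gives a one-line verdict: either a module and symbol count, or the specific RVA the directory points at that no section covers, which is the usual reason an automatic rebuild fails. The walker deliberately prefers the original first thunk (INT) and only falls back to the IAT, since a packer that has eliminated imports typically leaves one or both empty.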
What is your target?
http://www.absolutelock.de/construction/files/infobase/New/arma_debugblocker/tutorial.html
I believe covers import elimination....
#7
01-26-2005, 05:43
FEARHQ
MrAnonymous: That is the exact tutorial I went over. I guess I'm going to have to use it, even though it goes way into detail about Debug Blocker, which is way over my head for now... I'm looking for a tutorial that would actually deal with import elimination with Armadillo and not too much of the other fancy stuff (like Debug Blocker).

[UPDATE]
I put a little more effort into this and managed to follow MEPHiST0's tutorial, even though it's mostly about Debug Blocker. I managed to get "close to the OEP" by patching IsDebuggerPresent and breaking on CreateThread (the first is where we need to break...); however, the famous "call edi", which I gather should be the original OEP, is never reached. In this target I get to 009A891F, which is the pop/jmp just one below the "sweet spot" (call edi - 009A89CD), and wind up back in the target DLL's code at 20040FF1. If anyone would be kind enough to take a look and tell me what I'm doing wrong on my first manual unpack attempt, I'd be thankful.
Attached Files
File Type: zip target.zip (280.0 KB, 38 views)

Last edited by FEARHQ; 01-26-2005 at 14:31.
#8
01-28-2005, 14:44
FEARHQ
Could anyone give me a hand from where I'm stuck? I've been using Lunar Dust's DLLLoad.exe to load the DLL in OllyDbg, but I am stuck and cannot find the OEP.
#9
02-04-2005, 16:22
fly [CUG]
UnPacKed.target.By.heXer

UnPacKed By heXer
Attached Files
File Type: rar UnPacKed.target.By.heXer.rar (67.5 KB, 12 views)
#10
02-04-2005, 22:40
Crk
This doesn't help for knowledge! Tutorial??
#11
02-09-2005, 11:08
AdamD
I'm also having problems unpacking v3.78 in an exe. It's a tough packer.