#1
Dumping Armadillo protected DLL?
This is the first time I have come across an Armadillo-protected DLL. Is dumping the DLL any different from dumping an executable? PEiD tells me it is "Armadillo 2.51 - 3.xx DLL Stub". I haven't come across any tutorials that show how to do this, and as a matter of fact I have never dumped Armadillo, but if the process is the same I will read up on the subject. Has anyone done this in the past? I just need a little guidance.
#2
I think that in this case the Lunar Dust DLL Unpacker should do its job... unless the DLL has nanomites.
#3
I thought it's only possible to protect a DLL with the protection options which require only one process?
#4
DLLs cannot have nanomites; DLLs are on the equivalent of Minimal Protection in Armadildo. They do, however, support Import Elimination and Code Splicing.
#5
I've read two tutorials from Unpacking Gods, one about figuring out the Armadillo version (turns out to be 3.75-alpha 1), and another about dumping Armadillo with Debug Blocker. The DLL does not have nanomites and I don't think it has code splicing, but the import table seems to be messed up, as Lunar Dust's DLL dumper can't rebuild it. Can anyone point me to a tutorial on dumping Armadillo with Import Elimination? I guess similar concepts can be applied to the DLL as to a standalone executable, as I did with version recognition. I would love to break my first Armadillo protection manually (without automatic dumpers, that is...).
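Added worked example for the "import table seems to be messed up" symptom above. This is not code from the thread, from Lunar Dust's dumper or from any other tool named here: it is a small stand-alone import-directory walker that does what a rebuilder does first, namely follow every descriptor's name and thunk tables through the section headers and report which entries cannot be resolved. The sample "dump" it runs on is constructed inline; the DLL names, API names, ImageBase and every address in it are invented for the demonstration.

```python
"""Walk a dumped PE32 image's import directory and flag what an import rebuilder
(ImpREC, Lunar Dust's dumper) chokes on: name thunks pointing outside the image and
IAT slots redirected back into it, the residue of Armadillo's Import Elimination.
Added example, not from the thread or any tool named in it; the sample image and
every address in it are made up."""
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table (None if unmapped)."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    return None


def read_cstr(data, off, limit=256):
    """NUL-terminated printable ASCII string at off, or None if there is none."""
    end = data.find(b"\0", off, off + limit)
    s = data[off:end] if end >= 0 else b""
    return s.decode("ascii") if s and all(32 <= c < 127 for c in s) else None


def parse_pe(data):
    """Return (image_base, size_of_image, sections, import_dir_rva) of a PE32."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    nsec, opt_size = struct.unpack_from("<H", data, coff + 2)[0], struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20  # IMAGE_OPTIONAL_HEADER32 follows the 20-byte COFF header
    image_base, = struct.unpack_from("<I", data, opt + 28)
    size_of_image, = struct.unpack_from("<I", data, opt + 56)
    import_rva, = struct.unpack_from("<I", data, opt + 104)  # DataDirectory[1].VirtualAddress
    sections = []
    for i in range(nsec):  # 40-byte section headers follow the optional header
        _n, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, vsize, rptr, rsize))
    return image_base, size_of_image, sections, import_rva


def check_imports(data):
    """Per descriptor: DLL name, function names (None if unreadable), unresolved count, redirected count."""
    image_base, size_of_image, sections, import_rva = parse_pe(data)
    desc_off = rva_to_offset(sections, import_rva)
    if desc_off is None:
        raise ValueError("import directory RVA is not inside any section")
    report = []
    while True:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, desc_off)
        if oft == 0 and name_rva == 0 and ft == 0:
            break  # all-zero descriptor terminates the table
        name_off = rva_to_offset(sections, name_rva)
        entry = {"dll": read_cstr(data, name_off) if name_off is not None else None,
                 "functions": [], "unresolved": 0, "redirected": 0}
        # Names come from the INT; with no INT only the IAT is left, and a dumped IAT
        # holds live addresses rather than RVAs, so nothing will resolve from it.
        int_off, iat_off = rva_to_offset(sections, oft or ft), rva_to_offset(sections, ft)
        i = 0
        while int_off is not None and iat_off is not None:
            thunk, = struct.unpack_from("<I", data, int_off + 4 * i)
            if thunk == 0:
                break
            iat_val, = struct.unpack_from("<I", data, iat_off + 4 * i)
            if thunk & IMAGE_ORDINAL_FLAG32:
                fn = "#%d" % (thunk & 0xFFFF)
            else:  # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the name
                hint_off = rva_to_offset(sections, thunk)
                fn = read_cstr(data, hint_off + 2) if hint_off is not None else None
            entry["unresolved"] += fn is None
            # A real API lives in another module; a slot whose value falls inside this
            # image is pointing at the protector's redirection stub instead.
            entry["redirected"] += image_base <= iat_val < image_base + size_of_image
            entry["functions"].append(fn)
            i += 1
        report.append(entry)
        desc_off += 20  # sizeof(IMAGE_IMPORT_DESCRIPTOR)
    return report


def build_sample_dump():
    """Constructed PE32 'dump': one section (RVA 0x1000 at file offset 0x200), kernel32
    intact, user32 with one eliminated name thunk and one IAT slot redirected into the image."""
    img = bytearray(0x600)
    img[0:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)                                   # e_lfanew
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)  # COFF: 1 section, DLL
    struct.pack_into("<HBBIIIIIII", img, 0x98, 0x10B, 0, 0, 0, 0, 0, 0, 0, 0, 0x400000)  # magic .. ImageBase
    struct.pack_into("<I", img, 0x98 + 56, 0x2000)                            # SizeOfImage
    struct.pack_into("<IIIII", img, 0x98 + 92, 16, 0, 0, 0x1000, 40)          # dir count, export, import dir
    struct.pack_into("<8sIIII", img, 0x178, b".text", 0x1000, 0x1000, 0x400, 0x200)

    def put(rva, raw):
        img[rva - 0xE00:rva - 0xE00 + len(raw)] = raw

    put(0x1000, struct.pack("<10I", 0x1100, 0, 0, 0x1200, 0x1300, 0x1140, 0, 0, 0x1210, 0x1340))  # 2 descriptors
    put(0x1100, struct.pack("<III", 0x1220, 0x1230, 0))                        # kernel32 INT: two names
    put(0x1140, struct.pack("<IIII", 0x1250, 0x7FFF0000, IMAGE_ORDINAL_FLAG32 | 7, 0))  # name, junk RVA, ordinal
    put(0x1200, b"kernel32.dll\0".ljust(16, b"\0") + b"user32.dll\0")
    put(0x1220, b"\0\0CreateThread\0".ljust(16, b"\0") + b"\0\0IsDebuggerPresent\0".ljust(32, b"\0")
        + b"\0\0MessageBoxA\0")                                                # hint+name at 0x1220/0x1230/0x1250
    put(0x1300, struct.pack("<III", 0x7C810000, 0x7C813000, 0))                # IATs hold live VAs (invented);
    put(0x1340, struct.pack("<IIII", 0x77D50000, 0x00401F00, 0x77D60000, 0))   # 0x00401F00 lies inside the image
    return bytes(img)
```

Run `check_imports(build_sample_dump())` and the kernel32 descriptor comes back clean while user32 reports one unresolved name and one redirected slot: that is the shape of an eliminated import, and it tells you which slots the rebuilder still needs the live process for (tracing the redirection stub back to the real API is what ImpREC's tracer options do; a static walk like this can only point at them).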
#6
What is your target?
http:// www. absolutelock.de/construction/files/infobase/New/arma_debugblocker/tutorial.html I believe covers import elimination....
#7
MrAnonymous: That is the exact tutorial I went over. I guess I'm going to have to use it, even though it goes way into detail about Debug Blocker, which is way over my head for now... I'm looking for a tutorial that would actually deal with import elimination with Armadillo and not too much of the other fancy stuff (like Debug Blocker).
[UPDATE] I put a little more effort into this and managed to follow MEPHiST0's tutorial, even though it's mostly about Debug Blocker. I managed to get "close to the OEP" by patching IsDebuggerPresent and breaking on CreateThread (the first is where we need to break...), however the famous "call edi", which I gather should be the original OEP, is never reached. In this target I get to 009A891F, which is the pop/jmp just one below the "sweet spot" (call edi - 009A89CD), and wind up back in the target DLL's code at 20040FF1. If anyone would be kind enough to take a look and tell me what I'm doing wrong on my first manual unpack attempt, I'd be thankful. Last edited by FEARHQ; 01-26-2005 at 14:31.
#8
Could anyone give me a hand from where I'm stuck? I've been using Lunar Dust's DLLLoad.exe to load the DLL in OllyDbg, but I am stuck and cannot find the OEP.
#9
UnPacKed By heXer
__________________
UpK http://www.unpack.cn
#10
This doesn't help for knowledge! Tutorial??
#11
I'm also having problems unpacking v3.78 in an exe. It's a tough packer.