Reverse Engineering Team Board > Reverse Engineering Board > File Unpacking
#1
Old 01-27-2011, 12:42 AM
scriptkiddy
Junior Member
Join Date: Jan 2011
Posts: 1

[Help] Having difficulty with armadillo, what is it doing?

Armadillo 8:

1: It tries to debug itself and creates a mutex when this happens. I counter this by forcing OpenMutexA to return 1.

2: I have found the entrypoint and put a hardware breakpoint on it. Several IAT jumps are redirected by the protector, such as GetModuleHandleA.

3: I put a hwbp on the GetModuleHandleA address, and here is what happens:

- The packer allocates memory with VirtualAllocEx and VirtualProtect to write to it.
- The packer uses GetProcAddress to fill up a different address, which I have found does not affect the IAT whatsoever.
- The packer then wipes the memory it allocated.
- The packer then creates the memory it allocated again.
- The packer then creates the memory it allocates.
- The packer then calls the OEP, and my hardware breakpoint address is completely different and rendered useless.

What can I do? Can someone give me advice? I have spent the last 8 hours trying to unpack this unpackme, but I've been having no luck. I have also checked out tutorials, and in the tutorials their HWBP is accessed and they see where it is redirected. But mine just deletes itself, recreates itself, deletes itself again, throws a bunch of exceptions, calls CreateThread and then goes to the OEP.
#2
Old 04-10-2011, 02:20 PM
apuromafo
Junior Member
Join Date: Apr 2011
Posts: 2

ArmaGeddon 1.9 can unpack it, but after that you must add the environment variables (bp on GetEnvironmentVariableA/W); there are some secured sections (check the many NOP areas), so it is not easy to do it fully.

1) When trying the DebugBlocker, there is not only one; it must have a dword value on the stack.

2) There is also CopyMem2; the first step is to check with ArmaFP2. Normally there is a crypter call, which must be NOPed, and afterwards you fight with nanomites + code splicing + bad PE + import destruction + a check of whether the app can be packed.

Check the written appendix that was done on v8; it is in Spanish, with the script by fungus of Tuts4you.com.

My English is so poor; I hope you can understand what I'm talking about.
Here are some refs:
http://forum.tuts4you.com/index.php?showtopic=24247

Original link in Spanish:

http://ricardonarvaja.info/WEB/CURSO...0Apuromafo.pdf
Greetings, Apuromafo