1. Nanomites Processing
The Nanomites provide additional protection against memory-dumping for your programs. They will protect your program even if it is somehow stripped out of the SoftwarePassport/Armadillo shell. If your program can use the Debugger-Blocker or CopyMem-II, it should be able to use Nanomites as well. Besides enabling this option, you must mark sections within your program where Nanomites are permitted to reside and won't cause any speed problems, and use a custom build of the Armadillo engine. This option can only be used with the Debugger-Blocker or CopyMem-II protections.
Nanomites Processing is what is commonly referred to as "CC"; it is the Armadillo protection measure that causes the most headaches.
2. Import Table Elimination
Import Table Elimination is another anti-dumping defense. It removes the import table of the program, making it much more difficult to reconstruct the unprotected program file. Unlike CopyMem-II and the Nanomites, this defense does not require the Debugger-Blocker, but it is only available in custom builds.
Import Table Elimination generally places the import table in memory allocated by the shell and shuffles its order.
For a shuffled import table there have been two approaches: (1) write code to re-sort it; (2) use ImportRec's "create new IAT" function directly to build a new import table.
3. Code Splicing
Strategic Code Splicing is another anti-dumping defense. It removes portions of your code and places them randomly in memory, changing them so that they still operate the same but are coded differently. Unlike CopyMem-II and the Nanomites, this defense does not require the Debugger-Blocker, but it is only available in custom builds.
Code Splicing is commonly called "remote addresses": Armadillo moves part of the program's code into a memory segment allocated by the shell and runs it there, so an ordinary dump loses that portion of code. There have been two approaches: (1) modify the address returned by VirtualAlloc so that the moved code is placed in an unused section of the shell; (2) after dumping, append the shell-allocated memory segment that contains the moved code.
4. Memory-Patching Protections
The Memory-Patching Protections prevent an attacker from using a loader to change your program's code in memory once it's loaded. If you handle any part of the expiration logic in your program's code, or use environment variables to control features that are only allowed in the paid-for version, then your program might be vulnerable to a memory-patching attack.
If you use this option, you MUST use either CopyMem-II or the monitoring thread (or both), or it won't be able to do anything.
The only time this option can cause a problem is if your program uses self-modifying code -- this option would consider that an attack, and would deliberately crash your program to stop it.
Memory checksum.
0161980C 2BCA sub ecx,edx
0161980E FFD1 call ecx ; fraps.0040C434
//飞向光明之巅
01619810 8945 FC mov dword ptr ss:[ebp-4],eax
01619813 8B45 FC mov eax,dword ptr ss:[ebp-4]
01619816 5F pop edi
01619817 5E pop esi
01619818 C9 leave
01619819 C3 retn
ArmInline is an Armadillo unpacking tool designed specifically to deal with the many anti-dump features available with private builds of Armadillo 4.x. Features:
* Code Splicing:
ArmInline 'revirgin's code protected by 'Strategic Code Splicing' by recursively identifying and removing the redundant opcodes, rather than dumping and patching in a VirtualAlloc, and so it adds nothing to the size of your dump.
* Import Elimination:
ArmInline is capable of consolidating DLL imports that have been shuffled by Armadillo's 'Import Elimination' and can generate a new IAT, which can then be used by ImpRec (or any other import table reconstructor). Any references to the old IAT are automatically redirected to the newly created, streamlined IAT. Note that ArmInline cannot retrieve Armadillo's stolen imports, so you will have to fix this prior to rebasing the IAT if you want a working dump.
* Nanomites:
Locates all of the nanomites in a dump and uses the packed exe to analyse them, generating a Nanomite table containing all the necessary information to produce a working dump. ArmInline can patch a small piece of vector exception handling code into your dump which will deal with the Nanomites on the fly.
It's not the fastest tool you're ever going to see - it can take a few seconds to work a large 'Dillo (due to the recursive nature of its Code Splicing redundancy algorithm, the brute-force Nanomite debugging and the fact that I took the liberty of using Visual Basic to write much of it) and although it hasn't failed me yet (much), it has certainly not been thoroughly tested, and is provided without any guarantees whatsoever. So use this software at your own risk.