ArmaGUI V1.3.5 ,1.5,1.51,1.52
Posted: 2006-8-3 11:08 5212

############################################
ArmaGUI 1.3.3 - Armadillo 3.xx/4.xx unpacker
Spec0p 2004/2006
############################################

Supported Armadillo options:
Standard Features
Debugblocker
CopyMemII
Nanomites
Import Elimination
Strategic Code Splicing

Main features:
Complete automatic recover and validation of nanomites, even the fake ones in the tables;
Complete automatic reinsertion of Strategic Spliced Code at the original location before exe was protected by Armadillo;
Complete rebuild of the dumped file, cleaning all the trash;
Complete rebuild of the IAT without the use of any extern tool;

Introduction & Disclaimer:
ArmaGUI is an unpacking tool for the commercial protector Armadillo from Silicon Realms Toolworks (http://siliconrealms.com/index.shtml); it supports most of the protection options offered by Armadillo since version 3.
It's coded in VC++ with MFC for GUI support and some inline asm; MFC is the explanation for the overbloated 212kb exe file. It's only tested on XP SP2, maybe it works on w2k3 too, forget anything below XP.
This project was started based on a "challenge" by crUsAdEr on the excellent Woodmann forum: http://www.woodmann.com/forum/showthread.php?t=6365
crUsAdEr said: "hopefully u wont spread it to everyone though cos unpackers itself doesnt teach ppl much.", and I agree with that. This tool has been working for 1+ year now as private but underwent big and important updates along the way.
This tool WASN'T created to harm SRT in any way, Armadillo is a good product with some nice ideas.
It WAS created out of my desire to see if I was able to create an unpacker for some protector more complex than UPX, together with the challenge from crUsAdEr; learning was and will always be my main purpose.
I know the GUI isn't very user friendly, but really I don't care, don't bother bashing me about that;
I know it crashes a lot, my coding sucks, the code is crappy and non-optimized, really it's a mess, eventually it will hang ur PC;
If all this isn't a problem for you, then I hope you enjoy using the tool almost as much as I enjoyed creating it;

Why make it public?
Because today there are already several tools out there like ArmaInline or dilloDie, and it seems that SRT are updating Armadillo again, so ArmaGUI won't be useful for long;
Also Nico is no longer part of the SRT team, I know him from the RCE community and I liked him, that was a very bad move Chad;

When to use it?
This tool should ONLY be used when you own a purchased license of some product protected by Armadillo and want to rip the Armadillo from it.
Now you are wondering what the use of the tool is if you already have a purchased license. Well, Armadillo protection schemes do slow down the original code, mainly if options like Strategic Spliced Code, Nanomites or CopyMemII are used, so by ripping Armadillo off, you will get the original faster code.

How to use it:
Unpacking tab:
Select DebugBlocker: If you run the app and find there are 2 processes with the same name;
Select CopyMemII: If you chose DebugBlocker and got an error from the tool while dumping the file from memory;
Select IAT Elim: If you get an error while dumping or fixing the IAT;
Select Spliced Code: If after a successful dump, the dump crashes because of some long jumps to non-existing memory locations;

Fixing nanomites:
Select the needed options from the unpacking tab, and UNSELECT the "rebuild file" option.
After dumping the file go into the nanomites tab, select the "edit" option and the section field will get filled with the name of the 1st section in the protected exe, change it if it isn't correct, also change the name of the dumped file if you didn't name it "dumped.exe", press fix.
After the nanomites are resolved go into the Utils tab, press select file to select the dumped and fixed exe, select the "rebuild file" option, select "IAT Elimination" according to what you selected in the unpacking options, finally press "do it".

Special Thanks:
c0n3r0n3(sometimes supports me, sometimes fu** my head, love him anyway), Melvill, Forgetoz, Portuogral, Eddie, Crusader(The challenger), Ricardo Narvaja(Excellent tuts), tenketsu (amazing investigation job in your compendiums)

Shouts to:
CrkPortugal RCE community;
Woodmann RCE community;
Exetools RCE community;
All those who deserve respect in the RCE scene;
uP Clan (www.upgaming-hq.com) for helping me relieve the coding stress;
You for reading this;

Note:
        *It's funny and confusing at the same time how some people are able to say that something is trash just because they didn't read the instructions or don't know what they are doing, just using the tools as script kiddies... This tool doesn't unpack 100% of the existing targets because of some custom stuff, but give me a break.. at least 1%. I have been reading that it doesn't unpack zit, fails in every attempt.. I love those people.. Learn what you are dealing with before using a tool, there will be some time in your life where you won't have a tool with nice and shiny buttons to press.. So if you were one of those smurfs, you are FORBIDDEN to use my work anymore;
        *For all other people that supported me, sending bug reports and friendly words, thank you and here is a new version, enjoy;

History:
01/08/2006 - V1.5:
        *Self detect protection options;

30/07/2006 - V1.3.6:
        *There are several problems with the spliced code engine, seems that some apps use code that is very hard to not understand as trash, despite my best efforts there will be times where it will fail, added an option to redirect the code instead of reinserting;

29/07/2006 - V1.3.5:
        *Several bugs fixed on the spliced code engine;

27/07/2006 - V1.3.4:
        *Rewrote a big part of the IAT Elim recover engine, it should be a little faster now;
        *Fixed an important bug on the IAT engine, some imports weren't resolving correctly, others didn't resolve at all, some speed is lost;

25/07/2006 - V1.3.3:
        * Added support for some new custom versions I found, this included updates in the IAT/SPC engine;

21/07/2006 - V1.3.2:
        * Fixed a bug that was causing the IAT rebuilding engine to crash;

21/07/2006 - V1.3.1:
        * Fixed a bug in the Spliced Code Engine, where it sometimes cleared trash code that actually wasn't trash. But really, why would some code have instructions like *mov eax, eax* in it? Anyway it should be kind of fixed now, needs more testing;

        * Fixed a bug where false nanomites were being fixed under specific conditions, needs testing;

20/07/2006 - V1.3:
        * Rewrote the Spliced Code engine, it now fully parses all the stripped code and inserts it at the original position before it was ripped and obfuscated by armadillo, from now on it's impossible to identify where the spliced code was, or I risk to say, to even guess that the dumped file was ever protected by the Spliced Code option, this makes our analysis work much easier, and allows to clear one more section that was before used to keep the ripped code, this means that together with the improvement I did a few days ago in the IAT Elim engine, after the file rebuilding, the dumped file will be almost identical to what it was before being protected in code and in size;

18/07/2006 - V1.2:
        * Wrapped part of the disasm engine source code from Ollydbg into a class, and I will use it from now on;

        * Nanomites are now fully parsed automatically, no more need to parse the nanomites one by one to validate them;

        * Small update to IAT Elim recover engine, the size of the section where the new IAT VA is saved will be the IAT size itself, that reduces the dumped file size after the rebuilding;

16/07/2006 - V1.1:
        *Fixed the way to detect the IAT Elim fixing routine, arma was clearing all my breakpoints, can't say if it was custom code;

        *Small change on how loading libraries are detected;

June 2006:
        *World of Warcraft rocks :x, and it's also destroying my life;

May 2006 - v1.0:
        *Added support to unpack dll's, it can now really be called an unpacker (tm);

April 2006:
v0.8:
        *More bugs fixed

v0.7:
        *Implemented engine to completely rebuild the IAT without use of any external app;

        *Implemented engine to completely rebuild the dumped file without use of any external app;

About 10 months later, February 2006 I decide to get back on RCE:
v0.6:
        *Added support for version 4.xx

V0.5:
        *Completely rewrote the application;

Sometime in 2005:
v0.4:
        *Lots of bugs fixed;
        *Added support to Nanomites;

v0.3:
        *Added support to IAT Elimination;

Sometime in 2004:
v0.2:
        *Some bug fixes;

        *Added support to Spliced Code

        *Added support to CopyMemII;

v0.1:
        *First release;
        *Unpack single process protected apps;
        *Unpack double process protected apps;

11 November 2004:

        Started the project on a challenge by Crusader:
        http://www.woodmann.com/forum/showthread.php?t=6365

Latest replies (18)
2
It's not 1.5, it's 1.3.5.
2006-8-3 12:17
3
We'll soon be able to get 1.5 from the author.
Closed beta, closed beta, hehe.
2006-8-3 12:37
4
Bookmarked, thanks.
2006-8-3 16:21
5
At least for now it still can't compare with 6dilloDIE 1.5.
2006-8-3 16:38
6
Originally posted by cd37ycs
It's not 1.5, it's 1.3.5.


Note:

The author has updated it; the tool is 1.5, only the title wasn't changed.

It's v1.5, the detection stuff is a major upgrade, the about box and title bar aren't updated as it seems, I don't look too much at them. Thank you for the tip fly, I updated the link to avoid confusion.
2006-8-3 18:44
7
thx for sharing !
2006-8-3 18:58
8
I've never once succeeded with this thing...
With dilloDIE, on the other hand, I can unpack quite a few targets.
2006-8-3 20:10
9
thanks
2006-8-3 20:36
10
01/08/2006 - V1.5.1:
*Small bug fixed on CM2 detection, cheers to bedrock;

http://rapidshare.de/files/28023165/release.rar.html
2006-8-3 23:25
11
The CC fixing doesn't work very well, does it? I haven't seen it fix any successfully.
2006-8-4 01:34
12
Let's see how well 1.5.1 unpacks!
2006-8-4 02:30
13
09/08/2006 - V1.5.2:
*Dll's unpacking fixed, this option wasn't working at all since my last modifications;
*Several stuff added to spliced code and nanomites engines;

http://rapidshare.de/files/28758882/ArmaGUI_v1.5.2.rar.html
2006-8-11 08:44
14
Thanx!
2006-8-11 12:19
15
Originally posted by linhanshi
01/08/2006 - V1.5.1:
*Small bug fixed on CM2 detection, cheers to bedrock;

http://rapidshare.de/files/28023165/release.rar.html

Another update, thx
2006-8-11 14:58
16
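I really don't know whether the author tested this. I tried it directly on the Armadillo public main program and it has never succeeded. Not only does it fail, the unpacker also seems to hang.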
2006-8-11 17:51
17
http://rapidshare.de/files/28758882/ArmaGUI_v1.5.2.rar.html
2006-8-11 20:40
18
I downloaded v1.5.2, and after extracting it and clicking ArmaGUI.exe the following warning appears. I don't know what the problem is; I'm on WIN2000:

无法找到程序输入点 ebugActiveProcessStop (在动态连结程序库
KERNEL32.dll)
2006-8-12 09:16
19
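Originally posted by soro
I downloaded v1.5.2, and after extracting it and clicking ArmaGUI.exe the following warning appears. I don't know what the problem is; I'm on WIN2000: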

无法找到程序输入点 ebugActiveProcessStop (在动态连结程序库
KERNEL32.dll)


Yes. Same for me -- win2k+sp4.
2006-8-12 16:52