This tool can strip Armadillo protection from protected EXEs / DLLs.

Tested on: Various applications protected by versions 3.78 through 6.62.

Limited or no support for Win2k (due to use of the DebugActiveProcessStop API). Support for Win2k3 Server, XP SP1/SP2/SP3 and Vista 32-bit.

If you experience any problems running the program, you may need to download and install the Microsoft Visual C++ 2005 Redistributable Package (x86), available here: http://www.microsoft.com/downloads/details.aspx?familyid=32bc1bee-a3f9-4c13-9c99-220b62a191ee&displaylang=en
What's New
The program has been recoded to the extent possible to increase stability and reduce maintenance and errors.

+ A new option for ignoring the second .text section in the PE header, which, if it exists, the tool will sometimes use for finding the OEP, which may cause problems.
+ All known bugs have been corrected.
+ A new bitmap caption replaces the Window text.
+ The process of logging nanomites has been modified to include loading / saving logged entries. This is necessary for detaching from a process using the copymem2 option when "Resolving" any nanomites. This is optional for "Resolving" nanomites in a dumped file.
+ Fixed some problems related to using the nanomite "Repair" and "Resolve" options for targets rebuilt using the "Minimize size" option.
+ A new option "ArmAccess.dll" allows for the loading of the ArmAccess.dll in the process (if required) to resolve import issues due to ArmAccess functions being called by the target application. This option is rarely needed.
+ Hide tool from PEB NtGlobalFlag.
+ The nanolib.dll is now a fully external process. It no longer uses the OpenProcess API to open the existing child process from Armageddon; instead, it is passed the number of potential nanomites found along with a pointer to an array, which is used in the analyze process. Armageddon terminates the father / child processes before calling the nanolib.dll. The nanolib.dll has been further enhanced for security. Special thanks to NeVaDa UnReal-RCE PersianCrackers for finding a bug in the nanolib.dll, specifically as it relates to the IdentifyNano() function.
+ The condition table of possible jumps reflected inaccurate information, resulting in incorrect jump determination. This has been resolved and should produce more accurate analysis of nanomites.
+ The parsing of potential nanomites has been improved.
Special thanks to Nacho_dj for improving upon the ARTeam ARImpRec.DLL, which includes:

+ Fixed a bug when rebuilding imports by using relocations
+ Added overlay detection for newest version of Armadillo
+ Fixed a couple of bugs when searching for any possible overlay
+ Improved code when rebuilding imports using relocations data
+ Fixed bug when rebuilding imports using relocations data
+ Fixed some bugs when rebuilding Visual Basic targets
+ Fixed a bug when rebuilding imports using relocations data
+ Added analysis of imports using relocations data
+ Fixed some bugs when rebuilding imports
+ Added support for zlib packed overlays
+ Improved rebuilding of imports, now based on relocations data, if they exist
+ Added rebuilding of VC++ 3.0 targets
+ Fixed rebuilding of Export Table
+ Improved the speed of processing imports, changed the way of accessing the data and the algorithms.
+ Improved the rebuilding of section names for Armadillo 6 when using MinimizeSection.
+ Fixed some bugs for overlay targets.

Special thanks to Admiral for improving his Nanoviewer tool and his VEH loader for Vista. Armageddon contains both the original Rwb32.bin file plus the newer Rwb32_vista.bin file for the "Repair" option. Armageddon will choose the appropriate file based on your OS, if used.

+ 30/11/08 - v0.96ff
+ Bugfix: A couple of bug reports filtered in over the years, all pertaining to the Nanomite loader. Two fairly important fixes were made, so I thought I'd publish the minor changes that were necessary to make the Nanomite handler Vista compatible.
Key features
+ Standard Protection
+ Minimum Protection
+ Memory Patching
+ Debugblocker
+ CopyMemII
+ Import Elimination
+ Import Redirection (Emulation)
+ Strategic Code Splicing
+ Nanomites
+ Randomized PE section names
+ Shockwave Flash + applications that utilize overlays (minimize size option required)
+ Hardware locking (Standard / Enhanced Fingerprint support)
+ DLL support: Requires included dll loader.exe to load the target dll
+ Open / Save dialogs updated for exe / dll, plus, resolve relocations.
Full imports rebuilding: ARTeam Import Reconstructor ARImpRec.DLL - 1.4.6 by Nacho_dj. Updated 2009 July. Coded in Delphi 7 Enterprise.

It rebuilds imports in a previously dumped file. The IAT is rebuilt in the same place where it was found, and the Import Table is built in a new section appended at the end of the file. The PE header is fixed up with the required data. The main feature is that it ignores all invalid thunks found between valid ones, then rearranges the imports found, rebuilding a single array of thunks for every module. Thus, it can rebuild a shuffled IAT.