
Created: Monday, March 3 2008 15:23.29 CST Modified: Monday, March 3 2008 15:51.29 CST
Armadillo v.5 x64 Unpacking tutorial
Author: Pnluck # Views: 14654

I believe I'm the first one to write a tutorial about x64 unpacking: http://quequero.org/Armadillo5_x64_Unpacking.
With the article there's a demo of my ItRebuilder x64: I'm developing it for myself (at least for the start); it is an ImpRec-like software for Win x64, so for PE+ files, which I should release soon.

I hope it is useful.


Blog Comments
NeOXQuiCk Posted: Monday, March 3 2008 20:10.17 CST
nice tut... keep up the good work...


bye

morel Posted: Tuesday, March 4 2008 04:53.25 CST
thumbs up.

are you also amused by the fact that it took a few years and 5 versions to bring Armadillo to a decent level? damn, authors of exe protectors seem to learn their business _during_ the development, not before..

nico Posted: Tuesday, March 4 2008 09:35.37 CST
I am also amused to read comments like this one.

First off, I was the co-author of Armadillo a few years ago.
I started unpacking PE files 10 years ago, and wrote packers/unpackers for x86, x64 and ARM CPUs.

So I doubt your "they seem to learn their business _during_ the development, not before" is actually true. Most of the protections were written by people with years of unpacking experience.

Regarding your "It took a few years and 5 versions to bring Armadillo to a decent level": Armadillo's internals haven't changed for 2 versions, so you're wrong. Very few changes were made.

Take any of the current best protection systems, and you will see that all of them took a few years of updates too, and are still cracked nonetheless. Some of them even changed their names, to look like brand new protections and hide their past.

It's a lot harder to write a protection that will work for all your customers (and all their BIG applications), even on old operating systems, than to actually unpack one.

Of course, if your protections will never be executed on more than a few thousand customers' computers, almost-stable protectors can do the trick. You have better protections, but they're not going to be used on hundreds of thousands of computers without complaints everywhere.

And if you only pack small, not very complex applications, the chance of seeing problems is low.

I can't speak for current Armadillo, but when I left, we were still supporting Windows 95 because a LOT of customers were still using it, and customers' customers too.

We couldn't just add some cool tricks without hardcore Quality Assurance, because we can't just write almost-stable security features and ship them to customers. (Some protectors do: they test it on their computers and release it to the public, with relative success.)

Nowadays, there are better protections out there, for sure.
A lot of them have blatant stability problems and fail to run on computers for unknown reasons (clean computers).

Most of them aren't widely used, so they don't really care, and prefer to use "almost stable" features that work most of the time to bring better protections, but more compatibility problems.

They rely on their anti-debugging techniques and bloated obfuscations to prevent analysis, and very little is done against rebuilding in a lot of cases.

VM protections aside, it doesn't take much coding to rebuild them.

This x64 version of Armadillo is using minimum protections. With due respect to the author, this is trivial to unpack.

The wrappers aren't import protections but were created because of the way the wrapping works.

This x64 target is far from decent, and is more of a joke than anything else. The only difference between 32 bit and x64 in this case is the lack of tools. The same protection on a Win32 executable would take 5 minutes to be unpacked by the average joe.

Still, it's good to see unpacking tutorials on the x64 platform, because this isn't really documented, so good work Pnluck.

morel Posted: Tuesday, March 4 2008 10:07.27 CST
so can you please explain why the cryptography scheme was breakable for so much time? first versions were a joke, then the scheme was changed, but again skamer delebre / dT completely owned it. i don't know what the situation is now, but it seems strange that people who apparently know their business fail to implement a simple RSA / DSA signature for so much time. rather than using a scheme of mathematically proven strength, you used some shit straight from space or made some trivial implementation error.

for readers that aren't familiar with history of armadillo:
it's an exe protector that allows users to protect their software with a name / serial combination. for a long time it was possible to keygen such apps without patching them.

sure, even RSA-1024 can be keygenned if the public key is patched, but the sad part is that arma developers needed quite some time to understand cryptography.

nico Posted: Tuesday, March 4 2008 10:41.08 CST
The licence and the packing are two different parts.
I didn't work on the licensing at all. Are you a friend of skamer? I'd like to know if your opinion is biased.

The first schemes were weak; it was not RSA though. Nothing created by the author, but badly implemented crypto.

On the other hand, a lot of the levels weren't made to be totally secure, but rather, to offer small keys to customers, since they didn't want to have very long keys.

Armadillo has been using Elliptic Curves for more than 2 years now; I haven't seen any keygens from skamer since then (or whoever was making them, according to scene rumors).

Even the ECC has had some problems, pointed out by TMG, but it required more than a computer to take advantage of them.

Asprotect had weaknesses when it introduced its RSA-based licenses. It was keygenned and fixed. At some point they introduced a new scheme, for shorter keys (sounds familiar?), and they were keygenned too. But I suppose this was expected.

Most of the time, people don't use the licensing properly, so the registration scheme doesn't really matter, unless the protection is implemented correctly.

My main point, morel, was: stop attacking protection authors (at least on the packing level), because most of the time they have been reversing for years, but they have to offer stability rather than crazy security.

There were other protections that got keygenned; I won't cite them.

Every protection was broken; nonetheless, as long as the skills needed to unpack/keygen a given application are high enough, and it doesn't crash on your customers' computers, it does its job.

I am not looking for a fight here, I am just tired of the protection-author bashing.

morel Posted: Tuesday, March 4 2008 11:24.36 CST
> Are you a friend of skamer ? I'd like to know if your opinion is biased.

i don't know skamer personally. what opinion? skamer keygenned arma at some stage, it's a fact, not an opinion. note that your opinion is more likely to be biased, since you, not me, were personally involved in developing arma.

> My main point morel was, stop attacking protection authors (at least on the packing level), because most of the time they have been reversing for years, but they have to offer stability, rather than crazy security.

i never attacked protection authors (on any level). it's your impression. by 'decent protection' i meant protection that takes more than 5 minutes to unpack, and first arma versions didn't meet this requirement afair.

i think my expression of thoughts was a bit more polite than yours on a different forum, regarding a different protector (assuming that it was you). here is your post:

"""They don't support dll at all i believe. This protector is a joke  the only fun features i could see, is replacing the libC with their own lib, but i haven't checked how they implemented that."""

how would you comment this? isn't this a contradiction to what you wrote above?

> There were other protections that got keygenned, i won't cite them.

that's true, but arma was among them.

> Every protections were broken, nonetheless, as long as the skills needed to unpack/keygen a given application is high enough, and doesn't crash on your customers computers, it makes its job.

fully acceptable. that brings us to the question: what is the main purpose of a protector? i think the correct answer is slowing down the attacker / stopping the kids.

> Believing in a cracker proof protection is rather naive.

i agree.

again, i mean no disrespect. some things about arma are good, some are bad. my opinion is that bad things dominated in early versions.

Pnluck Posted: Tuesday, March 4 2008 11:32.53 CST
[quote nico]
This x64 version of Armadillo is using minimum protections. With due respect to the author, This is trivial to unpack.

The wrappers aren't import protections but were created because of the way the wrapping works.
[/quote]
Yes, I know that this unpackme is trivial to unpack: there aren't nanos, copy-mem, Import table elimination, etc...
I wrote this article because I wanted to be the first one to write on x64 unpacking, and to draw attention to x64 reversing; in fact, as you said: "The only difference between 32 bit and x64 in this case is the lack of tools". For this reason I, jstorme and TiGa are developing, separately, an ImpRec-like software; and feryno is developing an x64 portable debugger like this: http://fdbg.x86asm.net/index.html.
That's all, I don't want to take part in your discussion.

nico Posted: Tuesday, March 4 2008 12:24.12 CST
>i don't know skamer personally. what opinion? skamer
>keygenned arma at some stage, it's a fact, not an opinion.
>note that your opinion is more likely to be biased, since
>you, not me, was personally involved in developing arma.

I have not been involved for 2 and a half years.
For the same reasons, I said the x64 version presented was a joke. I left the company because I wasn't happy with the path it took, and the protection level wasn't good enough and couldn't be changed as I wanted, and therefore presented little interest.

>i never attacked protection authors (on any level). it's
>your impression. by 'decent protection' i meant protection
>that takes more than 5 minutes to unpack, and first arma
>versions didn't meet this requirement afair.

Saying we were learning how PE protections work as we developed them was one, in my opinion.

>i think my expression of thoughts was a bit more polite
>than yours on a different forum, regarding different
>protector (assuming that it was you). here is your post:

That was me.

>how would you comment this? isn't this a contradiction to
>what you wrote above?

According to your standard, a decent protection takes more than 5 minutes; their packer didn't and therefore is a joke.
As I said earlier, this is another case of "use a driver to prevent debugging, and the rest can be as complex as upx".

By using int 1 and 3 hooking (system wide, not even only in the protected process), they pretend no debugger can be used on their system; it's totally wrong.

Add that driver to upx, and you basically get the same amount of protection. You can't call that a protection.

The only interesting feature is the libc replacement, but unfortunately this is only useful if you use the original libc; otherwise, the sole protection is that packer.

I never said anything bad about any serious protection with serious development.

>that's true, but arma was among them.
Yes, among a lot of them.

>fully acceptable. that brings us to the question what is
>the main purpose of a protector? i think the correct answer
> is slowing down the attacker / stopping the kids.

Exactly. nothing else :)

>i agree.
>again, i mean no disrespect. some things about arma are
>good, some are bad. my opinion is that bad things dominated
>in early versions.

That's pretty much the case with any protection out there.
Arma has a lot of bad things, and since they couldn't be fixed, mostly because it needed to stay stable at some point, I left the company. I am not saying Arma is the top quality protection, I am well aware of the problems ;)

And we don't need tutorials to see where the problems are, most of the time. (Of course some people come with creative attacks, and can provide nice information).

I think we should stop it here, we agreed on the main points :-)

Cheers

nico Posted: Tuesday, March 4 2008 12:32.27 CST
@PnLuck

>Yes, I know that this unpackme is trivial to unpack: there
>aren't nanos, copy-mem, Import table elimination,etc...
>I wrote this article beacause I wanted to be the first one
>to write on x64 unpacking, and to take attention on x64

I know the feeling, I tried to do the same for ARM packing/unpacking. It's good to see contributions to the x64 platform, and your tutorial is a first step.
But it shouldn't be seen by some people as Armadillo's protection, but as minimal protection.

>reversing, infact as you said: "The only difference between
>32 bit and x64 in this case is the lack of tools": for this
>reason that I, jstorme and TiGa are developping,
>separately, an imprec-like softwar; and feryno is
>developping an x64 portable debugger like this
>http://fdbg.x86asm.net/index.html.

Good to see people writing tools for other platforms.

NeOXQuiCk Posted: Tuesday, March 4 2008 22:13.12 CST
hehehe nico, I see arm stuff really fired you up..

Nevertheless the article is a nice contribution.. nevertheless, whether you like it or not, tutorials will be made about arm, execryptor, aspr and others since they are mostly used, until ppl start to use something else.


There is only one RULE which really counts: IF you can RUn it, you can unpack it. No matter what you think or do.


About arm, I don't want to fire you up. BuT I was reversing it back in the days and sometimes I check it also now. If the owners wanted better protection they should recode all from 0, not add stuff.

That I think is the major flaw of arm.


sorry for bad eng



nico Posted: Wednesday, March 5 2008 09:54.56 CST
NeoxQuick,

It's not the tutorial that fired me up.
I don't mind the tutorials, nor any tools you know. I even posted a congratulation message for Armageddon on Woodmann.

I don't agree with you regarding the full rewrite from scratch, but you are invited to write your own one from 0 ;-)

Cheers! :)

NeOXQuiCk Posted: Wednesday, March 5 2008 21:13.16 CST
hehe I don't make a living off it so I don't need to

but reversing was always fun..

I meant if they want to make it harder like themida or execryptor they should.. nothing else.. but as you know, 1000 ppl, 1000 opinions..


