All Armadillo tools 2008-04-05
April 5, 2008. Posted by reversengineering in TOOLS, UNPACKERS.
All Armadillo tools updated till now 2008-04-05
ARMADILLO FIND PROTECTED V1
ARMADILLO KILLER 2
ARMADILLO REDUCER 1.7
ArmaGeddon v1.1.0 by Condzero
ArmaGeddon V1.2g by Condzero
ArmInline v0.96f (Eng)
ArmKiller v1.2.1 Tool by TLG_XQuader
Immunity Debugger 15 Scripts + 13 plugins
April 5, 2008. Posted by reversengineering in Immunity Debugger, TOOLS.
Tags: DEBUGGER, Immunity, plugins, Scripts
15 Scripts for Immunity Debugger
13 plugins for Immunity Debugger
Analyze This 0.1 1 Joe Stewart 22.93 kb
Asm2clipboard 0.1 FatMike 18.71 kb
Cleanup Ex 1.12.108 Gigapede 28.36 kb
Crypto Scanner 0.5b Loki 17.82 kb
FullDisasm 1.71 BeatriX 26.64 kb
HideOD 0.17 Kanxue 20.51 kb
IsDebugPresent 1.4 SV 4.15 kb
ODBGScript 1.65 SHaG & Epsylon3 70.26 kb
OllyDbg PE Dumper 3.03 FKMA 87.96 kb
OllyDump 3.00.110 Gigapede 60.85 kb
PhantOm Plugin 1.20 Hellsp@wn & Archer 759.72 kb
Ultra String Reference 0.12 Luo 22.46 kb
Windows Maximizer 1.0 BoB 9.92 kb
PhantOm plugin 1.25
April 4, 2008. Posted by reversengineering in OLLY'S PLUGINS, TOOLS.
--- [ PhantOm plugin 1.25 ] ---
by Hellsp@wn & Archer
// spring aggravation:
// IHA! PEOPLE WITH ALL DAY! SPRING WALKS! BEER begins! GO OUT WITH GIRLS X!
// LIVE LIFE TO THE FULL!
| Greetings fly to:
| Bronco, kioresk, RSI, lord_Phoenix, HoBleen, Grim Fandango,
| Guru.eXe, vad8787, PE_Kill.
A plugin to hide OllyDbg (with driver).
Helps against the following detection methods:
// driver – extremehide.sys
[+] Invalid Handle.
[+] Windows hide.
// plugin – PhantOm.dll
[+] PEB BeingDebugged.
[+] PEB NtGlobalFlag.
[+] Process Heaps.
[!] Protect DRx.
[!] Hide DRx.
[!] Fake Windows version.
[!] Custom Handler.
What’s New – 1.25
You can now set the service names yourself:
HIDENAME and RDTSCNAME.
Fixed some minor bugs.
Fixed bug with memory breakpoints.
What’s New – 1.20
Added own exception handling (C0000005).
Added changing of the main window title.
Added own exception handling (OUTPUT_DEBUG_STRING_EVENT).
int 3 at EP is now removed correctly if the stop
at the system breakpoint failed.
Added BlockInput interception. (WinXP only)
Added own exception handling (C0000094).
Added hiding from GetStartupInfo.
Fixed bug with the plugin settings.
Added protection against detection of the driver.
What’s New – 1.15
What’s New – 1.10
GetProcessTimes hook moved to the driver.
NtSetContextThread hook moved to the driver.
Fixed bug with removing the “EP break”.
Fixed several bugs related to loading options.
Added “DELTARDTSC” to the ini, which regulates the RDTSC spread.
What’s New – 1.04
Fixed BSOD while loading drivers.
What’s New – 1.03
Fixed bug with windows.
What’s New – 1.01
Fixed bug in the driver.
What’s New – 1.00
Added protection for OllyDbg windows.
OllyDbg is now patched regardless of ImageBase.
What’s New – 0.60
Added own exception handling (C000001E, 80000001, C000001D).
Added removal of int3 from the EntryPoint.
Fixed bug with GetTickCount.
Added anti-detection methods to the driver.
What’s New – 0.58
Fixed bug with Hide from PEB on some systems.
What’s New – 0.57
Fixed bug with the attachment to the process.
Added protection from GetProcessTimes.
[-] Removed option Fake Windows version (for the time being).
What’s New – 0.55
Improved GetTickCount emulation.
Added RDTSC emulation.
Fixed bug with not zeroing ServicePack.
Slightly optimized the code.
What’s New – 0.53
The driver is now stored in the resources.
Added NtSetInformationThread protection.
Fixed bug with Fake Windows version.
What’s New – 0.51
Fixed bug in GetTickCount.
Fixed bug with the PEB patch.
// Notes:
– if you change the plugin settings while a file is open in OllyDbg,
you must restart the program (Ctrl-F2).
– the plugin writes debug messages to the Log (Alt + L), so on the first run
it is advisable to enable all the options and check the Log for errors.
– tested only on Windows 2000 SP4, XP SP2.
– with the plugin, it is recommended to turn off programs that can prevent
drivers from loading (Antivirus, PC).
– if it works incorrectly, try the plugin on a “native” OllyDbg,
without extraneous plugins.
// Contact author:
mail: for.hellspawn @ gmail.com
file here:rar file
Armadillo Crc Finder V1.4
April 4, 2008. Posted by reversengineering in OTHER, TOOLS.
Armadillo CRC Finder shows the whole batch of CRC checksums of Armadillo-protected files, purely for the purpose of inline patching.
Since the previous version of this tool, the protector has changed a lot, so your v1.3 looks good in the recycle bin. Anyway, this new version
is really special, because it doesn't do a memory search for the CRCs; instead it emulates the whole Armadillo CRC generation routine, so the
protected file is not executed at all! With this big change, CopyMem-II is now supported and the probability of getting a bad CRC due to a wrong memory location is
For more information visit : N/A
Stud PE v 18.104.22.168 + PE Detective V.22.214.171.124
April 4, 2008. Posted by reversengineering in DETECTOR, TOOLS.
v 126.96.36.199 [2 apr 2008]
-fixed a bug with imported function name length;
-added external signature verifier; wrote a note about signatures;
-fixed RVA2RAW for UPACK, which has its EP inside the PE HEADER; now imports are shown fine;
-added basic disassembler to the hexeditor right-click menu;
-fixed showing which export is in fact a forwarder to another dll, like HeapAlloc in kernel.dll;
-added process memory dumper/viewer; right click on the process you want to inspect; you can
use the disassembler (from the right-click menu inside the hexeditor) to see how the code looks at
a certain VA; the difference from other dumpers (LordPE, ProcDump, PETools) is that it can dump/view
code blocks protected with PAGE_GUARD or NOACCESS flags.
Note about external signatures
Signature rules:
-sections with different names; a section is, e.g.: “[Name of the Packer v1.0]”
-when you fix external signatures file, you must fix first!!, section names (otherwise will
PE Detective is a freeware PE identifier created by Daniel Pistelli. This tool was originally designed to be part of the Explorer Suite II, but it can be downloaded separately as well. The PE Detective can scan single PE files or entire directories (also recursively) and generate complete reports. The PE Detective is deployed along with the Signature Explorer, which is an advanced signature manager to check collisions and to handle, update and retrieve signatures.
Scanning a file with the PE Detective tool is very easy: just drag & drop a file on the interface and press scan. If there are multiple results, all of them will be listed in descending priority. The data for each result shows the signature name, the number of matches (meaning how many bytes in the signature match; wildcards aren’t counted) and possible comments regarding the signature.
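Added example (not from the original post and not PE Detective's own code): a small wildcard signature matcher that reports hits the way the paragraph above describes, counting only non-wildcard bytes and listing the strongest hit first. The signature names, byte patterns, the `??` wildcard notation and the use of the match count as the priority are assumptions made for illustration.

```python
# Added example: wildcard signature matching with match-count ranking.
# Signature names and byte patterns are constructed, not real packer signatures.
SIGNATURES = {
    "Example Packer v1.0": "60 E8 ?? ?? ?? ?? 5D",
    "Example Packer v1.x (generic)": "60 E8 ?? ?? ?? ??",
    "Other Stub v2.0": "55 8B EC 6A FF",
}


def parse_signature(text):
    """Convert 'AA ?? BB' into a list of ints, with None marking a wildcard byte."""
    pattern = []
    for token in text.split():
        if token == "??":
            pattern.append(None)
        elif len(token) == 2:
            pattern.append(int(token, 16))  # raises ValueError on non-hex input
        else:
            raise ValueError(f"bad signature token: {token!r}")
    return pattern


def count_matches(data, offset, pattern):
    """Return the number of fixed bytes matched at offset, or 0 if the signature fails."""
    if offset < 0 or offset + len(pattern) > len(data):
        return 0  # signature would run past the end of the buffer
    fixed = 0
    for i, expected in enumerate(pattern):
        if expected is None:
            continue  # wildcards match anything and are not counted
        if data[offset + i] != expected:
            return 0
        fixed += 1
    return fixed


def scan(data, offset=0, signatures=SIGNATURES):
    """Return [(name, matches)] for every hit, highest match count first."""
    hits = []
    for name, text in signatures.items():
        matches = count_matches(data, offset, parse_signature(text))
        if matches:  # an all-wildcard signature scores 0 and is never reported
            hits.append((name, matches))
    return sorted(hits, key=lambda hit: (-hit[1], hit[0]))


# Constructed bytes standing in for the code at a file's entry point.
SAMPLE = bytes.fromhex("60 E8 00 00 00 00 5D 81 ED")
if __name__ == "__main__":
    for name, matches in scan(SAMPLE):
        print(f"{name}: {matches} matching bytes")
```

The more specific signature outranks the generic one because it fixes one more byte; when the buffer is too short for the longer pattern, only the generic signature is reported.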
Exeinfo PE ver.0.0.1.8 F ( sign 375 )
April 2, 2008. Posted by reversengineering in NEWS.
Summary of defects in Syser
April 2, 2008. Posted by reversengineering in RCE.
Summary of defects in Syser
I’m using the Syser 1.96 trial version (1.96.1900.939), available since 03/08/2008. My only goal is to help in the development of this product. Some complain of not having feedback, so here it is:
I would like to start by saying that Syser is evolving and despite this, it already offers a good quality.
1) No support for “azerty” keyboards
Users come to use it anyway, but it’s not very comfortable.
2) Can’t trace INTxx. Syser doesn’t emulate this case
Not practical when hooking IDTs with dispatches everywhere.
3) No real time display of 64-bit MMX registers
There’s a “static” possibility with the “wf1” command, but a real time display would be a plus.
4) No real time display of the active processor
You must type each time the “cpu” command in the command window. This isn’t practical when you are in a system information loop scan with a KeSetAffinityThread in the loop.
A real time display would be a plus.
5) Software keyboard
The colon punctuation sign (‘:’) is missing and you therefore need to type it on the keyboard.
Slash (‘/’) and backslash (‘\’) are inverted.
A truly effective soft keyboard would solve the first point (azerty keyboard).
6) The CodeView window doesn’t display modification in real time.
db cs : offset … and you change this or that opcode by hand, the “code” window doesn’t display the modification in real time. You need to issue a “one_step” command to see the modification or redo a “u cs:eip”. The same thing applies to the “zap” command and the replacing “nop”.
No real time feedback in the “code” window.
7) The “pointed content” window is ineffective.
On the top right in the task bar, there’s a little and narrow window preceded by a question mark (“?”).
This window lets you view the “pointed content”.
Mov eax, [ebx + 08] —–> you’ll have the actual content of ds: [ebx +08] in the window… For example: 0044001Ah
This content is displayed during a “step by step”. But if you are doing other things, it doesn’t work.
If you change manually (through a db cs: eip) the “+08” into a “+xx”, the window fails to refresh.
You could redo a “u cs: eip”, or whatever you want, … Nothing happens!
You will have to manually issue a “dd ds: x” to see your new “pointed content” !
Incidentally, we have manually changed one “opcode”! … The “[ebx + 8]” into “[ebx + XX]”.
There’s no update in the opcode! You necessarily need to scroll the “code window” to force the update!
There are too many “real time” and “update” problems in Syser.
8) Scrolling problem in the “System explorer” window.
In the “system explorer” window, type “IDT”. The IDT vector list of the active processor is then displayed. This list has 0xFF vectors, so the window has to scroll, but the window only displays the last 64 vectors and even if you scroll up, it stops at 0xC0 !
A complete display is possible in the “Command Console” window, but not in the “System explorer” window. The main problem is that you are currently working in the “System Explorer” window !
Identical bug for the “GDT” and “MSR” commands.
PEunLOCK 0.9
April 2, 2008. Posted by reversengineering in TOOLS, UNPACKERS.
+ fix code redirection delta
Quick Unpack v2.1
April 2, 2008. Posted by reversengineering in TOOLS, UNPACKERS.
[!] fixed many bugs, such as a crash on some applications during restoration of resources
[!] multithreaded applications are now handled properly
[+] added ability to set the end of the module when tracing import functions. When a reference to an import is found, it is analysed to see whether it leads to some space outside of the module (so as not to trace some internal functions). But some packers redirect imports to the last section. This option is intended to help with this problem. This is an RVA
[+] added ability to put import table at given RVA instead of adding extra section
[+] added ability to set RDTSC delta for RDTSC hook (see more on rdtsc_delta in Scripts.eng.txt)
[+] Load libraries only option added to the import recovery methods. This option doesn’t actually recover imports; it just puts 1 import function from every loaded DLL into the import table. Thus the dump will be loaded with all the necessary libraries and will use the old addresses for import functions which were set by the protector. This option can be used if import redirection is too complicated, but the dump will stop working after a service pack or some other patch is installed
[+] Execute functions while tracing import option added. By default, functions are not executed while tracing imports, but some protectors need the result of these functions to operate correctly, so this option can be used
[+] Process call xxx/jmp xxx option added. Some protectors change import calls and jumps from call [xxx]/jmp [xxx] to call xxx/jmp xxx. This option is intended to work with these redirections as well
[+] added several new functions and variables for the scripts
[+] UsAr’s generic OEP finder now supports DLLs
[+] new Vista manifest added