
All Armadillo tools 2008-04-05 April 5, 2008

Posted by reversengineering in TOOLS, UNPACKERS.
Hi,
Another package I collected for all reversers.
All Armadillo tools, updated up to 2008-04-05.
list of tools:
ARMA.INTRUDER.0.4
ARMACRC.V1
ARMADETACH.V1
ARMADETACHME
ARMADILLO FIND PROTECTED V1
ARMADILLO KILLER 2
ARMADILLO REDUCER 1.7
ARMADILLO.DLL&OCX
ARMADILLO.SECTIONS.STRIPPER.1.22
ARMADILLO_KEY_GENERATOR 1
ARMADILLOCLEANER
ARMADILLOTOOLS V1.2
ARMADUMPER.V1
ARMAEV
ARMAUNPACK
ARMINLINE V0
DEATTACHER
HWID_CHANGER V.0
LOADER-10
MM_DILLODIE_V1
NANOMITES.KILLER.BY
UIF-FINAL-PLUS
UIF-V1.2stable
UNARM
ArmaGeddon v1.1.0 by Condzero
ArmaGeddon V1.2g by Condzero
ArmInline v0.96f (Eng)
ArmKiller v1.2.1 Tool by TLG_XQuader
Link:
http://rapidshare.com/files/105113359/All_Armadillo_tools_20080405.exe
Best regards,
rem
Download this and rename it to .txt.

Immunity Debugger 15 Scripts + 13 plugins April 5, 2008

Posted by reversengineering in Immunity Debugger, TOOLS.
Hi,
Another package I collected for all reversers:
15 scripts for Immunity Debugger
13 plugins for Immunity Debugger
List of plugins (name, version, author, size):

Analyze This             0.1        Joe Stewart           22.93 kb
Asm2clipboard            0.1        FatMike               18.71 kb
Cleanup Ex               1.12.108   Gigapede              28.36 kb
Crypto Scanner           0.5b       Loki                  17.82 kb
FullDisasm               1.71       BeatriX               26.64 kb
HideOD                   0.17       Kanxue                20.51 kb
IsDebugPresent           1.4        SV                     4.15 kb
ODBGScript               1.65       SHaG & Epsylon3       70.26 kb
OllyDbg PE Dumper        3.03       FKMA                  87.96 kb
OllyDump                 3.00.110   Gigapede              60.85 kb
PhantOm Plugin           1.20       Hellsp@wn & Archer   759.72 kb
Ultra String Reference   0.12       Luo                   22.46 kb
Windows Maximizer        1.0        BoB                    9.92 kb
Link:
http://rapidshare.com/files/105095669/ImDg_15_Scripts____13_plugins.exe
Best regards,
rem

PhantOm plugin 1.25 April 4, 2008

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

[PhantOm plugin 1.25]
by Hellsp@wn & Archer

// Spring fever:
// Hooray! Daylight all day long! Spring walks! The beer season begins! Go out with the girls!
// Live life to the full!

| Greetings fly to:
| Bronco, kioresk, RSI, lord_Phoenix, HoBleen, Grim Fandango,
| Guru.eXe, vad8787, PE_Kill.
---------------------------------------------------------------

A plugin to hide OllyDbg (with a driver).
Helps against detection by the following methods:

// driver: extremehide.sys

[+] NtQueryInformationProcess.
[+] SetUnhandledExceptionFilter.
[+] OpenProcess.
[+] Invalid Handle.
[+] NtSetInformationThread.
[+] RDTSC.
[+] NtYieldExecution.
[+] NtQueryObject.
[+] NtQuerySystemInformation.
[+] Windows hide.
[+] GetProcessTimes.
[+] NtSetContextThread.

// plugin: PhantOm.dll

[+] PEB BeingDebugged.
[+] PEB NtGlobalFlag.
[+] GetStartupInfo.
[+] Process Heaps.
[+] GetTickCount.
[!] Protect DRx.
[!] Hide DRx.
[!] Fake Windows version.
[!] Custom Handler.
[+] BlockInput

What’s New – 1.25

The service names (HIDENAME and RDTSCNAME) can now be set by the user.

Some minor bugs fixed.

Fixed bug with memory breakpoints.

What’s New – 1.20

Added own handling of exceptions (C0000005).

Added changing of the main window title.

Added own handling of OUTPUT_DEBUG_STRING_EVENT.

int 3 at the EP is now correctly removed if the stop
at the system breakpoint failed.

Added BlockInput interception (WinXP only).

Added own handling of exceptions (C0000094).

Added hiding from GetStartupInfo.

Fixed bug with the plugin settings.

Added protection against driver detection.

What’s New – 1.15

Several bugs fixed.

What’s New – 1.10

GetProcessTimes hook moved to the driver.

NtSetContextThread hook moved to the driver.

Fixed bug with removing the “EP break”.

Several bugs related to loading options fixed.

Added DELTARDTSC to the ini, which controls the RDTSC spread.

What’s New – 1.04

Fixed BSOD while loading the driver.

What’s New – 1.03

Fixed bug with windows.

What’s New – 1.01

Fixed bug in the driver.

What’s New – 1.00

Added protection of OllyDbg windows.

OllyDbg is now patched regardless of ImageBase.

What’s New – 0.60

Added own handling of exceptions (C000001E, 80000001, C000001D).

Added removal of int3 at the EntryPoint.

Fixed bug with GetTickCount.

Added anti-detection methods in the driver.

What’s New – 0.58

Fixed bug with Hide from PEB on some systems.

What’s New – 0.57

Fixed bug with attaching to a process.

Added protection from GetProcessTimes.
[-] Removed the Fake Windows version option (for the time being).

What’s New – 0.55

Improved GetTickCount emulation.

Added RDTSC emulation.

Fixed bug with ServicePack not being zeroed.

Code slightly optimized.

What’s New – 0.53

Now the driver is in resources.

Added NtSetInformationThread protection.

Fixed bug with Fake Windows version.

What’s New – 0.51

Fixed bug in GetTickCount.

Fixed bug with the PEB patch.

// Notes:

- if you change the plugin settings while a file is open in OllyDbg,
  you must restart the program (Ctrl-F2).

- the plugin writes debug messages to the Log (Alt+L), so on the first run
  it is advised to enable all options and check the Log for errors.

- tested only on Windows 2000 SP4 and XP SP2.

- while using the plugin it is recommended to turn off programs that can prevent
  drivers from loading (antivirus, PC).

- if the plugin misbehaves, try it with a “native” OllyDbg,
  without other plugins.

// Contact the author:
www: hellspawn.nm.ru
mail: for.hellspawn@gmail.com
File here: rar file

Armadillo Crc Finder V1.4 April 4, 2008

Posted by reversengineering in OTHER, TOOLS.
Armadillo CRC Finder shows the whole batch of CRC checksums of Armadillo-protected files, solely for the purpose of inline patching.
Since the previous version of this tool the protector has changed a lot, so your v1.3 looks good in the recycle bin. Anyway, this new version
is really special, because it doesn't do a memory search for the CRCs; instead it emulates the whole Armadillo CRC generation routine, so the
protected file is not executed at all! :-) Also, with this big change, CopyMem-II is now supported and the probability of getting a bad CRC due to a wrong memory location is
completely nulled.

Version history:
—————-
v1.4 [04/03/08]
- Recoded from scratch.
- Copymem-II support.

v1.3 [06/21/06]
- Fifth CRC added.
- Additional search method added.

v1.2 [06/08/05]
- Some bugs fixed.

v1.1 [05/12/05]
- Fourth CRC added.
- Minor code improvements.

v1.0 [04/14/05]
- Initial release.

For more information visit : N/A

Stud PE v 2.4.0.1 + PE Detective V.1.2.1.1 April 4, 2008

Posted by reversengineering in DETECTOR, TOOLS.
v 2.4.0.1 [2 apr 2008]
-fixed a bug with imported function name length;
-added external signature verifier; wrote a note about signatures;
-fixed RVA2RAW for UPACK, which has its EP inside the PE header; imports are now shown fine;
-added basic disassembler from the hex editor right-click menu;
-fixed showing which export is in fact a forwarder to another dll, like HeapAlloc in kernel.dll;
-added process memory dumper/viewer; right-click on the process you want to inspect; you can
 use the disassembler (from the right-click menu inside the hex editor) to see how the code looks at
 a certain VA; the difference from other dumpers (LordPE, ProcDump, PETools) is that it can dump/view
 code blocks protected with PAGE_GUARD or NOACCESS flags.

Note about external signatures
------------------------------
-we have 2 kinds of signatures:
  1. relative to entry point (ep_only=true); a number of bytes searched only at one location;
  2. absolute (ep_only=false); a number of bytes searched in the entire file;
-a relative signature can start with an offset (negative or positive) specified by
 (offset=x, where x can be e.g. 5 or -7 relative to the entry point); in addition the relative
 signature can start with a number of unknown bytes (?? ?? ?? 3E 45 etc.); in this case
 the number of those leading bytes will be treated as a positive offset; but remember,
 this is only for (ep_only=true);

 Signature rules:
     -sections with different names; a section is e.g. "[Name of the Packer v1.0]"
     -sections with different signatures, to avoid wasting time;
     -signature bytes must be represented in hex (0-9, A-F);
     -each signature length must be a multiple of 2;
     -you can use an empty space as separator between each byte (2 hex chars)
      for readability (like: "signature = 00 A2 3F", which is the same as
      "signature = 00A23F");
     -you can use the wildcard "??" if the byte can be anything inside a signature;
     -only relative signatures (ep_only=true) can start with "??";

-when you fix an external signatures file, you must fix first!! the section names (otherwise you
 will have checking mistakes for the next verifications!!), then signature correctness, then overlapping
 signatures; the section's name or signature will be on the clipboard when an error is
 found; just paste it into the search box in notepad; if you have multiple sections with the same
 name and different signatures, just rename them like mepacker_s1, mepacker_s2 etc.;
-avoid adding large signatures; it will be a time killer; be smart!
-add the signature at the end of the file (EOF), then see if your file is detected, to avoid
 signature overlapping;
-the signature verification is done only for those signatures starting at the entry point! for
 different offsets (e.g. signatures starting with "?? ?? A2" etc. or offset=x) the code
 becomes too complicated, so it is easier to add those signatures at the EOF and see if it works;
-what is overlapping: look at the next 2 signatures "EB 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? F6" and
 "EB 02 ?? ?? EB 02"; they cover the same range of bytes; the short one is covered by the longest;
 in this case you may miss a packer because of this, depending on which is searched first;
 it's recommended to put the longest first;
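The matcher below is an added example, not Stud PE's own code: it implements the signature rules above (hex bytes with optional spaces, "??" wildcards, ep_only/offset relative matching, the "only relative signatures may start with ??" rule) and the overlap test, ranking hits by the number of non-wildcard bytes matched so the longest signature wins. The signature names and the sample bytes are constructed for illustration.

```python
import re

# Added example of the Stud PE external-signature rules; names and bytes are constructed.

def parse_signature(text):
    """'EB 02 ?? F6' or 'EB02??F6' -> [0xEB, 0x02, None, 0xF6]; None is a wildcard."""
    compact = text.replace(" ", "").upper()
    if len(compact) % 2:
        raise ValueError("signature length must be a multiple of 2")
    pairs = [compact[i:i + 2] for i in range(0, len(compact), 2)]
    if any(p != "??" and not re.fullmatch(r"[0-9A-F]{2}", p) for p in pairs):
        raise ValueError("signature bytes must be hex (0-9, A-F) or ??")
    return [None if p == "??" else int(p, 16) for p in pairs]

def matches_at(data, pos, pattern):
    """Compare pattern against data at pos; wildcards match anything, out of range fails."""
    if pos < 0 or pos + len(pattern) > len(data):
        return False
    return all(p is None or data[pos + i] == p for i, p in enumerate(pattern))

def detect(data, ep, sigs):
    """sigs: dicts with name, signature, ep_only (default true), offset (default 0)."""
    hits = []
    for s in sigs:
        pat = parse_signature(s["signature"])
        if s.get("ep_only", True):
            # relative: checked at exactly ep + offset (leading ?? simply widen the offset)
            found = matches_at(data, ep + s.get("offset", 0), pat)
        else:
            if pat and pat[0] is None:
                raise ValueError(f"{s['name']}: absolute signature cannot start with ??")
            found = any(matches_at(data, i, pat) for i in range(len(data)))
        if found:
            hits.append((sum(p is not None for p in pat), s["name"]))
    return [name for _, name in sorted(hits, reverse=True)]  # most specific first

def overlapping(sig_a, sig_b):
    """True when both patterns can match the same bytes (they agree wherever both fix a byte)."""
    return all(x is None or y is None or x == y
               for x, y in zip(parse_signature(sig_a), parse_signature(sig_b)))

# Constructed 16-byte sample with the entry point at offset 4.
SAMPLE = bytes.fromhex("90909090EB021234EB02" + "00" * 6)
SIGS = [
    {"name": "packer_s1", "signature": "EB 02 ?? ?? EB 02"},
    {"name": "packer_s2", "signature": "EB 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? F6"},
    {"name": "nop_sled", "signature": "909090", "ep_only": False},
    {"name": "pre_ep", "signature": "90 EB", "offset": -1},
]
```

`detect(SAMPLE, 4, SIGS)` returns the matching names with the most specific first; `overlapping` flags the two example signatures from the note as colliding, which is why the longer one must be listed first.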

————————-
+
————————-
Created by Daniel Pistelli, a freeware PE identifier. This tool was originally designed to be part of the Explorer Suite II, but it can be downloaded separately as well. The PE Detective can scan single PE files or entire directories (also recursively) and generate complete reports. The PE Detective is deployed along with the Signature Explorer, an advanced signature manager used to check collisions and to handle, update and retrieve signatures.

Scanning a file with the PE Detective tool is very easy: just drag & drop a file onto the interface and press scan. If there are multiple results, all of them are listed in descending priority. The data for each result shows the signature name, the number of matches (meaning how many bytes in the signature match; wildcards aren’t counted) and possible comments regarding the signature.

Password: http://reversengineering.wordpress.com
Link: http://rapidshare.com/files/104873813/2_IN_ONE.rar

Exeinfo PE ver.0.0.1.8 F ( sign 375 ) April 2, 2008

Posted by reversengineering in NEWS.
Hi,
As always, you know where to find it :)

Summary of defects in Syser April 2, 2008

Posted by reversengineering in RCE.


I’m using the Syser 1.96 trial version (1.96.1900.939) available since 03/08/2008. My only goal is to help in the development of this product. Some complain of not having feedback, so here it is:

I would like to start by saying that Syser is evolving and despite this, it already offers a good quality.

1) No support for “azerty” keyboards
Users come to use it anyway, but it’s not very comfortable.

2) Can’t trace INTxx. Syser doesn’t emulate this case.
Not practical when hooking IDTs with dispatches everywhere.

3) No real time display of 64-bit MMX registers
There’s a “static” possibility with the “wf1” command, but a real-time display would be a plus.

4) No real time display of the active processor
You must type each time the “cpu” command in the command window. This isn’t practical when you are in a system information loop scan with a KeSetAffinityThread in the loop.
A real time display would be a plus.

5) Software keyboard
The colon punctuation sign (‘:’) is missing, so you therefore need to type it on the keyboard.
Slash (‘/’) and backslash (‘\’) are inverted.

A truly effective soft keyboard would solve the first point (azerty keyboard).

6) The CodeView window doesn’t display modification in real time.
db cs:offset … and you change this or that opcode by hand; the “code” window doesn’t display the modification in real time. You need to issue a “one_step” command to see the modification or redo a “u cs:eip”. The same thing applies to the “zap” command and the replacing “nop”.

No real time feedback in the “code” window.

7) The “pointed content” window is ineffective.
On the top right in the task bar, there’s a little and narrow window preceded by a question mark (“?”).
This window lets you view the “pointed content”.

Example:
Mov eax, [ebx + 08] —–> you’ll have the actual content of ds: [ebx +08] in the window… For example: 0044001Ah
This content is displayed during a “step by step”. But if you are doing other things, it doesn’t work.
If you manually change (through a db cs:eip) the “+08” into a “+xx”, the window fails to refresh.

You could redo a “u cs: eip”, or whatever you want, … Nothing happens!
You will have to manually issue a “dd ds: x” to see your new “pointed content” !

Incidentally, we have manually changed one “opcode”: the “[ebx + 8]” into “[ebx + XX]”.
There’s no update in the opcode! You necessarily need to scroll the “code window” to force the update!

There are too many “real time” and “update” problems in Syser.

8) Scrolling problem in the “System explorer” window.

In the “system explorer” window, type “IDT”. The IDT vector list of the active processor is then displayed. This list has 0xFF vectors, so the window has to scroll, but the window only displays the last 64 vectors and even if you scroll up, it stops at 0xC0 !

A complete display is possible in the “Command Console” window, but not in the “System explorer” window. The main problem is that you are currently working in the “System Explorer” window !

Identical bug for the “GDT” and “MSR” commands.

Source: http://reverseengineering.online.fr

PEunLOCK 0.9 April 2, 2008

Posted by reversengineering in TOOLS, UNPACKERS.
v0.9

+ fix code redirection delta

Link: download it and rename it to *.zip :)

Quick Unpack v2.1 April 2, 2008

Posted by reversengineering in TOOLS, UNPACKERS.
History of the versions
———————–
v2.1
[!] fixed many bugs, like a crash on some applications during restoration of resources
[!] multithreaded applications are now handled properly
[+] added ability to set the end of the module when tracing import functions. When a reference to an import is found, it is analysed whether it leads to some space outside of the module (so as not to trace internal functions). But some packers redirect imports to the last section. This option is intended to aid with this problem. This is an RVA
[+] added ability to put the import table at a given RVA instead of adding an extra section
[+] added ability to set the RDTSC delta for the RDTSC hook (see more on rdtsc_delta in Scripts.eng.txt)
[+] Load libraries only option added to the import recovery methods. This option doesn’t actually recover the import; it just puts 1 import function from every loaded DLL into the import table. Thus the dump will be loaded with all the necessary libraries and will use the old addresses for import functions which were set by the protector. This option can be used if import redirection is too complicated, but the dump will stop working after a service pack or some other patch installation
[+] Execute functions while tracing import option added. By default, functions are not executed while tracing imports, but some protectors need the result of these functions to operate correctly, so this option can be used
[+] Process call xxx/jmp xxx option added. Some protectors change import calls and jumps from call [xxx]/jmp [xxx] to call xxx/jmp xxx. This option is intended to work with these redirections as well
[+] added several new functions and variables for the scripts
[+] UsAr’s generic OEP finder now supports DLLs
[+] new Vista manifest added
Link: http://rapidshare.com/files/104264619/qunpack21.zip