52pojie (吾爱破解) - LCG - LSG | Android Cracking | Virus Analysis | www.52pojie.cn


[Other] Armadillo Informant 0.9.6 (Beta) Static Armadillo Scanner

Hmily posted on 2012-4-4 23:05
Hi to all,

After a long and fruitful investigation of the Armadillo Protection System internals, I am able to show you some of the results of my research. I am presenting a public beta version of AI 0.9b (Armadillo Informant), which at present has been tested on files protected with Armadillo from version 4.00 up to the current 9.00 only.

Note:

* All operations are performed on static files; this tool doesn't execute any processes.
* Versions lower than 3.75 are not supported currently; please note this.
* Unpacked or modified files are unsupported and I have no plans to ever support them.
* Feature requests and bug reports can be posted in this thread and I'll answer them as soon as I can.
* When completed, the tool will be accompanied by a full tutorial explaining how the tool works with Armadillo protected files.

File:                   Armadillo.exe
Path:                   C:\Program Files (x86)\SoftwarePassport

-> newer .text entrypoint signature found.
-> Locate compression options.
-> Locating pointer to application matrix.
-> Get dword from Armadillo code.
-> Get dword from Armadillo code.
-> Skip pdata pre-security.dll portion.
-> Skip tail portion(s).
-> Extract security.dll.
-> Packed size before: 0009951B
-> Packed size after: 0009951B
-> CRC32 Matches!
-> Locate Armadillo version.

* Scan Results *

Detected version:               9.00

* Compression Option *

Compression level:              Best/Slowest

* Protection Options *

CopyMem-II & Debug Blocker
Enable Import Table Elimination
Enable Nanomite Processing
Enable Random PE Names

Armadillo sections:             5

-> Name:                        .whilcb
-> Raw offset:          0x00001000
-> Raw size:            0x000B7000
-> Virtual address:             0x00703000
-> Virtual size:                0x000C0000
-> Characteristics:             0xE0000020

-> Name:                        .otpey
-> Raw offset:          0x000B8000
-> Raw size:            0x0000D000
-> Virtual address:             0x007C3000
-> Virtual size:                0x00010000
-> Characteristics:             0xE0000020

-> Name:                        .cwlot
-> Raw offset:          0x000C5000
-> Raw size:            0x00021000
-> Virtual address:             0x007D3000
-> Virtual size:                0x00030000
-> Characteristics:             0xC0000040

-> Name:                        .toip
-> Raw offset:          0x000E6000
-> Raw size:            0x0000A000
-> Virtual address:             0x00803000
-> Virtual size:                0x00010000
-> Characteristics:             0x42000040

-> Name:                        .avorgb
-> Raw offset:          0x000F0000
-> Raw size:            0x003BA000
-> Virtual address:             0x00813000
-> Virtual size:                0x003C0000
-> Characteristics:             0xC0000040

Text section encrypted: No
Dword shuffling used:   Yes
Number of dwords:               208
Real size of pdata:             0x003B930C
Compression type:               0x2

Raw options value:              0x3DC30A5E
Call exe OEP:           0x00B1F44F
Call dll OEP:           0x00B1DC31
Offset to Security.dll: 0x00000012
Security.dll size:              0x00157000
Security.dll base:              0x10000000
CopyMem-II decrypt:     0x10067CD0

-> Free file buffer.
-> Free .text buffer.
-> Free pdata buffer.
-> Free security.dll buffer.

AI 0.9.6b.rar


Alar30 posted on 2012-4-6 11:04
Thanks for sharing the tool.
网络小牛 posted on 2012-4-27 11:25
yuyuchun posted on 2012-10-3 13:08
jimshicard posted on 2012-11-15 16:03
Showing support for a good tool; going to try it out.