[Release] [INT] Engine unpacked 4.2.2010

02/04/2010 23:34 Thiesius#1
Hello again,

I decided to simply release this because maybe some of you have at some point wanted to actually disassemble the engine, but found out that it is protected with Armadillo.

Some of you know that it isn't really difficult to unpack it [5-10 minutes max].

I hope somebody will find it useful. You basically don't need an unpacked engine when you are debugging, but when you are using IDA, it might come in handy.

Happy disassembling ;)

#EDIT: Oh, I forgot: It is unpacked on Windows 7. If you have any compatibility troubles, I can unpack it on Windows XP.
02/05/2010 07:31 nidecker#2
amazing:D but wtf i can do with it:D?
02/05/2010 09:20 ILikeItEasy#3
Thanks, my last unpacked engine.exe was a bit older. Saves me the trouble of unpacking a new one myself. Btw, it takes me a lot more time than 5~10 mins LOL
02/05/2010 15:20 Thiesius#4
Places of interest

00627566 - Something new
00572800 - Engine's recv
0055A8D0 - Engine's send
etc.
02/05/2010 20:50 Doctor2#5
Hi,

maybe you can tell me how to detect how the file is packed, and when you know ... how to unpack it?
Maybe you can record and upload a video?

Sorry, I know it's a stupid question .. but ...
02/05/2010 22:33 Thiesius#6
You can use PEiD to see what the exe packer was (or at least whether it's packed or not). Then you can download additional scanners to get a more accurate version of the packer. In this case it was ArmadilloFindProtected.
I'm not sure if I should record a video... I'm pretty sure that it would get fixed by Silicon Realms (Armadillo creators) soon. Tools used: Olly, Universal Import Fixer, Import Reconstructor.
02/06/2010 10:53 Doctor2#7
In my case there is a problem ... PEiD cannot recognize the packer ... it just says "Nothing found [Overlay] *"
But I know that this file is packed, because I cannot open it in Olly ..
02/06/2010 14:38 Thiesius#8
Dunno, I use PEiD v0.95b with the standard plugin set. Use Hardcore scan. It shows Armadillo 3.78 - 4.xx -> Silicon Realms Toolworks. Also use Extra information to see if it is packed.

And by the way, there isn't only one packer detector :P.

#EDIT: Actually, the version of Armadillo is higher
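
For the packed-or-not question raised in the posts above, a common static heuristic is to measure the entropy of each PE section and check for data appended past the last section (the "[Overlay]" case). The following is an added example, not code from any poster or from PEiD; the function names, the 7.0 bits/byte threshold and the sample buffer are assumptions constructed here.

```python
import math, os, struct

def entropy(data):
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def triage(pe, threshold=7.0):
    """Return ([(section, entropy, suspicious)], overlay_size) for a PE image.
    threshold is an assumed cut-off: compressed/encrypted data sits near 8.0."""
    if pe[:2] != b"MZ" or len(pe) < 0x40:
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)      # offset of "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)      # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20) # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                        # first section header
    sections, end_of_image = [], 0
    for i in range(nsec):
        hdr = pe[table + 40 * i: table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)
        h = entropy(pe[raw_ptr:raw_ptr + raw_size])
        sections.append((name, round(h, 2), h >= threshold))
        end_of_image = max(end_of_image, raw_ptr + raw_size)
    # Bytes after the last section's raw data are the overlay.
    return sections, max(0, len(pe) - end_of_image)

def build_sample():
    """Constructed PE-shaped buffer: plain .text, random '.packed', 64-byte overlay."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    def sec(name, size, ptr):
        return name.ljust(8, b"\0") + struct.pack("<IIII", size, 0, size, ptr) + b"\0" * 16
    headers = dos + coff + sec(b".text", 0x400, 0x200) + sec(b".packed", 0x1000, 0x600)
    body = b"\x90\xC3" * 0x200 + os.urandom(0x1000)
    return headers.ljust(0x200, b"\0") + body + b"\0" * 64

if __name__ == "__main__":
    print(triage(build_sample()))
```

High entropy alone only says the data is compressed or encrypted; it does not identify the packer, which is why signature scanners are used alongside it.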
02/06/2010 14:42 meak1#9
Just use [link], it shows there what it's packed with^^
02/06/2010 15:38 bloodx#10
006C5D28 should be EncryptTable.. but hmm it's kinda smaller than before o.O
02/11/2010 11:25 Thiesius#11
Does somebody want the newest engine (11-02-2010 update)? I haven't noticed any change in protection, but it's always good to work with the newest one :).
Strange that today the Win7 unpacked executable wasn't able to run; I had to unpack it on WinXP.