Dumping the overlay data of an Armadillo-packed exe with OllyDbg
RE-Pack with OllyDbg & WinHex

http://free.pages.at/pepspace/myTools.exe
1. Enable the 'Protection against OutputDebugString exploit' option in Hide Debugger v1.2.3f by Asterix (Plugins\HideDebugger.dll), as shown in the screenshot.

Otherwise Armadillo will crash OllyDbg as soon as you run the target: it abuses the OutputDebugString format-string bug in OllyDbg 1.10, and this option is what guards against it.

If you don't see 'Plugins' in the menu bar, check the path to the plugin directory under Options\Appearance\[Directories].
2. Load the exe that is packed by Armadillo by dragging it into OllyDbg, via File/Open, or with F3. Then press F9 to run it.

In case you get an exception like this, press Shift+F9 repeatedly to pass it on to the program, until the program runs (it may run and then quit straight away).

To avoid pressing Shift+F9 every time, open the options (Alt+O), go to the [Exceptions] tab, enable 'Ignore the following exceptions' and then click 'Add last exception'.
3. Press Alt+M to open the Memory map window (the process memory window).

Double-click the .text section of the exe you loaded (it is nearly always mapped at address 0x00401000). Make sure it contains something other than 00s: that confirms the app has actually been unpacked into memory. Close this dump window.
In the Memory map window press Alt+L to bring up the search window.

Enter 'EA06' as the search string, then press Ctrl+L to find the next match (switch back from the dump window to the Memory map window before pressing Ctrl+L) until there are no more matches.

For dumping, use the last dump window in which you found 'EA06', as shown in the screenshot. The type of that memory region should be 'Priv' (private). Check that the hit is really the AutoIt marker, i.e. that it reads 'AU3!EA06' and is preceded by the 16-byte AutoIt signature, and not just a stray 'EA06' inside Armadillo's own code.
4. Dumping (saving the RAM data to disk) is done like this:

Right-click in the dump window and choose Backup/Save data to file.

The Save As dialog comes up, where you can save the data (as a *.mem file).
That's it. Drag the *.mem file onto myAutToExe and hope that it can now be decompiled correctly.
...and with WinHex
Dumping with WinHex only works if the app stays open and does not quit right after it has started.
1. While the app is running, start WinHex. Press Alt+F9 to bring up the RAM tab.

Open the entire RAM of the process. If there are two processes with that name, take the one with the higher PID: Armadillo's debug-blocker mode runs a second copy of the exe as a child of the first, and it is the child that holds the unpacked code.
2. Press Ctrl+PageDown to go to the very end of the RAM. Press Ctrl+F to bring up the text search dialog, enter "EA06" and set the search direction to "upwards".
3. Press Alt+2 to mark the end of the selection, as shown in the screenshot.

Press F3 to find the next 'EA06'. The hit you want reads 'AU3!EA06'. From the 'A' of 'AU3!' go back 16 (= 0x10) bytes so that the selection also includes the normal 16-byte AutoIt signature that precedes the marker; it looks like this:

0003DBF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0003DC00 A3 48 4B BE 98 6C 4A A9 99 4C 53 0A 86 D6 48 7D £HK¾˜lJ©™LS.†ÖH}
0003DC10 41 55 33 21 45 41 30 36 AB 99 D0 DE 88 5E 49 DF AU3!EA06«™ÐÞˆ^Iß

In this example the selection therefore starts at 0003DC00, not at the 'EA06' itself. There press Alt+1 to mark the beginning of the selection.
4. Press Ctrl+Shift+N to save the selection to a new file. Name it 'dump.a3x' and you should be able to run it with AutoIt if you have it installed (and associated with *.a3x files).
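The carving that both procedures above do by hand (locate the last 'AU3!EA06' in the dump, step back over the 16-byte AutoIt signature, save from there to the end) can be scripted. The following Python script is an added example; it is not part of the original page, of myAutToExe or of AutoIt. It takes a raw dump (an OllyDbg *.mem file or a WinHex RAM save) and writes the selection the WinHex steps describe to dump.a3x. The signature bytes are the ones in the hex dump above; the file names are the page's. The check that the full 'AU3!EA06' string is present and preceded by the 16-byte signature, rather than just 'EA06', is an addition that rejects false hits inside Armadillo's own code.

```python
"""Carve an AutoIt3 script (.a3x) out of a raw process-memory dump.

Hypothetical helper, not from the original page: automates the carving step
that the text performs by hand in OllyDbg/WinHex. Input is a dump saved with
OllyDbg's "Backup/Save data to file" or WinHex's RAM editor; output is the
region from the 16-byte AutoIt signature that precedes the last "AU3!EA06"
marker up to the end of the dump, i.e. the selection the WinHex steps make.
"""
import sys
from typing import List

# 16-byte AutoIt signature, copied from the hex dump in the text
# (offset 0003DC00 in that example).
AU3_SIGNATURE = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")
# The marker that follows it. The text searches only for "EA06"; matching the
# full 8-byte string avoids false hits on a stray "EA06" elsewhere in RAM.
AU3_MARKER = b"AU3!EA06"


def find_markers(blob: bytes) -> List[int]:
    """Offsets of every 'AU3!EA06' in the dump, lowest first.

    This is what repeatedly pressing Ctrl+L (OllyDbg) or F3 (WinHex) visits.
    """
    offsets = []
    pos = blob.find(AU3_MARKER)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(AU3_MARKER, pos + 1)
    return offsets


def carve_a3x(blob: bytes) -> bytes:
    """Return the .a3x payload: 16-byte signature + marker + everything after.

    The last marker is used, as in the text (search upwards from the end of
    RAM). ValueError is raised when no marker exists or the 16-byte signature
    does not sit directly before it; in that case the hit is not the script
    header and the dump should not be fed to AutoIt or myAutToExe.
    """
    marker = blob.rfind(AU3_MARKER)
    if marker == -1:
        raise ValueError("no AU3!EA06 marker: the script is not unpacked in this region")
    start = marker - len(AU3_SIGNATURE)
    if start < 0 or blob[start:marker] != AU3_SIGNATURE:
        raise ValueError(f"AU3!EA06 at 0x{marker:X} is not preceded by the AutoIt signature")
    return blob[start:]


def main(argv: List[str]) -> int:
    """Usage: carve_a3x.py <dump.mem> <dump.a3x>"""
    if len(argv) != 3:
        print("usage: carve_a3x.py <dump.mem> <dump.a3x>", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as f:
        blob = f.read()
    hits = find_markers(blob)
    print("AU3!EA06 found at: " + ", ".join(f"0x{h:X}" for h in hits))
    script = carve_a3x(blob)
    with open(argv[2], "wb") as f:
        f.write(script)
    print(f"wrote {len(script)} bytes to {argv[2]}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python carve_a3x.py dump.mem dump.a3x`. If it stops with "not preceded by the AutoIt signature", the 'EA06' you found is not the script header (most likely part of Armadillo's stub) and either a different region must be dumped or the app was not unpacked yet. Like the manual WinHex selection, the output runs to the end of the dumped region, so it may carry trailing bytes after the script; AutoIt reads the script from the header onwards.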