
Eggi 09-26-2004 21:45

Armadillo Import Elimination
 
I'm trying to unpack an arma-protected program (one process). It uses import elimination... so first I used a script (so that it does not detect the change) to patch the IAT so that there are no invalid pointers left, but after the patch the first IAT call goes to RegQueryValueEx... so the functions are not in the correct place. How can I solve this? (I have only patched this jump and then I let the protected program run with the patched IAT...)
Target: http://activeurls.com/en/download.htm

xzz 09-26-2004 23:47

....
 
If it's only one API call that is wrongly placed, you can fix it simply:
look in your last IAT area and find where "RegQueryValueEx" is placed (its RVA),
then patch it like this (opcode):
FF25xxxxxxxx (the xx is RVA + imagebase, then inverted, e.g. FF25B3A14000)
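
Added example, not part of xzz's post: the `FF 25` encoding described above is `jmp dword ptr [abs32]`, with the slot address (RVA + image base) stored little-endian. The sketch below encodes such a thunk and scans a byte buffer to list which IAT slot each thunk references, which is how an analyst can check a dump's import thunks. The image base, IAT bounds, function names and sample bytes are assumptions constructed for illustration.

```python
import struct

IMAGE_BASE = 0x00400000      # assumed image base of a 32-bit EXE
IAT_START_RVA = 0x0000A000   # constructed IAT bounds for the sample below
IAT_END_RVA = 0x0000A200

def encode_thunk(slot_rva, image_base=IMAGE_BASE):
    """Build FF 25 <abs32>: jmp dword ptr [image_base + slot_rva]."""
    return b"\xFF\x25" + struct.pack("<I", image_base + slot_rva)

def find_thunks(code, code_va, image_base=IMAGE_BASE):
    """Return (thunk_va, slot_rva, in_iat) for each FF 25 pattern in code.

    This is a raw byte scan, not a disassembler, so a match inside another
    instruction's operand is possible; the in_iat flag helps weed those out.
    """
    results = []
    pos = code.find(b"\xFF\x25")
    while pos != -1 and pos + 6 <= len(code):
        (slot_va,) = struct.unpack_from("<I", code, pos + 2)
        slot_rva = slot_va - image_base
        in_iat = IAT_START_RVA <= slot_rva < IAT_END_RVA
        results.append((code_va + pos, slot_rva, in_iat))
        # Skip the whole instruction only when it looks like a real thunk.
        pos = code.find(b"\xFF\x25", pos + (6 if in_iat else 1))
    return results

# Constructed sample: the post's example bytes, a second thunk, and one
# jump whose pointer lies outside the assumed IAT range.
SAMPLE = (
    bytes.fromhex("FF25B3A14000")
    + b"\x90\x90"
    + encode_thunk(0xA010)
    + b"\xCC"
    + b"\xFF\x25" + struct.pack("<I", 0x7C801234)
)

if __name__ == "__main__":
    for va, rva, ok in find_thunks(SAMPLE, 0x00401000):
        status = "in IAT" if ok else "OUTSIDE IAT"
        print(f"thunk at {va:#010x} -> slot RVA {rva:#x} ({status})")
```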

Eggi 09-27-2004 02:02

No... it's not only one function...

