Exetools - Question about Armadillo 3.76

Hi~

Happy New Year!!

I have some Question about armadillo 3.76
I had dumped app by version 3.76

It used IAT elimination & COPY MEM2 & something (I think it's not nanomite)

Code:

.text:00401000 sub_401000      proc near               ; CODE XREF: sub_402D70+46p

.text:00401000                 mov     eax, ecx

.text:00401002                 mov     dword ptr [eax], 0

.text:00401008                 retn

.text:00401008 sub_401000      endp

.text:00401010 sub_401010      proc near               ; CODE XREF: .text:00402845p

.text:00401010                 jmp     loc_1FF0000        <--- Jump to outside of PE IMAGE.

.text:00401010 sub_401010      endp



.csdata:01FF0000                 jns     short $+2

.csdata:01FF0002                 push    0FFFFFFFFh

.csdata:01FF0004                 push    offset loc_42A57B

.csdata:01FF0009                 jmp     loc_401015

.csdata:01FF000E loc_1FF000E:                            ; CODE XREF: .text:0040101Dj

.csdata:01FF000E                 push    eax

.csdata:01FF000F                 mov     large fs:0, esp

.csdata:01FF0016                 push    ecx

.csdata:01FF0017                 xchg    edx, ebx

.csdata:01FF0019                 xchg    dx, bx

.csdata:01FF001C                 xchg    ax, cx

First,I dumped 1FF0000 to file by ollyscript

Code:

<ollyscript>

dpe "c:\olly_dumped.exe",eip

mov mem0,401011

mov mem0,[mem0]

mov mem1,401015

ADD mem1,mem0

DM mem1,20000,"c:\olly_csc_dumped.bin"

MSG "ENTRY POINT!!"

<ollyscript>

And Add it a section In unpacked file.
Then I ran APP.
APP showed error.
I traced it and found some difference.

Code:

.text:0040BDC0 sub_40BDC0      proc near               ; CODE XREF: start+186p

.text:0040BDC0                 jmp     loc_1FF7711        <-- Jmp to outside of PE IMAGE

.text:0040BDC0 sub_40BDC0      endp

.text:0040BDC0

Code:

.csdata:01FF7711 loc_1FF7711:                            ; CODE XREF: sub_40BDC0j

.csdata:01FF7711                 xchg    dx, cx

.csdata:01FF7714                 jnb     short $+2

.csdata:01FF7716                 xchg    edi, edx

.csdata:01FF7719                 pop     ebx

.csdata:01FF771A 

.csdata:01FF771A loc_1FF771A:                            

.csdata:01FF771A                 jmp     loc_40BDA4        <--- Jump to Illegal Instruction.

Code:

.csdata:01FF7704 loc_1FF7704:                            ; CODE XREF: .csdata:01FF7700j

.csdata:01FF7704                 xchg    dx, cx

.csdata:01FF7707                 jnb     short $+2

.csdata:01FF7709                 xchg    edi, edx

.csdata:01FF770B                 pop     ebx

.csdata:01FF770C 

.csdata:01FF770C loc_1FF770C:                            ; CODE XREF: .csdata:01FF7702j

.csdata:01FF770C                 jmp     loc_40BDA4

.csdata:01FF7711 loc_1FF7711:                            ; CODE XREF: sub_40BDC0j

.csdata:01FF7711                 push    esi

.csdata:01FF7712                 mov     esi, [esp+8]

.csdata:01FF7716                 not     edx

.csdata:01FF7718                 push    esi

.csdata:01FF7719                 jnz     short loc_1FF771D

Second Dump is good to run!!

I want know Why it differents? :confused:

And Does my dumping script correct? :confused: