LordPE Problem
 

Hi, it is a stupid question, but I can't see Armadilled processes with LordPE on XP (SP2). I can see loads of processes but when i need to dump with LordPE like in this tutorial (Unpacking_Armadillo_v4.x_With_PE_Header_Trick.rar_by_MaDMAn_H3rCuL3s.rar) i can't see the process, so i can't dump it.

I followed the tutorial and everything is like described, except that when i go to fix the imports with imprec and click on fix dump, it says "Not enough space, can't add new section").

I think this is because i dumped it with olly dump.
With procdump it crashes.

Does anyone know solutions for this issue?

Do a Test with Armadillo Dumper v1.0 or ArmInline v0.1

you can find them in Forum's Postz or Crackers Kit 2.0

hi,
yeah you get that error with ollydump. This might be a dumb question, you have the newest lord-pe? Also did you try with wark?

I never had any of your problems , i use LordPE Deluxe.

Try with downloading new LordPE zip archive from official site.

Are you loged as admin ?

Can you see armadillo processes within Ollydbg (menu File -> Attach) ?
Can you see armadillo processes in any other Dumping tool ?
Ollydbg plugin IsdebugPresent has some tiny dumper too.

You can dump with ImpRec too (1st attach to process)
Right click -> Advanced commands -> Select code section

, with PEditor 1.7 by yoda or PE Tools v1.5 [hxxp://www.uinc.ru/files/neox/PE_Tools.shtml ]

Well , wipe armadillo EP section out of dumped file , rebuild , then use Imprec.

I downloaded the newest lordpe from the site but it is the same.

Done, same problem

Yes

Yes i can, i succesfully detatched father/son of other protected programs with olly and it sees everything.

Procdump can see the process but it crash when dumping.

I will try, but it is realy odd that lordpe doesn't work :(

Hello!

Do you understand spanish?

If so, try this one (very good process dumper):

hxxp://www.terra.es/personal/guillet/archivos/pupe2002.zip


Good luck

Nacho_dj

What is this strange target (direct link please) ?

pupe english:
hxxp://sr2.mytempdir.com/157052

It's not a strange target it's a problem i have with ALL armadilled programs.

Have you checked how many processes are running on your machine? I've noticed that LordPE won't list more than 60 processes. That sounds like a lot, but if you're doing your cracking from a server, it's not entirely uncommon to have more than 60 processes going at once.

Yeah that's it. thankyou ;)

There is also another way to repair your dump. You just need to decrease the VOffset and the ROffset of the first section to 0x1000. Then you need to add the value you decreased to VSize and to RSize. Make sure SizeOfHeaders now is 0x1000. This should also fix the dump.