The unbreakable Armadillo !!!
First, I tried to apply Ricardo's method with Olly to unpack an Armadillo-packed
prog.
I set a bp on WriteProcessMemory and saw that BytesToWrite = 2 (only), and
nothing similar to Ricardo's great tut.
Second, I applied Crusader's approach.
I bpx'd on SetProcessWorkingSetSize and, hitting F12 in SI, I land here:
01B76005 8B351852B801 MOV ESI,[01B85218]
01B7600B 50           PUSH EAX
01B7600C FFD6         CALL ESI          ==> first call to SetProcessWorkingSetSize
01B7600E A11819B901   MOV EAX,[01B91918]
01B76013 3BC3         CMP EAX,EBX
01B76015 7407         JZ 01B7601E
01B76017 57           PUSH EDI
01B76018 57           PUSH EDI
01B76019 FF7004       PUSH DWORD PTR [EAX+04]
01B7601C FFD6         CALL ESI          ==> second call to SetProcessWorkingSetSize
01B7601E 8B45F0       MOV EAX,[EBP-10]
01B76021 5F           POP EDI
01B76022 5E           POP ESI
01B76023 5B           POP EBX
01B76024 C9           LEAVE
I can't find any CALL EDI.
And then the prog. exits with the following error:
"General extraction error : location ES1"
Third, I used the Dillodumper255 unpacker. The target prog displayed that
it needs a valid key (normally it does not, because it is a demo prog in default
mode). Ignoring this, I let Dillo continue and launched ImpRec to reconstruct the
IAT tables. Finally I executed the dumped prog and it crashed (tried to read a bad
location).
I have localised where the decrypt/encrypt routine is, and I tried to skip
the encrypt part by patching, but that crashes the prog. too.
After all this, is there anyone who can give some help and advice to break
this unbreakable one? Thanks to all who reply and can lead me to the right solution.
Regards