Hi, I can't unpack Armadillo when IT Elimination is used. It's a new feature since v3.60 beta1.
Like Strategic Code Splicing (I can deal with it), I've added a new section from the dumped region.
This target only uses standard protection + IT Elimination.
I've changed the long JNE to a long JMP in IT rebuilding,
but there's still a problem with the indirect jumps.
The indirect CALL is OK (in my dumped file).
Code:
004E8140 PUSH EBX
004E8141 PUSH ESI
004E8142 PUSH EDI
004E8143 MOV DWORD PTR SS:[EBP-18],ESP
004E8146 CALL DWORD PTR DS:[D885B4] ; kernel32.GetVersion
004E814C XOR EDX,EDX
As you can see, the indirect CALL is OK.
But there's a problem with the indirect JMP (my dumped file):
Code:
00548F50 JMP DWORD PTR DS:[D88904]
00548F56 JMP DWORD PTR DS:[D888FC]
00548F5C JMP DWORD PTR DS:[D888F8]
And the value of [D888F8] is 77C0167D, but there's no memory at that address (77C0167D),
and I could not go there.
But in the protected file, the code is like this:
Code:
00548F50 JMP DWORD PTR DS:[D88904] ; VERSION.VerQueryValueA
00548F56 JMP DWORD PTR DS:[D888FC] ; VERSION.GetFileVersionInfoA
00548F5C JMP DWORD PTR DS:[D888F8] ; VERSION.GetFileVersionInfoSizeA
And the value of [D888F8] is 77C0167D (which is the same as mine). But I can go there.
==================================================================================
Weird, there's no VERSION.dll module in my dumped file. Does anyone know how to deal with this new feature?
Sorry for my poor English.
Hypersnap-DX 5.50.01
Kyrios
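A small diagnostic for the situation described in the post, added here as an example and not code from the thread: it parses OllyDbg-style indirect CALL/JMP lines, looks each IAT slot up in a constructed memory table, and reports which targets fall outside every module present in the dump. The module bases and sizes, and every slot value except 77C0167D, are assumptions; VERSION.dll is deliberately absent from the module list to mirror the dump the post describes.

```python
import re
from bisect import bisect_right

# Constructed module list for the dumped process: (base, size, name).
# Bases and sizes are assumptions for this example; VERSION.dll is
# deliberately missing, as in the dump described in the post.
LOADED_MODULES = sorted([
    (0x00400000, 0x00700000, "hypersnap.exe"),
    (0x77E40000, 0x000F0000, "kernel32.dll"),
])

# Constructed IAT slot contents. Only 77C0167D is quoted in the post;
# the other values are assumed for illustration.
IAT = {
    0xD885B4: 0x77E5D2F0,  # assumed: inside kernel32.dll
    0xD88904: 0x77C012A0,  # assumed: VERSION.dll range, not in the dump
    0xD888FC: 0x77C01540,  # assumed: VERSION.dll range, not in the dump
    0xD888F8: 0x77C0167D,  # value quoted in the post
}

# Listing lines taken from the post (comments dropped), as sample input.
SAMPLE_LISTING = """004E8146 CALL DWORD PTR DS:[D885B4]
00548F50 JMP DWORD PTR DS:[D88904]
00548F56 JMP DWORD PTR DS:[D888FC]
00548F5C JMP DWORD PTR DS:[D888F8]"""

THUNK_RE = re.compile(r"\b(CALL|JMP)\s+DWORD PTR DS:\[([0-9A-Fa-f]{1,8})\]")

def module_for(addr, modules=LOADED_MODULES):
    """Name of the loaded module covering addr, or None if no module does."""
    bases = [m[0] for m in modules]
    i = bisect_right(bases, addr) - 1
    if i >= 0:
        base, size, name = modules[i]
        if base <= addr < base + size:
            return name
    return None

def check_thunks(listing, iat=IAT, modules=LOADED_MODULES):
    """Resolve every indirect CALL/JMP slot: (kind, slot, target, module)."""
    results = []
    for line in listing.splitlines():
        m = THUNK_RE.search(line)
        if not m:
            continue
        kind, slot = m.group(1), int(m.group(2), 16)
        target = iat.get(slot)
        mod = module_for(target, modules) if target is not None else None
        results.append((kind, slot, target, mod))
    return results

def unresolved(results):
    """Slots whose target is outside every module present in the dump."""
    return [r for r in results if r[3] is None]
```

Slots reported by unresolved() are exactly the ones an import rebuilder cannot name from the dump alone; the fix is to account for the missing module (here VERSION.dll) before rebuilding, not to patch the thunks.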