  #14  
Old 08-30-2004, 09:26
MrAnonymous
First a note: PEiD picks up all Delphi I tried packing (Delphi 7-8) as Arma 1.xx - 2.xx Overlay, so look at section names; if it looks like a Delphi you can bet it's a lot newer Arma version than PEiD thinks. If you need the exact version there's a tutorial on how to get it posted.

As for your question Paul, when you break on CreateThread you may see something like this (this is Arma 3.75-Test1 posted by Scratch on a Delphi using minimum protection):

7C81082F > 8BFF MOV EDI,EDI --> Land Here
7C810831 55 PUSH EBP
7C810832 8BEC MOV EBP,ESP
7C810834 FF75 1C PUSH DWORD PTR SS:[EBP+1C]
7C810837 FF75 18 PUSH DWORD PTR SS:[EBP+18]
7C81083A FF75 14 PUSH DWORD PTR SS:[EBP+14]
7C81083D FF75 10 PUSH DWORD PTR SS:[EBP+10]
7C810840 FF75 0C PUSH DWORD PTR SS:[EBP+C]
7C810843 FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C810846 6A FF PUSH -1
7C810848 E8 D9FDFFFF CALL kernel32.CreateRemoteThread
7C81084D 5D POP EBP
7C81084E C2 1800 RETN 18 --> F8 To Here

00AFF79B 5E POP ESI --> Return to here
00AFF79C C9 LEAVE
00AFF79D C3 RETN --> F8 Over the Ret

Once you return, look down for a CALL EDI such as:

00B184B1 FFD7 CALL EDI

Click on it and hit F8 to make a breakpoint, F9 to go to it, then F7 to step in and you're at the OEP. There are detailed tutorials on non-CopyMem2 Armadillos so I won't post any more details; better just to consult those documents.
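The section-name check the post recommends instead of trusting PEiD, as an added triage example that is not part of the original post: it walks a PE section table and flags the CODE/DATA/BSS names a Delphi linker emits. The Delphi section set and the header-only sample PEs are assumptions constructed here for the demonstration, not taken from any real file.

```python
import struct

# Section names a Delphi/Borland linker emits. A file whose section table still
# shows them is a Delphi binary whatever a signature scanner like PEiD reports.
# (Assumed heuristic for this example, not from the original post.)
DELPHI_SECTIONS = {"CODE", "DATA", "BSS"}


def section_names(pe: bytes) -> list:
    """Return the section names from a PE image's section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: NumberOfSections at +6, SizeOfOptionalHeader at +20
    num_sections = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                           # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        raw = pe[table + i * 40: table + i * 40 + 8]         # 8-byte Name field
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def looks_like_delphi(pe: bytes) -> bool:
    """True when the Delphi section names are all present."""
    return DELPHI_SECTIONS.issubset(section_names(pe))


def build_sample(names) -> bytes:
    """Construct a minimal header-only PE with the given section names (test data only)."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    # Machine=i386, NumberOfSections, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader=0, chars
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + coff + sections


if __name__ == "__main__":
    delphi = build_sample(["CODE", "DATA", "BSS", ".idata", ".tls", ".rdata", ".reloc", ".rsrc"])
    msvc = build_sample([".text", ".rdata", ".data", ".rsrc"])
    print(section_names(delphi), looks_like_delphi(delphi))
    print(section_names(msvc), looks_like_delphi(msvc))
```

On a real sample pass the file's bytes to `looks_like_delphi`; a Delphi result next to a PEiD "Arma 1.xx - 2.xx" match is the mismatch the post warns about.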