You are trying to break the CopyMem II enhanced version of Armadillo. Putting EBFE at the start of the 1000 bytes is wrong, and so you won't get the OEP.
A description of how it works:
The main process acts as a debugger on the second one; the second process is crypted. The second process throws an exception at the OEP because the OEP is crypted, so the main process decrypts it, but only 1000 bytes. Now the second process is executed until it lands again on crypted code and throws an exception; the main process then decrypts another 1000-byte block, and the block that was executed before is encrypted again. You have to manage to decrypt the second process completely and then dump. WaitForDebugEvent is the key to getting the OEP and putting it in an endless loop.
I think you should read Ricardo's tutorial on GetRight 5. It's great for this type of Armadillo. There's also an OllyScript plugin which can do it automatically, but it doesn't work in all cases.
best regards,
MaRKuS TH-DJM
PS: WaitForDebugEvent is the communicator between the main process and the second process, so it's the key to all of it, I think.