Thread: Dumping Armadillo protected DLL?
View Single Post
  #7  
Old 01-26-2005, 05:43
FEARHQ FEARHQ is offline
Friend
  
Join Date: Mar 2002
Posts: 73
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 1 Time in 1 Post
FEARHQ Reputation: 0
MrAnonymous: That is the exact tutorial I went over. I guess I'm going to have to use it, even though it goes way into detail about Debug Blocker which is way over my head for now... I'm looking for a tutorial that would actually deal with import elimination with armadillo and not too much of the other fancy stuff (like debug blocker)

[UPDATE]
I put a little more effort into this and managed to follow MEPHiST0's tutorial, even though it's mostly about Debug Blocker. I manage to get "close to the oep" by patching IsDebuggerPresent and breaking on CreateThread (the first is where we need to break...), however the famous "call edi", which I gather should be the original OEP, is never reached. In this target I get to 009A891F, which is the pop/jmp just one below the "sweet spot" (call edi - 009A89CD) and wind up back in the target dll's code at 20040FF1. If anyone would be kind enough to take a look and tell me what I'm doing wrong on my first manual unpack attempt, I'd be thankfull
Attached Files
File Type: zip target.zip (280.0 KB, 38 views)
Last edited by FEARHQ; 01-26-2005 at 14:31.
Reply With Quote