Older Armadillo App Does Not Break.
Hello,
I have an app that is about a year old that I decided to take a look at. PEiD reports Armadillo 1.xx - 2.xx. StubPE reports it as 2.75a. I have read through Mephisto's information on 3.xx unpacking as well as some of Ricardo's tutorials that were in English, which may have given me some insight into this.
What I do know of the app is the following:
1. The app uses CopyMem (dual processes).
2. The ONLY thing I am able to break on is CreateThread, and not WriteProcessMemory, with which I can Ret F9 twice and scroll down to CALL EDI to get the OEP.
3. If I clear all hardware/software breakpoints in Olly and uncheck ALL exceptions, I can run the app with just F9. There are no exceptions at all, even through the enter-key/continue-evaluation screen, all the way to the full app window.
4. Dumping the process after copying the parent's PE header and looking for imports with ImpREC, I can find almost all imports in all modules, with 14 reported invalid.
I guess at this point I don't know which way to go. The child process seems to be decrypting itself, and I am not completely versed in nanomites, which I am guessing is the issue at this point. The dumped child process, like I said, has most imports intact, but after deleting the 14 invalid ones and rebuilding with LordPE it of course will not run. Any help or direction would be greatly appreciated.
Wackyass