deroko, 11-17-2005, 06:54
Here is the OEP:
10015910 6A 0C PUSH 0C
10015912 68 E8C80110 PUSH Core.1001C8E8
10015917 E8 20010000 CALL Core.10015A3C

And the stack:
0006F9A0 2B 72 05 10 00 00 00 10 01 00 00 00 EC 34 08 10 +r..........ì4..

retaddr, imagebase, reason (1 = dll_process_attach). If you set bpm x on that address and run through sice, you'll see how the reason changes (process_attach, thread_attach, thread_attach, thread_detach and finally process_detach), so it has to be dllentry.
For me the IAT starts from FF6000, but I'm still working on code to eliminate IAT elimination =)
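The check described in the post (return address, image base, then a reason code that changes on each hit), as an added example that is not part of the original post: it decodes the 16 stack bytes from the dump and applies a heuristic test for a DLL entry frame. The function names, the heuristic itself and the extra frames built with `with_reason` are assumptions of this example; only the dump bytes and the entry address come from the post.

```python
import struct

# fdwReason values Windows passes to a DLL entry point (SDK constants).
REASONS = {0: "DLL_PROCESS_DETACH", 1: "DLL_PROCESS_ATTACH",
           2: "DLL_THREAD_ATTACH", 3: "DLL_THREAD_DETACH"}

# Stack bytes at 0006F9A0 and the candidate entry address, copied from the post.
POST_DUMP = "2B 72 05 10 00 00 00 10 01 00 00 00 EC 34 08 10"
POST_OEP = 0x10015910


def parse_entry_frame(hex_dump):
    """Decode the four little-endian dwords at ESP when the breakpoint hits."""
    raw = bytes.fromhex(hex_dump)
    if len(raw) < 16:
        raise ValueError("need 16 bytes: retaddr + three stdcall arguments")
    ret, hinst, reason, reserved = struct.unpack_from("<4I", raw)
    return {"retaddr": ret, "hinstDLL": hinst,
            "fdwReason": reason, "lpvReserved": reserved}


def looks_like_dll_entry(frame, entry_va):
    """Heuristic only (an assumption of this example, not a proof)."""
    hinst = frame["hinstDLL"]
    return (hinst != 0
            and hinst % 0x10000 == 0   # modules load on 64 KB boundaries
            and entry_va > hinst       # entry point lies above its image base
            and frame["fdwReason"] in REASONS
            and frame["retaddr"] != 0)


def with_reason(hex_dump, reason):
    """Constructed sample: the same frame with a different fdwReason."""
    raw = bytearray(bytes.fromhex(hex_dump))
    struct.pack_into("<I", raw, 8, reason)
    return raw.hex()


def reason_trace(dumps):
    """Name the reason seen on each breakpoint hit, in order."""
    return [REASONS.get(parse_entry_frame(d)["fdwReason"], "not a DllMain reason")
            for d in dumps]


if __name__ == "__main__":
    frame = parse_entry_frame(POST_DUMP)
    print({k: hex(v) for k, v in frame.items()})
    print("DLL entry frame:", looks_like_dll_entry(frame, POST_OEP))
    # Constructed hits following the order the post reports seeing.
    print(reason_trace([with_reason(POST_DUMP, r) for r in (1, 2, 2, 3, 0)]))
```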