Hi all, I am currently unpacking the PIMOne software.
While PasswordCoffer was a piece of cake to unpack, the other 3 are more complicated: once CopyMem is gone (Ricardo script), I detach with ArmaDetach or Arma Find Protected and land on the EP of the Armadillo shell.
From there, I should launch the Armadillo 4.40 standard unpack script, but this script does not work anymore on 4.4x targets.
So, back to arma_getmodule: this successfully fixes the magic jump, and the next step is to BP on CreateThread 2 times, then Ctrl+F9, F8, search for CALL ECX, set a BP on CALL ECX, F7, and we are at the crypted OEP, ready to steal the right IAT.
This works only in theory, because if I set a BP on CreateThread and press Shift+F9, the program throws an exception and quits.
If I use one of the debuggers/inline patchers from ARTeam, I get an error right at that place:
"InstallKey function of ArmAccess.dll not found." and another text.
It is now clear that it has trouble finding the virtual ArmAccess.dll.
I followed 3 tutorials (2 about Diary One and 1 about PIMOne), and in one of them the program crashed; after reloading the program in the debugger, all went OK.
This time, instead, every time I do the same operations (arma_getmodule + BP on CreateThread), the program crashes and quits.
Any suggestions? (Ran out of ideas.)
Thanks to all
TmC