Once you fix magic jmp set hardware breakpoint on read on instructio above it, then later during some checkum check your hardware breakpoint will be hit, change fixed jmp to old value and continue to oep. Also armadillo has 0xcc check in first few bytes of api during virtual.dll initialization. But after that there are no check so when you hit magic jmp set bpx on CreateThread and it should work. Also you may set bpx on 2nd layer API (that's how I call them - situation when some API is wrapper for other API - VirtualAlloc -> VirtualAllocEx or CreateThread -> CreateRemoteThread for example) and that will solve any int3h detection in all protectors so far
Usually I use expresion in sice to solve this problem by simple typing:
bpm magic_jmp x do "r eip good_place;x;" and let sice to popup a few times till iat isn't fixed
I hope this helps