#1
About Armadillo unpacking..
Greetings on the board,
I have just spent some time trying to unpack a program called Newsleecher 1.0 beta 18. (A few weeks ago I unpacked beta 15 without problems.) Now, when I use the same method as last time, I get problems. This is the kind of Arma that uses WriteProcessMemory with 2 bytes and so on. I manage to dump it and to fix the IAT table (at least that's how it looks to me). The problems occur when I try to run the dumped file. The program stops when it arrives at some strange jumps. When I trace these jumps in the original file, the program executes some code that looks quite unnecessary (it looks unnecessary to me), then it jumps back to the code location right after the jump instruction. The jump leads to a location in the Arma code, I believe. But since it jumps right back, it can be skipped. (Again, that's how it looks to me.) My question is: can someone interested in Arma stuff please take a look at this program and (hopefully) tell me what seems to be the problem? If the interested person(s) prefer to communicate via mail, this is my address: hobgoblin.at.chello.no The program can be found at hxxp.www.newsleecher.com. For the record: I don't care about the program, I'm just interested in unpacking it. Regards and TIA, hobgoblin

#2
That same problem
Hello,
I have that same problem. I am trying to unpack a dilled target written in VB. Everything was OK: successfully detached from the parent, fixed the IAT and dumped. When trying to run dumped.exe, the program simply crashes. When I reviewed dumped.exe in the debugger, I found problems with calls through the IAT. In the IAT, instead of calls to the DLLs, there were addresses in the program's address space, which checked 5 bytes in the standard DLL function for 0CCh and then simply redirected. But what must I do with calls to 3 closed-circle jumps? I have deleted them. Was I wrong? One more question: where are the calls to msvbm5.dll? Or did I find the wrong OEP? Thanks, and sorry for my bad English.

#3
I have the same thing, and with the tut of MEPHiST0 to detect Armadillo's version, my program was protected by Armadillo 3.75b.
So there is the WriteMemory with 2 bytes protection, and after that you can rebuild the IAT by finding the magic jmp, but after that it seems to have anti-dump with jmps into Armadillo code which is not in the dump (code splicing) and perhaps nanomites. Has someone already had this protection? hashshah > How did you rebuild the IAT?

#4
IAT problem
I'm new in this forum and can't get attachments, so I don't know how to find the exact version. What I know about my program:
1. It was written in VB;
2. It calls WriteProcessMemory 2 times with 2 bytes;
3. It can't run the detached process without renaming Olly;
4. It rewrites calls to some functions with anti-debugging code;
5. It has strange anti-disassembling code jumping into the middle of instructions.
What I did: detached with ActiveProcessStop; broke in the .text section at push ebp... and dumped; used ImpRec to change the unknown functions with +64h to the original DLLs; deleted calls to {a: jump b; b: jump c; c: jump a} and others which, I think, do dillo's work for unpacking(?) or were too hard for me to understand, because they must not be called if the program is working without the shell? I'm a newbie; don't beat me hard. I can't connect to ricnar (DNS reports IP 0.0.0.0) and the Internet gives nothing useful, Olly scripts crash, Armadumpers/killers are written for earlier versions. So I'm trying the forums.
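The "closed circle" jump chains that #2 and #4 describe ({a: jmp b; b: jmp c; c: jmp a}) can be recognised statically instead of by hand-tracing. The helper below is an added example, not code from this thread or from any Armadillo tool: it decodes only unconditional x86 jmps (EB rel8, E9 rel32), follows the chain from a given address and reports whether it closes on itself or reaches an ordinary instruction. The byte buffer, base address and addresses are constructed for illustration.

```python
import struct

JMP_SHORT, JMP_NEAR = 0xEB, 0xE9  # unconditional jmp rel8 / jmp rel32


def decode_jmp(buf, base, va):
    """Return the target VA if the instruction at `va` is an unconditional
    jmp (EB rel8 or E9 rel32); return None for anything else."""
    off = va - base
    if off < 0 or off >= len(buf):
        return None
    if buf[off] == JMP_SHORT and off + 2 <= len(buf):
        return va + 2 + struct.unpack_from("<b", buf, off + 1)[0]
    if buf[off] == JMP_NEAR and off + 5 <= len(buf):
        return va + 5 + struct.unpack_from("<i", buf, off + 1)[0]
    return None


def follow_chain(buf, base, va, limit=64):
    """Follow jmp -> jmp -> ... starting at `va`.
    Returns (last_va, path, is_cycle). is_cycle is True when the chain
    returns to an address already visited (a closed circle that never
    reaches real code); otherwise last_va is the first non-jmp instruction."""
    path, seen, cur = [], set(), va
    while cur is not None and len(path) < limit:
        if cur in seen:
            return cur, path, True
        seen.add(cur)
        path.append(cur)
        cur = decode_jmp(buf, base, cur)
    return path[-1], path, False


# Constructed sample (hypothetical bytes, not from any real target), base 0x401000:
#   0x401000  EB 03            jmp 0x401005
#   0x401002  90 90 90         padding
#   0x401005  E9 06 00 00 00   jmp 0x401010
#   0x40100A  90 x6            padding
#   0x401010  EB EE            jmp 0x401000   <- closes the circle
#   0x401012  55               push ebp       <- ordinary code
BASE = 0x401000
SAMPLE = bytes([0xEB, 0x03, 0x90, 0x90, 0x90,
                0xE9, 0x06, 0x00, 0x00, 0x00,
                0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
                0xEB, 0xEE,
                0x55])

if __name__ == "__main__":
    for start in (0x401000, 0x401012):
        last, path, cyc = follow_chain(SAMPLE, BASE, start)
        print(hex(start), "->", [hex(p) for p in path],
              "closed circle" if cyc else f"reaches code at {hex(last)}")
```

A chain that reports a closed circle can never deliver control to real code, which is what makes such a call site safe to treat as dead when triaging a dump; a chain that ends at an ordinary instruction is a trampoline and must be kept.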

#5
hobgoblin: any news on that Newsleecher program? I just downloaded the 1.0 final version... and I have no idea where to start.

#6
It's very easy
Use your mind; it is very easy to repair all the programs mentioned in this thread.
Imagination please. Ricardo Narvaja