Strange Crash in Armadilled Program

[TmC]

Hi all, I am currently unpacking PIMOne software.

While PasswordCoffer was a piece of cake to unpack.

With the other 3 it is more complicated: once copymem is gone(ricardo script), i detach with armadetach or arma find protected and land on ep of armadillo shell.

From there, i should launch armadillo 4.40 standard unpack, but this script does not work anymore on 4.4x targets.

So back to arma_getmodule this fixes succesfully the magic jump and the next step is to BP on create thread 2 times, then ctrl+f9, f8, search for CALL ECX, set bp on CALL ECX, f7 and we are at the crypted oep, ready to steal the right IAT.

This works only in theory because if i set bp on createthread and give shift+f9, the program throws an exception and quits.

If i use one of the debuggers/inline patchers of arteam, i get an error right in that place:

InstallKey function of ArmAccess.dll not found. and another text.
It is now clear that it has troubles finding the virtual armaccess.dll

I followed 3 tutorials(2 about diary one and 1 about pimone) and in one happened that the program crashed. after reloading the program in the debugger all went ok.

This time instead, everytime i do the same operations(arm_getmodule + bp on createthread) the program crashes and quits.

Any suggestions? (Ran out of ideas )

Thanks to all
TmC