|
MrAnonymous: That is the exact tutorial I went over. I guess I'm going to have to use it, even though it goes way into detail about Debug Blocker which is way over my head for now... I'm looking for a tutorial that would actually deal with import elimination with armadillo and not too much of the other fancy stuff (like debug blocker)
[UPDATE]
I put a little more effort into this and managed to follow MEPHiST0's tutorial, even though it's mostly about Debug Blocker. I manage to get "close to the oep" by patching IsDebuggerPresent and breaking on CreateThread (the first is where we need to break...), however the famous "call edi", which I gather should be the original OEP, is never reached. In this target I get to 009A891F, which is the pop/jmp just one below the "sweet spot" (call edi - 009A89CD) and wind up back in the target dll's code at 20040FF1. If anyone would be kind enough to take a look and tell me what I'm doing wrong on my first manual unpack attempt, I'd be thankfull
Last edited by FEARHQ; 01-26-2005 at 14:31.
|
01-26-2005, 05:43
Similar Threads
Threaded Mode