Dillo protected DLL

[Archer]

Error while unpacking usually happens, when Arma detects debugger. Maybe it sees installed SoftIce or IceExt (it can detect even, if SIce isn't running). Maybe some breakpoints set (software or hardware). Maybe something else (found Olly in some other way, don't know exactly, because mine Olly is all patched with hands, renamed and even packed with ASPack). For example HideDebugger plugin for me doesn't work properly, so I use IsDebuggerPresent plugin instead.

[5Alive]

Hi Archer, thanks for replying. This is driving me crazy, I never had this problem before when looking at this DLL.

Quote:

Originally Posted by Archer

Error while unpacking usually happens, when Arma detects debugger. Maybe it sees installed SoftIce or IceExt (it can detect even, if SIce isn't running).

Yes, I would agree it appears to be detecting something. I have both SoftIce and IceExt installed. When I first got this file it would not run under normal conditions (no debugger loaded), so I edited the IceExt registry entry. Then it ran okay.

Quote:

Originally Posted by Archer

Maybe some breakpoints set (software or hardware). Maybe something else (found Olly in some other way, don't know exactly, because mine Olly is all patched with hands, renamed and even packed with ASPack).

I don't have any software or hardware BPs set, and it still gives this error message.

Quote:

Originally Posted by Archer

For example HideDebugger plugin for me doesn't work properly, so I use IsDebuggerPresent plugin instead.

[/QUOTE]
I typed BP IsDebuggerPresent and pressed Shift+F9 and the API returns 0 as expected. I'll try the IsDebuggerPresent plugin anyway to see if this might help.
Can you send me a copy of your patched and packed Olly and .ini file via rapidshare (PM me with details). Thank you appreciate it.

UPDATE 1: The IsDebuggerPresent plugin doesn't change anything unfortunately.

UPDATE 2:Okay I've made some good progress since my last post.
I tried Archers packed and packed Olly (thanks) but the error remained.
In the end I gave up trying to load the DLL directly with LOADDLL.EXE and thought I'll just run the main EXE and debug the DLL from there.
That seems to work well. (phew)

I've found what I think is the OEP although I'm not certain does this look correct?
017E6221 55 PUSH EBP <--OEP?
017E6222 8BEC MOV EBP,ESP
017E6224 53 PUSH EBX
017E6225 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8]
017E6228 56 PUSH ESI
017E6229 8B75 0C MOV ESI,DWORD PTR SS:[EBP+C]
017E622C 57 PUSH EDI
017E622D 8B7D 10 MOV EDI,DWORD PTR SS:[EBP+10]
017E6230 85F6 TEST ESI,ESI

I found the IAT table, and patched the two jumps. I set a hardware BP on what I thought was an invalid entry(intuitive guess) and it broke in the IAT.

My question is what do you guys do to identify an invalid entry what are the "rules". My method was that I noticed pattern of the form XX XX DX 77 when this deviated I assumed it to be invalid.

This leads me to my next question. What am I looking for to find the start of the table? Again a break in the pattern or something else?

Thanks 5Alive.