Hi all
When I start reading tutorials about armadillo,I were easily be able to unpack them due good tutorials and I had no problem with Code Splicing too.
When I see a Code Spliced exe file,I normally dump Spliced code and attach them to rebuilt dump exe(from rebuilt, I mean dump and rebuilded IAT one) in a new section and change the VA of it new section to what it should be and exe file works like piece of cake.The reason of this very easy way is that address of spliced codes in exe file in normally over ImageBase,then I can address it without any problem and changing SectionHeader of it.
But When I started to unpack a DLL with code splicing,I got an small problem:
Because ImageBase of DLLs are too big,normally address of spliced codes are less than ImageBase.Then I can't rebuild my PE in the same way of exes,beacuse I can't set a negative VA.
What is the best way for attaching spliced codes from a DLL to it?
(I didn't see any tutorial for unpacking DLLs with code spilicing and there is no problem with any other aspect of its unpacked except connecting these dumped spliced codes to DLL)

Regards

The best way is to fix the splices with Arminline, but if you really want to attach a section you can change where Armadillo is allocating. Set a breakpoint on msvcrt.time and fix the return values of the VirtualAlloc's.

See this tutorial by Haggar: http://tuts4you.com/download.php?view.293

Hi
I should say before I post this,I tried Virtual Alloc,but It didn't work(or I'm doing something wrong).
For example,Spliced code length is 128k,and its begining address should be 0xf40000.
I tried VirtualAlloc in this way(write it down in C format but it is ASM in real):
p = VirtualAlloc(0xf40000, 0x20000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
But this command always return 0 for an error and GetLastError returns ERROR_INVALID_ADDRESS.
I should say OllyAdvance can allocate my required memory in correct address like piece of cake,but I don't know why I can't allocate it by VirtualAlloc.
Do you know the problem with my API calling?

Regards

OH,Sorry
I find out the problem,calling should be like this:
p = VirtualAlloc(0xf40000, 0x20000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);

But here is 2 small question about virtual memories:
1-Is there any guarantee that I can always allocated this memory in specific address from one computer to another?
2-does system garbage collector collect the allocated memories using VirtualAlloc but not freed after termination of execution? or I should do this myself?

Regards

you could check this tut: http://arteam.accessroot.com/tutorials.html?fid=141
it deals with rebasing code splices so they will work even from a dll