
View Full Version : Armadillo 5.x 6.x IAT problem (oep OK)


squalito
October 5th, 2008, 13:19
Hello,

I have a target protected with Armadillo 5.xx or 6.xx (I don't have the latest signature for Arma, so I just know it is > 4.x).

So far I've been able to detach the process to bypass the debugBlocker and then find the OEP.

In this version of Armadillo the CALL to the OEP is made with a CALL EDX.

My problem is with the IAT.

To find it I do this:
- Once detached (and loop removed) I create a breakpoint on VirtualProtect
- My app size is 4MB
- I'm looking for something like PUSH 14 --- PUSH 100 to patch the CALL just after PUSH 100 with a RETN

So far I haven't found this kind of data :\

(PS: I've also looked at the HeapDestroy memory, but there is a missing DLL.)

I'm looking for the Arma stub to patch it with a RETN to leave the IAT clean.
After this I'd be able to replace the PE header with a good one, dump it, and fix the dump.

The Magic Jump solution doesn't work (or at least I didn't find it).

Do you have any news on how to find the stub to patch to get a clean IAT on the latest Arma version?


Other ways to reconstruct the IAT?

Thanks in advance
sQuaLiTo