hi,

I try to manually unarmadillo a app and I don't understand one think :

I have the X.tmp0 file and a dump file of X application and when I see the section (code segment) I have theses differents offset and size :

Voff Vssize Roff RSize
.tmp0 : 1000 286CA8 400 286E00
dumped : 1000 286CA8 1000 286CA8

I don't understand why the the Roff is differnt and the Rsize ?

So What I have to Do? take in the dumped file from 400 (size 286CA8) and paste into the tmp0 file start a 1000 ?

thanks in advance

I dont know... sometimes Proc dump adjust the section alignment by automatically i think, just try partial dump section by section if ur full dump is messed up... Use Lord PE... nice program except lots of feratures are stripped off...

Hello slide97 !

ProcDump has two options which are turned on by default.
"Recompute Object Size" and "Optimze PE structure".
So if ProcDump cuts the real Size, it means that there is nothing important in it.
The real Offset is different because from 00400000 to 00401000 there are 1000h bytes, and if you do a full dump, the additional bytes are also dumped.
(And there is some more space to insert the nice "Unpacked with ProcDump32..." message into the header )

Thanks a lot binh81 and DakienDx!

Now It works and I have successfully unarmadillo my application. I think I will write a new thread to explain how to do.

bye

hiya,
"Use Lord PE... nice program except lots of feratures are stripped off...". Well worth the $10.00 for the full version.
regards

Hi ya,

I think it is 25 dollars, well worth it if I am working and earning money... I dont even have a credit card :<.. how do I buy it?

Most of features are available in some other freewares...

I dont know if it is possible but at least I do not attempt to disassemble or crack the program :>.. with all my respect to Yoda :>

cheers,