Bad news for RV from ARMADILLO 2.51

I found in ARMADILLO2.51 bad anti-resolver trick
It PUSHs export address and then jumps in some code KERNEL32.DLL!
After this code ends, RET returns to export (-was pashed).

So FINITO LA COMEDIA of RV resolving???

As VENDETA action:
Here I uploaded unpacked ARMA without resources. Attach resourse from original...

binh8!

You asked, if original IT exists in memory for dump.
No, it is stripped. I put this stripped export names in zip(from mem FC4000h).

Hi eval,

Yeah but ImpRec works great for me :>...had to resolve a couple manually only... or some dirty inline patching can do the job as well :>...

regards...

P.S : Do you know any other program packed with new Armadillo? I want to if it has any other special features?

If you still need a program protected with Armadillo, please let's me know. My email is vt0008@hotmail.com

I have this sofware that I tried to unprotect it but I cannot, so I need some help.

Thanks

Hello!
I made mistake, RV can resolve most IT:

I Resolved imports in ARMADILLO with RV in this way:
1. find in dump IAT memory range
2. select in RV FIRST(!) armadillo-process,
press "resolve", then "resolve again", then trace EXEPT some redirected
in lower address (DLL).
RV-tracer can resolave all those redirected.

Hajo,

Been bizzy with armadillo the last week(s).
Found out that r.v and imprec couldn't resolve in the normal way
(i didn't try it your way eval) so tried writing a plugin for it..
Thanks to bin81 (works great man !) my plugin can resolve "all"
except 2 calls ( which i think you don't need them.)
I must do some more testing on other apps but my hole puter
crashed and had to install a new fresh system (shit)

Keep you informed,

SpeKK

Hi SpeKKel...

I alwasy ghost my system after CloneCD f**** up my comp sometimes ago :>.... hopefully ur newly installed system will run faster :>...

Yeah, keep us informed....

cheers,

Hajo,

Finished imprec/r.v plugin for armadillo.
Tested om w98 with imprec on arm 2.51 and 2.52 and resolves
99 %.It seems that the plugin doesn't work on w2k ??
Don't know why.I compiled with tasm,.. should i gave up some extra parameters for other systems ??
Just used the buildddll.bat file (maker.exe) included by imprec's source.

TIA

Spekk

Where is it!?
We will test

okee here it is .

Spekk

somebody tried the plugin W98/w2k ........
Wants to know if it works on both systems..

TIA

Spekk

Test failed!
System W98se
RV 1.3 and 1.4
Arma 2.51, 2.52b, 2.52

Prints "error"

Or you can explane, how exactly use?

On r.v all plugins give error on a w98 system.this because r.v doesn't support w98...

Try on imprec and read pm please..

Spekk

Spek!

Sorry, but I not support IMPREC

OK.

Spekk

OK, Spekk!

I tried also IR. (tsss)
But also failed!
Write step by step, how to..

(For example I do:
(1. put power plug in AC
(2. press Power button on PC
(3. ~:

Also write IR's config I must choose.

Hahahahaha,

Eval.. did you forget to install the driver for the plug-in :>>

SpeKKel said it was a plug-in, not a plug-n-play :>>

PLUG and PRAY

When I wrote "test failed", oPh c0urse I already done this:

'1 put the arma plugin in the plugin directory from imprec.
'2 run armadillo
- 2.52b
'3 give iat lenght/oep and press get imports
- IAT 00026000; Size 2C0; OEP 0001F0C0;
'4 press show invalid
'5 do a right click on the invalid entry
'6 press plugin arma-beta2.5
'7 should resolve...

N0pe! Not resolves!
"Return value:205 Failed!"

Spekk, I asked:
"Also write IR's config I must choose."
You think, it is not IMPoRtantEC? OK!

So finally, you want 'N8 & N9'?

config ??
You mean the options of imprec?? think this isn't important, please do this set bpx readfile ,1 time F5 and 2 times f12 now you
land in plugin >> trace and watch value esi,ebx and see where
it goes wrong.

spekk

hey eval,

I was just joking... hope you are not angry

Binh

binh81!
I very like jokEr! Don't warry!

Tommorow, Spekk, maybe I db

OK, dbg your DLL.
Attemp trace thunk 00026094:A85FD2
Error occurs in KERNEL32:IsBadHugeReadPtr
BFF7BA0B: mov CL,[edx+eax-01] < A85FD5 - here is no page.
So this Function returns 01, JE at 401117 (for HIEW) not jumps..goes to ExitThread

That's all folks

H'mm i made this plug-in from the original source from telock.asm
there was an error while compiling which seems to be this
badhudgereadptr.
I thought i had solved this prob by adding the line extrn badhuggereadptrroc to the source...Well this worked for me ..
I'll look again why this goes wrong on other systems.
My earlier plugin (visuel protect) was made in hiew., where i took
an allready compiled dll which worked on all sys.

But eval big thanks, now i know where to surch..

Spekk