Risotto
May 29th, 2002, 22:26
Salutionz!
I've got a prob while unprotecting a proggie protected with Armadillo 2.5*. Actually I unprotected it, but Armadillo's code is still in the very prog. I've done it this way:
1. bpx GetProcessWorkingSetSize
2. tracing awhile:
018F:0089FE49 50 PUSH EAX
018F:0089FE4A FFD7 CALL EDI ;jump to OEP
018F:0089FE4C 8BF8 MOV EDI,EAX
018F:0089FE4E 8BC7 MOV EAX,EDI
018F:0089FE50 5F POP EDI
018F:0089FE51 5E POP ESI
018F:0089FE52 C3 RET
3. trace into call edi and dump the file.
4. rebuilding PE header and IAT and OEP.
5. and it works.
But I'd like to remove Armadillo. How to do it? I failed to find the decrypting routine. BTW a breakpoint at WriteProcessMemory doesn't work at all.
Agur.