Target (version 4.02) is at :
h**p://www.iopus.com/password_recovery.htm

There is no problem to register it with Softice (or with the keygenerator available on the Web).

My problem is to disable the Armadillo two anti-Softice protections. With Icedump on there is no problem, but I would like to run the prog without having to mask Softice's presence.

The two Softice detections are:
int 3 at cs:00a1e7fe
int 68 at cs:00a1eb7d

One way is to dump the target. i tried (OEP is at 410a5e) but I failed restoring the IAT eventhough I read pertinent messages.

Second way could be to patch the Armadillo, but adresses a1e7fe and a1eb7d seem to be in a crypted or packed part, and I could not access to them (except live in Softice).

TIA for informations.
Artifex

1. Download ArmKiller
http://www.woodmann.net/protools/files/unpackers/armkiller.zip

2. Run it and wait for the second messagebox.

3. Don't close that messagebox, run imprec and restore the IT:
Import Table RVA - 2c000 Size - 594 OEP - 10a5e
Write the IT to dump.exe

4. Fix the dump.exe to Full version
RVA 7e34 : sete al -> mov al,1 + nop

5. Compress the final EXE by ASPack (UPX can't compress it)
if it doesn't work.

That's all.

Hi, Armkiller, and many thanks for the informations.

Artifex

Hi ArmKiller,

Tried your techique on BearShare 4.0.2 (all PE scanners identified as Armadillo 2+) - no luck. last ArmKiller doesn't do no dumps to disk (win2000) -seems like EIP guessed wrong in that case cause Imprec in auto mode can't resolve 4 pointers - against 17 with ofered OEP - could you please check how it works with bearshare?

OK. I'll check it soon.

Use the latests build 4, it works fine:

hxxp://unpacker.narod.ru

Parameters for BearShare 4.0.2 Import Table.
RVA 00183000 Size 00000928