armadillo 2.60(a)?
_Servil_
August 7th, 2002, 21:04
Greetings,
Please, some pointers on unwrapping the protection, with the target being Armadillo itself, since it is guaranteed to be packed with this.
The info I've found all deals with version 1.80 or older, which seems quite obsolete for my purpose; the .tmp image is not created anymore.
What I succeeded in was dumping at OEP and partially restoring the IT.
They must be changing the import obscuring very quickly, because where my ImpREC plugin restored the whole IT on v2.60, it failed on some in 2.60a; at least GetProcAddress seems to me to be fully emulated now. Can that be true (?)
The worst is that the image at OEP isn't fully decrypted yet.
I've found some info that the code is unpacked part by part, but not how to restore the original code..
Please, some input on this..?
Cyber
August 8th, 2002, 12:45
Sounds like the CopyMem option is on.
To get round this you either need to dump each decrypted part of memory and put it all together, or alter the size of the decryption routine to do it all in one go.
There is plenty of info on here about it, so I suggest you search.

_Servil_
August 8th, 2002, 17:40
Hi,
As I noticed, the code is continuously decrypted and encrypted back when not needed ;(, which means the whole code is never decrypted as a whole.
Triggering the WriteProcessMemory was hit on various user actions, mostly dialog boxes. Is this the only way to get the decrypted section? How do I figure out that the current break is for decrypting.. and is there an easier way to know all the chunks were decrypted already than drawing a memory map manually?
Thanks
Cyber
August 8th, 2002, 18:05
It decrypts in 200k (I think) chunks; all you have to do is fool it into decrypting the whole process in one go.
As I said, search this forum and all the info required is there.
Start by looking at this thread: http://www.woodmann.net/forum/showthread.php?s=&threadid=3041&highlight=armadillo
crUsAdEr posted a nice piece on how to unpack 2.5x, and 2.60 is the same apart from a few cosmetics.

_Servil_
August 9th, 2002, 17:40
Cyber, got it!
Thank you, and yes, I should search better first.. To supplement crUsAdEr's piece: the param to decrypt is 1, not zero.
I've written a tiny plugin for that, but it doesn't work on the NT kernel since it's tuned on Win98, and I can't use SoftICE on WXP.
And I'm still not certain about GetProcAddress, which seems to be fully substituted by Dillo (?).
Regards,
_Servil_
nofurs
August 9th, 2002, 18:37
Hi _Servil_,
I don't mean to pour cold water on you, but it would be nice if you uploaded the source code rather than the DLL, because people learn nothing from your DLL.
_Servil_
August 9th, 2002, 19:06
Um, no problem, but sorry, at the moment the source is a bit non-working; after making it clearer it's screwed up ;-)
What it does is nothing more than looking forward to a call [address] or far JZ ...,
following the call and searching for the known PUSH [api_addr] / JMP ...
As-is it could at least restore the imports, and it might even detect the GetProcAddr, but maybe I've failed; tested only on a few apps.
When I get the source into a working state again I will upload it.
Armkiller
August 13th, 2002, 22:39
Post the link for an application, please. I can try to explain.
_Servil_
August 14th, 2002, 17:23
Hiya, Armkiller,
What app did you need? The initial question was about Armadillo SPS itself.
In fact I no longer need an explanation in this case; following the topic Cyber spoke about, all is solved for me.
Anyhow thanks -- there's never enough knowledge...