a question to armkiller ?
BenJ
August 18th, 2002, 16:32
Perhaps you can help me please?
Suppose I have a target that performs as follows:
- creates a thread and so on + 2 WriteProcessMemory
- then shows the first reminder msgbox, I click OK
- then performs SetProcessWorkingSetSize,
- then call edi to the eip of the target thread -> launches the target
After this, no more WriteProcessMemory (never!)
Does it mean that the target is fully decrypted once before launching?
In this case, I suppose that CopyMemII is not used?
Last question: I have the impression that Arma adds sections to the exe of the created thread, which are not in the original unprotected exe. What's the deal with these sections?
Thanks in advance
evaluator
August 19th, 2002, 07:05
1. Mostly it seems there is no CopyMem.
Just look in the dump's code section with some viewer and
try to detect with your EYES if the code is encrypted.
Or simply run the unpacked program.
2. If the sections are at the END, you can successfully wipe them in LordPE
and then with a hex editor.
BenJ
August 19th, 2002, 14:48
Hi Evaluator,
In fact I wondered why I found 2 processes with CopyMem off? I've found the answer: this is due to DebuggerBlocker (guess where I found the answer... hehe)
The code section actually IS valid (I compared it with a valid dump made with ArmKiller...)
The problem I have is that I cannot make my dumped exe work, even after fixing the EOP. The problem comes when rebuilding the IT: most of the API pointers are valid (they point to actual API addresses), but some are not... and I can't find what's the deal with these invalid pointers... I'm going to try to trace these calls, but it's not easy...
Do you know how Arma works with the IT?
evaluator
August 19th, 2002, 15:07
You must try to debug those unresolved IAT entries.
This is the main unpacker's work!
Or! You can try to CATCH the moment when the IAT is built by Armadillo and look for the original names.

BenJ
August 19th, 2002, 19:22
Well, OK, I understand how redirection works... There are even some "masked" calls that make ImpREC (for example) find the wrong API when tracing.... In fact I could notice and resolve all redirections manually, but I could be wrong just as ImpREC is..
Problem now: how can I find the moment when the "new" .idata section is written or modified? I've been trying by basic tracing... painful! What I'm sure of is that the IT is modified after the target process has been launched...
Is there a way in SI to break on, say, writing in another process' .idata area?
Sorry for my basic questions, this is my first trial on a packed program.
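One way to triage the pointers BenJ describes (slots that point to a real API versus the ones that do not), as an added example that is not from this thread or from any tool mentioned in it: classify each IAT slot of a dumped process against the export tables of the modules loaded in it. This is the same check memory-forensics tools run to spot hooked or redirected imports; the module bases, sizes, export addresses and IAT slots below are constructed sample values, not from any real binary.

```python
# Classify IAT slots of a dumped process against the loaded modules' exports.
# All addresses below are constructed sample values (assumption, not real).

MODULES = {
    # name: (image_base, image_size, {export_name: export_address})
    "kernel32.dll": (0x77E40000, 0x000F0000, {
        "LoadLibraryA": 0x77E4A1B0,
        "GetProcAddress": 0x77E4B2C0,
        "WriteProcessMemory": 0x77E6D5F0,
    }),
    "user32.dll": (0x77D10000, 0x00090000, {
        "MessageBoxA": 0x77D3E2A0,
    }),
}

# Constructed IAT dump: (rva_of_slot, value_found_in_slot)
SAMPLE_IAT = [
    (0x1000, 0x77E4A1B0),  # exact export address -> fine
    (0x1004, 0x77E4A1B5),  # inside kernel32 but mid-function -> suspicious
    (0x1008, 0x00420010),  # points outside every module -> redirected
    (0x100C, 0x77D3E2A0),  # exact export address -> fine
]


def classify_iat(iat, modules=MODULES):
    """Return (rva, value, verdict) for every (rva, value) IAT slot."""
    exports = {addr: (mod, name)
               for mod, (_, _, ex) in modules.items()
               for name, addr in ex.items()}
    result = []
    for rva, value in iat:
        if value in exports:
            mod, name = exports[value]
            result.append((rva, value, f"export {mod}!{name}"))
            continue
        owner = next((m for m, (base, size, _) in modules.items()
                      if base <= value < base + size), None)
        if owner is not None:
            verdict = f"inside {owner} but not an export entry (possible stub)"
        else:
            verdict = "outside every loaded module (redirected pointer)"
        result.append((rva, value, verdict))
    return result


def unresolved(iat, modules=MODULES):
    """Only the slots that need manual tracing before the IT can be rebuilt."""
    return [(rva, value) for rva, value, verdict in classify_iat(iat, modules)
            if not verdict.startswith("export")]


if __name__ == "__main__":
    for rva, value, verdict in classify_iat(SAMPLE_IAT):
        print(f"IAT+{rva:04X}: {value:08X} -> {verdict}")
```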
evaluator
August 19th, 2002, 21:34
Yes, of course, for this the debugger has BreakPoints.
Try for example LoadLibraryA and watch the IAT place...
BenJ
August 20th, 2002, 07:16
Right! Finally caught the moment where all seems to be written (plenty of repz movsd).
OK, I'm now going to search for all the "good" data I need, but I was wondering: who would dare to let his program be manipulated like this???? Not me!
To be followed...