Hi!1.. i really desperate! .. i can't find the fucking OEP !!.. i read this topic in unpacking forum "Armadillo and CopyMem II decryption " .. i put bpx SetProcessWorkingsetSize .. and trace ..i go to CALL EDI , he's show OEP!!! =-D ... i put bpx..08-) ...Woppss!! ..




004DD5CC MOV AH,CB ^ <-- ..what is this shit?กกก .. i find the address and show me this -->>55 PUSH EBP
004DD5CE AAM ^
004DD5D0 AND EAX,AD4A6BB0


Please help me i really not understand .. how i can go to the OEP..

Thank u =-)

hi,

arma seems be in the fashion at this time ;-)

the oep is at 22966 rva

instead wot you mentioned try to look for a common post-oep apis called -

getversion
getstartupinfoa
getcommandlinea
or
getmodulehandle

btw. the latest armkiller is able to find the oep for a while aswell

Hey hey,

read and learn.. do you know what the hell is copy-mem?

Yes !1 is CopyMem II ...=8-P

>Yes !1 is CopyMem II ...=8-P

Nope CopyMem II is !1

Yes is COPY Mem II ...create 2 processes
..Sorry this one --> 1 ..finger error..=8-|