
Unpacking Armadillo 2.xx + Aspack 2.xx


r00t
January 14th, 2003, 08:12
Hi all, I need help unpacking an application that uses Armadillo 2.xx in combination with Aspack 2.xx.

The name is Mail Direct Pro 1.7.0.20.

Following Crusader's tutorial I was able to reach the OEP (54c001), but that address lands directly in an ".aspack" section, and if you look at the code:

.aspack:0054C001 public start
.aspack:0054C001 start:
.aspack:0054C001 pusha
.aspack:0054C002 call near ptr loc_54C007+3
.aspack:0054C007

That pusha and jmp XXXX really look like the EP of Aspack.
Theoretically I should be able to dump Armadillo and then use some automatic tool to unpack Aspack (like yoda's AspackDie), but I'm having problems because the app hangs.

I guess the app is completely decrypted by the Armadillo layer.

Greets and thanks in advance.

PS: sorry for the mistakes, English isn't my mother language.

Tame
January 14th, 2003, 09:28
Once you get into the .aspack section, bpx GetProcAddress,
then look for the

popad
mov eax, OEP

Hope this helps,
tame
P.S. This isn't the best explanation, but it's off the top of my head.

DrDemento
January 16th, 2003, 07:00
Today I discovered a strange thing:
the Armadillo protection writes to the EntryPoint (with WriteProcessMemory) the opcodes EB FE, and then 55 8B.

As anyone knows, EB FE is the opcode of "jmp eip"; it looks like Armadillo dumps its own protected app!

Maybe it is a new version of Armadillo. The proggie is from 2003.

Greets.

PS: Hey Crusader, can you take a look at the program? Maybe you can update the Armadillo essay a little.
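The two byte patterns the thread turns on, Tame's `popad / mov eax, OEP` tail and DrDemento's `EB FE` written to the entry point before the real `55 8B` bytes, are easy to recognise mechanically when you are staring at a dumped region and want to know what you have. The script below is an added example, not code from any poster or from the unpacking tools mentioned; the image region, load address, entry point and the `mov eax, imm32` encoding of the ASPack tail are all constructed from the thread's description, and the full three-byte prologue `55 8B EC` is an assumption (the post only quotes `55 8B`).

```python
"""Recognise entry-point byte patterns discussed in the thread.

Added example. The sample region, BASE, EP and the write sequence are
constructed for illustration, not taken from Mail Direct Pro.
"""
import struct
from typing import List, Optional, Tuple

JMP_SELF = b"\xEB\xFE"          # jmp $   (short jump with rel8 = -2)
STD_PROLOGUE = b"\x55\x8B\xEC"  # push ebp ; mov ebp, esp  (assumed full prologue)
PUSHAD = b"\x60"                # pushad, how the ASPack stub at 54C001 begins
POPAD_MOV_EAX = b"\x61\xB8"     # popad ; mov eax, imm32  (Tame's pattern)


def classify_entry(code: bytes) -> str:
    """Name what sits at an entry point: a jmp-to-self spin loop (the
    EB FE DrDemento saw), a normal compiler prologue, a pushad-style
    packer stub, or something unrecognised."""
    if code.startswith(JMP_SELF):
        return "jmp-self spin"
    if code.startswith(STD_PROLOGUE):
        return "standard prologue"
    if code.startswith(PUSHAD):
        return "pushad stub"
    return "unknown"


def find_popad_mov_eax(code: bytes, base: int) -> Optional[Tuple[int, int]]:
    """Scan a region for `popad ; mov eax, imm32` and return
    (virtual address of the popad, imm32 candidate OEP).
    0x61 0xB8 can also occur inside other instructions, so confirm
    any hit in a disassembler before trusting the OEP."""
    i = code.find(POPAD_MOV_EAX)
    if i == -1 or i + 6 > len(code):
        return None
    imm = struct.unpack_from("<I", code, i + 2)[0]
    return base + i, imm


def replay_writes(image: bytearray, base: int, ep: int,
                  writes: List[Tuple[int, bytes]]) -> List[str]:
    """Apply a recorded sequence of (va, bytes) memory writes to an
    in-memory copy of a region and report what the entry point looks
    like after each one. Mirrors the EB FE -> 55 8B sequence from the
    thread: first park the entry point in a spin loop, then restore it."""
    seen = []
    for va, data in writes:
        off = va - base
        image[off:off + len(data)] = data
        ep_off = ep - base
        seen.append(classify_entry(bytes(image[ep_off:ep_off + 3])))
    return seen


# --- constructed sample data (placeholders, not the thread's values) ---
BASE = 0x00400000                 # hypothetical load address
EP = 0x00401000                   # hypothetical entry point
SAMPLE = bytearray(0x1400)        # zero-filled region starting at BASE
# ASPack-like tail at BASE+0x1200: popad ; mov eax, 0x0044ABCD ; ret
SAMPLE[0x1200:0x1207] = b"\x61\xB8\xCD\xAB\x44\x00\xC3"
# The write order DrDemento describes, with the prologue completed to 55 8B EC.
ARMADILLO_LIKE_WRITES = [
    (EP, b"\xEB\xFE"),
    (EP, b"\x55\x8B\xEC"),
]

if __name__ == "__main__":
    hit = find_popad_mov_eax(bytes(SAMPLE), BASE)
    print("popad/mov eax hit:", None if hit is None else
          (hex(hit[0]), "OEP candidate", hex(hit[1])))
    for step, state in enumerate(replay_writes(bytearray(SAMPLE), BASE, EP,
                                               ARMADILLO_LIKE_WRITES), 1):
        print(f"after write {step}: entry point is {state}")
```

Run against a real dump, `find_popad_mov_eax` will throw up false hits in data or in the middle of longer instructions; treat its result as a place to set a breakpoint and verify, not as the answer.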