DilloDumper error?


dlt_
October 8th, 2003, 18:31
I have a target file and when I run DilloDumper, I get this:

Loading victim process...
Error 3200

What does this mean? Can this target file still be dumped? If so, how?

JMI
October 8th, 2003, 19:23
READ the FAQ, linked at the bottom, then do some of your own homework, such as searching this Forum for information on Armadillo and THEN come back, show some of your OWN work and ask a question that shows something other than that you want someone to GIVE you a way to remove the protection from your TARGET.

Regards.

Lunar_Dust
October 9th, 2003, 13:17
JMI: While I agree with you that ppl should search the board and learn on their own, I think this is a valid question....


First off, I put numerous error codes throughout DilloDumper, instead of using error strings, to help keep Chad and his buddies from figuring out what DilloDumper was doing. The error codes are completely random and have no pattern. When I encounter an error, I simply look thru the source code to find it.

Error 3200 means DilloDumper had a problem with its CreateProcess hook for some reason. Chances could be that the file is not protected with CopyMemII or Debug-Blocker (in other words, it's just standard protection). Best way to check is if the program has two instances running in the Task Manager. If so, it IS using Debug-Block at least.

Other than that, I don't know what else would create this failure, except an incorrect IAT table read, etc, etc.

I am hesitant to release error codes for DilloDumper since it reveals DilloDumper's method of gaining access to the protected application.



-Lunar

Hopcode
October 15th, 2003, 05:55
Quote:
[Originally Posted by Lunar_Dust]JMI: While I agree with you that ppl should search the board and learn on their own, I think this is a valid question....


First off, I put numerous error codes throughout DilloDumper, instead of using error strings, to help keep Chad and his buddies from figuring out what DilloDumper was doing. The error codes are completely random and have no pattern. When I encounter an error, I simply look thru the source code to find it.

Error 3200 means DilloDumper had a problem with its CreateProcess hook for some reason. Chances could be that the file is not protected with CopyMemII or Debug-Blocker (in other words, it's just standard protection). Best way to check is if the program has two instances running in the Task Manager. If so, it IS using Debug-Block at least.

Other than that, I don't know what else would create this failure, except an incorrect IAT table read, etc, etc.

I am hesitant to release error codes for DilloDumper since it reveals DilloDumper's method of gaining access to the protected application.
-Lunar


Hi lunar ! ;o)

I suspect they can reverse engineer it as well if they really need to.
I don't see much of a problem with releasing such error codes.

just my 2 cents.

HopCode.

btw, answer my email please :>

thematrix
November 5th, 2003, 05:28
What does error code 4404 in DilloDumper mean, and why is it displayed 5-6 times on every target.exe on Win XP?

nikolatesla20
November 5th, 2003, 20:59
Quote:
[Originally Posted by thematrix]What does error code 4404 in DilloDumper mean, and why is it displayed 5-6 times on every target.exe on Win XP?



Are you sure it's not error 4444?

Error 4444 means that DilloDumper couldn't repair the bad thunks in the IAT table. What it means is you should use ImpREC to look at the IAT, just as usual, and then cut out the bad thunks yourself using ImpREC. The whole IAT will be correct, it will just have bad thunks in between DLLs.

-nt20

thematrix
November 6th, 2003, 04:47
Here is the screenshot with DilloDumper 2.55 (I have only got this version, but I am looking hard to get 2.80 after reading on the forum, but till now no success):
http://www.geocities.com/thematrixzone2002/dillo
and click these images
dillodumper.jpg
imprecdillodumper.jpg(screenshot of imprec)
imprecdillodumper2.jpg(screenshot of imprec)

And with DilloDumper 1.8 it is more promising, but still the dump.exe after using ImpREC was corrupt (errors), even after no errors in ImpREC.

http://www.geocities.com/thematrixzone2002/dillo/dillo18

nikolatesla20
November 6th, 2003, 12:08
Quote:
[Originally Posted by thematrix]Here is the screenshot with DilloDumper 2.55 (I have only got this version, but I am looking hard to get 2.80 after reading on the forum, but till now no success):
http://www.geocities.com/thematrixzone2002/dillo
and click these images
dillodumper.jpg
imprecdillodumper.jpg(screenshot of imprec)
imprecdillodumper2.jpg(screenshot of imprec)

And with DilloDumper 1.8 it is more promising, but still the dump.exe after using ImpREC was corrupt (errors), even after no errors in ImpREC.

http://www.geocities.com/thematrixzone2002/dillo/dillo18



Sure enough, those first screenshots in ImpREC with 2.55 look like what will happen when you get a 4444 error. What you need to do is expand each of those trees until you find some valid imports. Once you find them, you'll see that all the imports are there but every so often there's a bad thunk. All you need to do is trim this bad thunk out by using "Cut thunks". Then ImpREC will see the whole DLL correctly. Normally DilloDumper tries to clean these thunks.

However, I think I see the REAL problem: DilloDumper doesn't know where your IAT table is! See, it says in the output window that the location is zero. So my guess is that this is either a VB program or a Delphi program. VB programs ALWAYS give DilloDumper problems with the IAT.

If it is a VB program, be assured that the IAT is CORRECT AND VALID in memory, you just have to find it! That's why DilloDumper is giving 4444 errors, it's trying to access bad memory locations since it doesn't know the right location of the import table to begin with. You'll have to find it manually. If it's VB you'll have to do some more work. If it's another type of program just open it up in LordPE or PEditor and note where the ".rdata" or ".idata" section is, and start from there in ImpREC...

As mentioned before, sorry for the problems but even using DilloDumper you usually still have to do a few things by hand, it mainly dumps the program, building the IAT can still always be a tricky process hence it lets you have more manual intervention ...

One more thing, I see the program you are trying to unpack - I've tried this one as well and I've never gotten it to work either. Haven't traced down why tho.

-nt20
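
The section lookup described in the last post (noting where ".rdata" or ".idata" sits, as a PE editor would show it) can be read straight from the PE headers. This is an added example, not part of the thread and not code from DilloDumper, ImpREC or LordPE; the function names and the three-section sample header are constructed for illustration, and only 32-bit PE32 images are handled.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes

def build_sample_pe():
    """Constructed PE32 headers only (no section data), for demonstration."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                     # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                    # Magic: PE32
    struct.pack_into("<I", opt, 28, 0x400000)                # ImageBase
    sections = [(b".text", 0x1F00, 0x1000),                  # (name, vsize, rva)
                (b".rdata", 0x0800, 0x3000),
                (b".data", 0x0400, 0x4000)]
    table = b"".join(struct.pack(SECTION_FMT, name, vsize, rva, 0, 0, 0, 0, 0, 0, 0)
                     for name, vsize, rva in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

def import_candidate_sections(image):
    """Return (name, rva, virtual_size, va) for each .rdata/.idata section."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    first_section = opt + opt_size      # section table follows the optional header
    found = []
    for i in range(nsections):
        raw_name, vsize, rva = struct.unpack_from("<8sII", image, first_section + 40 * i)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        if name in (".rdata", ".idata"):
            found.append((name, rva, vsize, image_base + rva))
    return found

if __name__ == "__main__":
    for name, rva, vsize, va in import_candidate_sections(build_sample_pe()):
        print(f"{name}: RVA {rva:#x}, size {vsize:#x}, VA {va:#x}")
```

Section names are only a convention set by the linker, so a packed or rebuilt file may not use ".rdata" or ".idata" at all; an empty result means the names were not found, not that there are no imports.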