Billy[23]
November 28th, 2003, 03:48
Hi again 
Iam working at removing Armadillo 3 at a Program!
Program is written in Visual Basic, i have it dumped and Rebuiled (IAT) that is, and now i work at the Nanomites, iam guessing the Armadillo version is Recent due to i having the new Crypted Table and the the crappy pushad / popad stuff.
Iam able to find All 4 Tables but iam stuck with what to do with them , i read Ricardo's tut about eStOP and followed same patch but i didnt get nothing, from Reading Code Raptors Tutorial about Lydia Email Agent, i got the following Patch
Program Always Loops to:
So it never checks really anything.
Maybe a messed up Table ?
Any idea to kick me in the right direction would be great.
-Billy
Iam working at removing Armadillo 3 at a Program!
Program is written in Visual Basic, i have it dumped and Rebuiled (IAT) that is, and now i work at the Nanomites, iam guessing the Armadillo version is Recent due to i having the new Crypted Table and the the crappy pushad / popad stuff.
Iam able to find All 4 Tables but iam stuck with what to do with them
, i read Ricardo's tut about eStOP and followed same patch but i didnt get nothing, from Reading Code Raptors Tutorial about Lydia Email Agent, i got the following PatchCode:
006CD000 60 PUSHAD
006CD001 33F6 XOR ESI,ESI
006CD003 33C9 XOR ECX,ECX
006CD005 8B048D 00E06C00 MOV EAX,DWORD PTR DS:[ECX*4+6CE000]
006CD00C 0FB691 44126D00 MOVZX EDX,BYTE PTR DS:[ECX+6D1244]
006CD013 8B1C8D D81E6D00 MOV EBX,DWORD PTR DS:[ECX*4+6D1ED8]
006CD01A 0FB6B9 1C516D00 MOVZX EDI,BYTE PTR DS:[ECX+6D511C]
006CD021 48 DEC EAX
006CD022 41 INC ECX
006CD023 83FA 05 CMP EDX,5
006CD026 75 0B JNZ SHORT Dumped.006CD033
006CD028 83FF 04 CMP EDI,4
006CD02B 75 06 JNZ SHORT Dumped.006CD033
006CD02D 83FB 04 CMP EBX,4
006CD030 75 01 JNZ SHORT Dumped.006CD033
006CD032 46 INC ESI
006CD033 83FE 01 CMP ESI,1
006CD036 72 2A JB SHORT Dumped.006CD062
006CD038 81FB FF000000 CMP EBX,0FF
006CD03E 7F 30 JG SHORT Dumped.006CD070
006CD040 81FB 01FFFFFF CMP EBX,-0FF
006CD046 7C 28 JL SHORT Dumped.006CD070
006CD048 83FF 04 CMP EDI,4
006CD04B 7D 23 JGE SHORT Dumped.006CD070
006CD04D 66:4B DEC BX
006CD04F 0FB692 DAD06C00 MOVZX EDX,BYTE PTR DS:[EDX+6CD0DA]
006CD056 8810 MOV BYTE PTR DS:[EAX],DL
006CD058 8858 01 MOV BYTE PTR DS:[EAX+1],BL
006CD05B 83FE 02 CMP ESI,2
006CD05E 75 02 JNZ SHORT Dumped.006CD062
006CD060 33F6 XOR ESI,ESI
006CD062 3D 5C945C00 CMP EAX,Dumped.005C945C
006CD067 ^75 9C JNZ SHORT Dumped.006CD005
006CD069 CC INT3
006CD06A 61 POPAD
006CD06B -E9 B88FD3FF JMP Dumped.<ModuleEntryPoint>
006CD070 03D8 ADD EBX,EAX
006CD072 43 INC EBX
006CD073 81FB 00104000 CMP EBX,401000
006CD079 ^7C E7 JL SHORT Dumped.006CD062
006CD07B 81FB FFFF4304 CMP EBX,443FFFF
006CD081 ^7F DF JG SHORT Dumped.006CD062
006CD083 2BD8 SUB EBX,EAX
006CD085 83FF 04 CMP EDI,4
006CD088 75 18 JNZ SHORT Dumped.006CD0A2
006CD08A 3E:0FB61455 00D1>MOVZX EDX,BYTE PTR DS:[EDX*2+6CD100]
006CD093 80FA 0F CMP DL,0F
006CD096 ^74 CA JE SHORT Dumped.006CD062
006CD098 83EB 05 SUB EBX,5
006CD09B 8810 MOV BYTE PTR DS:[EAX],DL
006CD09D 8958 01 MOV DWORD PTR DS:[EAX+1],EBX
006CD0A0 ^EB B9 JMP SHORT Dumped.006CD05B
006CD0A2 3E:0FB71455 00D1>MOVZX EDX,WORD PTR DS:[EDX*2+6CD100]
006CD0AB 80FA 0F CMP DL,0F
006CD0AE ^75 B2 JNZ SHORT Dumped.006CD062
006CD0B0 83EB 06 SUB EBX,6
006CD0B3 66:8910 MOV WORD PTR DS:[EAX],DX
006CD0B6 8958 02 MOV DWORD PTR DS:[EAX+2],EBX
006CD0B9 ^EB A7 JMP SHORT Dumped.006CD062
Program Always Loops to:
Code:
006CD062 3D 5C945C00 CMP EAX,Dumped.005C945C
006CD067 ^75 9C JNZ SHORT Dumped.006CD005
So it never checks really anything.
Maybe a messed up Table ?
Any idea to kick me in the right direction would be great.
-Billy
