question about armadillo packed dll & IAT
lordsoth
07-21-2004, 02:43 AM
hi, I'm trying to unpack a dll protected by armadillo, don't know exactly what version. When resolving IAT, I found 3/4 pointers to this
0159AB19 jmp 0159AB1E
0159AB1E jmp 0159AB23
0159AB23 jmp 0159AB19
what should I do with that?? should I truncate it? for example one occurrence is placed between advapi32.dll and comctl32.dll
thanks a lot!
lordsoth
Well, if you've actually been reading the threads and tuts on ARMA, you would be aware that ARMA has routines which find the address of many APIs and construct jumps into the ARMA space to locate the actual API after it destroys the IAT. Perhaps it would do you some good to read some more on how this all works. There have been threads here and/or exetools on the ARMA routines which accomplish this process. It would, of course, be a good idea if you checked exactly what is at each address, so you understand what ARMA is doing with its attempt to hide the "real" API jumps.
Regards,
stephenteh
07-21-2004, 10:06 AM
this is not a valid pointer.. u can cut it..
if u look carefully... u will notice all 3 jumps are jumping at the same place...
lordsoth
07-21-2004, 05:16 PM
I know, but I need to know if those are useless ones or have been hidden/modified by armadillo!
thanks
stephenteh
07-25-2004, 12:55 PM
it's useless, u will see this kind of pointer between 2 different dlls...
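The check discussed in this thread (does an IAT slot's jump chain ever leave the stub area, or does it only circle back on itself?), as an added example that is not part of the original posts. The E9 rel32 encoding, the fourth entry with its target 0x77E10000, and the function names are assumptions made for the illustration; the thread shows only the three disassembled jumps.

```python
import struct

BASE = 0x0159AB19  # address of the first jump quoted in the thread


def jmp32(at, target):
    """Encode 'jmp target' placed at address 'at' as E9 rel32."""
    return b"\xe9" + struct.pack("<i", target - (at + 5))


# Constructed sample memory: the three jumps from the thread, plus one
# constructed entry that jumps out of the region for comparison.
CODE = (
    jmp32(0x0159AB19, 0x0159AB1E)
    + jmp32(0x0159AB1E, 0x0159AB23)
    + jmp32(0x0159AB23, 0x0159AB19)
    + jmp32(0x0159AB28, 0x77E10000)  # constructed target, not from the thread
)


def decode_jmp(mem, base, addr):
    """Return the target of a direct jmp (EB rel8 / E9 rel32) at addr, else None."""
    off = addr - base
    if not 0 <= off < len(mem):
        return None  # address lies outside the dumped region
    if mem[off] == 0xEB and off + 2 <= len(mem):
        return (addr + 2 + struct.unpack_from("<b", mem, off + 1)[0]) & 0xFFFFFFFF
    if mem[off] == 0xE9 and off + 5 <= len(mem):
        return (addr + 5 + struct.unpack_from("<i", mem, off + 1)[0]) & 0xFFFFFFFF
    return None  # not a direct jmp


def classify(mem, base, ptr):
    """Follow direct jmps from ptr.

    Returns ("loop", None) if the chain revisits an address, or
    ("exit", addr) with the first address that is not a decodable jmp.
    """
    seen = set()
    addr = ptr
    while addr not in seen:
        seen.add(addr)
        target = decode_jmp(mem, base, addr)
        if target is None:
            return ("exit", addr)
        addr = target
    return ("loop", None)
```

An "exit" result only says where the chain stops; that address still has to be checked against the loaded modules' exports before treating the slot as a real import.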