View Full Version : question about armadillo packed dll & IAT


lordsoth
July 21st, 2004, 01:43
Hi, I'm trying to unpack a DLL protected by Armadillo, don't know exactly what version. When resolving the IAT, I found 3/4 pointers to this:

0159AB19 jmp 0159AB1E
0159AB1E jmp 0159AB23
0159AB23 jmp 0159AB19

What should I do with that?? Should I truncate it? For example, one occurrence is placed between advapi32.dll and comctl32.dll.

thanks a lot!
lordsoth

JMI
July 21st, 2004, 02:07
Well, if you've actually been reading the threads and tuts on ARMA, you would be aware that ARMA has routines which find the address of many APIs and construct jumps into the ARMA space to locate the actual API after it destroys the IAT. Perhaps it would do you some good to read some more on how this all works. There have been threads here and/or exetools on the ARMA routines which accomplish this process. It would, of course, be a good idea if you checked exactly what is at each address, so you understand what ARMA is doing with its attempt to hide the "real" API jumps.

Regards,

stephenteh
July 21st, 2004, 09:06
This is not a valid pointer.. you can cut it..
If you look carefully... you will notice all 3 jumps are jumping to the same place...

lordsoth
July 21st, 2004, 16:16
I know, but I need to know if those are useless ones or have been hidden/modified by Armadillo!
Thanks

stephenteh
July 25th, 2004, 11:55
It's useless, you will see this kind of pointer between 2 different DLLs...
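
Added example, not part of any post in this thread: a short Python check that parses `ADDR jmp TARGET` lines like the ones quoted in the first post and follows each pointer to see whether the chain closes on itself or leaves through some other address. The second chain (`01600000` onward, ending at `77DD1234`) is constructed for contrast and is not from the thread; the function names are hypothetical.

```python
import re

# First three lines are the ones quoted in the thread; the last two are a
# constructed redirect chain (hypothetical addresses) for comparison.
LISTING = """\
0159AB19 jmp 0159AB1E
0159AB1E jmp 0159AB23
0159AB23 jmp 0159AB19
01600000 jmp 01600010
01600010 jmp 77DD1234
"""

JMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+jmp\s+([0-9A-Fa-f]{8})$")


def parse_jumps(listing):
    """Turn 'ADDR jmp TARGET' lines into a {addr: target} map."""
    jumps = {}
    for line in listing.splitlines():
        m = JMP_RE.match(line.strip())
        if m:
            jumps[int(m.group(1), 16)] = int(m.group(2), 16)
    return jumps


def classify_pointer(ptr, jumps):
    """Follow unconditional jmps starting at an IAT pointer.

    Returns ("loop", path) when the chain revisits an address, so control
    never leaves the chain, or ("exits", path) where path[-1] is the first
    address that is not one of the known jmp instructions.
    """
    path, seen = [ptr], {ptr}
    while path[-1] in jumps:
        nxt = jumps[path[-1]]
        if nxt in seen:
            return "loop", path
        seen.add(nxt)
        path.append(nxt)
    return "exits", path


if __name__ == "__main__":
    table = parse_jumps(LISTING)
    for ptr in (0x0159AB19, 0x01600000):
        kind, path = classify_pointer(ptr, table)
        print(f"{ptr:08X}: {kind} via {' -> '.join(f'{a:08X}' for a in path)}")
```

A pointer classified as `exits` still needs its final address inspected by hand; the check only separates closed jmp loops from chains that go somewhere.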