question about armadillo packed dll & IAT
lordsoth
July 21st, 2004, 01:43
hi, I'm trying to unpack a dll protected by armadillo, don't know exactly what version. When resolving IAT, I found 3/4 pointers to this:
0159AB19 jmp 0159AB1E
0159AB1E jmp 0159AB23
0159AB23 jmp 0159AB19
what should I do with that?? should I truncate it? for example one occurrence is placed between advapi32.dll and comctl32.dll
thanks a lot!
lordsoth
JMI
July 21st, 2004, 02:07
Well, if you've actually been reading the threads and tuts on ARMA, you would be aware that ARMA has routines which find the address of many APIs and construct jumps into the ARMA space to locate the actual API after it destroys the IAT. Perhaps it would do you some good to read some more on how this all works. There have been threads here and/or exetools on the ARMA routines which accomplish this process. It would, of course, be a good idea if you checked exactly what is at each address, so you understand what ARMA is doing with its attempt to hide the "real" API jumps.
Regards,
stephenteh
July 21st, 2004, 09:06
this is not a valid pointer.. u can cut it..
if u look carefully...u will notice all 3 jumps are jumping at the same place...
lordsoth
July 21st, 2004, 16:16
I know, but I need to know if those are useless ones or have been hidden/modified by armadillo!
thanks
stephenteh
July 25th, 2004, 11:55
it's useless, u will see this kind of pointer between 2 different dlls...
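
Added example (not part of the original thread): one way to check, when rebuilding the import table from a dump, whether an IAT entry points into a closed jmp loop like the one in the first post. The stub bytes are constructed on the assumption that each jump is a 5-byte `E9 rel32` jmp, which matches the 5-byte spacing of the addresses; `jmp_target`, `classify_thunk` and the extra outbound stub are hypothetical names and data.

```python
import struct

# Constructed sample: the three stubs from the first post, assumed to be
# 5-byte E9 rel32 jumps (the addresses are 5 bytes apart).
BASE = 0x0159AB19
STUBS = (b"\xE9" + struct.pack("<i", 0)        # 0159AB19 jmp 0159AB1E
         + b"\xE9" + struct.pack("<i", 0)      # 0159AB1E jmp 0159AB23
         + b"\xE9" + struct.pack("<i", -15))   # 0159AB23 jmp 0159AB19
# Constructed contrast case: a stub that jumps out of the dumped region.
REDIRECT_VA = BASE + len(STUBS)
IMAGE = STUBS + b"\xE9" + struct.pack("<i", 0x1000)


def jmp_target(image, base, va):
    """Return the destination of a jmp rel32/rel8 at va, or None."""
    off = va - base
    if not 0 <= off < len(image):
        return None                      # address is outside the dump
    if image[off] == 0xE9 and off + 5 <= len(image):
        rel = struct.unpack_from("<i", image, off + 1)[0]
        return (va + 5 + rel) & 0xFFFFFFFF
    if image[off] == 0xEB and off + 2 <= len(image):
        rel = struct.unpack_from("<b", image, off + 1)[0]
        return (va + 2 + rel) & 0xFFFFFFFF
    return None                          # not an unconditional jmp


def classify_thunk(image, base, pointer, max_hops=64):
    """Follow the jmp chain that starts at an IAT entry's pointer."""
    seen, va = [], pointer
    for _ in range(max_hops):
        if va in seen:
            return ("jmp-loop", seen)    # closed cycle, never reaches an API
        seen.append(va)
        nxt = jmp_target(image, base, va)
        if nxt is None:
            return ("ends", seen)        # chain stops here; inspect this address
        va = nxt
    return ("too-long", seen)


if __name__ == "__main__":
    for ptr in (BASE, REDIRECT_VA):
        kind, path = classify_thunk(IMAGE, BASE, ptr)
        print(f"{ptr:08X}: {kind} via {[f'{a:08X}' for a in path]}")
```

An entry classified `jmp-loop` matches what the replies call an invalid pointer; an entry classified `ends` still needs the final address examined by hand, as JMI's reply advises.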