
ARMADILLO 3.78 HELP NEEDED


fighter_81
February 21st, 2005, 05:13
OK, I've done some work but the problem is still the same. I just can't unpack the son of a bitch.
This is what I've done. I used 2 different debuggers:
Olly and SICE.
With SICE I am able to find the OEP by setting a breakpoint on SETPROCESSWORKINGSETSIZE.
The program tries to detect it via INT 1. After bypassing this trick I found the original entry point of the program. Now the problem is that I just can't rebuild the IAT. In fact the prg steals it by calling a memory space outside the code.
So I think:
If I can redirect this space into the code space I can then use the good IMPREC 1.6 (thanks to MACKT) to rebuild the whole IAT.
So I redirect it to an unused space of the code, but the problem is that this son of a bitch clears my BPMD on the redirected IAT address.
So I take Olly to put a hardware breakpoint on it, but the problem is that with Olly I just can't reach the OEP, so I cannot put a hardware breakpoint on write of a dword on the redirected IAT memory space like all the Armadillo tutorials do. Another thing is that if I put a breakpoint on WriteProcessMemory to change the bytes and make an infinite loop of the father, and after that a breakpoint at WaitForDebugEvent, and then PUSH the PID of the son and call DebugActiveProcessStop to attach
the son, when I open the second instance of fighter.exe (Olly renamed), I attach to the correct PID that I pushed before, it calls ExitThread and it exits without attaching. Any suggestion is welcome, and if someone could help me I'll be grateful to him/her.
Regards
FIGHTER_81

Spec0p
February 22nd, 2005, 06:00
Hello,
big confusion around there. If you want me to take a look, private msg me the app name/address...

Spec0p
February 22nd, 2005, 16:48
fighter_81, for what I could see it looks like standard IAT Elim, so you must be doing something wrong. I say that because the OEP you gave me is incorrect; the correct one is 0x45AB71. I am using Olly, please check the existing tuts and eventually you'll get it. I wish I could help you more, but you'll have to be a little more specific on your doubts :\ I am attaching fixed imports so you can compare something? :s


Regards
Spec0p

P.S. It's also protected with nanos :x

dELTA
February 22nd, 2005, 16:53
Quote:
I am attaching fixed imports so you can compare something?
No you don't, and especially not when it contains the target name. You will have to handle such things privately outside this board.

fighter_81
February 22nd, 2005, 17:15
Thank you very much for your help.
I will retry and I'll let you know.

Spec0p
February 23rd, 2005, 04:14
Sorry about that dELTA, I thought that there was no prob in posting the imports since it's only API names; any app can use them, even Windows. What I didn't realize though is that there was the app name inside, that's maybe because I don't save the tree often. I'll be careful next time.. :\

JMI
February 23rd, 2005, 04:24
We don't allow "fixed" imports, because they would permit someone to paste them into their attempted crack and we might then be accused of hosting cracks and have to move our server AGAIN. I hope this is clear. You may, however, send whatever you want to another member by PM; you just can't post things which cause the Board trouble.

Regards,

Spec0p
February 23rd, 2005, 07:17
Clear enough for me, don't get me wrong, I never had the intention to prejudice the board in any way... it's just that I had the impression I had seen iat.txt some 3/4 times around here somewhere without being warned; that was the only reason I posted it. If I had the minimum clue, I wouldn't have posted it, believe me
e.g. http://www.woodmann.com/forum/showthread.php?t=2811
http://www.woodmann.com/forum/showthread.php?t=2667
http://www.woodmann.com/forum/showthread.php?t=2839
Anyway I won't do it again

Regards,
Spec0p

dELTA
February 23rd, 2005, 08:35
Yeah, some remnants can be found from the old times when the rules of this board weren't as strict as now. We understand your mistake anyway, no problem.

JMI
February 23rd, 2005, 10:28
And it was BECAUSE of some of the Threads you found, and the problems they caused, that we changed the rules.

Regards,

fighter_81
February 23rd, 2005, 11:03
I'm grateful to all that have replied to me, and I have been able to unpack this bastard with SICE. Now I only have to fix nanomites
Thanks
Regards
FIGHTER_81
p.s.
My OEP is 0045a9f7
p.p.s
Thanks