
View Full Version : Arma protected DLL questions


5aLIVE
August 26th, 2005, 09:27
Hello again, I am trying to unpack a DLL packed with Arma 3.75b.

I have tried using these two scripts to help:
MEPHiST0s - ARMADiLLO DETECTiVE v1.00 for olly script
Armadillo Standard+Strategic Code Splicing Script by AvAtAr

Neither of which appears to find the OEP. The app is also trial based, and needs a user name and serial to remove the time limit.

Can such an app only be unpacked properly with a valid serial?

I also tried to find the OEP manually, setting a BP at CALL EDI, Olly reports that the BP is outside the code section although it appears not to be the case.

I chose to ignore the warning and set the BP there anyway.

This BP is never reached when running the code. Is this a consequence of it having trial based protection too or have I overlooked something maybe?

I hope somebody can help me with this.

5aLIVE.

5aLIVE
August 26th, 2005, 09:47
Okay, quick update: using AvAtAr's script and not fixing the code splicing, the script arrives at the OEP.

Let's see how I get on with fixing the IAT after dumping.
This is my first attempt at manually unpacking anything, so there are bound to be a few hurdles along the way.

5aLIVE

5aLIVE
September 27th, 2005, 06:21
Okay time to resurrect this thread back from the dead. I decided to put this little project on hold until I read some more tutorials on the subject (which I have).

I found a new tutorial by MaDMAn_H3rCuL3s which shows how to unpack an Arm 4.x protected DLL. It mentions a quick and easy method of finding the OEP, simply by setting a break on access (F2) of the .text section of the DLL.

With the DLL at the EP, and pressing Shift-F9, a message box shows "Error while unpacking program, code 5-15. Please report to author". This happens when no breakpoints are set too.

I never had this message appear when I was working on this before.
Here's a list of my setup:
XP home SP2,
Ricardo's patched Ollydbg 1.10 (Parcheado 4.EXE)
HideDebugger 1.2.3f with all the options enabled.
I also have all exceptions set to pass to the program
I've added the following custom exceptions:
000006BA, 0EEDFADE
C0000005(ACCESS VIOLATION), C000001D(ILLEGAL INSTRUCTION)
C000001E(INVALID LOCK SEQUENCE), C0000096(PRIVILEGED INSTRUCTION)
C000001D (Invalid lock sequence).

Pressing Shift-F9 gave a stack overflow (C00000FD). I added this to the custom exception list and restarted the driver. I still get the error message.
Can anyone help please?

Hank
October 2nd, 2005, 16:07
I too am working on a DLL like this. Do you have MSN or any messenger?

SKiLLa
October 15th, 2005, 21:02
"Error while unpacking program, code 5-15. Please report to author".

Seems like Arma still detects the debugger. I'm currently analysing some Arma-protected app too (or to be more precise: Arma itself) and I recall a lot of these error messages referenced in the code. I'm not sure what causes the 5-15 error exactly since I don't have the program here right now, but it might be due to the 'GetTickCount' protection, meaning that Arma measures the elapsed time between some routines and in case it took too long (stepping/breaking) it quits with a similar error. Try BPing the GetTickCount API ...

Besides, try renaming ollydbg.exe and make sure you don't have SoftIce or anything like that running. And I also have the 0EEDFACE and 0xBEEFC0DE custom exceptions passed through and I don't get caught (yet).
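
The elapsed-time check mentioned in the post above, seen from the protection side, as an added example that is not part of the original thread and is not Armadillo's code. The names `timing_guard`, `guard_begin`, `guard_tripped`, the 500 ms budget and the injected clock (standing in for `GetTickCount`) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Millisecond tick source; on Windows this would wrap GetTickCount(). */
typedef uint32_t (*tick_fn)(void);

typedef struct {
    tick_fn  now;        /* injected clock (assumption: keeps the demo portable) */
    uint32_t start;      /* tick value when the guarded region began */
    uint32_t budget_ms;  /* longest run time treated as normal (assumed value) */
} timing_guard;

static void guard_begin(timing_guard *g, tick_fn now, uint32_t budget_ms) {
    g->now = now;
    g->budget_ms = budget_ms;
    g->start = now();
}

/* Returns 1 when the region ran longer than the budget, e.g. because it was
 * single-stepped or halted at a breakpoint. Unsigned subtraction stays
 * correct when the 32-bit counter wraps (about every 49.7 days of uptime);
 * a naive "now < start" comparison would misfire at that point. */
static int guard_tripped(const timing_guard *g) {
    uint32_t elapsed = g->now() - g->start;
    return elapsed > g->budget_ms;
}

/* Constructed clock so the behaviour can be shown without a debugger. */
static uint32_t fake_ticks;
static uint32_t fake_clock(void) { return fake_ticks; }

/* Simulate a guarded region that starts at start_tick and takes took_ms. */
static int simulate(uint32_t start_tick, uint32_t took_ms, uint32_t budget_ms) {
    timing_guard g;
    fake_ticks = start_tick;
    guard_begin(&g, fake_clock, budget_ms);
    fake_ticks = start_tick + took_ms;   /* wraps modulo 2^32 */
    return guard_tripped(&g);
}

int main(void) {
    printf("normal run:          %d\n", simulate(1000u, 20u, 500u));
    printf("paused 30 s:         %d\n", simulate(1000u, 30000u, 500u));
    printf("normal across wrap:  %d\n", simulate(0xFFFFFF00u, 300u, 500u));
    printf("paused across wrap:  %d\n", simulate(0xFFFFFF00u, 30000u, 500u));
    return 0;
}
```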

5aLIVE
October 18th, 2005, 12:49
Thanks for taking the trouble to reply SKiLLa. In the end I found a later version of the DLL (with a later version of Arma) and it loaded without error.

I can't explain why, and can only guess the original became damaged in some way. I can't say I'm convinced by my own hypothesis though!

Thanks for all the hints and tips nonetheless.

5aLIVE.

SKiLLa
October 20th, 2005, 13:58
You're welcome! Besides, you do have your Olly patched against the OutputDebugString exploit, right? And I'm pretty sure Arma wasn't damaged but it was detecting your efforts.

Good luck with the DLL, and please post your results, might get you a pat on the back and even teach someone else some tricks ...