About Armadillo unpacking..

Hello

Have that same problem. Trying to unpack dilled target writen in VB. Everything was Ok- succesfully detached from parent, fixed IAT and dumped. When trying to run dumped.exe, program simply crashes. When reviewed dumped.exe in debugger, found problems with calls to IAT. In IAT, without calls to dll's, was addresses in programs address space, whose did checking 5 bytes in standard dll function for 0cch and simply redirecting. But what i must do with calls tu 3 closed circle jumps? I have deleted. Was i wrong?
One more question- where are calls to msvbm5.dll? Or i find wrong OEP?

Thanx
and sorry for bad english knowledge

I have the same thing and with the tut of MEPHiST0 to detect armadillo's version, my program was protected by armadillo 3.75b.

So there is WriteMemory with 2 bytes protection and after You can rebuild IAT finding magic jmp but after it seems to have anti dump with jmp in armadillo code which is not in dump(code splicing) and perhaps nanomites.

Someone did he already have this protection?

hashshah > How did you rebuild IAT?

I'm new in this forums and can't get attachments, so don't know how to find exact version. What i now about my program:
1. was writen with VB;
2. calls WriteProcessMemory 2 times with 2 bytes;
3. can't run detached process without renaming olly;
4. rewrites calls to some functions with antidebugging code;
5. has strange anti disassembling code jumping into commands middle.

What i did:
detached with ActiveProcessStop;
breaked in .text section at push ebp... and dumped;
used ImpRec to change unknown functions with +64h to original dll's
deleted calls to {a: jump b; b: jump c; c: jump a} and others whose, i think, does dillo work to unpacking(?) or was to hard to understand for me becouse they must not be called if program is working without shell?

I'm newby;
don't beat me hard- i can't connect to ricnar (DNS reports IP 0.0.0.0)
and the Internet gives nothing usefull, Olly scripts crashes, Armadumpers/killers is writen for earlier versions.
So trying forums

hobgoblin: any news on that newsleecher program? I just downloaded the 1.0final version... and I have no idea where to start

[ricnar456]

use your mind is very easy repair all programs mentioned in this thread.

Imagination please.

Ricardo Narvaja

newsleecher uses nanomites.... so it will be not so easy to unpack .

[hobgoblin]

Hi guys,
I have unpacked and dumped the final version, and that's not difficult. the hard part is the nanomites. I tried using Ricnar's approach (searching for 800003 and so on..), but it seems that somethings changed in this version. Unfortunately I haven't had the time to dig deeper into it yet. But if anyone have a working approach on how to solve this, please post a few words.

regards,
hobgoblin