Ok thank you. I will search on nanomite.
Can I ask you another question since you dumped it also? Dumping is no problem, but the IAT is a biatch.
After detaching the father, I attach the son, fix the debug byte and set a HW BP at 00432000.
A few Shift-F9s, hit the HW break, Ctrl-F9, F7, and land here:
Code:
00A7EA7B 83C4 0C ADD ESP,0C
00A7EA7E 8D85 58EAFFFF LEA EAX,DWORD PTR SS:[EBP-15A8]
00A7EA84 50 PUSH EAX
00A7EA85 FFB5 58EAFFFF PUSH DWORD PTR SS:[EBP-15A8]
00A7EA8B FFB5 60EAFFFF PUSH DWORD PTR SS:[EBP-15A0]
00A7EA91 8B85 34EBFFFF MOV EAX,DWORD PTR SS:[EBP-14CC]
00A7EA97 0385 5CEAFFFF ADD EAX,DWORD PTR SS:[EBP-15A4]
00A7EA9D 50 PUSH EAX
00A7EA9E FF15 3461A800 CALL DWORD PTR DS:[A86134] ; kernel32.VirtualProtect
This looks good according to the Unpacking Gods - Armadillo v3 + Debug Blocker tutorial. But this is as far as it goes. There are NO 4/5 NOPs in this version and JE seems to have no effect. I ended up manually doing a lot of tracing, and right before dillo writes the bad addy to the IAT, one of the registers has the name of a good function.
Can you teach me something new please? Or is it not possible in this case? I know I got a good IAT because you got the same thing, but I would love to learn the better way, which is to kill dillo so it leaves our good IAT alone.
Thanks again for taking on this project as well.
Quote:
Originally Posted by OrionOnion
I dumped that and got the same result.
OEP & IAT correct.
Also got an INT3 stop.
I think it uses the nanomite feature.
Search about nanomites on Woodmann;
you may get info about nanomites there.