04-16-2006, 01:22
TmC
GetRight Pro 6 beta 6 & Arma|====D

Hi,
I am having a problem unpacking GetRight Pro 6 beta 7.
Well, not a problem, because it unpacks well and it runs, but I'm experiencing some funny behaviours and strange codes that I want to check here to ensure I'm not completely gone puff!

GetRight is protected with Standard+CodeSplicing+IAT Elimination.

I load it in OllyDbg, run the script Armadillo.v.4.0-4.4.Standard.osc and after a while the script shows OEP: 005D9454 (001D94C4 without IB).

At this point, I already notice a strange thing: the OEP looks very funny to be a C++ OEP. It is not 558B etc. for C++ 6 nor 6A etc. for C++ 7.0. PEiD will later say C++ without other info.

I fire up ArmInline 0.92, fill in the values and everything goes perfectly. I dump with LordPE and fix the IAT with ImpREC (perfect IAT).

I try to run the executable and whoa! It runs. OK. Now let's recall it from the tray icon and here is the second funny behaviour: NO ICONS ON MENUS OR TOOLBARS.

After a while of thinking, I open the file with ResHack to ensure that the resources were not messed up by the dumper. I can see all the resources and dialogs without problems and NO "packed by an exe compressor" appears.

I tried to analyse the executable with the Resurrection Team Utility Armadumper, and the OEP is the same as mine.

Last strange behaviour: in all Armadillo unpacked files, I delete the text1, data1, adata, pdata sections because they are related to Armadillo (adata only if not needed for IAT rebasement). If I delete the text section in GetRight the executable crashes, and this does not happen in all the other executables I have unpacked so far.

So I have a complete and running executable (no errors or exceptions are shown) with no icons on toolbar and menus, strange OEP instructions at the beginning and crashes on deletion of Armadillo sections.

Am I wrong?
If not, what or where is the problem? I can't figure it out.

Attach: My unpacked file.
Edit: 17/04 Better Optimised File: Fixed OEP and removed unused sections. Still icons problem.
Attached Files
File Type: rar getright.rar (1.70 MB, 2 views)

Last edited by TmC; 04-17-2006 at 06:47.