IT Elimination

[Kyrios]

Hi, i can't unpack armadilled when IT Elimination is used. It's new feature since v3.60 beta1.
Like, Strategic Code Splicing (i can deal with it), i've added a new section from dumped region.
This target only using standard protection + IT Elimination.
i've changed the long JNE to long Jmp in IT rebuilding,
but there's still problem in Indirect Jump.

The Indirect Call is OK (of my dumped file).

Code:

004E8140   PUSH EBX
004E8141   PUSH ESI
004E8142   PUSH EDI
004E8143   MOV DWORD PTR SS:[EBP-18],ESP
004E8146   CALL DWORD PTR DS:[D885B4] ; kernel32.GetVersion
004E814C   XOR EDX,EDX

As you can see, the indirect CALL is OK.
But there's problem in Indirect Jump (my dumped file)

Code:

00548F50  JMP DWORD PTR DS:[D88904]
00548F56  JMP DWORD PTR DS:[D888FC]
00548F5C  JMP DWORD PTR DS:[D888F8]

And the value of [D888F8] is 77C0167D, but there's no such memory of that address (77C0167D).
And i could not go there.


But in protected file, the code is like this:

Code:

00548F50  JMP DWORD PTR DS:[D88904]  ; VERSION.VerQueryValueA
00548F56  JMP DWORD PTR DS:[D888FC]  ; VERSION.GetFileVersionInfoA
00548F5C  JMP DWORD PTR DS:[D888F8]  ; VERSION.GetFileVersionInfoSizeA

And the value of [D888F8] is 77C0167D (wich is same with mine). But i can go there.

==================================================================================

Weird, There's no module VERSION.dll in my dumped file. Anyone know how to deal with this new feature?
Sorry for poor english


Hypersnap-DX 5.50.01
Kyrios