Armadillo in Polyphonic Wizard v3.5

[codeX]

Hi,

I'm working on Polyphonic Wizard v3.5, from

h**p://www.polyphonicwizard.com

PEiD says it's packed with Armadillo 3.78.I've found the OEP and dumped it.In Imprec it shows a number of invalid trunks and i managed to fix a few of them.Then i cut the remaining trunks and fixed the dump.To my surprise this VB app runs.

Now the problem is when i choose exit or click on Close button it crashes

saying

Quote:

The instruction at "0x00fada7a" referenced memory at "0x00fada7a". The memory could not be "read".

What can be the problem? Thanks in advance for help.

as far as i know arma protected vb program only have 1 invalid api... that's __vbaEnd
so probably u never fix that api...

While we have an active topic within reason, I'll pop my question in here.

I too have been trying to unpack an application that shows Armadillo 3.78 as the packer. I have found what I believe is the Entry point and used ollydump to dump the file. I'm stuck trying to use Imprec to rebuild the IAT, and seem to be getting no where fast. I've tried my best to use imprec with this packer, though I don't think I fully understand what to do. I can't run the dumped exe because of this, so I just opened it in olly to use imprec on the dumped file. Is this the correct way about going at this? Perhaps someone can help me with this subject.

Thank you.

Hi,

maybe this thread:
_http://forum.exetools.com/showthread.php?t=6664 -> Armadillo 4.xx standard unpacking by DappA
will help you .. covers IAT stuff ... i hope it works for you ...

_veDc

EDIT: Just deleted the not working URL Tag .. sorry ..

Why version 3.5 while 4 is already out? For educational purposes?

Quote:

Originally Posted by _veDc

Hi,

maybe this thread:
_http://forum.exetools.com/showthread.php?t=6664 -> Armadillo 4.xx standard unpacking by DappA
will help you .. covers IAT stuff ... i hope it works for you ...

_veDc

EDIT: Just deleted the not working URL Tag .. sorry ..

Though the IAT rebuild is completely different it seems, I'm not finding anything that is stated. I'll post an attachment for all to look at, maybe someone will enlighten me.

EDIT: Added required dll to the attachment.

hxxp://ollydbg.win32asmcommunity.net/index.php?action=vthread&forum=6&topic=1105

Finding the OEP isn't what I'm looking for. I can't figure out how to rebuild the IAT with the tutorial posted. The OEP for my attached file is 00029B73

Quote:

Originally Posted by AdamD

Finding the OEP isn't what I'm looking for. I can't figure out how to rebuild the IAT with the tutorial posted. The OEP for my attached file is 00029B73

Sorry AdamD i was Referring to the original post from codeX
btw yor attachment doesn't work

I fixed the attachment by adding a required dll to the zip file. This is a client that is initialized by web browser, so when ran just executed by itself, it has no gui without javascript running their gui dlls. Any help is appreciated, this has been a big challenge for me.

AdamD Verified your OEP ;-) , program is protected with code splicing this is the main problem for the rebuild of the IAT. Probable you already know this information.
If i've time i'll look at the IAT problem

[codeX]

Thankx friends....

stephenteh , i'm gonna to test that api __vbaEnd.

But I got a lot of invalid trunks and all of which can be disassebled in Imprec.

codeX i have done version 4.02. But i can't test it. Can you test it for me ? See your PM for link ..

This armadillo used in this app, is very basic, need to fix IAT (Its VB, so Only __vbaEnd) + CODE SPLICE, then just the silly "Armaccess.dll" Bug.

If its needed i can write a little tut for this app as i have some free time this weekend.

Cya.

[codeX]

Hi Vepergen,

I'm using XP with visual studio installed . But it give's the error i've PMed you.

@Peter[Pan]

Yes it's very basic protection. I've to fix

Quote:

00407E28 -FF25 50104000 JMP DWORD PTR DS:[401050]

to give the __vbaEnd. Cab i fix it from olly?