#1
Code Splicing Problem
HI Everybody,
I have a little problem with Armadillo. It's almost a year that i unpack titles protected with Armadillo and no problems. I am now trying to unpack and crack trying to reflect at 99% what the original executable was. So when fixing IAT i try to search the original IAT and overwrite it with the new so that no new sections are added and when setting variables i try to find a code cave in the text section rather than adding a new setcion. This way, if the program does not have nanomites, it is quite simlar to the original one. I am currently unpacking a target that does have some problems with arminline. It correctly finds code splicing memory area, but when fixing splices, it fails with a "Non contiguous code generated. Please fix it by hand". Since there are 1800 splices it is impossible to do this by hand. Does someone know why only on some titles, there are some "special" splices that fail to be resolved by arminline? I used an olly script to unpack the target, it simply changes the VirtualAlloc address to the .adata section in the executable. Nothing important, but this does not allow me to cut out all armadillo sections. Does someone know how to solve this issue? It happened me only twice in hundreds of titles unpacked. Regards TmC |
#2
Since Armadillo 4.48 Code-Splicing CAN be a bit different. Usually it is like this:
JMP to CS section, execute real code, save registers, crap code, unsafe registers, JMP back. But with newer versions it CAN be like this (not always): JMP to CS section, execute a part of real code, save registers, crap code, JMP to a very far away part of the CS section, execute part of real code and so on... maybe it can be more difficult and because of this ArmInline can't fix it. Only solution atm is to attach a section or rebuild the CS with ArmTools (didn't try this tool before...)

greetz