|
|
#1
09-26-2004, 21:45
|
|||
|
|||
|
Armadillo Import Elimination
Im trying to unpack an arma protected program (one process). It uses import elimination... so first i used a script (so that it does not detect the change) to patch the iat so that there are no invalid pointers left, but after the patch the first iat call goes to RegQuerryValueEx... so the functions are not in the correct place. How can i solve this? (I have only patched this jump and then i let the protected program run with the patched iat...)
Target: Code:
http://activeurls.com/en/download.htm 
|
|
#2
09-26-2004, 23:47
|
|||
|
|||
|
....
if its only one api call, wrong placed you can fix it simple,
look your last iat area find the "ReqQuerryValueEx" where placed (on rva) then patch islike this (opcode) FF25xxxxxxxx (the xx is rva + imagebase then inverted e.g FF25B3A14000)
|
|
#3
09-27-2004, 02:02
|
|||
|
|||
|
no... its not only one function...
|
 |
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| More Armadillo - import reconstruction | FEARHQ | General Discussion | 8 | 09-19-2005 16:46 |
Linear Mode
