#31
The "IAT" magic jump is after a Virtual Protect call. You'll know you are in the right spot if you BPX on VirtualProtect, and then take a look at the instruction that the code returns to after the call to VirtualProtect. If it's a PUSH 1, then you are right on top the IAT redirection code and the magic jump is down below a little ways.
You can't put a BPX or any breakpoint anywhere near the magic jump since it's decrypted at runtime. BPX'ing on the API call is the only way to get there. Also, once you've patched the magic jump, put another BPX after the IAT redirection code, and when you hit that BPX, then repair your Import Table (since it will now be complete in memory). And then change the magic jump back to original instruction. It's optional, but if you don't change the instruction back then Arma goes to re-encrypt the IAT redirection code and it will crash since the code is different. -Lunar |
#32
Quote:
Being new to the art of unpacking I thought that once the file is unpacked no patching would be needed. One of the other VIP forum members kindly unpacked the file for me. It has all the relocs intact and it loads, but running the file reports an invalid or corrupt serial number so it needs to be patched. I found that the DLL is trying to load the armaccess.dll and then make a call to check the serial; I patched this and it runs. Upon running the patched DLL for the first time it displays the registration info; activating again runs the DLL as expected. Can anyone tell me if this is how unpacked Arma DLLs normally behave? How do you guys tackle the armaccess.dll reference? Just patch it out as I have?
I've read that loading the unpacked file at different base addresses into Relox is what is needed to recover the table. I've also read that they don't need to be rebuilt as they are in their original state in the dump. Can you clarify this please? I'm quite enjoying the whole learning experience of it all. Thanks, 5Alive.
#33
Hey,
I've never had to rebuild a relocation table in Armadillo programs or DLLs. -Lunar