Exetools  

  #31  
10-06-2005, 10:14
Lunar_Dust

The "IAT" magic jump is after a VirtualProtect call. You'll know you are in the right spot if you BPX on VirtualProtect, and then take a look at the instruction that the code returns to after the call to VirtualProtect. If it's a PUSH 1, then you are right on top of the IAT redirection code and the magic jump is down below a little ways.

You can't put a BPX or any breakpoint anywhere near the magic jump since it's decrypted at runtime. BPX'ing on the API call is the only way to get there. Also, once you've patched the magic jump, put another BPX after the IAT redirection code, and when you hit that BPX, then repair your Import Table (since it will now be complete in memory). And then change the magic jump back to original instruction. It's optional, but if you don't change the instruction back then Arma goes to re-encrypt the IAT redirection code and it will crash since the code is different.

-Lunar
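The step in the post above that is easiest to get wrong is "repair your Import Table (since it will now be complete in memory)": after the magic jump is patched and the second breakpoint is hit, every IAT slot should hold the real address of an export in a system DLL, and any slot that still points back into the protected image (or is zero) means the redirection code ran anyway. The script below is an added example written for this thread, not code from the post, from Armadillo, or from ImpRec. It walks the import directory of a dump written "as image" (section raw offsets equal to RVAs, the way OllyDump/LordPE dump a loaded module) and classifies each IAT slot. The module base/size table and the sample dump it builds are constructed test values, not a real process map.

```python
"""Offline IAT completeness check for a PE32 dump (added example, not from the thread).

Assumptions (all constructed for the example): the dump is PE32, sections are mapped so
raw offset == RVA, and MODULES lists the load ranges of the DLLs the target imports from.
"""
import struct

DIR_IMPORT = 1  # index of the import directory in the optional header's DataDirectory

# Constructed module map; in practice read it from the debugger's module list (Alt+E in OllyDbg).
MODULES = [("kernel32.dll", 0x7C800000, 0xF6000), ("user32.dll", 0x7E410000, 0x91000)]


def parse_pe32(data):
    """Return (image_base, size_of_image, import_dir_rva, sections) from a PE32 image."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec, = struct.unpack_from("<H", data, coff + 2)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, coff + 16)   # SizeOfOptionalHeader
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base, = struct.unpack_from("<I", data, opt + 28)
    size_of_image, = struct.unpack_from("<I", data, opt + 56)
    imp_rva, = struct.unpack_from("<I", data, opt + 96 + 8 * DIR_IMPORT)
    sections = []
    for i in range(nsec):
        s = opt + opt_size + 40 * i
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, s + 8)
        sections.append((va, vsize, raw, rawsize))
    return image_base, size_of_image, imp_rva, sections


def rva_to_off(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError("RVA %#x is not backed by any section" % rva)


def check_iat(data, modules):
    """Classify every IAT slot: 'ok:<dll>', 'redirected' (points into the image), or 'unknown'."""
    image_base, size_of_image, imp_rva, sections = parse_pe32(data)
    report = []
    desc = rva_to_off(sections, imp_rva)
    while True:
        _oft, _ts, _fwd, name_rva, first_thunk = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0 and first_thunk == 0:      # null descriptor terminates the table
            break
        noff = rva_to_off(sections, name_rva)
        dll = data[noff:data.index(b"\0", noff)].decode("ascii")
        slot, rva = rva_to_off(sections, first_thunk), first_thunk
        while True:
            value, = struct.unpack_from("<I", data, slot)
            if value == 0:                          # end of this DLL's thunk array
                break
            if image_base <= value < image_base + size_of_image:
                status = "redirected"               # protector thunk inside the image, not a real export
            else:
                owner = next((m for m, b, s in modules if b <= value < b + s), None)
                status = "ok:" + owner if owner else "unknown"
            report.append((dll, rva, value, status))
            slot, rva = slot + 4, rva + 4
        desc += 20
    return report


def iat_is_complete(report):
    """True only when every slot resolves into a known module."""
    return all(st.startswith("ok:") for _, _, _, st in report)


def build_sample_dump(redirect_second=True):
    """Constructed PE32 dump: headers below 0x1000, one section mapped so raw == RVA."""
    img = bytearray(0x2000)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    pe = 0x80
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, pe + 4, 0x14C, 1)            # i386, one section
    struct.pack_into("<H", img, pe + 20, 224)                 # SizeOfOptionalHeader for PE32
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<I", img, opt + 28, 0x400000)           # ImageBase
    struct.pack_into("<I", img, opt + 56, 0x3000)             # SizeOfImage
    struct.pack_into("<II", img, opt + 96 + 8 * DIR_IMPORT, 0x1000, 60)
    sec = opt + 224
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x1000, 0x1000, 0x1000, 0x1000)
    struct.pack_into("<IIIII", img, 0x1000, 0, 0, 0, 0x1100, 0x1200)   # KERNEL32 descriptor
    struct.pack_into("<IIIII", img, 0x1014, 0, 0, 0, 0x1110, 0x1220)   # USER32 descriptor
    img[0x1100:0x110D] = b"KERNEL32.dll\0"
    img[0x1110:0x111B] = b"USER32.dll\0"
    second = 0x00401234 if redirect_second else 0x7C80AE40    # 0x401234 lies inside the image
    struct.pack_into("<4I", img, 0x1200, 0x7C801D7B, second, 0x7C809B20, 0)
    struct.pack_into("<3I", img, 0x1220, 0x7E42B2C5, 0x7E4210B5, 0)
    return bytes(img)


if __name__ == "__main__":
    for dll, rva, value, status in check_iat(build_sample_dump(), MODULES):
        print("%-13s IAT+%#06x -> %#010x  %s" % (dll, rva, value, status))
```

Run it against a dump taken at the second breakpoint: a clean result is all `ok:` lines, and a `redirected` line tells you the redirection code still ran for that slot, so the magic jump was patched in the wrong place or too late.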
  #32  
10-08-2005, 02:52
5Alive

Quote:
Originally Posted by Messer
Do you know what you want to patch in unpacked-dll? Maybe it is possible to create an inline patch. I've created some inline patches of Arma protected EXEs already. Maybe it is possible doing this with dll's too.
Sorry for the late reply; I've been busy with work recently.
Being new to the art of unpacking, I thought that once the file is unpacked no patching would be needed. One of the other VIP forum members kindly unpacked the file for me.

It has all the relocs intact and it loads, running the file reports an invalid or corrupt serial number so it needs to be patched.

I found that the DLL is trying to load the armaccess.dll and then make a call to check the serial, I patched this and it runs. Upon running the patched DLL for the first time it displays the registration info, activating again runs the DLL as expected. Can anyone tell me if this is how unpacked Arma DLLs normally behave?

How do you guys tackle the armaccess.dll reference? Just patch it out as I have?

Quote:
Originally Posted by Messer
I've found the magic jump with "GetModuleHandleA". Then you just need to patch 1 long-jump.
I'll need to look at this again. If anything, I have learned more about how to use OllyDbg, ImpRec and LordPE than anything else, which can't be a bad thing. Still, I'll need to read more on the PE format and so on if I am to progress.

Quote:
Originally Posted by Messer
Don't know what to do with the relocs but I will look what i can do to fix this problem
I'll PM the forum member who unpacked this and ask if he can explain how he did it. I'll reply here with any information I get.

Quote:
Originally Posted by Lunar_Dust
The "IAT" magic jump is after a VirtualProtect call. You'll know you are in the right spot if you BPX on VirtualProtect, and then take a look at the instruction that the code returns to after the call to VirtualProtect. If it's a PUSH 1, then you are right on top of the IAT redirection code and the magic jump is down below a little ways.

You can't put a BPX or any breakpoint anywhere near the magic jump since it's decrypted at runtime. BPX'ing on the API call is the only way to get there. Also, once you've patched the magic jump, put another BPX after the IAT redirection code, and when you hit that BPX, then repair your Import Table (since it will now be complete in memory). And then change the magic jump back to original instruction. It's optional, but if you don't change the instruction back then Arma goes to re-encrypt the IAT redirection code and it will crash since the code is different.

-Lunar
Hi Lunar, thanks for the explanation of what needs to be done and why; things are starting to make much more sense to me. Perhaps you can answer the burning question about restoring the relocation table: what method (if any) do you use?

I've read that loading the unpacked file at different base addresses into Relox is what is needed to recover the table. I've also read that they don't need to be rebuilt as they are in their original state in the dump. Can you clarify this please?

I'm quite enjoying the whole learning experience of it all. Thanks, 5Alive.
  #33  
10-08-2005, 07:26
Lunar_Dust

Hey,

I've never had to rebuild a relocation table in Armadillo programs or DLL's.

-Lunar