This program is protected by CopyMemII and code splicing...
Unpack the program using the CopyMemII method, dump the "stolen code" from memory and add it as a new section... remember to edit the virtual address...
Example: if the "stolen code" is at address 15c0000, then you have to subtract the imagebase, which is 400000, so the virtual address is 11c0000...
Here is the unpacked exe. I have optimized the program.
1) Use LordPE to dump the region of the "stolen code".
2) Open the dumped exe with LordPE -> Sections -> Load section... and choose the dumped region.
3) Now edit the virtual address (see the example above).
4) Now save the file, open LordPE again, go to Options, tick ONLY "Validate PE", and rebuild the dumped exe.
5) Now fix the IAT........
6) Optimize the program after removing some useless sections left by Armadillo.
BTW, you have to dump the region of the stolen code and the exe at the same time, because every time you start the program the "stolen code" will be at a different address....
Originally posted by baby:
1) Use LordPE to dump the region of the "stolen code".
How do you locate where that region is?
To find the location of the "stolen code"... the way I used is to load the dumped.exe after fixing the IAT, then scroll to the top of the program or press the Home key on your keyboard...
Then search for the binary string "E9" (you have to keep searching until you find some very far jump... for example, the "stolen code" of the program I unpacked is at 15c0000):
004011AA - E9 51EE1B01 JMP dumped_.015C0000 <-- different from ur computer...
004011AF F7D2 NOT EDX
004011B1 87FF XCHG EDI,EDI
004011B3 57 PUSH EDI
004011B4 5F POP EDI
004011B5 F7D2 NOT EDX
15c0000 is the start of the "stolen code". Use LordPE to dump this region, add it at the back of the exe and edit the virtual address to 15c0000 - 400000 = 11c0000.
Understood???
BTW, a DLL is a lot more difficult to unpack than an exe... I cannot unpack the DLL you attached..
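As an added example (not code from either post), the locate-and-subtract procedure above in Python: it scans the bytes from the listing for E9 rel32 jumps whose target falls outside every section of the dumped exe (the "very far jump"), then computes the new section's VirtualAddress as target minus image base. The section table, the region size (0x10000) and the 0x1000 section alignment are assumptions for illustration, not values from the thread; only the image base (400000) and the bytes at 004011AA come from the posts.

```python
import struct

IMAGE_BASE = 0x00400000          # image base quoted in the post
SECTION_ALIGN = 0x1000           # typical SectionAlignment (assumption)

# Constructed section table for the dumped exe: (name, RVA, VirtualSize).
# Illustrative values only; read the real ones from the PE section headers.
SECTIONS = [
    (".text",  0x00001000, 0x00050000),
    (".rdata", 0x00051000, 0x00010000),
    (".data",  0x00061000, 0x00020000),
]

# Bytes reconstructed from the listing in the post, starting at 0x004011AA:
#   E9 51EE1B01   JMP 0x015C0000      (the far jump into the stolen code)
#   F7D2          NOT EDX
#   87FF          XCHG EDI,EDI
#   57 / 5F       PUSH EDI / POP EDI
#   F7D2          NOT EDX
CODE_VA = 0x004011AA
CODE = bytes.fromhex("E951EE1B01F7D287FF575FF7D2")


def in_image(va, sections=SECTIONS, image_base=IMAGE_BASE):
    """True if the virtual address lies inside one of the existing sections."""
    rva = va - image_base
    return any(start <= rva < start + size for _, start, size in sections)


def find_far_jumps(code, code_va, sections=SECTIONS, image_base=IMAGE_BASE):
    """Linear scan for E9 rel32 whose target is outside every section.

    This mirrors the "search for E9" approach from the post. A raw byte scan
    knows nothing about instruction boundaries, so an E9 inside an immediate
    or displacement is examined too; filtering on the target removes most of
    that noise, but confirm each hit in the debugger before dumping.
    Returns a list of (jump_va, target_va).
    """
    hits = []
    for i in range(len(code) - 4):
        if code[i] != 0xE9:
            continue
        rel = struct.unpack_from("<i", code, i + 1)[0]   # signed rel32
        va = code_va + i
        target = (va + 5 + rel) & 0xFFFFFFFF             # next IP + displacement
        if not in_image(target, sections, image_base):
            hits.append((va, target))
    return hits


def new_section_header(target_va, region_size, image_base=IMAGE_BASE,
                       section_align=SECTION_ALIGN):
    """Header values for the dumped region added as a new section.

    VirtualAddress is target minus image base, exactly the subtraction the
    post describes (0x15C0000 - 0x400000 = 0x11C0000). The RVA must be
    section-aligned, and SizeOfImage must be raised to cover the new section
    or the loader rejects the rebuilt file.
    """
    rva = target_va - image_base
    if rva <= 0:
        raise ValueError("stolen code lies below the image base")
    if rva % section_align:
        raise ValueError(f"RVA {rva:#x} is not {section_align:#x}-aligned")
    vsize = -(-region_size // section_align) * section_align   # round up
    return {
        "VirtualAddress": rva,
        "VirtualSize": vsize,
        "SizeOfImage_min": rva + vsize,
    }


if __name__ == "__main__":
    for va, target in find_far_jumps(CODE, CODE_VA):
        print(f"{va:08X}  JMP {target:08X}  <- outside the image, stolen code?")
        hdr = new_section_header(target, 0x10000)   # region size: assumption
        for name, value in hdr.items():
            print(f"  {name:16} {value:#010x}")
```

The rel32 in the dumped code is a fixed displacement, so the added section has to land at exactly 15c0000 when the rebuilt exe loads at 400000; that is why the post insists on dumping the exe and the stolen region from the same run, since the region's address changes between runs.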