removing Armadillos residual sections

mustanger · Frequent poster Joined: 13 Sep 2005 Posts: 64

Just when I was getting cocky about my armadillo abilities, I'm suddenly thrust back to my status as a dumb questioner!

I'm unpacking a program with nanomites and when I try to repair the dump in the very last step, Arminline tells me it can't do it and to "try removing armadillo's residual section" I know exactly what it means, but alas, I only know how to NOP or fill with zeros. I know this is an easy one step procedure. Can any of you mavens of cracking tell me what it is?

BTW As I was lookin for a way to remove sections, I right clicked in the Memory window and there was a coomand to "actualize" . It doesn't remove armadillo sections, but as long as I've got your attention, does anybody know what this does?

moniker · Posted: Fri Jul 07, 2006 7:11 pm Post subject:

removing sections is one of the things i don't do through olly. There are several PE editors, like LordPE, that allow you to fiddel with sections, and other PE-format specific things.

actualize isn't a function i use commonly either, i figure that when you change for example the access permissions on a section you need to actualize the settings.

bengunn · Regular Joined: 15 Apr 2005 Posts: 118

Hi moniker,
It would be interesting if you would show in some detail how you do it with lpe, I've never ended up with a working dump after removing sections and rebuilding dumped arma targets using lpe alone. My method is, using ollypedumper dump twice, first a full dump all sections included, second one with all sections from the second .text to end removed, extract the resource section from first dump, use resource rebuilder to rebuild resources then add it to the second dump, that always works but a easier/simpler method would be preferred.
cheers.

haggar · Regular Joined: 19 Mar 2005 Posts: 246

I think that I wrote in couple mines tutorials how to do it. You erase all sections of armadillo that are unused. But if you redirect spliced code to one of them, then ofcourse that you must not delete it. Sometimes is not good to delete that .pdata one.

When you delete sections the easiest way is to rebuild it with LordPE. But in options select only "Validate PE file" and "Show Progress Window". If you want to do it manually, then you must set number of sections and image size. Also you can check file alignment, sections , etc...