RICHARDO : movie collector problem


nick_name
October 27th, 2005, 08:46
1. I detach child from father.
2. At child, I find IAT begins at 6961e0.
3. I put a HW bp on write there.

4. I restart Olly, detach the father from child (while the HW bp is already there).
5. I'm at child again.
6. With a F9, the child starts to run.

Olly doesn't break at any time on the IAT writing. Where am I going wrong??
Is there any other way to find the MAGIC jump or get the full IAT?

Where am I going wrong??

mr haggar
October 27th, 2005, 16:38
Yep, it can be weird. Try a memory bp then.

Btw, does that target have spliced code or IAT elimination? Is it CopyMemII or just DebugBlocker?

Armadillo uses the _stricmp API to compare which APIs need to be obfuscated, so you can break there, but the problem is that the API is used for other things too and it would take ages to break at the right spot. Check this http://www.reversing.be/article.php?story=20051002151932648 and this http://www.reversing.be/article.php?story=20050926230011232

nick_name
October 27th, 2005, 22:57
mr haggar, THANKS for the reply.

The target has NANOMITES, which I think is the last thing to take care of.
The target doesn't have any IAT ELIMINATION.

But I've noticed one thing: if I use the OpenMutexA trick, it doesn't even break on CreateThread and shows the error message 'Debugged program was unable to process the exception'.

If I use the WriteProcessMemory trick, I can detach the child from the father, but when at the OEP of the child, some of the IAT imports are already missing.

mr haggar
October 28th, 2005, 13:12
Oops, I don't know how to unpack nanomites. I was planning to read some papers about that but I'm a little tired from this unpacking. If there is no IAT elimination, then the IAT should be simple to fix.

From what I noticed, nanomites are some threads; what they do, I'm not sure. I have detached processes in Easy CD-DA Extractor and it was working OK. But when I placed a couple of bp's, the code was screwed.

SKiLLa
November 3rd, 2005, 15:43
I've been trying to unpack Movie Collector and also Photo Collector, but I too fail with the NanoMites, even though I found a Spanish tutorial about NanoMites; I just can't figure it out (translation-sites s#ck). Can anyone explain this to me (or provide a link to an English tutorial)?

Strangely enough, although both programs are protected with Arma v4 (I just tried the latest version of both programs), the Movie Collector license-protection-scheme is quite easy to patch, while Photo Collector licensing is just completely different (code-wise). The same nag and (basically) the same protection, but it seems there are other Arma options used, since I can't phish the serial-routine. Both use DebugBlocker, NanoMites and at least one of the 2 also has code-slicing and (some?) IAT elimination (redirects)... if I'm not confusing things here; I haven't looked at it lately, too confusing.

So it seems Photo Collector is better/differently protected... I found several cracks for Movie Collector (I don't care for the program and I don't use it, I'm just using it to learn about Arma v4 with most protection-options enabled), but none for Photo Collector... quite strange...

mr haggar
November 3rd, 2005, 19:42
Protections can differ, but that is usually a minor annoyance after unpacking. If you want to practice, you have on http://tuts4you.com/ unpackmes, more than you need, for 4.30, 4.20... Armadillos. With ALL protections, including nanomites.

Back to nanomites: there is on the old biw site crusader's tutorial for Armadillo 2.x with nanomites. Old, but Armadillo is pretty much the same and the tut is good. There is also a new, very very detailed tutorial for 4.20 on the reteam site.

nick_name
November 4th, 2005, 05:58
mr haggar, thanks for your replies.

I'm finally successful with MOVIE COLLECTOR.
Fixed the nanos with ArmInline.

But no luck with N-REC + ARMTOOLS.

I've opened a new thread mentioning my problems; could you please take a look there??

Thank you