Manual Unpacking problem
 

In OllyDbg I've tried manually unpacking a program, but when I dump the process (using Ollydump plugin, I leave all the settings to default), then try and load the unpacked program I get this message:
"The entry point could not be located in the dynamic link library Shell32.dll"

I'm unsure of what to do, any help is appreciated.

Hi Nilrem / merliN

What's the program name/ link?
What is the program packed with?



Best Wishes

R@der

Can we talk more privately please R@dier?
For now I'll PM you the info.

My contact info is:
merlin!accessroot.com - email
jammysa@hotmail!com - msn messenger
46313648 - icq

Re: Manual Unpacking problem
 

Your import table isn't correct.
When you use the default options of ollydump it also tries to recreate the import table. It's more safely tou recreate the import table manualy or to use imprec/revirgin

regards lownoise

Still no go, argh!

Hi Nilrem,

as per PM
here is the iat just use Imprec to fix

Thanks to you two, I was unpacking it correctly, but was not importing it correctly, thanks a lot.

I click fixdump, then the file opened in Ollydbg, and I get the error message (from Imprec):
"Invalid dump file! Can't match RVA to Offset int he dump file"
In Imprec I also have the values that R@dier said to have:
"OEP: 00063274 IATRVA: 00067150 IATSize: 000006B8"
I didn't type them in either (well only the OEP then clicked IAT AutoSearch).

you should perhaps fix the dump and not the original (in olly opened) file ;)

here is a quick run down
load into olly

004A4230 > $ 60 PUSHAD <----- starting point
004A4231 . BE 00F04600 MOV ESI,wwDisp.0046F000
004A4236 . 8DBE 0020F9FF LEA EDI,DWORD PTR DS:[ESI+FFF92000]
004A423C . 57 PUSH EDI

Scroll down till

004A4395 > FF96 B85E0A00 CALL DWORD PTR DS:[ESI+A5EB8]
004A439B > 61 POPAD
004A439C .-E9 D3EEFBFF JMP wwDisp.00463274 <----jmp to OEP Set Break point here


F7 to OEP

00463274 55 PUSH EBP <-----OEP
00463275 8BEC MOV EBP,ESP
00463277 33C9 XOR ECX,ECX


olly dump prog and turn off rebuild imports
dump as unpacked.exe

do not shut down olly yet we are now going to get the imports

Start ImpRec
Select process
changes oep: 00063274
click get imports and check for invalid

click fix dump ans select unpacked.exe

shut down olly

done all works great now

I hope this helps

Run the new file which will be saved as
unpacked_.exe


Best Wishes

R@dier

Ahh can't believe that my problem was because I was fixing the original not the dump! UGH! Feel so stupid such a silly little mistake.

Reload the program in Olly please R@dier (the one you unpacked) do you get a error message saying:
"Module 'exenamehere' has entry point outside the code..." etc, then when you click ok it tells you it may still be packed, I mean everything looks fine and everything, just curious.

You need to fix the base of code so that the base of code falls in the section where the OEP is. After that you wont get a warning anymore. Use LordPE or something similiar for this.

Example:

ImageBase: 0x00400000
OEP:0x0000137c
BaseOfCode:0x00001000

The warning is nothing special or important. Just a notice. The file is unpacked correctly.

@ Nilrem
No Error warnings here :D




R@dier

Cheers.