|
Unpacking DLLs
Hi guys,
Can someone write a tutorial on unpacking DLLs. I have seen a prog for doing this but it doesn't work in 98SE. I tried running the program. I had unpacked the program itself. But inbetwen, it loads the DLL using LoadLibrary. Olly tells me the code section is compress blah blah. Then olly gets an exception or something. And either LoadLib returs zero or the proggy crashes. Though PEid doesn't say anything(Nothing found*). ANother DLL in the same proggy uses PETite. Can someone give me some pointers? Thomas Antony |
Hi,
I want to ask a question too. Related dll IAT. How do you grab IAT from dll? Do you use ImpREC? I was unpacking asprotected dll once and got dump and oep but i had problems with iat. I tried using ImpRec for that. I put adress manualy. For IAT start i put dll IAT RVA - exe imagebase and size 1000 but ImpRec couldnt read memory. I thought i should patch ImpRec becouse its possible that it checks if my adress is inside exe.... Anyway, i'm sure you people already have a way :) Thanks |
open the dll in a hex editor,
remember the byte at entry point and patch it to 0xCC, make sure your softice/ollydbg/whatever is configured to break on int3, start the program in the debugger, wait for int3 break in dll, patch back the byte you remembered, set eip back to the entry point to execute this original code (with byte patched pack), now do whatever is needed to unpack it, trace etc:) |
Alternatively you can load the dll into LordPE change its characteristics to 10* instead of 20* (where * star usually is E or F depending upon relocation), rename the extention of the file to *.exe (where * is the filename) and open it with your debugger.
It will run just like an executable, because techincally, it is an executable just a special type...certain dlls are ran just like executables (i.e. rundll32.exe) Unpack it just like you would an executable, just don't forget to update or rebuild the relocation, and then change the characteristics back, rename it again, and you done. :D Regards, |
DLL-characteristics - 2000 = EXE-characteristics
some packers crash if you do this |
Quote:
Good point, I know for a fact this method will not work on VBox protected DLL's, ...from experience. :mad: |
Hi,
I have found the OEP of the DLL. How do I dump it? DO II use OllyDump? Thomas Antony |
Thanks guys! :)
Thomas: You can use LordPE for that. Open LordPE, click on exe that loads that dll, in lower window you will see modules that exe loaded. Find your dll and do a Full dump :) |
the hardest about unpacking DLLs are relocations in my view... there isn't any good fixer out. so you have to study relocations and do it manually or write a tool for it...
|
Hrm. I'll have to read more tuts on unpacking. I didnt know i'd have to deal with relocations upon unpacking them. Maybe that would be reason for my dll not to work after i got IAT :/ Thanks for answers
|
What exactly is the crypter/packer you are dealing with?
Some packers support automatic decompression such as upx, neolite... I somehow doubt thats the case but...hey any advise I can offer, your welcome to it, I too am still learning. Regards... |
Having similar problem
I am facing a similar problem...
Unpacking a vboxed exe file is easy and rather similar for any vboxed exe file. But the unpacking of vboxed dll files is needing a lot of time and analysis...Is there any simpler way like what we do for exe files...For example... bp FreeLibrary when the try dialog screen comes up...Followed by putting a bp on the CODE segment once it breaks and then running it etc leads you straight to the OEP....is there any simpler way to do so for the dll files also...? the way I proceed is mostly by changing the characteristics of the dll file by subtracting 2000 from it and then opening it under olly as an executable file... But this method is also mostly not so helpful, and finally I end up analyzing it with IDA before I get anything useful done... I'd already researched on secveral sites using google and also on the RCE site but there is no easy or methodical way to unpack the dll files... Any pointers on this ... ? |
Hi,
I am using OllyDbg. So when I tried stepping across the load library call, it crashed and any while ruinning the unpacked EXE I always got 'Cannot load DLL' messages. The DLL was packed with PE-Pack I think. BUt I had found the OEP of the DLL by running it in Olly. So When the message appeared that it cannot load dll, I simply searched the modules list of the EXE and found the DLL!!! THis must be some trick of the compressor. Anyway, I did a full dump of the DLL module and used the PE Editor of LordPE to change the Entrypoint to the OEP. And the DLL works!! Thomas Antony |
You tried to load dll with Ollys loaddll? Were you stepping thru packer code across some calls? Some packers have trace checks. I like to put bp on ret and then press f9 sometimes instead of using trace till ret.
|
vboxed dll are different i think
As I said, trying to run the vboxed dlls is different I think... As they terminate with a vboxat not initialized successfully or some such message...
This happens when you run the vboxed dlls either by themselves by changing the characteristics to that of exe or by using olly's loaddll... Letting the dll load and then dumping them fully does not work as simply with the present versions of vbox 4.6.2 ... All the techniques mentioned on the RCE fora for unpacking dlls including the ones mentioned on this thread fail for the vbox. Can someone who has ACTUALLY unpacked vboxed dlls of recent apps ( which use the recent versions of vbox 4.6.2) actually give steps which they took please... ? Generic steps rather than specific ones which work for most if not all the dlls packed with vbox, however vague, would be helpful, from someone who has actually unpacked the dlls recently... Thank you... |
As for my first question here... Just now i was unpacking some ASPR and noticed "Pick DLL" button in ImpRec :) What a dumber :) Pick executable of dll, pick dll and there you have it :) I just wonder how none of you wankers told me this :P :) Keeping all easy ways to yourself
TechLord: I'm not really clear where you are having problem. Getting to DllMain? Getting IAT? |
dll unpacking prob...
nikola:
My main problem is in getting the OEP... The way I proceed, as I said in one of my prev posts is by changing the characteristics of the dll to exe by subtracting 2000h from the characteristic in PE Editor. Then I load it in Olly as an exe and try to step it using F7 and F8. Then I try to look for the OEP in the usual way - looking for any SUDDEN changes in the EIP ranges, any sudden jmp away from the decrypting code etc... This tends to fail more often with Vbox than with other packers. I sometimes try to load it in IDA Pro 4.7 and after a long and thorough search, I get the oep. My request was whether someone succeeded in finding any easier way to unpack the vboxed dlls. The search on the net, including the RCE fora, only succeeded in me understanding that the unpacking of the dll is "More involved and complex"...According some of the authors... Even after I find the OEP, getting the imports with imprec frequently fails when I use ImpRec 1.6 Final...there are very few if any documents on the net explaining how to get the imports for the dll...The way I proceed is to create a small loading exe file for the dll and then try to get the imports through ImpRec...Any detailed Tutorial on unpacking at least a single vboxed dll is welcome... I can provide plenty of vboxed dlls if you need them for preparing a rather rough sketch of the steps to take, if not a full-blown tut... :) Thank you... :) |
I didnt unpack dll but i unpacked some exes and i dont think methodology should defer significantly. IAT wasnt problem for my exes. Just had TL1 and TL3 if i recall correctly and cut rest invalid thunks.
It'd be nice if you can attach a small dll here. Tho i have an exam on next monday and a bad one so i probably wont be able to try that out soon |
Yes...
nikola:
Unpacking vboxed exes is pretty straight-forward and quite mechanical...Since you yourself are saying that you've not unpacked dlls before, they are quite "involved, and complex", as one of the authors on the forum put it. If you have tryout version of A*obe Phot* sho* CS or any of the recent ad*be tryout products, you can find at least one or two dll which are vboxed there. Photosh*p CS has cooltype.dll for instance...( Admins : I hope I am not breaking any of the rules by naming the target since I am not giving any application-specific code here...Please correct me and the post if anything in the post is illegal... :) ) PEiD will very easily let you find the dlls which are packed. The problem with not having a generic approach for the dlls, unlike for the exes , for which we have several generic ones...Is that one dll is very easy to reverse while another takes a whole day...While yet another takes a full week to reverse and find the OEP... For unpacking the exes ( and even the dlls ) the approach of using SICE with tracex and hydra is given by some of the authors on the net. But it doesn't seem to work very well for dlls though it is quite good for exes. Moreover, SICE tends to give some stange problem with some programs with system-level drivers and hence, I use SICE only when necessary on an old machine devoted only for that purpose... The IAT was never a problem for me also for exes, as you mentioned in the post. :) It is not so for the dlls. Each dll gives a different problem...Though I'd managed to solve them...Taking a long time... The ImpRec does a marvellous job and the remaining two imports which it leaves out are always the same and it takes hardly a few seconds to disassemble and find the two. On a fast comp, the IAT-finding for the exes is quite mechanical and takes not more than 15 mins at most. This is all true, of course, if you have the correct OEP... This is where the problem boils down to ...We have to have a generic method to find the OEP for most if not all of the Vboxed dll also. Onec the OEP is known, then the job of course, becomes much easier... Using the newer PEiD with the plugin gives the OEP of vboxed exe files correctly ( though I don't find it necessary to use it )...But it says it cannot create process to find OEP or something like that and fails when I give it a dll to find the oep for. I also have a very bad exam on Monday ! Anyway I'd told you how to get the files...If you don't have access to the tryout versions, then please let me know and I'll mail them to you. It may not be as easy as you think to reverse them and give a generic approach... :) |
i been following this thread for some time and i been wondering about relocations.. is there a easy way of fixing them if so any help would be great
|
Generic method finding 4.6.2 VBOXed DLL OEP
Quote:
VBOXTB is loaded to memory address 0A000000 (address may be different) VBOXTB.0A0081B9 (Offset 81B9) MOV EAX, [ESI+14] (EAX = OEP DLL) ... VBOXTB.0A0081CB PUSH [EBP+14] VBOXTB.0A0081CE PUSH [EBP+10] VBOXTB.0A0081D1 PUSH [EBP+0C] VBOXTB.0A0081D4 (Offset 81D4) CALL EAX (EAX = OEP of DLL) Another generic approach is setting a memory breakpoint to section .text of VBOXed DLL when Ollydbg stops after loading this DLL. First time the memory breakpoint (type memory on access) stops execution is when some bytes at OEP will be changed. Second time memory breakpoint stops due to execution of OEP (same approach as finding OEP of VBOXed exe files). Both generic approaches needs still remaining trial days. If trial period is exeeded - no problem. Infos about remaining days are stored in a .LIC (shared folder in programs path \VBOX\Licenses, C:\os??????.BIN (? = numeric characters) and in registry HKEY_CLASSES_ROOT\CLSID\..., look for entries with no subtrees and only one registry entry @ = a long cryptic text string. If You want to get exact registry entry and exact filename of .BIN You have to patch RUNDLL32.EXE at OEP with JMP OEP (EB FE). Ollydbg will stop at entry of RUNDLL32 when VBOX tries to load VBOXR.DLL. Patch RUNDLL32 back at OEP (E8 0A), set breakpoints at KERNEL32!GetFileAttributesA and ADVAPI32!RegOpenKeyA and run. Ollydbg will serve file name and registry entry. How to reset trial period to original value: Delete both RUNDLL processes (e.g. using Sysinternals ProcessExplorer 'Kill process tree'), delete registry entry and file .BIN. Finally remove .LIC and copy original .LIC (you have on HDD after install of program - don't forget to make backup) to destination. You can easily recognise original .LIC regarding date/time stamp, if equal with corresponding .PRF then it is original file. If not available reinstall programm and make backup of .LIC :) Greets Izak |
asprotect
I'm trying to unpack a dll protected with asprotect but seens to have new stuff or trick because stripper 2.11 RC1 and RC2 don't work. Still in exe's files with the new asprotect show me
Code:
stripper v2.11 rc2..Code:
Error: 85 |
Well im unpacking a DLL file too but the darn thing won't run because of the relocation messed up I quess.
The DLL has an imagebase(checked in LordPE) of 10000000. However the dll gets loaded by the main app at base 019A0000. Because of no relocationtable some calls etc get messed up.. IS there any info/tut/app out to get this reltable fixed ? There is little alternative, except manually finding ALL adresses and adding them to a new table.. |
| All times are GMT +8. The time now is 18:44. |
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX