Hi Guys (and gals),
I have been working on a dll which is packed by ASPack 2.12. Not hard to unpack at all..
I simply open in OLLYDebug (using LoadDLL.EXE).
The packed entry point is the instruction PUSHAD.
I then put a read breakpoint on the word pointed to by [ESP] and then run..
Aftre the break point, you step over about 5 lines and boom you are at the entry. (Thanks for the Tutorial on this)
Now all the unpack guides I have all deal with unpacking and dumping EXE files. So normally you would open OLLYDump and calc the new base address and dump the process.. Then fix the imports and everything is 100%.
With Ollydump you cant dump a DLL (not that I can see).. Obviously becuase the DLL is not what was loaded into OLLYDebug but rather the wrapper LOADDLL.EXE loaded the dll. (OLLYDump gives an error like "Cannot read memory address 0401000 ... 04a7000") and does not dump at all.
Also I found that the Base Address Modifier calculation is not right (probably for the same reason)... So I manually worked this out (not hard) to about $34576.. but still no dump ...
Ok so I loaded a number of dumpers. One I tried was PETools ... So I find the LoadDLL.EXE process ... Click Choose DLL and choose the DLL i want to dump. It finds it ok ... and I right click ... Full Dump ...
Ok now the DLL is dumped but the imports are screwed (Also when I load the file into anything it says the PE header is screwed). The exports are fine though. (duh
hehehe)
So then I try to use IMPRec to rebuild the imports... So I choose the LoadDLL.EXE process .. and the DLL and I choose Auto Search ... Nothing (error message "no suitable imports at that entry point") ... So then I changed the Entry point from 80100 to the new address (I tried the actual memory OEP and also the file offset to the OEP) .. nothing.. It says "That memory address does not belong to that process".
Please help me correctly dump this DLL and rebuild the import table. I am comfortable with both OLLYDebug and Softice
Thanks in advance
REDBull