Hi Guys,
Thanks for your help.
Two things.
1. I was not sure that I was dumping the DLL correctly. But looking at other posts on hxxp://www.woodmann.net I realized I was dumping correctly.
2. I was incorrectly calculating my relative offset for the entry point to patch the PE header with.
What happened was (and these values are for one specific dump):
The DLL entry point was at 09F1000 but the PE Header started at 09F0000.
The OEP was at 0A79000 (for example) [quite a large DLL unpacked]. I was subtracting the DLL entry point and not the PE Header offset to get the Base Address Modifier value. (STUPID STUPID)
Now when I put the correct address I did not even need to use IMPRec ... I simply edited the dumped DLL using LORDPE and bingo it fucking worked!
Thanks for your help and sorry for my stupidity!!!
Here are some references for anybody else having trouble with this:
hxxp://www.woodmann.net/forum/showthread.php?t=5898&highlight=dump+dll
hxxp://www.woodmann.net/forum/showthread.php?t=3824&highlight=dump+dll
Here is a brilliant article on just this type of thing
hxxp://www.woodmann.net/yates/lad.txt
l8r
REDBull
Last edited by redbull; 07-07-2004 at 18:40.
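The calculation described in the post above, as an added example that is not part of the original post: the entry point RVA written into the PE header is the OEP minus the address where the PE header (image base) is mapped, not minus the packer stub's entry point. The function names and the minimal header built by `build_sample_dump` are constructed for illustration; only the three addresses come from the post.

```python
import struct

def oep_rva(oep_va, image_base, size_of_image):
    """AddressOfEntryPoint is relative to the image base (where the PE header
    is mapped), not to the entry point of the packer stub."""
    rva = oep_va - image_base
    if not 0 < rva < size_of_image:
        raise ValueError(f"OEP {oep_va:#x} is outside the image at {image_base:#x}")
    return rva

def patch_entry_point(dump, oep_va, image_base):
    """Return a copy of the dumped image with AddressOfEntryPoint set to the OEP."""
    if dump[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", dump, 0x3C)
    if dump[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20            # skip PE signature and COFF file header
    (magic,) = struct.unpack_from("<H", dump, opt)
    if magic not in (0x10B, 0x20B):    # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    (size_of_image,) = struct.unpack_from("<I", dump, opt + 56)
    patched = bytearray(dump)
    rva = oep_rva(oep_va, image_base, size_of_image)
    struct.pack_into("<I", patched, opt + 16, rva)   # AddressOfEntryPoint
    return bytes(patched)

def read_entry_point(image):
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    return struct.unpack_from("<I", image, e_lfanew + 4 + 20 + 16)[0]

def build_sample_dump(stub_rva=0x1000, size_of_image=0x100000):
    """Constructed minimal PE32 header standing in for a real dump."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)          # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", buf, opt, 0x10B)
    struct.pack_into("<I", buf, opt + 16, stub_rva)  # still points at the stub
    struct.pack_into("<I", buf, opt + 56, size_of_image)
    return bytes(buf)

if __name__ == "__main__":
    IMAGE_BASE, STUB_EP, OEP = 0x09F0000, 0x09F1000, 0x0A79000  # values from the post
    fixed = patch_entry_point(build_sample_dump(), OEP, IMAGE_BASE)
    print("correct RVA:", hex(read_entry_point(fixed)))
    print("RVA if the stub entry point is subtracted:", hex(OEP - STUB_EP))
```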