#1
Correctly Dumping Unpacked DLL's
Hi Guys (and gals),
I have been working on a DLL which is packed by ASPack 2.12. Not hard to unpack at all.. I simply open it in OllyDbg (using LoadDLL.EXE). The packed entry point is the instruction PUSHAD. I then put a read breakpoint on the word pointed to by [ESP] and then run.. After the breakpoint, you step over about 5 lines and boom, you are at the entry. (Thanks for the tutorial on this)

Now all the unpack guides I have deal with unpacking and dumping EXE files. So normally you would open OllyDump and calc the new base address and dump the process.. Then fix the imports and everything is 100%. With OllyDump you can't dump a DLL (not that I can see).. Obviously because the DLL is not what was loaded into OllyDbg, but rather the wrapper LOADDLL.EXE loaded the DLL. (OllyDump gives an error like "Cannot read memory address 0401000 ... 04a7000") and does not dump at all. Also I found that the Base Address Modifier calculation is not right (probably for the same reason)... So I manually worked this out (not hard) to about $34576.. but still no dump ...

Ok so I loaded a number of dumpers. One I tried was PETools ... So I find the LoadDLL.EXE process ... click Choose DLL and choose the DLL I want to dump. It finds it ok ... and I right click ... Full Dump ... Ok now the DLL is dumped but the imports are screwed (also when I load the file into anything it says the PE header is screwed). The exports are fine though. (duh hehehe)

So then I try to use ImpRec to rebuild the imports... So I choose the LoadDLL.EXE process .. and the DLL and I choose Auto Search ... Nothing (error message "no suitable imports at that entry point") ... So then I changed the Entry point from 80100 to the new address (I tried the actual memory OEP and also the file offset to the OEP) .. nothing.. It says "That memory address does not belong to that process".

Please help me correctly dump this DLL and rebuild the import table.
I am comfortable with both OllyDbg and SoftICE. Thanks in advance, REDBull

Last edited by redbull; 07-02-2004 at 19:16.
#2
If you understand Russian:
_http://www.wasm.ru/forum/index.php?action=vthread&forum=5&topic=1882&page=0#2
#3
IMP REC and dlls
For working with DLLs in ImpRec you need to change a mark in the OPTIONS of ImpRec. There are 5 or 6 marks; try with this and you can fix the DLL perfectly. If you have problems, go to the crackslatinos page and download the tut of ASProtect in a DLL and look in this tut for what mark you need to change, but it is very easy, try and you will find it quickly. I don't remember it well at this moment.
Ricardo Narvaja
#4
For ASPack, ImpRec is not needed.
_______________ Best regards, Asterix
#5
IMP REC and Dlls
I only say that changing a mark in the ImpRec options makes it work with DLLs (obviously, if it is necessary).
I only unpack Armadillo and ASProtected DLLs, and in these cases it is necessary. Ricardo
#6
Hi Guys,
Thanks for your help. Two things.

1. I was not sure that I was dumping the DLL correctly.. But looking at other posts on hxxp://www.woodmann.net I realized I was dumping correctly.

2. I was incorrectly calculating my relative offset for the entry point, to patch the PE header with. What happened was (and these values are for one specific dump): the DLL entry point was at 09F1000 but the PE header started at 09F0000. The OEP was at 0A79000 (for example) [quite a large DLL unpacked]. I was subtracting the DLL entry point and not the PE header offset to get the Base Address Modifier value. (STUPID STUPID) Now when I put in the correct address I did not even need to use ImpRec ... I simply edited the dumped DLL using LordPE and bingo it fucking worked!

Thanks for your help and sorry for my stupidity !!! Here are some references for anybody else having trouble with this:
hxxp://www.woodmann.net/forum/showthread.php?t=5898&highlight=dump+dll
hxxp://www.woodmann.net/forum/showthread.php?t=3824&highlight=dump+dll
Here is a brilliant article on just this type of thing: hxxp://www.woodmann.net/yates/lad.txt

l8r REDBull

Last edited by redbull; 07-07-2004 at 18:40.
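As an added worked example (mine, not redbull's post or LordPE's code), this Python script does the header fix the thread ends on: it computes the OEP RVA against the in-process address of the PE header (the module base), not the first section, and patches AddressOfEntryPoint and ImageBase in a dump. The PE image here is a constructed stub with only the fields used filled in, and the addresses are the ones quoted in post #6.

```python
import struct

# Constructed stand-in for a dumped DLL: a DOS stub, "PE\0\0" signature, COFF
# header and a PE32 optional header. Only the fields this example reads or
# writes are filled in; it is not a real module from the thread.
def build_dummy_pe(image_base, entry_rva):
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> PE header at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)                                  # SizeOfOptionalHeader for PE32
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)            # ImageBase
    return bytes(dos) + coff + bytes(opt)

def optional_header_offset(image):
    """Locate the optional header via e_lfanew; refuse anything that is not PE32."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    opt = e_lfanew + 4 + 20                                # signature + COFF header
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    return opt

def oep_rva(oep_va, header_base):
    """RVA for AddressOfEntryPoint. header_base is the address where the PE
    header of the DLL sat in the debugged process (the module base), NOT the
    address of the first section or of the packed DLL's entry point."""
    return oep_va - header_base

def read_header_fields(image):
    """Return (ImageBase, AddressOfEntryPoint) as stored in the header."""
    opt = optional_header_offset(image)
    return (struct.unpack_from("<I", image, opt + 28)[0],
            struct.unpack_from("<I", image, opt + 16)[0])

def patch_dumped_dll(image, oep_va, header_base):
    """Fix the dump's header the way one would by hand in LordPE: set ImageBase
    to the base the module was actually loaded at (relocations in the dump were
    already applied for that base) and point AddressOfEntryPoint at the real OEP."""
    buf = bytearray(image)
    opt = optional_header_offset(buf)
    struct.pack_into("<I", buf, opt + 28, header_base)
    struct.pack_into("<I", buf, opt + 16, oep_rva(oep_va, header_base))
    return bytes(buf)
```

With the post's numbers, subtracting the header base 09F0000 from OEP 0A79000 gives RVA 89000, whereas subtracting the first-section address 09F1000 gives 88000, one page short of the real OEP.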