#1
Unpacking DLLs
Hi guys,
Can someone write a tutorial on unpacking DLLs? I have seen a prog for doing this but it doesn't work in 98SE. I tried running the program. I had unpacked the program itself. But in between, it loads the DLL using LoadLibrary. Olly tells me the code section is compressed blah blah. Then Olly gets an exception or something. And either LoadLib returns zero or the proggy crashes. Though PEiD doesn't say anything (Nothing found*). Another DLL in the same proggy uses PEtite. Can someone give me some pointers?
Thomas Antony
#2
Hi,
I want to ask a question too, related to the DLL IAT. How do you grab the IAT from a DLL? Do you use ImpREC? I was unpacking an ASProtected DLL once and got the dump and OEP, but I had problems with the IAT. I tried using ImpREC for that. I put the address in manually. For IAT start I put DLL IAT RVA - exe imagebase and size 1000, but ImpREC couldn't read memory. I thought I should patch ImpREC because it's possible that it checks if my address is inside the exe.... Anyway, I'm sure you people already have a way. Thanks
#3
Open the DLL in a hex editor, remember the byte at the entry point and patch it to 0xCC. Make sure your SoftICE/OllyDbg/whatever is configured to break on int3, start the program in the debugger, and wait for the int3 break in the DLL. Patch back the byte you remembered, set EIP back to the entry point to execute the original code (with the byte patched back), and now do whatever is needed to unpack it, trace, etc.
#4
Alternatively, you can load the DLL into LordPE, change its characteristics to 10* instead of 20* (where * usually is E or F depending upon relocation), rename the extension of the file to *.exe (where * is the filename) and open it with your debugger.
It will run just like an executable, because technically it is an executable, just a special type... certain DLLs are run just like executables (i.e. rundll32.exe). Unpack it just like you would an executable, just don't forget to update or rebuild the relocations, and then change the characteristics back, rename it again, and you're done. Regards,
__________________
Even as darkness envelops and consumes us, wrapping around our personal worlds like the hand that grips around our necks and suffocates us, we must realize that life really is beautiful and the shadows of despair will scurry away like the fleeting roaches before the light. |
#5
DLL characteristics - 2000 = EXE characteristics
Some packers crash if you do this.
#6
Good point, I know for a fact this method will not work on VBox protected DLLs... from experience.
#7
Hi,
I have found the OEP of the DLL. How do I dump it? Do I use OllyDump?
Thomas Antony
#8
Thanks guys!
Thomas: You can use LordPE for that. Open LordPE, click on the exe that loads that DLL; in the lower window you will see the modules that exe loaded. Find your DLL and do a Full dump.
#9
The hardest thing about unpacking DLLs is relocations, in my view... there isn't any good fixer out. So you have to study relocations and do it manually or write a tool for it...
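Posts #4, #5 and #9 describe the two header-level steps a DLL unpack needs: clearing the IMAGE_FILE_DLL characteristic (the "subtract 2000" trick) and fixing the relocations in the dump. The script below is an added Python example, not code from this thread or from any tool it names; it assumes a 32-bit (PE32) memory dump in which file offset equals RVA, and build_sample_image is a constructed toy image, not a real DLL.

```python
import struct

IMAGE_FILE_DLL = 0x2000           # Characteristics bit that marks a DLL
IMAGE_REL_BASED_HIGHLOW = 3       # reloc type: 32-bit absolute pointer
DIR_BASERELOC = 5                 # data directory slot of the .reloc table

def rebase_dump(image, new_base):
    """Walk the base relocation blocks of a PE32 memory dump (offset == RVA)
    and shift every HIGHLOW pointer by new_base - old ImageBase."""
    opt = struct.unpack_from("<I", image, 0x3C)[0] + 24   # IMAGE_OPTIONAL_HEADER32
    old_base = struct.unpack_from("<I", image, opt + 28)[0]
    delta = (new_base - old_base) & 0xFFFFFFFF
    pos, size = struct.unpack_from("<II", image, opt + 96 + DIR_BASERELOC * 8)
    end, fixed = pos + size, 0
    while pos + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", image, pos)
        if block_size < 8:                            # malformed block: stop
            break
        for i in range(8, block_size, 2):             # 16-bit entries follow
            entry = struct.unpack_from("<H", image, pos + i)[0]
            if entry >> 12 == IMAGE_REL_BASED_HIGHLOW:
                at = page_rva + (entry & 0xFFF)
                val = struct.unpack_from("<I", image, at)[0]
                struct.pack_into("<I", image, at, (val + delta) & 0xFFFFFFFF)
                fixed += 1
        pos += block_size
    struct.pack_into("<I", image, opt + 28, new_base)  # record the new base
    return fixed

def set_dll_flag(image, is_dll):
    """Set or clear IMAGE_FILE_DLL (the 'subtract 2000' trick); returns the new value."""
    off = struct.unpack_from("<I", image, 0x3C)[0] + 0x16   # FileHeader.Characteristics
    chars = struct.unpack_from("<H", image, off)[0]
    chars = (chars | IMAGE_FILE_DLL) if is_dll else (chars & ~IMAGE_FILE_DLL)
    struct.pack_into("<H", image, off, chars)
    return chars

def build_sample_image(base=0x10400000):
    """Constructed toy PE32 dump (not a real DLL): one reloc block at RVA 0x1000
    covering page 0x2000, with one HIGHLOW entry for the pointer at 0x2010."""
    img, pe = bytearray(0x3000), 0x80
    img[:2], img[0x3C:0x40], img[pe:pe + 4] = b"MZ", struct.pack("<I", pe), b"PE\0\0"
    struct.pack_into("<H", img, pe + 0x16, 0x210E)                # typical DLL flags
    struct.pack_into("<I", img, pe + 24 + 28, base)               # ImageBase
    struct.pack_into("<II", img, pe + 24 + 96 + DIR_BASERELOC * 8, 0x1000, 12)
    struct.pack_into("<IIHH", img, 0x1000, 0x2000, 12, (3 << 12) | 0x10, 0)
    struct.pack_into("<I", img, 0x2010, base + 0x1234)            # absolute pointer
    return img
```

Rebasing the sample from 0x10400000 to 0x10000000 rewrites the one pointer to 0x10001234 and updates ImageBase; a second rebase to the same address is a no-op because the header now records the new base.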
#10
Hrm. I'll have to read more tuts on unpacking. I didn't know I'd have to deal with relocations upon unpacking them. Maybe that would be the reason for my DLL not working after I got the IAT :/ Thanks for the answers.
#11
What exactly is the crypter/packer you are dealing with?
Some packers support automatic decompression, such as UPX, NeoLite... I somehow doubt that's the case but... hey, any advice I can offer, you're welcome to it, I too am still learning. Regards...
#12
Having similar problem
I am facing a similar problem...
Unpacking a VBoxed exe file is easy and rather similar for any VBoxed exe file. But the unpacking of VBoxed DLL files needs a lot of time and analysis... Is there any simpler way, like what we do for exe files? For example... bp FreeLibrary when the try dialog screen comes up... followed by putting a bp on the CODE segment once it breaks and then running it, etc., leads you straight to the OEP... Is there any simpler way to do so for the DLL files also...? The way I proceed is mostly by changing the characteristics of the DLL file by subtracting 2000 from it and then opening it under Olly as an executable file... But this method is also mostly not so helpful, and finally I end up analyzing it with IDA before I get anything useful done... I'd already researched on several sites using Google and also on the RCE site, but there is no easy or methodical way to unpack the DLL files... Any pointers on this...?
#13
Hi,
I am using OllyDbg. So when I tried stepping across the LoadLibrary call, it crashed, and while running the unpacked EXE I always got 'Cannot load DLL' messages. The DLL was packed with PE-Pack I think. But I had found the OEP of the DLL by running it in Olly. So when the message appeared that it cannot load the DLL, I simply searched the modules list of the EXE and found the DLL!!! This must be some trick of the compressor. Anyway, I did a full dump of the DLL module and used the PE Editor of LordPE to change the Entry Point to the OEP. And the DLL works!!
Thomas Antony
#14
You tried to load the DLL with Olly's loaddll? Were you stepping through packer code across some calls? Some packers have trace checks. I like to put a bp on ret and then press F9 sometimes, instead of using trace till ret.
#15
As I said, trying to run the VBoxed DLLs is different, I think... as they terminate with a "vboxat not initialized successfully" or some such message...
This happens when you run the VBoxed DLLs either by themselves, by changing the characteristics to those of an exe, or by using Olly's loaddll... Letting the DLL load and then dumping it fully does not work as simply with the present versions of VBox 4.6.2... All the techniques mentioned on the RCE fora for unpacking DLLs, including the ones mentioned in this thread, fail for VBox. Can someone who has ACTUALLY unpacked VBoxed DLLs of recent apps (which use the recent versions of VBox 4.6.2) actually give the steps which they took, please...? Generic steps rather than specific ones, which work for most if not all the DLLs packed with VBox, however vague, would be helpful, from someone who has actually unpacked the DLLs recently... Thank you...