Exetools  

Old 07-02-2004, 19:14
redbull
Correctly Dumping Unpacked DLLs

Hi Guys (and gals),

I have been working on a dll which is packed by ASPack 2.12. Not hard to unpack at all..

I simply open in OLLYDebug (using LoadDLL.EXE).

The packed entry point is the instruction PUSHAD.
I then put a read breakpoint on the word pointed to by [ESP] and then run..
After the breakpoint, you step over about 5 lines and boom you are at the entry. (Thanks for the Tutorial on this)

Now all the unpack guides I have all deal with unpacking and dumping EXE files. So normally you would open OLLYDump and calc the new base address and dump the process.. Then fix the imports and everything is 100%.

With Ollydump you can't dump a DLL (not that I can see).. Obviously because the DLL is not what was loaded into OLLYDebug but rather the wrapper LOADDLL.EXE loaded the dll. (OLLYDump gives an error like "Cannot read memory address 0401000 ... 04a7000") and does not dump at all.

Also I found that the Base Address Modifier calculation is not right (probably for the same reason)... So I manually worked this out (not hard) to about $34576.. but still no dump ...

Ok so I loaded a number of dumpers. One I tried was PETools ... So I find the LoadDLL.EXE process ... Click Choose DLL and choose the DLL I want to dump. It finds it ok ... and I right click ... Full Dump ...

Ok now the DLL is dumped but the imports are screwed (Also when I load the file into anything it says the PE header is screwed). The exports are fine though. (duh hehehe)

So then I try to use IMPRec to rebuild the imports... So I choose the LoadDLL.EXE process .. and the DLL and I choose Auto Search ... Nothing (error message "no suitable imports at that entry point") ... So then I changed the Entry point from 80100 to the new address (I tried the actual memory OEP and also the file offset to the OEP) .. nothing.. It says "That memory address does not belong to that process".

Please help me correctly dump this DLL and rebuild the import table. I am comfortable with both OLLYDebug and Softice

Thanks in advance

REDBull

Last edited by redbull; 07-02-2004 at 19:16.
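
Added example, not part of the original post or of any tool it names: a Python check for the two symptoms described above. It converts an address read in the debugger to an RVA relative to the DLL's own load base rather than the loader EXE's, and lists sections whose raw file offsets no longer match a dump written in memory layout. The function names, the sample header and the load base 0x00A70000 are constructed for illustration; the dump is assumed to be PE32 and written in memory layout.

```python
import struct

def parse_pe(img: bytes):
    """Return (image_base, entry_rva, size_of_image, sections) for a PE32 image."""
    pe = struct.unpack_from("<I", img, 0x3C)[0]            # e_lfanew
    if img[:2] != b"MZ" or img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("MZ/PE signature missing")
    nsec, opt_size = struct.unpack_from("<H12xH", img, pe + 6)
    opt = pe + 24                                          # optional header
    if struct.unpack_from("<H", img, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    # AddressOfEntryPoint (+16), ImageBase (+28), SizeOfImage (+56)
    entry_rva, image_base, size_of_image = struct.unpack_from("<I8xI24xI", img, opt + 16)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name = img[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<4I", img, off + 8)
        sections.append((name, vsize, vaddr, rsize, rptr))
    return image_base, entry_rva, size_of_image, sections

def va_to_rva(va, load_base, size_of_image):
    """Turn an address read in the debugger into an RVA of the DLL at load_base."""
    rva = va - load_base
    if not 0 <= rva < size_of_image:
        raise ValueError(f"{va:#x} is outside the module mapped at {load_base:#x}")
    return rva

def stale_raw_offsets(sections):
    """Sections whose PointerToRawData != VirtualAddress. Assumption: the dump
    was written in memory layout, so such headers still hold on-disk offsets."""
    return [s[0] for s in sections if s[4] != s[2]]

def build_sample():
    """Constructed two-section PE32 header for the demo (not data from the post)."""
    img = bytearray(0x400)
    img[:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)
    struct.pack_into("<HH12xH", img, 0x84, 0x14C, 2, 0xE0)
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)
    # entry point RVA, preferred ImageBase, SizeOfImage (all constructed values)
    struct.pack_into("<I8xI24xI", img, opt + 16, 0x1000, 0x10000000, 0x3000)
    for i, (name, vaddr, rptr) in enumerate([(b".text", 0x1000, 0x400),
                                             (b".data", 0x2000, 0x2000)]):
        struct.pack_into("<8s4I", img, opt + 0xE0 + 40 * i,
                         name, 0x1000, vaddr, 0x1000, rptr)
    return bytes(img)
```

An address inside the loader's own range, such as 0x00401000, is rejected by `va_to_rva` when the DLL is mapped elsewhere.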