Exetools  

#1
07-03-2004, 01:07
asterix
For ASPack, ImpRec is not needed.

_______________
Best regards,
Asterix

#2
07-03-2004, 01:16
ricnar456
IMP REC and Dlls

I only say that by changing a mark in the IMP REC options, it works with DLLs (obviously, if it is necessary).
I only unpack armadillos and asprotected DLLs, and it is necessary in these cases.

Ricardo

#3
07-07-2004, 18:03
redbull
Hi Guys,

Thanks for your help.

Two things.

1. I was not sure that I was dumping the DLL correctly. But looking at other posts on hxxp://www.woodmann.net I realized I was dumping correctly.

2. I was incorrectly calculating my relative offset for the entry point, to patch the PE header with.

What happened was (and these values are for one specific dump)

The DLL entry point was at 09F1000 but the PE Header started at 09F0000.

The OEP was at 0A79000 (for example) [ quite a large DLL unpacked ] I was subtracting the DLL entry point and not the PE Header offset to get the Base Address Modifier value. (STUPID STUPID)

Now when I put the correct address I did not even need to use IMPRec ... I simply edited the dumped DLL using LORDPE and bingo it fucking worked!

Thanks for your help and sorry for my stupidity !!!

Here are some references for anybody else having trouble with this:

hxxp://www.woodmann.net/forum/showthread.php?t=5898&highlight=dump+dll

hxxp://www.woodmann.net/forum/showthread.php?t=3824&highlight=dump+dll

Here is a brilliant article on just this type of thing
hxxp://www.woodmann.net/yates/lad.txt

l8r

REDBull

Last edited by redbull; 07-07-2004 at 18:40.
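
The relative-offset calculation from this post, as an added example that is not part of the original thread: the value written to the PE header's AddressOfEntryPoint is the OEP minus the address where the PE header starts. The three addresses are the ones quoted in the post; the header-only sample buffer and all function names are constructed for illustration.

```python
import struct

def entry_point_rva(oep_va, image_base):
    """RVA = virtual address minus the address where the PE header (image) starts."""
    if oep_va < image_base:
        raise ValueError("OEP lies below the image base")
    return oep_va - image_base

def aep_offset(pe):
    """File offset of OptionalHeader.AddressOfEntryPoint, after sanity checks."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # 4-byte signature + 20-byte file header + 16 bytes into the optional header
    return e_lfanew + 4 + 20 + 16

def read_entry_point(pe):
    return struct.unpack_from("<I", pe, aep_offset(pe))[0]

def patch_entry_point(pe, oep_va, image_base):
    """Return a copy of the dump with AddressOfEntryPoint set to the OEP's RVA."""
    out = bytearray(pe)
    struct.pack_into("<I", out, aep_offset(pe), entry_point_rva(oep_va, image_base))
    return bytes(out)

def make_sample_dump(entry_rva):
    """Constructed, header-only stand-in for a dumped DLL (not a loadable file)."""
    e_lfanew = 0x80
    buf = bytearray(e_lfanew + 4 + 20 + 0xE0)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, e_lfanew + 4 + 20, 0x10B)  # PE32 optional header magic
    struct.pack_into("<I", buf, e_lfanew + 4 + 20 + 16, entry_rva)
    return bytes(buf)

# Addresses quoted in the post (values for one specific dump)
PE_HEADER_VA = 0x09F0000   # where the PE header starts
DLL_EP_VA    = 0x09F1000   # the DLL entry point before the fix
OEP_VA       = 0x0A79000   # original entry point

if __name__ == "__main__":
    dump = make_sample_dump(DLL_EP_VA - PE_HEADER_VA)
    fixed = patch_entry_point(dump, OEP_VA, PE_HEADER_VA)
    print(hex(read_entry_point(dump)), "->", hex(read_entry_point(fixed)))
    print("subtracting the DLL entry point instead gives", hex(OEP_VA - DLL_EP_VA))
```

Subtracting the DLL entry point instead of the PE header address leaves the result 0x1000 short, which is the mistake the post describes.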

#4
07-07-2004, 19:09
JMI
Hum..... There is something quite familiar about those references... I just can't quite get my fingers on it, but I'd swear I have seen them somewhere before.

But that happens when one gets older. You begin to think you've seen most everything before. I think I know someone named Woodmann though, just can't remember from where.

Regards,
__________________
JMI

#5
07-07-2004, 20:37
redbull
Quote:
Originally Posted by JMI
There is something quite familiar about those references... I just can't quite get my fingers on it, but I'd swear I have seen them somewhere before.

But that happens when one gets older. You begin to think you've seen most everything before. I think I know someone named Woodmann though, just can't remember from where.

HEHHEE

Well I guess it is a lesson for me ... Check with the other Forums before you post a dumbass question :P

hehehe

All times are GMT +8.