Hi Guys,
Thanks for your help. Two things.

1. I was not sure that I was dumping the DLL correctly, but looking at other posts on hxxp://www.woodmann.net I realized I was dumping correctly.

2. I was incorrectly calculating my relative offset for the entry point to patch the PE header with.

What happened was (and these values are for one specific dump):

The DLL entry point was at 09F1000 but the PE Header started at 09F0000.

The OEP was at 0A79000 (for example) [ quite a large DLL unpacked ]

I was subtracting the DLL entry point and not the PE Header offset to get the Base Address Modifier value. (STUPID STUPID)

Now when I put in the correct address I did not even need to use IMPRec ... I simply edited the dumped DLL using LORDPE and bingo it fucking worked!

Thanks for your help and sorry for my stupidity !!!

Here are some references for anybody else having trouble with this:

hxxp://www.woodmann.net/forum/showthread.php?t=5898&highlight=dump+dll
hxxp://www.woodmann.net/forum/showthread.php?t=3824&highlight=dump+dll

Here is a brilliant article on just this type of thing:

hxxp://www.woodmann.net/yates/lad.txt

l8r
REDBull

Last edited by redbull; 07-07-2004 at 18:40.
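Added example, not part of the original post: the calculation described above, where the value written to the PE header's AddressOfEntryPoint is the OEP minus the address at which the PE header is mapped, followed by a bounds check against SizeOfImage. The function names, the minimal header and its SizeOfImage value are constructed for illustration; only the three addresses come from the post.

```python
import struct

def entry_point_rva(load_base: int, oep_va: int) -> int:
    """RVA = virtual address minus the address where the PE header is mapped."""
    if oep_va < load_base:
        raise ValueError("OEP lies below the module's load base")
    return oep_va - load_base

def patch_entry_point(image: bytes, load_base: int, oep_va: int) -> bytes:
    """Return a copy of a dumped PE image with AddressOfEntryPoint set to the OEP's RVA."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    (size_of_image,) = struct.unpack_from("<I", image, opt + 56)
    rva = entry_point_rva(load_base, oep_va)
    if rva >= size_of_image:
        raise ValueError(f"RVA {rva:#x} is outside SizeOfImage {size_of_image:#x}")
    patched = bytearray(image)
    struct.pack_into("<I", patched, opt + 16, rva)  # AddressOfEntryPoint
    return bytes(patched)

def read_entry_point(image: bytes) -> int:
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    return struct.unpack_from("<I", image, e_lfanew + 24 + 16)[0]

def make_sample_header(entry_rva: int, size_of_image: int) -> bytes:
    """Constructed minimal PE32 header holding only the fields this example reads."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)  # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", buf, opt, 0x10B)
    struct.pack_into("<I", buf, opt + 16, entry_rva)
    struct.pack_into("<I", buf, opt + 56, size_of_image)
    return bytes(buf)

# Addresses from the post: PE header, packed DLL entry point, OEP.
LOAD_BASE, PACKED_EP, OEP = 0x09F0000, 0x09F1000, 0x0A79000
if __name__ == "__main__":
    dump = make_sample_header(PACKED_EP - LOAD_BASE, 0x100000)  # SizeOfImage is constructed
    print(hex(read_entry_point(patch_entry_point(dump, LOAD_BASE, OEP))))
```

Subtracting the packed entry point instead of the header address gives a value 0x1000 too small for these addresses, which is the mistake the post describes.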