#1
Hrm. I'll have to read more tuts on unpacking. I didn't know I'd have to deal with relocations upon unpacking them. Maybe that would be the reason for my DLL not to work after I got the IAT :/ Thanks for the answers.
#2
What exactly is the crypter/packer you are dealing with?
Some packers support automatic decompression, such as upx, neolite... I somehow doubt that's the case but... hey, any advice I can offer, you're welcome to it. I too am still learning. Regards...
__________________
Even as darkness envelops and consumes us, wrapping around our personal worlds like the hand that grips around our necks and suffocates us, we must realize that life really is beautiful and the shadows of despair will scurry away like the fleeting roaches before the light.
#3
Having similar problem
I am facing a similar problem...
Unpacking a vboxed exe file is easy and rather similar for any vboxed exe file. But the unpacking of vboxed dll files is needing a lot of time and analysis... Is there any simpler way like what we do for exe files... For example... bp FreeLibrary when the try dialog screen comes up... Followed by putting a bp on the CODE segment once it breaks and then running it etc. leads you straight to the OEP... Is there any simpler way to do so for the dll files also...? The way I proceed is mostly by changing the characteristics of the dll file by subtracting 2000 from it and then opening it under Olly as an executable file... But this method is also mostly not so helpful, and finally I end up analyzing it with IDA before I get anything useful done... I'd already researched on several sites using Google and also on the RCE site but there is no easy or methodical way to unpack the dll files... Any pointers on this...?
#4
Hi,
I am using OllyDbg. So when I tried stepping across the load library call, it crashed and any while running the unpacked EXE I always got 'Cannot load DLL' messages. The DLL was packed with PE-Pack I think. But I had found the OEP of the DLL by running it in Olly. So when the message appeared that it cannot load dll, I simply searched the modules list of the EXE and found the DLL!!! This must be some trick of the compressor. Anyway, I did a full dump of the DLL module and used the PE Editor of LordPE to change the Entrypoint to the OEP. And the DLL works!!
Thomas Antony
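
An added example, not part of the thread or any poster's code: a read-only Python check of the three PE header fields the posts above revolve around, namely the 0x2000 (IMAGE_FILE_DLL) bit in Characteristics, the entry point RVA, and the base relocation directory. The names `inspect_pe` and `build_sample` are hypothetical, and the sample headers are constructed for the demonstration.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_DLL = 0x2000          # the "2000" in the Characteristics field
DIR_BASERELOC = 5                # index of the base relocation data directory

def inspect_pe(data):
    """Read-only check of the header fields a dumped DLL most often gets wrong."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                 # signature (4) + COFF header (20)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("not a PE32/PE32+ optional header")
    (entry,) = struct.unpack_from("<I", data, opt + 16)
    dirs = opt + (96 if magic == 0x10B else 112)  # start of the data directories
    (ndirs,) = struct.unpack_from("<I", data, dirs - 4)
    reloc_size = struct.unpack_from("<II", data, dirs + 8 * DIR_BASERELOC)[1] if ndirs > DIR_BASERELOC else 0
    entry_section = None
    for i in range(nsect):
        name, vsize, vaddr, raw = struct.unpack_from("<8sIII", data, opt + opt_size + 40 * i)
        if vaddr <= entry < vaddr + max(vsize, raw):
            entry_section = name.rstrip(b"\0").decode("ascii", "replace")
    warnings = []
    if not chars & IMAGE_FILE_DLL:
        warnings.append("IMAGE_FILE_DLL is clear: the loader treats this file as an EXE")
    if entry and entry_section is None:
        warnings.append("entry point RVA is outside every section")
    if chars & IMAGE_FILE_RELOCS_STRIPPED or reloc_size == 0:
        warnings.append("no base relocations: image loads only at its preferred base")
    return {"is_dll": bool(chars & IMAGE_FILE_DLL), "entry_rva": entry,
            "entry_section": entry_section, "reloc_size": reloc_size, "warnings": warnings}

def build_sample(chars, entry, reloc=(0, 0)):
    """Constructed PE32 headers only (no section data), for demonstration."""
    opt = bytearray(224)                          # 96 fixed bytes + 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry)
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 8 * DIR_BASERELOC, *reloc)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), chars)
    text = struct.pack("<8sIIII", b".text", 0x1000, 0x1000, 0x1000, 0x400) + bytes(16)
    rel = struct.pack("<8sIIII", b".reloc", 0x200, 0x3000, 0x200, 0x1400) + bytes(16)
    return dos + b"PE\0\0" + coff + bytes(opt) + text + rel
```

Running `inspect_pe(open(path, "rb").read())` on a dump before trying to load it shows whether the DLL flag, entry point and relocation data are consistent.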