|
|
#14
08-28-2005, 02:44
|
|||
|
|||
|
Okay here's a summary of things I found.
If you load the protected DLL in to PE Explorer it shows the OEP as 0137567h, running Avatar's script it shows the OEP as 0137568h, a difference of one byte. How can the OEP of the protected DLL be one byte away from the security DLL? Does this suggest to me that the init/unpack is called from entry itself = DllMain()? I tried using 0137568h with ImpRec a second time, and there were no invalid thunks this time. I fixed the dump again and it still fails to run with no error message. @taos/Archer from what I understand from reading the archives is that this CRC happened before because I used the OEP $xxxxxx7 instead of $xxxxxx8. I notice the there is a entry to the CreatFilea API so I'll have a look at that anyway. EDIT: Nope I tried $xxxxxx7 as OEP again and it behaves the same, no error message and no run.  Is likely that IAT of the dumped file is being destroyed? I've read that I need to patch a magic jump to prevent the IAT from being destroyed. Sorry for all these question, but I'm finding most of the info out there is about packed EXEs not DLLs. Last edited by 5Alive; 08-28-2005 at 03:04. 
|
| Thread Tools | |
| Display Modes | |
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Why can't I re-Dillo it? | Flagmax | General Discussion | 8 | 07-31-2004 03:30 |
Threaded Mode