Hero
July 5th, 2007, 02:13
Hi all
When I started reading tutorials about Armadillo, I was easily able to unpack them thanks to good tutorials, and I had no problem with Code Splicing either.
When I see a Code Spliced exe file, I normally dump the spliced code and attach it to the rebuilt dumped exe (by rebuilt, I mean the one that is dumped and has a rebuilt IAT) in a new section, and change the VA of the new section to what it should be, and the exe file works like a piece of cake. The reason this way is so easy is that the address of the spliced code in an exe file is normally above ImageBase, so I can address it without any problem and change its SectionHeader.
But when I started to unpack a DLL with code splicing, I ran into a small problem:
Because the ImageBase of DLLs is too big, the address of the spliced code is normally less than ImageBase. So I can't rebuild my PE the same way as for exes, because I can't set a negative VA.
What is the best way to attach spliced code from a DLL to it?
(I haven't seen any tutorial for unpacking DLLs with code splicing, and there is no problem with any other aspect of the unpacking except connecting this dumped spliced code to the DLL.)
Regards