help fully unpack NeoLite plz... (newsbin pro)
drak0
April 15th, 2001, 01:58
Hi,
I can't seem to get an unpacked version of newsbin to run! ( http://www.newsbin.com/cgi-bin/fcount.cgi?nb331b6.zip ) I unpacked it fine (oep: 44c41f)... but when I run the dumped version it says "The application failed to initialize properly (0xc0000005)..."
The app just ran in the tutorial that I read about neolite 2.0.
I dumped it w/ PEditor 1.7.
I was thinking that the IT was hosed... but I can't find the IAT start/length... I have only seen tuts about asprotect...
Well... i'm tired and will look again tomorrow...
Thanks in advance!
-drak0
Kayaker
April 15th, 2001, 05:46
Hi,
I think the reason for the error is a dump with PEditor is a memory dump after the program has started and certain values have been initialized, etc. You should do a raw dump of the file at the end of unpacking code with Icedump.
/DUMP 400000 [size of image] [filename]
Then use PEditor to change the OEP and use its Dumpfixer option. This should give a working program.
If you compare the 2 dumps you'll see that there are several differences in the .data section starting at Virtual Offset A8000. You can replace the already written-to .data section of the PEditor dump with the virgin one from the raw dump method to prove this is the problem.
The Imports aren't encrypted with Neolite and the program should run fine as dumped, but if you want to see them with PEditor or W32Dasm, you need to change the RVA of the Import Table to the real one, not the one pointed to in unpacking code. This is an address in the Optional Header that points to the Image_Import_Descriptor (IID) table, a set of 5 DWORDS that gives information about each dll. One way to find this address is to do a hex search for the starting address of the IAT, which is at 89000, the beginning of the .rdata section. If you search for "009008" you'll land in the middle of the IID table. Find the starting address offset for this table and change the RVA and size of the Import Table as shown in PEditor to the correct values (A4F90 and 104) and you should see the proper Imports in a disassembly.
Kayaker
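The IID-table hunt Kayaker describes above (search the dump for references to the IAT start, find where the run of 5-DWORD descriptors begins, then write that RVA and size into the Import Table entry of the Optional Header) can be automated. The script below is an added example and is not code from the thread or from any of the tools mentioned; it assumes a raw dump in which file offset equals RVA (what an Icedump /DUMP from the image base gives you), and it runs against a small synthetic image constructed in-line rather than the newsbin dump, so the RVAs 0x1000/0x1800/0x2000 and the DLL names are made up for the demonstration. On a real dump you would pass the dump bytes and the IAT range you read off the .rdata section (89000 in the thread) and expect values like A4F90/104 back.

```python
"""Locate the IMAGE_IMPORT_DESCRIPTOR (IID) table in a raw memory dump by
scanning for descriptors whose FirstThunk points into a known IAT, then
patch the Import Directory entry of the Optional Header.

Added example, not from the thread. Assumes a raw dump where offset == RVA.
"""
import struct

DESC_SIZE = 20  # sizeof(IMAGE_IMPORT_DESCRIPTOR): 5 DWORDs


def read_u32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def plausible_dll_name(img, rva):
    """The Name RVA must land inside the image on a short, NUL-terminated, printable ASCII string."""
    if rva == 0 or rva >= len(img):
        return False
    end = img.find(b"\x00", rva, min(len(img), rva + 64))
    if end <= rva + 4:            # no terminator nearby, or name too short to be "x.dll"
        return False
    return all(0x21 <= c < 0x7F for c in img[rva:end])


def find_import_table(img, iat_rva, iat_size, align=4):
    """Scan for the first run of valid descriptors whose FirstThunk lies in [iat_rva, iat_rva+iat_size).

    Returns (table_rva, table_size). The size includes the terminating all-zero descriptor,
    which is how the PE Import Directory size is conventionally counted (e.g. 13 * 20 = 0x104).
    """
    def valid(off):
        _orig_thunk, _stamp, _fwd, name, first = struct.unpack_from("<5I", img, off)
        return iat_rva <= first < iat_rva + iat_size and plausible_dll_name(img, name)

    for off in range(0, len(img) - DESC_SIZE, align):
        if not valid(off):
            continue
        end = off
        while end + DESC_SIZE <= len(img) and valid(end):   # walk to the end of the run
            end += DESC_SIZE
        if end + DESC_SIZE <= len(img) and img[end:end + DESC_SIZE] == b"\x00" * DESC_SIZE:
            return off, end + DESC_SIZE - off
    return None


def patch_import_directory(img, table_rva, table_size):
    """Write (RVA, Size) into DataDirectory[1] (IMAGE_DIRECTORY_ENTRY_IMPORT) in place; returns what was written."""
    e_lfanew = read_u32(img, 0x3C)
    if img[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                     # skip signature + IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", img, opt)[0]
    dd_off = 96 if magic == 0x10B else 112      # DataDirectory offset for PE32 / PE32+
    entry = opt + dd_off + 8 * 1
    struct.pack_into("<II", img, entry, table_rva, table_size)
    return read_u32(img, entry), read_u32(img, entry + 4)


def build_test_image():
    """Constructed stand-in for a raw dump (not real newsbin data): DOS stub, PE headers with a bogus
    Import Directory left by unpacking code, two descriptors at RVA 0x1000, names at 0x1800, IAT at 0x2000."""
    img = bytearray(0x3000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\x00\x00"
    struct.pack_into("<H", img, 0x80 + 24, 0x10B)              # PE32 optional header magic
    struct.pack_into("<II", img, 0x80 + 24 + 96 + 8, 0xDEAD, 0x14)  # bogus import dir (hypothetical)
    for rva, s in ((0x1800, b"KERNEL32.dll\x00"), (0x1810, b"USER32.dll\x00")):
        img[rva:rva + len(s)] = s
    # IAT: two resolved slots + NUL per DLL (addresses arbitrary)
    struct.pack_into("<6I", img, 0x2000, 0x77E00000, 0x77E00010, 0, 0x77D00000, 0x77D00010, 0)
    # descriptors: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    struct.pack_into("<5I", img, 0x1000, 0x1100, 0, 0, 0x1800, 0x2000)
    struct.pack_into("<5I", img, 0x1014, 0x1110, 0, 0, 0x1810, 0x200C)
    return img


if __name__ == "__main__":
    image = build_test_image()
    rva, size = find_import_table(image, iat_rva=0x2000, iat_size=0x18)
    print("IID table at RVA %X, size %X" % (rva, size))
    print("Import Directory now:", tuple(hex(v) for v in patch_import_directory(image, rva, size)))
```

The name check is what keeps a plain "search for 009008"-style hit from being mistaken for the table start: a real descriptor has both a FirstThunk inside the IAT and a Name RVA that lands on a DLL string, and the table ends with an all-zero descriptor, which the size must include. After patching, reopen the dump in PEditor or W32Dasm to confirm the imports resolve.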
drak0
April 15th, 2001, 09:24
Hi Kayaker... let me explain exactly what I did and you can tell me if it's wrong or not....
Quote:
Kayaker (04-15-2001 03:46):
Hi,
I think the reason for the error is a dump with PEditor is a memory dump after the program has started and certain values have been initialized, etc. You should do a raw dump of the file at the end of unpacking code with Icedump.
/DUMP 400000 [size of image] [filename]
Then use PEditor to change the OEP and use its Dumpfixer option. This should give a working program.
Ok, at first (because I didn't know it was neolite) I did a 'bpx getversion' and when the target broke, I scrolled up and there was the OEP. I did a 'bpm 44c41f x' and reran the program ==> it broke at the OEP. I then changed the code to 'jmp eip' (but I wrote down the values that I overwrote). I got out of SI and did a full dump with PEditor. I opened the dump w/ hiew, went to offset 4c41f and changed the 2 bytes back. And finally I changed the entry point of the dump.exe.
That should give me a working dump right???? That's the same thing as using icedump right? I would use icedump but I'm using win2k and SI from the new driver studio... and when I patch ntice.sys, reboot, and fire up SI, I get a BSOD
As far as the other stuff you said... i'm going to have to read that again
Thanks!
-drak0
SpeKKeL
April 15th, 2001, 14:07
Hi DraK0
Try trw2000 > bpx 44c41f > makepe > fully unpacked and just run fine......(957kb)
SpeKKeL
drak0
April 15th, 2001, 15:43
Quote:
SpeKKeL (04-15-2001 12:07):
Hi DraK0
Try trw2000 > bpx 44c41f > makepe > fully unpacked and just run fine......(957kb)
SpeKKeL
hi spekkel,
I would love to try TRW2000... but there is NO nt support (win2k sp1)

I don't get why the hell this is being so difficult...
the dump I make w/ pedump is 944kb and w/ procdump is 916kb I believe....
this should work???
-drak0
drak0
April 15th, 2001, 15:47
Oh yeah, I also dumped with the new version of NT ice dump... and got the exact same results as w/ PEditor (after I realigned the sections w/ 'dumpfixer')

goatass
April 15th, 2001, 15:50
sup drak0
Well I haven't looked at the program but it seems like something similar to what Kayaker said, the error you are getting doesn't look like an error from a bad pe header or executable. Try breaking on the messagebox that gives the error and see what calls it and try to figure it out from there.
goatass
Kayaker
April 15th, 2001, 23:03
Hi,
I did a dump as you did by setting a 'jmp eip' at the end of unpacking code and dumping with PEditor and, not surprisingly, got an identical working dump as when doing a raw dump with Icedump. Sorry, I hadn't realized from your 1st post that you had done it this way, I thought maybe you had done an image dump after the program had started and this was the cause of your problem.
So it sounds like this might be a Win2K specific problem and you need to scope it out on your system as goatass suggests.
Regards,
Kayaker