Hi all,

I've just unwrapped a program protected with VBoxm430.
After dumping and fixing the E.P. to the O.E.P, I executed the dumped file and received the message :

"File xxx can't load at the desired address, and is not relocatable".

I tought the problem was rwlated to the ImageSize and incresed it, but without sucess .

Any help will be apreciated.

Hello Ivanov !

Every Win32 program has a desired load address. This means, that it is loaded to that address if it's available. This is usually 00400000h or 10000000h.

If this address is used by a different program, the program gets relocated and is loaded to a different location in memory. This means that the loader (Windows or the packer) changes all direct memory references (i.e. Mov EAX, [00402384]) to the new load region in memory. But since the loader does not know what calls need this patching, there is a relocation table which gives information about that.

Since you don't need to relocate .EXE files normally, this table was maybe removed from the program by the author or by a packer. So it can't be relocated any more if the desired address is occupied already and you get the error you described.

VBox handles the relocation itself, so you have two possibilities getting the relocation table.

Catch it in VBox when it gets decrypted and insert it in the unpacked .EXE.
Look at which address the program is loaded by VBox, dump the program, occupy this address so VBox is forced to load it to an other address the next time, run it again, dump it again and calculate the relocation table from the differences between the two dumps.