zacdac
June 12th, 2002, 15:28
G'day..
I’m seeking some help with unpacking DLLs and restoring their relocations.
I have no problem unpacking an exe/dll at a fixed image base.
However I have never seen any tutorials/information on how to dump/reconstruct the relocations.
I have put together a very simple project. It consists of an executable and a DLL. The exe loads the DLL at runtime and calls one of the DLL's exported functions, which displays a messagebox.
The dll is packed with upx to keep things simple.
Both the exe and dll have an imagebase of 00400000 so that the dll will be forced to use an alternative imagebase when it is loaded, and therefore use the relocations table.
I read one post that suggested you do the following:
1) dump the dll using its default imagebase.
2) dump the dll after the sections are unpacked but before the relocations are performed.
3) fix the PE header to restore the relocations table.
Task 1) can be done by converting the dll to an exe (note: you have to modify the first jnz in the upx unpacking runtime in order for it to unpack) and then dumping the dll as normal.
Task 2) I have tracked the code and think I have found where the code is unpacked before the relocations are performed. In the upx unpacking runtime, about half way is a “pop esi” which is jumped to after the code is unpacked.
The next half of the routine reconstructs the linked addresses in the dll (the imports first and then the relocations).
I assume UPX has to do this because the packed dll has no relocations, so the runtime needs to uncompress the .rloc section and then perform the task that the OS loader would normally perform.
Task 3) Well this is where I am struggling.
Can somebody let me know if it is possible to unpack a dll with the relocations? If yes, then I am hoping that, by putting together some simple files, somebody can demonstrate the technique. Then I can put together a nice little tutorial to fill the void.
Thanks,
Zac
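The standard answer to task 3) is a two-dump diff: take two full SizeOfImage dumps of the same unpacked image at two different image bases, and every 32-bit slot whose value moved by exactly (base_b - base_a) is an absolute pointer the loader (or UPX's stub) fixed up, i.e. a lost relocation entry. Those RVAs are then serialized back into IMAGE_BASE_RELOCATION blocks (one block per 4 KiB page, WORD entries of type<<12 | page offset, type 3 = HIGHLOW) and appended to the file as a new section. The script below is an added example written for this thread, not code from the original post; make_toy_image() is a constructed stand-in for a memory dump (a flat 8 KiB blob with a few x86 instructions carrying absolute operands plus a pointer table, not a real PE), and the function names are my own. With real dumps you would read the two files in place of make_toy_image().

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, skipped by the loader
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address: add the base delta
PAGE_MASK = 0xFFF


def find_fixups(dump_a, base_a, dump_b, base_b):
    """Diff two same-size dumps of one unpacked image taken at image bases
    base_a and base_b; return the RVAs of every 32-bit slot whose value moved
    by exactly (base_b - base_a). Scans every byte offset, because operands
    embedded in x86 instructions are rarely 4-byte aligned."""
    if len(dump_a) != len(dump_b):
        raise ValueError("dumps must have the same SizeOfImage")
    delta = (base_b - base_a) & 0xFFFFFFFF
    rvas, rva = [], 0
    while rva + 4 <= len(dump_a):
        va = struct.unpack_from("<I", dump_a, rva)[0]
        vb = struct.unpack_from("<I", dump_b, rva)[0]
        if va != vb and (vb - va) & 0xFFFFFFFF == delta:
            rvas.append(rva)
            rva += 4          # a pointer cannot overlap the one just found
        else:
            rva += 1
    return rvas


def build_reloc_section(rvas):
    """Serialize fixup RVAs as IMAGE_BASE_RELOCATION blocks: DWORD page RVA,
    DWORD SizeOfBlock, then WORD entries (type << 12 | offset). An odd block
    is padded with an ABSOLUTE entry so every block stays DWORD-aligned."""
    by_page = {}
    for rva in sorted(rvas):
        by_page.setdefault(rva & ~PAGE_MASK, []).append(rva & PAGE_MASK)
    out = bytearray()
    for page in sorted(by_page):
        entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | off for off in by_page[page]]
        if len(entries) % 2:
            entries.append(IMAGE_REL_BASED_ABSOLUTE << 12)
        out += struct.pack("<II", page, 8 + 2 * len(entries))
        out += struct.pack("<%dH" % len(entries), *entries)
    return bytes(out)


def apply_relocs(image, reloc, old_base, new_base):
    """Loader-style fixup pass over a rebuilt table, used to check that the
    table really moves the image from old_base to new_base."""
    img = bytearray(image)
    delta = (new_base - old_base) & 0xFFFFFFFF
    pos = 0
    while pos + 8 <= len(reloc):
        page, size = struct.unpack_from("<II", reloc, pos)
        if size < 8 or size % 2:
            raise ValueError("corrupt relocation block at %#x" % pos)
        for entry in struct.unpack_from("<%dH" % ((size - 8) // 2), reloc, pos + 8):
            typ, off = entry >> 12, entry & PAGE_MASK
            if typ == IMAGE_REL_BASED_HIGHLOW:
                val = struct.unpack_from("<I", img, page + off)[0]
                struct.pack_into("<I", img, page + off, (val + delta) & 0xFFFFFFFF)
            elif typ != IMAGE_REL_BASED_ABSOLUTE:
                raise ValueError("unsupported relocation type %d" % typ)
        pos += size
    return bytes(img)


def make_toy_image(base, size=0x2000):
    """Constructed stand-in for a dump of the unpacked DLL mapped at `base`
    (not a real PE): two instructions with absolute operands, a pointer
    table in the second page, and one constant that is not a pointer."""
    img = bytearray(size)
    img[0x10] = 0xA1                                  # mov eax, [base+0x1800]
    struct.pack_into("<I", img, 0x11, base + 0x1800)  # operand at unaligned RVA 0x11
    img[0x15] = 0x68                                  # push base+0x1000
    struct.pack_into("<I", img, 0x16, base + 0x1000)
    for i, target in enumerate((0x20, 0x40, 0x60)):   # function pointer table
        struct.pack_into("<I", img, 0x1000 + 4 * i, base + target)
    struct.pack_into("<I", img, 0x1800, 0x12345678)   # same at any base, never a fixup
    return bytes(img)


def rebuild_and_verify(base_a=0x00400000, base_b=0x10000000):
    """Diff the two constructed dumps, rebuild .reloc bytes, re-apply them as
    a loader would, and report whether the result equals the base_b dump."""
    dump_a, dump_b = make_toy_image(base_a), make_toy_image(base_b)
    rvas = find_fixups(dump_a, base_a, dump_b, base_b)
    reloc = build_reloc_section(rvas)
    ok = apply_relocs(dump_a, reloc, base_a, base_b) == dump_b
    return rvas, reloc, ok


if __name__ == "__main__":
    rvas, reloc, ok = rebuild_and_verify()
    print("fixups at RVAs:", [hex(r) for r in rvas])
    print(".reloc bytes:", reloc.hex())
    print("round-trip OK" if ok else "MISMATCH")
```

What is left after this is PE editing, not automated here: append the returned bytes as a new section, point the base relocation data directory (entry 5) at it with the blob's size, and clear IMAGE_FILE_RELOCS_STRIPPED (0x0001) in the file header Characteristics if the packer set it. Two caveats a practitioner should keep in mind: the diff only finds HIGHLOW fixups (fine for a 32-bit DLL), and any DWORD that happens to change by exactly the delta for some other reason, for instance a variable the unpacker stub itself wrote between the two dumps, will be mistaken for a pointer. So take both dumps at the same stage of the stub with as little of the DLL's own code executed as possible, and diff against the loaded-at-default-base dump from task 1).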