View Full Version : My dll is now unpacked and cracked, but...


UltimAtomMAX
September 16th, 2002, 11:53
ASProtect 1.2
Dumped with LordPE, IAT with RV (all resolved)
Fixed EIP, Import directory, etc...
LordPE Rebuild PE options : - Status win - Rebuild IT - Valid PE.

It works fine for me, but...
These dlls fail to be loaded on other computers...
Maybe it is a reloc table problem, but if it is that, I don't know the process to rebuild a reloc table...

DakienDX
September 16th, 2002, 12:55
Hello UltimAtomMAX !

If it's just a relocation problem, this should be quite easy.

You don't need to rebuild the relocations, they're in their original form in the dump you've made. You just need to fix the entry in the image directory. You must put the original position and length in there.

You could rebase the image base to its old value too, but that's just a cosmetic change and only works if you've fixed the relocation table.

If this doesn't work, how does the DLL "fail" to load on other computers? (DLL not found, Import not found, crash, BSOD, ...)

UltimAtomMAX
September 16th, 2002, 13:39
How could I find "the original position and length" of relocations, because this is the same for the ASpacked & Dumped file, so when I check directories under LordPE...

In the ASpacked one:
Relocation: 0019590C Size: 00000008

In the Dumped & Rebuilt one:
Relocation: 0019590C Size: 00000008

Image base of the ASpacked dlls is still the same as the dumped ones:
ImageBase: 10000000

UltimAtomMAX
September 16th, 2002, 13:40
Message :
"Failed to load xxxx.dll"

DakienDX
September 16th, 2002, 18:13
Hello UltimAtomMAX !

The relocations are a whole section. You must check every section to see if (nearly) every second byte is a value between 30h and 3Fh.
Take this section as the start address and the length is how long it is to the end of the relocations, where all the 00h until the end of the section begin.

Check if the dump really has a base address of 10000000h. The header is taken from the disk, but in memory there might be a different address.

Go to the OEP and see if you've something like
Code:
10023456: Call DWord Ptr [10045678]
in the code. (offsets are chosen at random, but the image base must be the same)

If you've something like
Code:
10023456: Call DWord Ptr [016B5678]
you must change the image base to the right value.

The error message looks like the DLL tries to load into address space which is already used by another EXE/DLL, which happens if there is a relocation problem. (no or invalid relocations)
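
Added example, not part of the original thread: the check described in the post above (find the section where nearly every second byte is 30h-3Fh, then measure up to the zero fill) written as a walker over relocation blocks. The 3xh bytes are the high byte of each 16-bit entry, whose top nibble is the type (3 for a 32-bit fixup). The function names and sample sections are constructed for illustration, and the code assumes a 32-bit x86 image whose relocation data starts at the beginning of its section.

```python
import struct

ABSOLUTE, HIGHLOW = 0, 3  # IMAGE_REL_BASED_* types; HIGHLOW entries are 3xxxh

def walk_reloc_blocks(data):
    """Walk IMAGE_BASE_RELOCATION blocks from offset 0 of a section.

    Returns (table_length, fixup_rvas); stops at the zero fill after the
    last block or at the first block that is not well formed.
    """
    pos, rvas = 0, []
    while pos + 8 <= len(data):
        page_rva, block_size = struct.unpack_from("<II", data, pos)
        # Header is 8 bytes, blocks are DWORD aligned, pages are 4 KiB aligned.
        if block_size < 8 or block_size % 4 or page_rva % 0x1000:
            break
        if pos + block_size > len(data):
            break
        block = []
        for (entry,) in struct.iter_unpack("<H", data[pos + 8:pos + block_size]):
            kind, offset = entry >> 12, entry & 0x0FFF
            if kind == HIGHLOW:
                block.append(page_rva + offset)
            elif kind != ABSOLUTE:      # not a 32-bit x86 relocation block
                return pos, rvas
        rvas += block
        pos += block_size
    return pos, rvas

def find_reloc_directory(sections):
    """sections: iterable of (name, rva, raw_bytes). Returns (rva, size) or None."""
    for name, rva, data in sections:
        size, rvas = walk_reloc_blocks(data)
        # Accept only if fixups were found and everything after them is 00h.
        if rvas and not any(data[size:]):
            return rva, size
    return None

# Constructed sample: a code-like section and a section holding two blocks.
block1 = struct.pack("<II4H", 0x1000, 16, 0x3010, 0x3024, 0x3138, 0x0000)
block2 = struct.pack("<II2H", 0x2000, 12, 0x3004, 0x3FFC)
SAMPLE = [(".text", 0x1000, bytes.fromhex("558bec83ec10") + bytes(250)),
          (".reloc", 0x5000, block1 + block2 + bytes(0x200 - 28))]

if __name__ == "__main__":
    rva, size = find_reloc_directory(SAMPLE)
    print("Relocation: %08X Size: %08X" % (rva, size))
```

The returned pair is what belongs in the relocation entry of the data directory: the section's RVA as the position and the walked length as the size.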

UltimAtomMAX
September 17th, 2002, 00:51
Thank you very very very much !!!
This is my first dump and it works very fine now !!!
I love you DakienDX ( in MegaMan X5 too )