
[q] Unpack of uncompressed exe.


panicshift
December 7th, 2002, 17:12
I try to dump calc.exe, which is not compressed.

So I run calc.exe, and in LordPE I do a dump.

I confirmed that the entry address is the same.

But dumped.exe crashes.

What's the problem?

Is this a LordPE problem?


My steps:

1. Run uncompressed calc.exe

2. Full dump with LordPE (option: Full dump: force RAW mode)

3. And run dumped.exe, but it crashes..

file size : same
Entry Addr : same

fc original_calc.exe unpacked.exe /b

000000D4: 00 5B
000000D5: 00 4C
000000D6: 00 6F
000000D7: 00 72
000000D8: 00 64
000000D9: 00 50
000000DA: 00 45
000000DB: 00 5D
00001094: 71 08
00001095: B8 B9
00001096: 83 00
00001097: 79 78
00001098: A3 E1
00001099: 5C 84
0000109A: 85 02
0000109B: 79 78
0000109C: 1A BB
0000109D: AC AD
0000109E: 83 00
0000109F: 79 78
000010A0: E5 78
000010A1: AC AE
000010A2: 83 00
000010A3: 79 78
000010A4: 96 4C
000010A5: 14 11
000010A6: 83 00
000010A7: 79 78
000010A8: E1 1E
000010A9: 42 3C
000010AA: 83 00
000010AB: 79 78
000010AC: 75 0C
000010AD: B1 B2
000010AE: 83 00
000010AF: 79 78
000010B0: 83 56
000010B1: 57 1F
000010B2: 83 00
000010B3: 79 78
000010B4: 03 6A
000010B5: EF F5
000010B6: 83 00
000010B7: 79 78
000010B8: 25 5A
000010B9: 46 3E
000010BA: 83 00
000010BB: 79 78
000010BC: 2F 64
000010BD: 46 3E
000010BE: 83 00
000010BF: 79 78
000010C0: 35 6A
000010C1: 46 3E
000010C2: 83 00
000010C3: 79 78
000010C4: 2C 70
000010C5: 7C BB
000010C6: 86 03
000010C7: 79 78
000010C8: 8F 26
000010C9: B3 B4
000010CA: 83 00
000010CB: 79 78
000010CC: F8 EA
000010CD: 14 1D
000010CE: 83 00
000010CF: 79 78
000010D0: 5E 70
000010D1: BA 3E
000010D2: 83 00
000010D3: 79 78
000010D4: 74 08
000010D5: 71 B5
000010D6: 86 03
000010D7: 79 78
000010D8: 04 9E
000010D9: 55 26
000010DA: 83 00
000010DB: 79 78
000010DC: 80 DC
000010DD: F1 F7
000010DE: 83 00
000010DF: 79 78
000010E0: CD 14
000010E1: 18 62
000010E2: 84 01
000010E3: 79 78
000010E4: 75 B5
000010E5: 2D 30
.......
........
00016800: 01 20
00016803: 00 60
00016804: 10 2E
00016805: 01 64
00016806: 00 61
00016807: 00 74
00016808: 00 61
0001680A: 13 00
0001680C: 65 84
0001680D: 78 0F
0001680E: 65 00
0001680F: 5C 00
00016810: 63 00
00016811: 61 30
00016812: 6C 01
00016813: 63 00
00016814: 2E 00
00016815: 64 10
00016816: 62 00
00016817: 67 00
00016819: 2E 30
0001681A: 65 01
0001681B: 78 00
0001681C: 65 00
00016828: 00 40
0001682B: 00 C0
0001682C: 00 2E
0001682D: 00 72
0001682E: 00 73
0001682F: 00 72
00016830: 00 63
00016834: 00 18
00016835: 00 26
00016839: 00 40
0001683A: 00 01
0001683D: 00 30
00016841: 00 40
00016842: 00 01
00016850: 00 40
00016853: 00 40

Kayaker
December 7th, 2002, 19:15
Right you are. If you check in a hex editor and use LordPE itself (select View always first thunk) you'll see the changes from 1094-10E8 are the msvcrt.dll import addresses in the IAT. While they are bound imports (already have their addresses listed) in the original file, the PE loader is obviously reinitializing them to the real addresses on your own system. Nothing unusual here.

As for the other changes it does look like LordPE corrupts the resource section of the file it's dumping. What it seems to do is use the .rsrc section to make a copy of the PE header so it can add its little [LordPE] logo to it. The entire header from MZ to the section headers is duplicated there and is presumably copied into the correct position at the start of file later. This is the difference in the PE header from D4 to DB.
000000D4 5B 4C 6F 72 64 50 45 5D [LordPE]

I have to admit, while LordPE is a wonderful tool I've always been a little annoyed at its adding of this superfluous stuff. The early PEditor version of it added 60 bytes of "Modified with PEditor 1.7..." to the PE header and I found in a mini project we had long ago that it corrupted a particular file because it ran into the next section and overwrote a critical dword zero delimiter.

It was about this time I learned to make all modifications to the PE header manually and do all dumps as raw /dump Icedump dumps and not rely on any other tools. I'm sure LordPE could allocate some separate memory to make its changes instead of using the file's .rsrc section.

Kayaker

nikolatesla20
December 7th, 2002, 20:52
No, I believe the real problem here is that you dumped calc.exe while it was running.

The first BIG thing all dumpers learn is never to do that. You have to SUSPEND the program at its OEP. Otherwise you will get initialized variables and initialized pointers. The program will see the pointers are already initialized and won't re-initialize them, and hence you get bad pointers all over the place, and in a computer, a bad pointer is death.

If there is one thing you must learn and keep with you at all times, it is DUMP AT SUSPENDED OEP.


-nt20
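Kayaker's reply sorts the fc /b differences by where they land in the file (the [LordPE] tag in the PE header, rebound import addresses in the IAT, the header copy planted in .rsrc), and nikolatesla20's reply adds a fourth class: globals that the running program had already written before the dump. The script below is an added example, not code from this thread or from LordPE; it automates that sorting for any PE32 file by parsing the section table and the IAT data directory, then mapping each differing raw offset from an fc /b listing to "header", "IAT" or the owning section. The PE image, the fc listing and the function names (build_sample_pe, parse_pe, classify_offset, summarize_fc) are all constructed for the example; a real comparison would read the original executable from disk and feed it the captured fc output.

```python
import re
import struct

# Added example, not code from the thread. The PE image and the fc /b listing
# are constructed in memory so the script runs offline.

IAT_DIR = 12            # index of the IAT entry in the optional header's data directories
SEC_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER layout (40 bytes)


def build_sample_pe():
    """Constructed minimal PE32: DOS header, PE/COFF headers, four sections."""
    sections = [(b".text", 0x1000, 0x200), (b".idata", 0x2000, 0x400),
                (b".data", 0x3000, 0x600), (b".rsrc", 0x4000, 0x800)]
    iat_rva, iat_size = 0x2010, 0x10          # four IAT slots inside .idata
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)     # e_lfanew: PE signature follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000) # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # section / file alignment
    struct.pack_into("<I", opt, 92, 16)       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + IAT_DIR * 8, iat_rva, iat_size)
    hdrs = b"".join(struct.pack(SEC_HDR, n, 0x200, va, 0x200, raw, 0, 0, 0, 0, 0x60000020)
                    for n, va, raw in sections)
    image = dos + b"PE\0\0" + coff + opt + hdrs
    return bytes(image) + bytes(0xA00 - len(image))   # pad out the raw section data


def parse_pe(data):
    """Return ([(name, rva, raw_offset, raw_size)], (iat_start_rva, iat_end_rva))."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    iat = (0, 0)
    if ndirs > IAT_DIR:                       # directory present only if the table is long enough
        rva, size = struct.unpack_from("<II", data, opt + 96 + IAT_DIR * 8)
        iat = (rva, rva + size)
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SEC_HDR, data, opt + opt_size + i * 40)
        name, va, raw_size, raw_ptr = f[0], f[2], f[3], f[4]
        sections.append((name.rstrip(b"\0").decode(), va, raw_ptr, raw_size))
    return sections, iat


def classify_offset(file_off, sections, iat):
    """Map a raw file offset to 'header', 'IAT' or the name of the owning section."""
    for name, va, raw_ptr, raw_size in sections:
        if raw_ptr <= file_off < raw_ptr + raw_size:
            rva = va + (file_off - raw_ptr)   # raw offset -> RVA via the section mapping
            return "IAT" if iat[0] <= rva < iat[1] else name
    return "header"                           # outside every section's raw data


FC_LINE = re.compile(r"^([0-9A-Fa-f]{8}): ([0-9A-Fa-f]{2}) ([0-9A-Fa-f]{2})$")


def summarize_fc(fc_text, pe_bytes):
    """Count differing bytes from an `fc /b` listing per region of the original PE."""
    sections, iat = parse_pe(pe_bytes)
    counts = {}
    for line in fc_text.splitlines():
        m = FC_LINE.match(line.strip())
        if not m:
            continue                          # 'Comparing files ...' banner, blanks, '.......'
        region = classify_offset(int(m.group(1), 16), sections, iat)
        counts[region] = counts.get(region, 0) + 1
    return counts


# Constructed fc /b output: a tool tag in the header, rebound IAT slots, one
# global written at run time, and a header copy planted in .rsrc.
SAMPLE_DIFFS = (list(range(0xD4, 0xDC)) + list(range(0x410, 0x420))
                + [0x604, 0x605] + list(range(0x800, 0x80C)))


def sample_fc_output():
    lines = ["Comparing files original.exe and dumped.exe"]
    lines += [f"{off:08X}: 00 {(off * 7) & 0xFF:02X}" for off in SAMPLE_DIFFS]
    return "\n".join(lines)


if __name__ == "__main__":
    for region, n in sorted(summarize_fc(sample_fc_output(), build_sample_pe()).items()):
        print(f"{region:8} {n} differing byte(s)")
```

Differences that fall in the IAT are expected after a dump of a bound executable and need no repair; differences in the header or .rsrc point at the dumping tool, and differences in .data are the run-time-initialised state nikolatesla20 describes, which is why the dump has to be taken with the process suspended at its OEP rather than after it has run.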

JimmyClif
December 7th, 2002, 21:51
IIRC there's an option in LordPE to disable the little 'tag' it creates inside the PE header.... Some command-line thing.... Don't remember exactly how or where I read or saw that.

TTFN

JC