new_age
January 26th, 2003, 14:14
Hello!
I've unpacked a neolite2-packed exe with procdump. (I had to make some modifications because the original neolite2 script settings generate a non-working exe under WinXP.) I removed the .neolite section.
The unpacked exe has these sections:
->Section Header Table
1. item:
Name: .text
VirtualSize: 0x000D3000
VirtualAddress: 0x00001000
SizeOfRawData: 0x000D2E94
PointerToRawData: 0x00001000
PointerToRelocations: 0x00000000
PointerToLinenumbers: 0x00000000
NumberOfRelocations: 0x0000
NumberOfLinenumbers: 0x0000
Characteristics: 0xE00000E0
(CODE, INITIALIZED_DATA, UNINITIALIZED_DATA, EXECUTE, READ, WRITE)
2. item:
Name: .rdata
VirtualSize: 0x00027000
VirtualAddress: 0x000D4000
SizeOfRawData: 0x00026670
PointerToRawData: 0x000D4000
PointerToRelocations: 0x00000000
PointerToLinenumbers: 0x00000000
NumberOfRelocations: 0x0000
NumberOfLinenumbers: 0x0000
Characteristics: 0x40000080
(UNINITIALIZED_DATA, READ)
3. item:
Name: .data
VirtualSize: 0x00014000
VirtualAddress: 0x000FB000
SizeOfRawData: 0x0000D29C
PointerToRawData: 0x000FB000
PointerToRelocations: 0x00000000
PointerToLinenumbers: 0x00000000
NumberOfRelocations: 0x0000
NumberOfLinenumbers: 0x0000
Characteristics: 0xC0000040
(INITIALIZED_DATA, READ, WRITE)
4. item:
Name: .rsrc
VirtualSize: 0x00038000
VirtualAddress: 0x0010F000
SizeOfRawData: 0x00037B5C
PointerToRawData: 0x00109000
PointerToRelocations: 0x00000000
PointerToLinenumbers: 0x00000000
NumberOfRelocations: 0x0000
NumberOfLinenumbers: 0x0000
Characteristics: 0x40000040
(INITIALIZED_DATA, READ)
So I saved these sections to disk and added some zero bytes to the end of each to pad it to its VirtualSize.
I ripped a Delphi 4 compiled exe header and added some zero bytes to the end to get a 1000h file size.
Then I copied the header and the sections and got a 147000h file size.
With LordPE PE Editor I modified the basic PE header info, set the Import Table and Resource directory info and created a new section (.FUCKIT).
->DOS Header
e_magic: 0x5A4D
e_cblp: 0x0050
e_cp: 0x0002
e_crlc: 0x0000
e_cparhdr: 0x0004
e_minalloc: 0x000F
e_maxalloc: 0xFFFF
e_ss: 0x0000
e_sp: 0x00B8
e_csum: 0x0000
e_ip: 0x0000
e_cs: 0x0000
e_lfarlc: 0x0040
e_ovno: 0x001A
e_res: 0x0000000000000000
e_oemid: 0x0000
e_oeminfo: 0x0000
e_res2: 0x0000000000000000000000000000000000000000
e_lfanew: 0x00000100
->File Header
Machine: 0x014C (I386)
NumberOfSections: 0x0001
TimeDateStamp: 0x3E33C24F (GMT: Sun Jan 26 11:11:11 2003)
PointerToSymbolTable: 0x00000000
NumberOfSymbols: 0x00000000
SizeOfOptionalHeader: 0x00E0
Characteristics: 0x030F
(RELOCS_STRIPPED)
(EXECUTABLE_IMAGE)
(LINE_NUMS_STRIPPED)
(LOCAL_SYMS_STRIPPED)
(32BIT_MACHINE)
(DEBUG_STRIPPED)
->Optional Header
Magic: 0x010B (HDR32_MAGIC)
MajorLinkerVersion: 0x02
MinorLinkerVersion: 0x19 -> 2.25
SizeOfCode: 0x00007400
SizeOfInitializedData: 0x00002600
SizeOfUninitializedData: 0x00000000
AddressOfEntryPoint: 0x000962FE
BaseOfCode: 0x00096000
BaseOfData: 0x00001000
ImageBase: 0x00400000
SectionAlignment: 0x00001000
FileAlignment: 0x00001000
MajorOperatingSystemVersion: 0x0001
MinorOperatingSystemVersion: 0x0000 -> 1.00
MajorImageVersion: 0x0000
MinorImageVersion: 0x0000 -> 0.00
MajorSubsystemVersion: 0x0004
MinorSubsystemVersion: 0x0000 -> 4.00
Win32VersionValue: 0x00000000
SizeOfImage: 0x00146000
SizeOfHeaders: 0x00001000
CheckSum: 0x00155FFF
Subsystem: 0x0002 (WINDOWS_GUI)
DllCharacteristics: 0x0000
SizeOfStackReserve: 0x00100000
SizeOfStackCommit: 0x00004000
SizeOfHeapReserve: 0x00100000
SizeOfHeapCommit: 0x00001000
LoaderFlags: 0x00000000
NumberOfRvaAndSizes: 0x00000010
DataDirectory (16) RVA Size
------------- ---------- ----------
ExportTable 0x00000000 0x00000000
ImportTable 0x000F7D08 0x00000140 (".FUCKIT")
Resource 0x0010F000 0x00003000 (".FUCKIT")
Exception 0x00000000 0x00000000
Security 0x00000000 0x00000000
Relocation 0x00000000 0x00000000
Debug 0x00000000 0x00000000
Copyright 0x00000000 0x00000000
GlobalPtr 0x00000000 0x00000000
TLSTable 0x00000000 0x00000000
LoadConfig 0x00000000 0x00000000
BoundImport 0x00000000 0x00000000
IAT 0x00000000 0x00000000
DelayImport 0x00000000 0x00000000
COM 0x00000000 0x00000000
Reserved 0x00000000 0x00000000
The created exe file doesn't run. What is the problem?
NA
Almost forgot the reason: I can't recompress the unpacked exe file. (I've tried a lot of packers/encryptors.)
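A consistency check over the headers quoted in the post, added here as an example and not part of the original thread. It reproduces the rebuild procedure described above (1000h header, each dumped section padded to its VirtualSize and appended in order) and compares the resulting file layout with the optional header and data directories that were set in LordPE; it assumes the four procdump'd sections describe the rebuilt file, since the .FUCKIT section header itself is not shown.

```python
SECTION_ALIGNMENT = 0x1000   # from the dumped optional header
HEADER_SIZE = 0x1000         # the ripped Delphi header was padded to 1000h

# Section table as dumped by procdump (values constructed from the post).
SECTIONS = [
    {"Name": ".text",  "VirtualAddress": 0x1000,   "VirtualSize": 0xD3000, "PointerToRawData": 0x1000},
    {"Name": ".rdata", "VirtualAddress": 0xD4000,  "VirtualSize": 0x27000, "PointerToRawData": 0xD4000},
    {"Name": ".data",  "VirtualAddress": 0xFB000,  "VirtualSize": 0x14000, "PointerToRawData": 0xFB000},
    {"Name": ".rsrc",  "VirtualAddress": 0x10F000, "VirtualSize": 0x38000, "PointerToRawData": 0x109000},
]
# Optional header fields set with LordPE, plus the two data directories that were filled in.
OPTIONAL = {"SizeOfImage": 0x146000, "AddressOfEntryPoint": 0x962FE}
DIRECTORIES = {"ImportTable": (0xF7D08, 0x140), "Resource": (0x10F000, 0x3000)}

def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment

def rebuilt_layout(sections, header_size=HEADER_SIZE, alignment=SECTION_ALIGNMENT):
    """Raw offsets the post's procedure produces: header, then each section padded to VirtualSize."""
    offset, layout = header_size, []
    for s in sections:
        layout.append({**s, "RebuiltRawOffset": offset})
        offset += align_up(s["VirtualSize"], alignment)
    return layout, offset   # offset is the total file size (147000h for this dump)

def check_headers(sections, optional, directories):
    """Return findings the loader would trip over; an empty list means the layout is self-consistent."""
    layout, end = rebuilt_layout(sections)
    findings = []
    for s in layout:
        # A section header copied unchanged from the dump still points at the old raw offset.
        if s["PointerToRawData"] != s["RebuiltRawOffset"]:
            findings.append(f"{s['Name']}: PointerToRawData {s['PointerToRawData']:#x} "
                            f"but padded file stores it at {s['RebuiltRawOffset']:#x}")
    if optional["SizeOfImage"] < end:
        findings.append(f"SizeOfImage {optional['SizeOfImage']:#x} smaller than image end {end:#x}")

    def section_of(rva):
        return next((s["Name"] for s in layout if s["VirtualAddress"] <= rva
                     < s["VirtualAddress"] + align_up(s["VirtualSize"], SECTION_ALIGNMENT)), None)

    if section_of(optional["AddressOfEntryPoint"]) is None:
        findings.append("AddressOfEntryPoint outside every section")
    for name, (rva, _size) in directories.items():
        if rva and section_of(rva) is None:
            findings.append(f"{name} RVA {rva:#x} outside every section")
    return findings

if __name__ == "__main__":
    for finding in check_headers(SECTIONS, OPTIONAL, DIRECTORIES):
        print(finding)
```

Run against the values in the post it reports two findings: the padded layout places .rsrc at 0x10F000 while the dumped header says 0x109000, and SizeOfImage (0x146000) is smaller than the 0x147000 the padded sections actually span.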