dll dump questions


0rp
May 11th, 2004, 18:53
OK, I have a self-decrypting DLL, decrypted and BPed at its OEP.

If I use procdump to dump this instance, it doesn't work (DllMain returns FALSE). Why does procdump LoadLibrary this image instead of doing some ReadProcessMemory calls? However, if I use other tools, I get an image, but this dump does not work.

I searched the forum and found some tricks (double load the same image, and diff them to get reloc differences), but I did not find a complete tutorial.

Are there some tuts about this topic?

Thanks a lot

nikolatesla20
May 11th, 2004, 19:23
If it's decrypted in mem and you are at OEP, all you really have to do is dump it, and then set its ImageBase to the mem location that it was at in memory. Hopefully the relocation table will be whole, which will allow the DLL to be relocated properly.

Use LordPE to dump the dll out.

-nt20

0rp
May 12th, 2004, 14:19
In Olly, at address 4153BB, I have valid code. If I dump the DLL using LordPE and load this dumped file with IDA, 4153BB doesn't contain valid opcodes.

If I search the whole dumped image for the opcodes at 4153BB, I don't find them. It seems this dumped image isn't decrypted.

What's wrong with my dump?

nikolatesla20
May 12th, 2004, 14:40
Quote (originally posted by 0rp):
In Olly, at address 4153BB, I have valid code. If I dump the DLL using LordPE and load this dumped file with IDA, 4153BB doesn't contain valid opcodes.

If I search the whole dumped image for the opcodes at 4153BB, I don't find them. It seems this dumped image isn't decrypted.

What's wrong with my dump?

Take a look at the ImageBase that LordPE says the DLL is at, and set that ImageBase on the file as well, using a PE editor (either LordPE or PEditor).

If the ImageBase isn't right, IDA will get lost.

-nt20
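The ImageBase fix nikolatesla20 describes, as an added Python example that is not part of the thread or of any tool named in it: it reads and rewrites the optional header's ImageBase of a dumped module and checks that the base-relocation directory is non-empty, the condition he notes for the DLL to relocate. The minimal PE32 header it builds is constructed for demonstration only; `build_sample_pe32` is a hypothetical helper, not a real file.

```python
import struct
_PE32, _PE32PLUS = 0x10B, 0x20B  # IMAGE_OPTIONAL_HEADER magics

def _optional_header(pe: bytes) -> tuple:
    """Validate MZ/PE signatures and return (optional header offset, magic)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt = e_lfanew + 4 + 20  # skip signature and IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (_PE32, _PE32PLUS):
        raise ValueError("unknown optional header magic %#x" % magic)
    return opt, magic

def get_image_base(pe: bytes) -> int:
    opt, magic = _optional_header(pe)
    # ImageBase is a DWORD at +28 in PE32, a QWORD at +24 in PE32+
    return (struct.unpack_from("<I", pe, opt + 28)[0] if magic == _PE32
            else struct.unpack_from("<Q", pe, opt + 24)[0])

def set_image_base(pe: bytes, mapped_base: int) -> bytes:
    """Return a copy of the dump with ImageBase set to the address it was mapped at."""
    opt, magic = _optional_header(pe)
    buf = bytearray(pe)
    if magic == _PE32:
        struct.pack_into("<I", buf, opt + 28, mapped_base)
    else:
        struct.pack_into("<Q", buf, opt + 24, mapped_base)
    return bytes(buf)

def has_reloc_table(pe: bytes) -> bool:
    """True if the base-relocation data directory (entry 5) is present and non-empty."""
    opt, magic = _optional_header(pe)
    dirs = opt + (96 if magic == _PE32 else 112)  # DataDirectory[0]
    rva, size = struct.unpack_from("<II", pe, dirs + 5 * 8)
    return rva != 0 and size != 0

def build_sample_pe32(image_base: int, reloc_size: int) -> bytes:
    # Constructed minimal PE32 header (no sections) so the example runs offline.
    hdr = bytearray(0x40 + 4 + 20 + 224)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew
    opt = 0x40 + 24
    struct.pack_into("<H", hdr, opt, _PE32)
    struct.pack_into("<I", hdr, opt + 28, image_base)
    struct.pack_into("<II", hdr, opt + 96 + 5 * 8, 0x5000, reloc_size)
    return bytes(hdr)
```

Without a relocation table the loader cannot fix up a module placed anywhere other than its ImageBase, so the `has_reloc_table` check matters as much as the header edit itself.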