Hi there

I used to try out unpacking of a NeoLite v2.0 packed DLL file, but can't get it to work.

I've read several tutorials on doing it, but never reached the end of the hole process, because the unpacked (dumped) DLL file is about 20 megs big, while the packed one is only about 111 Bytes and the Loader of the DLL always says Injection failed, whenŽi reset the Entry Point within ProcDump.

The DLL is being Loaded by a Program (EXE). So the Procedure goes like this: LOADER -> (PACKED) DLL FILE -> MAIN PROGRAM EXE FILE

which means: it is an Addon to another Program. The Addon's DLL file is crypted with NeoLite v2.0 and i want to unpack the DLL

i tried finding out OEP so far and i did CC at E9 in the DLL with HexEditor then did "d eip", "[ALT]+[D]", "CC", "[ALT+D]", traced throught the code with F10, till i stand with the line on the code "JMP EAX", did again: "d eip", "[ALT+D]", "EBFE", "[ALT+D]", "[CTRL+D]" and dumped the hole DLL (full dump) file which was loaded in the REAL PROGRAM EXE (Not the Addon EXE).

-> over 20 megs of DLL file created (wtf)

The problem now is following: When starting the Addon for the FIRST TIME, it has an OEP at 1147915C. In this first start it is searching for the Real Program's EXE and creates an INI file. After that If you close the Addon and start it again, it has an OEP at address 03BB915C.

I don't know what i'm doing wrong but the size of the DLL file isn't normal and also the Injection failed message is making my hope for the graves...

Can anybody please tell me or describe step by step how to dump the DLL file from ground, to get it working and smaller and what the real OEP is?

BTW: the Image Base of this DLL is at unbelievable 10000000...

Also: ProcDump didn't help much it sometimes said "Process can't be dumped" so i used LordPE for dumping

i stand with the line on the code "JMP EAX",

check EAX value ; EAX = ???? <-- that's OEP

in memory you see the image BASE of the dll --> RVAs you see ... the only difference is you'll set image base to the begin of those RVA as it was 00401000

it's obvious you're lost or actually you don't know what you're doing .. there are many tuts about unpacking Neolite and always is the same home work.

after you dump the dll there's not need to fix imports for this packer .. maybe you'll only need to fix each section ... it's good to use a Pe Rebuilder for this cases .. i usually use the one which has ProDump and work very well.. after rebuilding there's 90% possibilities your .dll will run ok.

if Prodump can't dump is because that dll most have an Anti-dump trick .. before you try to dump with LordPe make sure to hit the option correctImageSize for this case then dump.

Regards

exactly... i did yesterday.

i set E9 to CC at Hexdump E9A6000000, then set bpint3 in SoftICE, launched that thing, SoftICE poped up, i entered:

d eip, pressed [ALT]+[D], entered E9 at CC (original bytes), pressed [ALT]+[D] once more, traced through the code with F10, till i was over JMP EAX, entered d eip once more, pressed [ALT]+[D] again and there i was at the point everybody was talking about... i was at the 558B bytes. the other times before i just didn't trace over JMP EAX. i just stood on the code line, but didn't trace over it. that was my mistake ( ). i finally replaced them with the EBFE bytes (nice trick py CoDe_InSiDe - thx for that info), pressed [ALT]+[D] once more, pressed [STRG]+[D], loaded LordPE, fully dumped the DLL (ProcDump wouldn't do it), after that launched ProcDump, clicked on "REBUILD PE", loaded the file into it and it said "successfully rebuild".

After all the stuff above i just had to replace the EBFE bytes with the original 558B bytes, cuz it didn't really run after rebuilding, just was in a loop. so launched hexeditor, searched for EBFE Hex String, replaced it with 558B (original bytes), saved that shit and launched the file. It's working now.

The DLL file is still over 20 megs, but the size doesn't matter. Program works and i'm really happy about it.

*Happy*

i'm glad it runs