
Dll relocation?


crUsAdEr
May 31st, 2004, 03:49
Ok, I have this unpacked dll which won't load at a certain image base... meaning:

If I use LordPE to rebuild the PE image with the option Change ImageBase to 10000000h, then the LoadLibraryA call to this dll will fail, giving error 2E6 which is ERROR_BAD_PIPE.

If I use LordPE to rebuild the PE image but with the new ImageBase set to, say, 1F700000h, then the dll works fine and can be loaded with no problem...

So the question is: what the hell is wrong?
I have checked and it must be that the reloc info is correct, or else LordPE wouldn't be able to rebuild it, but it seems Windows is unable to utilise this reloc information and throws up when it can't load the dll at the designated ImageBase?

Anyone got any idea? This is the weirdest thing I have seen all week.

sgdt
May 31st, 2004, 04:18
Quote:
[Originally Posted by crUsAdEr]I have checked and it must be that the reloc info is correct, or else LordPE wouldn't be able to rebuild it, but it seems Windows is unable to utilise this reloc information and throws up when it can't load the dll at the designated ImageBase?


The Reloc has to be toast, or at least missing an entry or two. But, it should be easy to find (in a morbid sort of way).

Anyway, let's say your image is naturally 1F700000-1F8FFFFF. In a hex editor, or in a program, look for sequences of bytes that are in that range. When you find one, look in your relocation list to see if there is an entry. If not, make a note of the address. When you are done, bring the DLL into IDA (at 1F700000), and look for those addresses. If they are real (and not artifacts of random code or data), add a reloc entry. When complete, you'll be able to rebase in LordPE or whatever.

If your list is exceptionally large, consider living with it being at 1F700000. :hmm:
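
Automating the search sgdt describes: the script below is an added example, not code from any poster in this thread and not part of LordPE. It parses a PE32 DLL the way the loader reads it, rejects relocation blocks the loader would not accept (zero or odd SizeOfBlock, unknown fixup types), and then scans every section except .reloc for dwords that look like absolute pointers into the image but are not covered by a HIGHLOW fixup. The DLL it builds in build_sample_dll is a constructed sample (three absolute pointers, a .reloc block covering only two of them), not anyone's real file; the check assumes 32-bit PE32 images using only HIGHLOW relocations, which is the assumed shape of the DLLs discussed here.

```python
import struct


def _u16(b, o):
    return struct.unpack_from("<H", b, o)[0]


def _u32(b, o):
    return struct.unpack_from("<I", b, o)[0]


def parse_pe32(data):
    """Read the few PE32 header fields this check needs."""
    e_lfanew = _u32(data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    fh = e_lfanew + 4                      # IMAGE_FILE_HEADER
    opt = fh + 20                          # IMAGE_OPTIONAL_HEADER32
    if _u16(data, opt) != 0x10B:
        raise ValueError("PE32 only")
    image_base = _u32(data, opt + 28)
    size_of_image = _u32(data, opt + 56)
    dd = opt + 96 + 5 * 8                  # DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC]
    reloc_rva, reloc_size = _u32(data, dd), _u32(data, dd + 4)
    sh = opt + _u16(data, fh + 16)         # first IMAGE_SECTION_HEADER
    # (VirtualAddress, SizeOfRawData, PointerToRawData) per section
    sections = [(_u32(data, s + 12), _u32(data, s + 16), _u32(data, s + 20))
                for s in range(sh, sh + 40 * _u16(data, fh + 2), 40)]
    return image_base, size_of_image, reloc_rva, reloc_size, sections


def map_image(data, size_of_image, sections):
    """Lay the raw sections out at their RVAs, as the loader would."""
    image = bytearray(size_of_image)
    for va, rawsize, rawptr in sections:
        chunk = data[rawptr:rawptr + rawsize]
        image[va:va + len(chunk)] = chunk
    return image


def walk_relocs(image, rva, size):
    """Yield the RVA of every IMAGE_REL_BASED_HIGHLOW fixup; reject blocks the
    loader would choke on (zero/odd SizeOfBlock, unknown relocation types)."""
    end = rva + size
    while rva < end:
        page, block = _u32(image, rva), _u32(image, rva + 4)
        if block < 8 or block & 1:
            raise ValueError(f"bad SizeOfBlock {block:#x} in reloc block at RVA {rva:#x}")
        for o in range(rva + 8, rva + block, 2):
            entry = _u16(image, o)
            rtype, offset = entry >> 12, entry & 0xFFF
            if rtype == 3:                 # IMAGE_REL_BASED_HIGHLOW
                yield page + offset
            elif rtype != 0:               # 0 = IMAGE_REL_BASED_ABSOLUTE (padding)
                raise ValueError(f"unexpected relocation type {rtype} at RVA {o:#x}")
        rva += block


def find_unrelocated(data):
    """Return [(rva, value)] for every dword inside a section that looks like an
    absolute pointer into the image but has no HIGHLOW fixup covering it."""
    base, size, rrva, rsize, sections = parse_pe32(data)
    image = map_image(data, size, sections)
    covered = set()
    for r in walk_relocs(image, rrva, rsize):
        covered.update(range(r, r + 4))
    missing = []
    for va, rawsize, _ in sections:
        if va <= rrva < va + rawsize:      # .reloc holds RVAs, never absolute pointers; skip it
            continue
        for off in range(va, va + rawsize - 3):
            value = _u32(image, off)
            if base <= value < base + size and off not in covered:
                missing.append((off, value))
    return missing


def build_sample_dll(image_base=0x28000000):
    """Constructed sample (not the poster's DLL): a minimal PE32 DLL whose .text
    holds three absolute pointers, with a .reloc block covering only two."""
    text = bytearray(0x200)
    for off in (0x10, 0x20, 0x30):
        struct.pack_into("<I", text, off, image_base + 0x1100)
    entries = [(3 << 12) | 0x10, (3 << 12) | 0x20]      # HIGHLOW fixups at RVA 0x1010 and 0x1020 only
    block = struct.pack("<II", 0x1000, 8 + 2 * len(entries)) + struct.pack("<%dH" % len(entries), *entries)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)  # i386, 2 sections, EXECUTABLE|32BIT|DLL
    opt = bytearray(0xE0)
    for off, fmt, val in ((0, "<H", 0x10B), (28, "<I", image_base), (32, "<I", 0x1000), (36, "<I", 0x200),
                          (56, "<I", 0x3000), (60, "<I", 0x200), (68, "<H", 2), (92, "<I", 16),
                          (136, "<I", 0x2000), (140, "<I", len(block))):
        struct.pack_into(fmt, opt, off, val)

    def section(name, va, rawptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, rawptr, 0, 0, 0, 0, flags)

    headers = dos + b"PE\0\0" + file_hdr + opt
    headers += section(b".text", 0x1000, 0x200, 0x60000020) + section(b".reloc", 0x2000, 0x400, 0x42000040)
    return bytes(headers.ljust(0x200, b"\0") + text + block.ljust(0x200, b"\0"))


if __name__ == "__main__":
    for rva, value in find_unrelocated(build_sample_dll()):
        print(f"RVA {rva:#x} holds {value:#x} but has no relocation entry")
```

On a real file, call find_unrelocated(open(path, "rb").read()). Expect some false positives from data that merely happens to fall in the image range, which is why each hit still needs confirming in the disassembler before an entry is added. A relocation directory that passes this check is well-formed as far as the format goes; it does not by itself prove that the loader will accept every base you pick.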

crUsAdEr
May 31st, 2004, 06:32
Quote:
[Originally Posted by sgdt]The Reloc has to be toast, or at least missing an entry or two. But, it should be easy to find (in a morbid sort of way).

Anyway, let's say your image is naturally 1F700000-1F8FFFFF. In a hex editor, or in a program, look for sequences of bytes that are in that range. When you find one, look in your relocation list to see if there is an entry. If not, make a note of the address. When you are done, bring the DLL into IDA (at 1F700000), and look for those addresses. If they are real (and not artifacts of random code or data), add a reloc entry. When complete, you'll be able to rebase in LordPE or whatever.

If your list is exceptionally large, consider living with it being at 1F700000. :hmm:



Hi sgdt, thanks for the reply but I think you misunderstood me...
The original dll ImageBase is 28000000h but it won't load when LoadLibrary is called with it...

I use LordPE and can successfully rebase the dll to any image base I wish... If I rebase the dll to 1F70000h the dll loads fine; if I rebase the dll to 10000000h the dll won't load again :/... So the point is that I can rebase the dll as I wish... but at a certain ImageBase the dll can't be loaded by Windows, while at some other ImageBase it works fine?

dELTA
May 31st, 2004, 19:17
You might get a very good clue by simply tracing the DLLMain procedure at DLL load time, noting where the non-working version deviates from the execution path of the working one.

crUsAdEr
May 31st, 2004, 22:09
Hi Delta,

The problem is DLLMain is never executed...

The OS won't load it at all... looks like the OS doesn't recognise the relocation directory at all :/...

dELTA
June 1st, 2004, 18:26
Very strange indeed. But just to be sure, you do know that the DLLMain is executed during the call to LoadLibrary, right, and that the return code of DLLMain can affect the result of the LoadLibrary function? Otherwise it practically must be something wrong with the PE structure of the DLL, relocation wise or other, as far as I can see.

crUsAdEr
June 1st, 2004, 20:17
Hi Delta, yep, I am aware of the DLL loading process...
I set CC on the DLL entry point, it doesn't break... The thing is LordPE is able to rebase fine so the reloc struct seems good, so I am not sure what is wrong really... Either Windows is stricter about the reloc format, or perhaps some dll setting flags? Though I have ripped exactly the original header...

nikolatesla20
June 1st, 2004, 21:22
What exact O.S. are you using here, because in different Windows versions DLLs have to be above/below certain ranges... and you can't rebase them to wherever you want.

-nt20