nitr8
June 12th, 2004, 03:54
Hello
I'm wondering how unpacking a Petite v2.2 packed DLL file works, since I have so far only read tutorials that describe how to do it on packed EXE files.
I tried it anyway with SoftICE and OllyDbg, but can't step behind it.
There is nothing in the code that looks like this:
POPAD...
POPF...
ADD...
JMP...
I found the following in OllyDbg:
MOV...
PUSH...
PUSH DWORD PTR FS...
MOV DWORD PTR FS...
PUSHFW
PUSHAD
PUSH EAX
PUSH 10000000
I tried setting a New Origin onto the first MOV (it's the EIP=1147B042), then traced until I executed the PUSHAD and stood on PUSH EAX, wrote down the ESP and EDI, pressed CTRL+G in the Hexdump window, entered the ESP, selected the first 2 bytes, and set a breakpoint on Hardware Access, WORD. After that I just pressed F9, then SHIFT+F9, but OllyDbg just sent me an Access Violation message in its Status Window and after that a message that the Debugged program was unable to process exception. After pressing SHIFT+F9 2 more times, OllyDbg just terminated the whole process. I dunno why or what else to do.
I need big help on this one.
Thank you very much.