zyzygy
June 17th, 2004, 13:26
Hi guys,
Could somebody tell me how to unpack a dll form any packer,general theory ?thanks
Could somebody tell me how to unpack a dll form any packer,general theory ?thanks
View Full Version : unpacking a dll
JMI
June 17th, 2004, 13:39
The FIRST thing to do is read the BIG RED LETTERS at the top of the Forums and then read the FAQ. That will tell you to search for answers BEFORE you post a question.
Go to the search button at the top of the Forums and enter "unpack dll" (without the quotes) and read the many threads you will find with that search.
Regards,
Go to the search button at the top of the Forums and enter "unpack dll" (without the quotes) and read the many threads you will find with that search.
Regards,
MaRKuS-DJM
June 18th, 2004, 08:03
it works the same way as a executable... you can use a PE Editor to change characteristics that windows don't think it is a dll and then execute it or use ollydebug. i think it's better to change characteristics. then unpack as usual
cRk
June 18th, 2004, 10:11
you can use a PE Editor to change characteristics that windows don't think it is a dll and then execute it
exaclty which characteristics to change?? and what values to change for ?
exaclty which characteristics to change?? and what values to change for ?
MaRKuS-DJM
June 19th, 2004, 07:53
for DLLs, you have to subtract 2000 from characteristics to make windows think it is an executable.
example:
characteristic of DLL: 210E
- 2000 = 010E
windows will think it is an executable. of course it is only for unpacking. the dll itself won't run. after unpacking, change characteristics back or dll won't work
@Crk
characteristics in PE Header
example:
characteristic of DLL: 210E
- 2000 = 010E
windows will think it is an executable. of course it is only for unpacking. the dll itself won't run. after unpacking, change characteristics back or dll won't work
@Crk
characteristics in PE Header
zyzygy
June 19th, 2004, 08:01
thanks for the info will try it out
could you tell me how to do it exactly ?thanks a million
could you tell me how to do it exactly ?thanks a million
%UNDEFINED%
June 19th, 2004, 12:17
Quote:
| [Originally Posted by MaRKuS-DJM]for DLLs, you have to subtract 2000 from characteristics to make windows think it is an executable. example: characteristic of DLL: 210E - 2000 = 010E windows will think it is an executable. of course it is only for unpacking. the dll itself won't run. after unpacking, change characteristics back or dll won't work |
That's an excellent idea, never thought of that approach
dELTA
June 19th, 2004, 16:18
Quote:
| could you tell me how to do it exactly ? |
No.
JMI
June 19th, 2004, 20:23
Or to elaberate on dELTA's, somewhat cryptic response, that's why the Diety inventy the internet. So that you could search the net and find information about things you don't know how to do. Why heck, you could even try SEARCHING for an answer HERE. There is a search button here, don't ya know???
Using the words: "PE Editor change characteristics" (without the quotes) you should find some interesting reading about PE headers and at least a couple of kinds of "characteristics" one might change.
These is also alot of information on the net about the PE file format you probably should become familiar with if you intend to actually learn how to unpack.
Regards,
Using the words: "PE Editor change characteristics" (without the quotes) you should find some interesting reading about PE headers and at least a couple of kinds of "characteristics" one might change.
These is also alot of information on the net about the PE file format you probably should become familiar with if you intend to actually learn how to unpack.
Regards,
zyzygy
June 20th, 2004, 01:45
Ok thank you for the replies ,i will surely do that .
MEPHiST0
June 20th, 2004, 17:26
nice tips on the .dll > exe MarKUS
can load dll in olly now
can load dll in olly now
neviens
June 21st, 2004, 05:25
Somtimes it is necessary to load the dll for unpacking without any changes,
because of CRC selfchecking. For this approach I usualy do a small program
with LoadLibrary() function inside, then a famous Spl/\js 'BPX ORD_0056+94'
breakpoint under win98 will do a job (or "Break on new module" under Olly?).
Neviens.
because of CRC selfchecking. For this approach I usualy do a small program
with LoadLibrary() function inside, then a famous Spl/\js 'BPX ORD_0056+94'
breakpoint under win98 will do a job (or "Break on new module" under Olly?).
Neviens.
Powered by vBulletin® Version 4.2.2 Copyright © 2018 vBulletin Solutions, Inc. All rights reserved.