Hi.

Searched already the board but find no solution for my problem. I think it might have to do with some relocations. I unpacked dll (use aspackdie because itīs faster/but itīs an "unknown algorithm 3"-for aspack 2.12b as PEid said.) but if i load dll with loadlibrary it has another base than loading with ollydbg!

Example Olly:
01A71000 | |EB 10 jmp short 01A71012
01A71002 | |66 db 66 ; CHAR 'f'
01A71003 | |62 db 62 ; CHAR 'b'
01A71004 | |3A db 3A ; CHAR ':'
01A71005 | |43 db 43 ; CHAR 'C'
01A71006 | |2B db 2B ; CHAR '+'
01A71007 | |2B db 2B ; CHAR '+'
01A71008 | |48 db 48 ; CHAR 'H'
01A71009 | |4F db 4F ; CHAR 'O'
01A7100A | |4F db 4F ; CHAR 'O'
01A7100B | |4B db 4B ; CHAR 'K'
01A7100C | |90 nop
01A7100D | |E9 db E9
01A71012 |> \A1 F3A3AF01 mov eax, [dword ds:1AFA3F3]
01A71017 |. C1E0 02 shl eax, 2
01A7101A |. A3 F7A3AF01 mov [dword ds:1AFA3F7], eax
01A7101F |. 8B4424 08 mov eax, [dword ss:esp+8]
01A71023 |. A3 65A4AF01 mov [dword ds:1AFA465], eax
01A71028 |. FF1485 55A4AF>call near [dword ds:eax*4+1AFA455]
01A7102F |. 833D 65A4AF01>cmp [dword ds:1AFA465], 1
01A71036 |. 75 5E jnz short flash001.01A71096
01A71038 |. 803D FFA3AF01>cmp [byte ds:1AFA3FF], 0

This works because for example at 1A71012 mov eax is pointing to memory which is available! (non shared dll memory at 1afa3f7)

But if i load with LoadLibrary it looks like this:
01F91000 > /EB 10 jmp short 01F91012
01F91002 |66:623A bound di, [word ds:edx]
01F91005 |43 inc ebx
01F91006 |2B2B sub ebp, [dword ds:ebx]
01F91008 |48 dec eax
01F91009 |4F dec edi
01F9100A |4F dec edi
01F9100B |4B dec ebx
01F9100C |90 nop
01F9100D -|E9 6CA4AF01 jmp 03A8B47E
01F91012 \A1 F3A3AF01 mov eax, [dword ds:1AFA3F3]
01F91017 C1E0 02 shl eax, 2
01F9101A A3 F7A3AF01 mov [dword ds:1AFA3F7], eax
01F9101F 8B4424 08 mov eax, [dword ss:esp+8]
01F91023 A3 65A4AF01 mov [dword ds:1AFA465], eax
01F91028 FF1485 55A4AF01 call near [dword ds:eax*4+1AFA455]
01F9102F 833D 65A4AF01 0>cmp [dword ds:1AFA465], 1


So the Base is changed from 1A10000 to 1F90000 but the mov eax is still pointing to 1afa3f3. ?!

I just thought a dll is like an exe, so i should not bother with relocations but i think i am wrong? anyway, dumping the file with petools and copying the reloc section changes nothing at this point.

i am at the end of my knowledge.. may be somebody can explain this to me and how to solve this?!
(Btw. itīs on a Windows XP system, i did not test under other os)

regards,
friedo

yep dlls need relocation data, chances are when the protection was applied the reloc information was destroyed and the protection handles it all runtime.. u got no choice really but to try and get 2 dumps of the dll loaded at a diff base, then compare, and rebuild some form of relocation information from that.. should work then

Okay. So i was on the right way. I used a simple Ollyscript for ASPACK to determine the real relocation table, patched the whole .reloc section and adapt the relocation table in pe header (thatīs what i missed last time and why it doesnīt work.)

Such a changed DLL works at different Imagebases!

Thx so far.

p.s.:
I thought aspackdie would adapt this reloctable automatically... tztztz
Anyway, i got big problems to dump such a unpacked dll with ollydbg oder petools because everytime i do it and adapt the import table with imprec i got an error thatīs not a "win32-executable-file". because donīt know how to solve i let aspackdie do the workfor me and changes some things manually...

May be thereīs a tutorial out there which explains why my dumped file is not a win32 executable?

That could be a problem due to wrong sizes for sections (virtualsize), and sizeofimage. simply try to use pe-editor / rebuild pe-header fro 2k/nt and check if rebuilded exe works... if so,could some small subroutine that aligns ur files vsizes + sizeofimage..voila