
View Full Version : NEOLITE 2.0 UNPACK


master
December 4th, 2004, 15:41
One silly question about a DLL unpack.
It's after I found the OEP.
How do I put the "CC" (INT 3) (I've read that in a tut) in the code? I have WinHex, and cannot edit the code.

Thanx a lot

hosiminh
December 7th, 2004, 03:46
I believe you are looking for this : hxxp://members.home.nl/code.inside/tutorials.html

I assume you want to do it with Softice + symbol loader
I would put my eyes on tutorials 13 , 25 ,26 ,27 . You can apply the same technique to the dll file .

Small tip : With Ollydbg you can load *.exe , *.dll and *.ocx files .

master
December 8th, 2004, 11:03
The problem is that I cannot find the OEP. This is the first step of unpacking (so I was reading it in every tut). The file is a DLL, and it's being called from an exe that is not compressed.
When I load it in Olly and press shift+F9 a couple of times, I enter this packed shit, and the code looks like this:

01194EEE 8B0B MOV ECX, DWORD PTR DS:[EBX]
01194EF0 66:8DBD MOV BX,BX
01194EF3 0FB9 ???? - Unknown command, that means it is compressed.

I checked with StudPE it says Neolite 2.0.

I tried to follow the procedure written in the tut you mentioned; I cannot even find the OEP because the tut is about an exe.

If you have some idea, please help

THNX

master
December 8th, 2004, 11:33
I forgot to write the section information, it looks like this:
Name      Virtual Size  Virtual Offset  Raw Size  Raw Offset  Characteristics
.text     00012000      00001000        00012000  00001000    60000020
.rdata    00005000      00013000        00005000  00013000    C0000040
.data     00004724      00018000        00003000  00018000    C0000040
.rsrc     00022000      0001D000        00022000  0001B000    40000040
.reloc    00003000      0003F000        00003000  0003D000    C2000040
.protect  000D4000      00042000        000D4000  00040000    E0000020   that's the protected shit

From the header info, the entry point is 00042280.
Can I find out the OEP from this?

THNX AGAIN
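An added example (not code from this thread or from any of the posters): a small Python script that parses the section table exactly as pasted above, finds which section holds the entry point 00042280, decodes the section's Characteristics flags, and converts an RVA into the raw file offset a hex editor needs. The section table and the entry point value are copied from the post; the IMAGE_SCN_* names are the standard PE/COFF constants. The "writable and executable" finding is an analyst heuristic assumed here, not something the thread states.

```python
# Added example, not code from the thread. Input below is the section table
# pasted in the post (constructed as a string here), plus the quoted entry point.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Standard IMAGE_SCN_* characteristic bits from the PE/COFF specification.
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}

# Section table as posted in the thread (constructed input for this example).
SECTION_TABLE = """\
Name Virtual Size Virtual Offset Raw Size Raw Offset Characteristics
.text 00012000 00001000 00012000 00001000 60000020
.rdata 00005000 00013000 00005000 00013000 C0000040
.data 00004724 00018000 00003000 00018000 C0000040
.rsrc 00022000 0001D000 00022000 0001B000 40000040
.reloc 00003000 0003F000 00003000 0003D000 C2000040
.protect 000D4000 00042000 000D4000 00040000 E0000020 that's the protected shit
"""
ENTRY_POINT_RVA = 0x42280  # AddressOfEntryPoint quoted in the post


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_offset: int
    characteristics: int

    def contains_rva(self, rva: int) -> bool:
        return self.virtual_address <= rva < self.virtual_address + self.virtual_size


def flag_names(characteristics: int) -> List[str]:
    """Expand a Characteristics DWORD into the IMAGE_SCN_* names it contains."""
    return [name for bit, name in SECTION_FLAGS.items() if characteristics & bit]


def parse_section_table(text: str) -> List[Section]:
    """Parse a whitespace-separated section dump as pasted from a PE viewer.
    The header line is skipped (it does not start with '.'); any commentary
    after the six columns is ignored."""
    sections = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("."):
            continue
        name, vsize, va, rsize, roff, chars = parts[:6]
        sections.append(Section(name, int(vsize, 16), int(va, 16),
                                int(rsize, 16), int(roff, 16), int(chars, 16)))
    return sections


def section_for_rva(sections: List[Section], rva: int) -> Optional[Section]:
    for sec in sections:
        if sec.contains_rva(rva):
            return sec
    return None


def rva_to_file_offset(sections: List[Section], rva: int) -> Optional[int]:
    """Translate an RVA to the raw file offset a hex editor must patch.
    .rsrc, .reloc and .protect have Raw Offset != Virtual Offset, so editing
    at the RVA itself would hit the wrong bytes on disk."""
    sec = section_for_rva(sections, rva)
    if sec is None:
        return None
    delta = rva - sec.virtual_address
    if delta >= sec.raw_size:
        return None  # exists only in memory (uninitialised tail, e.g. .data)
    return sec.raw_offset + delta


def entry_point_findings(sections: List[Section], ep_rva: int) -> Tuple[Optional[Section], List[str]]:
    """Heuristics (assumed here, not from the thread) for an entry point that
    is not in .text: which section owns it and whether that section is W+X."""
    sec = section_for_rva(sections, ep_rva)
    findings = []
    if sec is None:
        return None, ["entry point lies outside every section"]
    if sec.name != ".text":
        findings.append(f"entry point in {sec.name}, not .text")
    if sec.characteristics & 0x80000000 and sec.characteristics & 0x20000000:
        findings.append(f"{sec.name} is writable and executable (typical unpacking stub)")
    return sec, findings


if __name__ == "__main__":
    secs = parse_section_table(SECTION_TABLE)
    sec, findings = entry_point_findings(secs, ENTRY_POINT_RVA)
    print(f"entry point {ENTRY_POINT_RVA:08X} -> {sec.name} {flag_names(sec.characteristics)}")
    for f in findings:
        print(" -", f)
    print(f"raw file offset of entry point: {rva_to_file_offset(secs, ENTRY_POINT_RVA):08X}")
```

For the posted table the entry point resolves to .protect, whose E0000020 characteristics decode to CODE + EXECUTE + READ + WRITE, and its raw file offset is 00040280 (RVA 00042280 minus the section's virtual offset 00042000, plus raw offset 00040000); that is the offset to use in a hex editor rather than the RVA itself.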

hosiminh
December 9th, 2004, 05:45
Well, I guess I wasn't clear enough. Get a copy of Ollydbg (hxxp://home.t-online.de/home/Ollydbg). Run Ollydbg, choose File > Open and choose in file type "Dynamic-link library (*.dll)". Ollydbg will ask you something ...Launch LOADDLL.exe?... Click YES. Now you should be at the PEP (packer entry point). Now begin to trace with F7 and F8. As I remember, neolite always uses the instruction "JMP EAX" before it jumps from packer code to the OEP (original entry point).


Here you will find some tutorials about this packer :
hxxp://tutorials.accessroot.com/
hxxp://unpacking.free.fr/tuts/unpack/neolite/Tutorial-Manual-Unpacking-Neolite2.0.html
hxxp://www.iespana.es/ollydbg/akira.html

master
December 9th, 2004, 12:34
Thnx hosiminh!

I am actually using OLLY the whole time. I tried that procedure you wrote, the OEP is still not found.
The "JMP EAX" was not in the procedure before I got the famous "hasp not found".
I must check the last tut you mentioned, which I had not found earlier.
Maybe the problem is that the progi is with a hasp hardlock, maybe it is packed in some other way too (hasp envelope).
Thanks anyway

master
December 9th, 2004, 13:01
Well, maybe you got some time.

The program is located at:
http://www.woodmann.com/fravia/rce-faq.htm

But don't bother too much. It would be great if you knew where I could start.
I checked every tut on hasp and neolite. Nothing similar found there.

THNX

dELTA
December 9th, 2004, 17:43
Don't post target name/address, read the FAQ!

master
December 10th, 2004, 13:09
sorry dELTA