LordPE problem
nick_name
November 8th, 2005, 09:22
guys, with some armadillo targets (especially with nanomites 'n copymem/debug blocker) i've seen weird LordPE Deluxe B behaviour.
if i select full dump with LordPE, it silently crashes 'n produces an error-prone dump file.
the options that r ticked in my LordPE settings are :
1.section table : autofix SizeOfImage
2.full dump : paste header from disk
3.full dump : fix header
4.full dump : rebuild image
5. delete temp files for pe editor
REBUILDER :
status window
dumpfix
realign file : nice
wipe relocation
rebuild import table
validate PE
are there any rebuilder options which i should not use ??
thank you.
Lord_Looser
November 8th, 2005, 11:25
I'm not sure but I think rebuilder options are only for "rebuild pe" and activated "full dump: rebuild image" option. Perhaps you should first dump file without rebuild option. I've always disabled "Rebuild import table". Therefore I use ImpRec.
But I'm not sure with nanomites...
nick_name
November 8th, 2005, 14:00
Lord_Looser, then do u suggest i should disable the option
full dump : rebuild image
keeping the other options like full dump : fix header
??
Ricardo Narvaja
November 9th, 2005, 03:45
Look at this: before dumping, when you are at the OEP, open another instance of the program but don't RUN it; only go to 400000 and copy the 1000 bytes of the header with BINARY COPY, then paste them into the header of the son stopped at the OEP and look at the differences (they will be in red).
Armadillo makes changes in the header while unpacking to make dumping impossible or hard; next, dump.
Ricardo Narvaja
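The header comparison described in the post above (on-disk header versus the header of the process stopped at the OEP), done field by field, as an added Python example that is not part of the original thread. The function names are hypothetical, the "1000 bytes" are assumed to mean 0x1000, and the sample headers and their altered values are constructed for the demo, not values Armadillo is known to write.

```python
import struct

# PE32 fields as (name, offset from the "PE\0\0" signature, struct format).
FIELDS = [
    ("Signature", 0, "<I"),
    ("NumberOfSections", 6, "<H"),
    ("AddressOfEntryPoint", 40, "<I"),
    ("ImageBase", 52, "<I"),
    ("SizeOfImage", 80, "<I"),
    ("SizeOfHeaders", 84, "<I"),
]

def diff_pe_headers(disk, mem, size=0x1000):
    """Return ({field: (disk_value, memory_value)}, count of differing bytes)."""
    disk, mem = disk[:size], mem[:size]
    if disk[:2] != b"MZ":
        raise ValueError("disk copy has no MZ signature")
    pe = struct.unpack_from("<I", disk, 0x3C)[0]
    if pe + 88 > min(len(disk), len(mem)) or disk[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no usable PE32 header in the compared range")
    changed = {}
    # The disk copy is the reference: the memory copy is read at the disk's
    # offsets, so a tampered e_lfanew or signature shows up as a difference.
    mem_pe = struct.unpack_from("<I", mem, 0x3C)[0]
    if mem_pe != pe:
        changed["e_lfanew"] = (pe, mem_pe)
    for name, off, fmt in FIELDS:
        on_disk = struct.unpack_from(fmt, disk, pe + off)[0]
        in_mem = struct.unpack_from(fmt, mem, pe + off)[0]
        if on_disk != in_mem:
            changed[name] = (on_disk, in_mem)
    return changed, sum(a != b for a, b in zip(disk, mem))

def make_sample_header(sections, size_of_image):
    """Constructed minimal PE32 header for the demo, not a real binary."""
    values = {"Signature": 0x00004550, "NumberOfSections": sections,
              "AddressOfEntryPoint": 0x1000, "ImageBase": 0x400000,
              "SizeOfImage": size_of_image, "SizeOfHeaders": 0x1000}
    h = bytearray(0x1000)
    h[0:2] = b"MZ"
    struct.pack_into("<I", h, 0x3C, 0x80)
    for name, off, fmt in FIELDS:
        struct.pack_into(fmt, h, 0x80 + off, values[name])
    return bytes(h)

if __name__ == "__main__":
    disk, mem = make_sample_header(5, 0x9000), make_sample_header(0xFFFF, 0x100000)
    for field, (d, m) in diff_pe_headers(disk, mem)[0].items():
        print(f"{field}: disk={d:#x} memory={m:#x}")
```

With real data, `disk` is the first 0x1000 bytes of the file and `mem` is the same range saved from the stopped process at its image base.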
nick_name
November 9th, 2005, 07:38
ricnar THANKS for your reply.
well, i have been actually using the technique that you mentioned. 'n afterward ollydump 3.00.110 to dump it
but i was just wondering, is there any bug in LordPE
** somewhere i read, ollydump 3.00.110 is buggy 'n they were suggesting to use 2.xx version, is it true ??
i was using 2.xx 'n recently upgraded to 3.00.110
THANK YOU.
Ricardo Narvaja
November 9th, 2005, 09:15
If you reconstruct the IAT with IMP REC, it is the same whether you use version 3 or 2. Version 2 reconstructs the IAT in some UPX, ASPACK or easy packers; version 3 has a bug in this, but for Armadillo it is the same.
I use OLLYDMP 3 to dump Armadillos without problems.
Ricardo
nick_name
November 9th, 2005, 10:05
THANKS Ricardo