
.net dll packed by Xtreme-Protector v1.05


zhgong007
09-14-2010, 05:47 PM
Can anyone help me to unpack this dll? I'm not sure, but it may be packed by Xtreme-Protector v1.05
http://www.megaupload.com/?d=L90MQE8C

thanks

kao
09-15-2010, 04:29 AM
Your DLL is protected with a very old version of XHEO CodeVeil. They used Xtreme-Protector to pack their loader dll; that's why you got confused.

There are plenty of tutorials on how to unpack XHEO; google for them.

zhgong007
09-15-2010, 04:50 AM
Thanks. I will do some homework based on your information :)

I have read UFO-Pu55y's tutorial about "Unpacking CodeVeil 1.xx",

but there is something I don't understand yet. For instance, in his tutorial:
"The size of the 'rsrc' is 0x2200, but looking in WinHex we see that something like a '.reloc' section begins at 0x000FA200 only. Cut the unnecessary bytes from 0x000F9400 to 0x000FA200...."

I don't understand why we should cut from 0x000F9400 to 0x000FA200. How is the number 0x000F9400 figured out?

The tutorial and the target can be found below:
http://forum.tuts4you.com/showtopic=14073

kao
09-16-2010, 05:32 PM
Raw Address of .rsrc section + Raw Size of .rsrc section = 0xF7200 + 0x2200 = 0xF9400

zhgong007
09-16-2010, 06:12 PM
Thanks again for your quick answer. I am not very clear about the PE structure at all, so I have such a stupid question :)

So, if we got the following dump section:
http://www.image-upload.net/viewer.php?file=38z25ghpf43bvlebjw.jpg
how do we get the AddressOfEntryPoint and Import Directory RVA?

Because it seems to be something different from UFO-Pu55y's tutorial.

kao
09-17-2010, 05:11 AM
Values are different but the method described in the tutorial works. Read carefully, it's all explained there (pages 4 and 5). ;)

For example, search for FF 25. You will find it at offset 0x50FE. Put 50FE in CFF "Address Converter" and you'll get the correct value for AddressOfEntryPoint.

Import Directory requires more work but you'll eventually get it right. :)

zhgong007
09-17-2010, 05:19 AM
Thanks again.
Actually, I have done exactly what you said, but the dump doesn't work yet.
I understand that FF25 means "JMP", but why is this jump after _CorExeMain?

Should it be JMP call <_CorExeMain>,

or is the case here as follows?
call <_CorExeMain>
jmp <Entrypoint>??

And this part I don't understand very well:
http://www.image-upload.net/viewer.php?file=oq2xczu2qw4jn9hq6zm.jpg

"go some bites back again, you will find....".
My question is: go back how many bytes...? Or just the same bytes as in the tutorial?

kao
09-17-2010, 05:50 AM
There are lots of reasons why a dump would not work. I haven't verified that the tutorial you found works on the sample you chose. I can just answer about general principles.

Code at a .NET assembly entrypoint should always be FF 25 XX XX XX XX (jmp dword ptr [_CorExeMain]). When you become more experienced, you'll learn why it is like this, but for now just accept it as a fact.

"go some bytes back again" is a bad phrase; here is a revised version for the tutorial:

Step 1: In 'Address Converter' again search for the string '_CorExeMain'. 2 bytes in front of that string look at the offset.. 0xF116. Convert the offset to RVA, you'll get value 0x10F16.
Step 2: Going a few bytes back you need to find value 0x10F16 (bytes 16 0F 01). They are at offset 0xF108. Convert 0xF108 to RVA, you'll get value 0x10F08.
Step 3: Going a few bytes back you need to find value 0x10F08 (bytes 08 0F 01). They are at offset 0xF0D8, convert that value to RVA and you'll have Import Directory RVA.

In your file the addresses will be different but the principle is the same.

I know it's easier to ask but please try to google for basic stuff first. :)

zhgong007
09-17-2010, 08:29 AM
Master Kao,
Again, thanks for your patience in answering my question, which sounds simple to you but is really hard for me. Now eventually I understand :)

Now I am still bothered by the non-working dump.
I feel that I have completely fixed the dump, but it still doesn't work. Now the import table and .reloc section seem OK,
but when I start the dump, it still gives me an error: "not a valid win32 program". Upsetting!!

Can anyone help me to have a look?

http://www.megaupload.com/?d=D7NCDHFZ

kao
09-17-2010, 11:33 AM
Great work so far! :) You missed one line in tutorial:

Only one value is left to be fixed now.. the SizeOfImage:

Fix that and your EXE file will be successfully unpacked.

zhgong007
09-17-2010, 12:46 PM
Master, you are right.
After I corrected the SizeOfImage, it is working.
I think I did make a change to it before, but I made a stupid wrong calculation of the SizeOfImage: a000+2000 = c000, not e000 :)
Many thanks for guiding me through this small program :)
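As an added worked example (not code from this thread or from UFO-Pu55y's tutorial), the PE arithmetic kao describes above in Python: .rsrc end = Raw Address + Raw Size, the offset-to-RVA conversion that CFF Explorer's 'Address Converter' performs, the three-step walk back from '_CorExeMain' to the Import Directory RVA, and the SizeOfImage sum that tripped up the last post. The section table and byte buffer are constructed: .text is mapped like the tutorial's file (RVA 0x2000 at file offset 0x200, so offset 0xF116 is RVA 0x10F16), while the virtual sizes, the .rsrc RVA and the resulting Import Directory RVA are illustrative values, not taken from either file.

```python
import struct
from typing import NamedTuple

class Section(NamedTuple):
    name: str
    virtual_address: int  # RVA where the section is mapped
    virtual_size: int     # Misc.VirtualSize
    raw_address: int      # PointerToRawData (file offset)
    raw_size: int         # SizeOfRawData

def raw_end(sec):
    """First file offset after a section: Raw Address + Raw Size (kao's formula)."""
    return sec.raw_address + sec.raw_size

def offset_to_rva(sections, offset):
    """What CFF Explorer's 'Address Converter' does for file offset -> RVA."""
    for sec in sections:
        if sec.raw_address <= offset < raw_end(sec):
            return offset - sec.raw_address + sec.virtual_address
    raise ValueError("offset %#x is outside every section" % offset)

def find_import_directory_rva(image, sections):
    """Steps 1-3 from kao's post: follow little-endian RVA pointers backwards."""
    pos = image.index(b"_CorExeMain\0") - 2        # Step 1: the 2-byte hint precedes the name
    for _ in range(2):                               # Step 2: thunk entry, Step 3: descriptor
        rva = offset_to_rva(sections, pos)
        pos = image.rfind(struct.pack("<I", rva), 0, pos)
        if pos < 0:
            raise ValueError("nothing points at RVA %#x" % rva)
    return offset_to_rva(sections, pos)           # descriptor offset -> Import Directory RVA

def size_of_image(sections, section_alignment):
    """SizeOfImage: end of the highest section's virtual range, rounded up to SectionAlignment."""
    last = max(sections, key=lambda s: s.virtual_address)
    end = last.virtual_address + last.virtual_size
    return -(-end // section_alignment) * section_alignment

# Constructed layout: .text mapped like the tutorial's file (RVA 0x2000 at offset 0x200,
# so offset 0xF116 -> RVA 0x10F16); virtual sizes and the .rsrc RVA are invented.
SECTIONS = [Section(".text", 0x2000, 0xF6E00, 0x200, 0xF7000),
            Section(".rsrc", 0xFA000, 0x2200, 0xF7200, 0x2200)]
IMAGE = bytearray(0xF200)                                 # zero-filled stand-in for the dump
IMAGE[0xF118:0xF124] = b"_CorExeMain\0"                   # name; hint word sits at 0xF116
IMAGE[0xF108:0xF10C] = struct.pack("<I", 0x10F16)         # thunk entry -> hint/name (RVA 0x10F16)
IMAGE[0xF0D8:0xF0DC] = struct.pack("<I", 0x10F08)         # OriginalFirstThunk -> thunk table

if __name__ == "__main__":
    print("end of .rsrc: %#x" % raw_end(SECTIONS[1]))                           # 0xf9400
    print("Import Directory RVA: %#x" % find_import_directory_rva(IMAGE, SECTIONS))
    print("SizeOfImage for a000 + 2000: %#x" % size_of_image([Section(".x", 0xA000, 0x2000, 0, 0)], 0x2000))
```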

besoeso
09-28-2010, 04:03 PM
I have unpacked my target successfully too.

besoeso
09-29-2010, 02:46 AM
I manually unpacked the executable.

I am going to fix the dll files now. For now, not working.