Exetools  

  #1  
Old 02-01-2013, 03:30
DMichael
final unpacked size

I have unpacked some file packed with ASPack. Now when I dump it, it takes 120 MB ;o I have seen that the raw size of the data section is huge! The problem is that I cannot cut that section because it is needed, and realign won't work. I need to set the correct raw size... but how can I calculate it?
  #2  
Old 02-01-2013, 04:24
chessgod101
Have you tried lordpe's rebuild function? It may be an easy solution to the problem. If you need to calculate the size of the section manually, simply subtract the section's beginning offset from the last byte in the section +1. If there is a section following this one, you can simply subtract the first section's offset from the following section's offset. LordPe is the best tool to do this. Just open the section editor and use the built-in hex editor to determine what the last byte is. Once you have calculated the size, just use lordpe to change the value.

If you need a video explanation, the following video for protectionPlus unpacking shows you how to calculate raw size manually:
Code:
http://tuts4you.com/download.php?view.2115
  #3  
Old 02-01-2013, 04:35
Nacho_dj
Please could I have a link to download the target (via private message)?
  #4  
Old 02-01-2013, 05:36
deepzero
In very rare cases, ASProtect has an anti-dump which can cause this. Not Aspack, though.
  #5  
Old 02-03-2013, 07:39
DMichael
Does someone know how to deal with that anti-dump?
It's not the first time I have seen that ;o
Attached Files
File Type: rar 120mb.rar (936.9 KB, 6 views)
  #6  
Old 02-03-2013, 08:12
chessgod101
Here is a quick unpack and rebuild of the exe. It seems to work correctly here. I do not have all of the dependencies, so I cannot thoroughly test it though.
Code:
http://rghost.net/43506225
The file was packed with something else prior to the aspack. The mackt section was added when the previous person fixed the IAT after unpacking. Since the new aspack, adata and old mackt sections were no longer needed, I deleted them from the dump and realigned the file with lordpe's rebuilder. Afterwards, I fixed the IAT with scylla 0.8.
Last edited by chessgod101; 02-03-2013 at 08:29.
  #7  
Old 02-03-2013, 09:21
Nacho_dj
Here is my unpacked.

I have just removed ASPack wrapper, you have got the executable previous to the ASPack compression:
HTML Code:
http://www.sendspace.com/file/zr9ura
Note that resources have been rebuilt, now reshacker tool can read them successfully...
  #8  
Old 02-03-2013, 14:04
DMichael
Quote:
Originally Posted by chessgod101 View Post
Here is a quick unpack and rebuild of the exe. It seems to work correctly here. I do not have all of the dependencies, so I cannot thoroughly test it though.
Code:
http://rghost.net/43506225
The file was packed with something else prior to the aspack. The mackt section was added when the previous person fixed the IAT after unpacking. Since the new aspack, adata and old mackt sections were no longer needed, I deleted them from the dump and realigned the file with lordpe's rebuilder. Afterwards, I fixed the IAT with scylla 0.8.
Quote:
Originally Posted by Nacho_dj View Post
Here is my unpacked.

I have just removed ASPack wrapper, you have got the executable previous to the ASPack compression:
HTML Code:
http://www.sendspace.com/file/zr9ura
Note that resources have been rebuilt, now reshacker tool can read them successfully...
But how do you fix the 120mb?
  #9  
Old 02-03-2013, 16:41
Nacho_dj
Most of that huge size is filled with zeroes after dump. So you can decrease raw size in every section to the minimum value multiple of FileAlignment that does not contain exclusively zero bytes...

Of course you have to update also this new raw size in the PE header.
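The manual raw-size calculation from post #2 and the zero-tail trimming from post #9, as an added example that is not part of the original thread or any poster's tool. The function names and the sample dump are constructed for illustration; it assumes sections are stored in table order and the file has no overlay.

```python
import struct

def layout(pe):
    """Return (FileAlignment, SizeOfHeaders, offsets of the section headers)."""
    nt, = struct.unpack_from("<I", pe, 0x3C)               # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, = struct.unpack_from("<H", pe, nt + 6)           # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, nt + 20)      # SizeOfOptionalHeader
    file_align, = struct.unpack_from("<I", pe, nt + 24 + 36)
    hdr_size, = struct.unpack_from("<I", pe, nt + 24 + 60)
    first = nt + 24 + opt_size
    return file_align, hdr_size, [first + 40 * i for i in range(nsec)]

def raw_fields(pe):
    """(SizeOfRawData, PointerToRawData) for every section."""
    return [struct.unpack_from("<II", pe, e + 16) for e in layout(pe)[2]]

def shrink_raw_sizes(pe):
    """Trim each section's zero tail to a FileAlignment multiple; patch headers."""
    file_align, hdr_size, entries = layout(pe)
    out = bytearray(pe[:hdr_size])
    # Assumption: sections are stored in table order and there is no overlay.
    for ent in entries:
        vsize, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, ent + 8)
        body = pe[raw_ptr:raw_ptr + raw_size].rstrip(b"\0")
        new_size = -(-len(body) // file_align) * file_align   # round up
        # VirtualSize 0 makes the loader use SizeOfRawData, so pin it first.
        struct.pack_into("<I", out, ent + 8, vsize or raw_size)
        struct.pack_into("<II", out, ent + 16, new_size, len(out) if new_size else 0)
        out += body.ljust(new_size, b"\0")
    return bytes(out)

def build_sample(file_align=0x200, raw=0x1000):
    """Constructed PE-shaped dump: two sections, each padded with zeros."""
    nt, opt, b = 0x80, 0xE0, bytearray(0x400 + 2 * raw)
    b[0:2], b[nt:nt + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", b, 0x3C, nt)
    struct.pack_into("<H", b, nt + 6, 2)
    struct.pack_into("<H", b, nt + 20, opt)
    struct.pack_into("<I", b, nt + 24 + 36, file_align)
    struct.pack_into("<I", b, nt + 24 + 60, 0x400)
    specs = [(b".text", raw, 0x2A1), (b".data", 0, 0x10)]   # name, VirtualSize, used
    for i, (name, vsize, used) in enumerate(specs):
        ent, ptr = nt + 24 + opt + 40 * i, 0x400 + i * raw
        b[ent:ent + len(name)] = name
        struct.pack_into("<IIII", b, ent + 8, vsize, 0x1000 * (i + 1), raw, ptr)
        b[ptr:ptr + used] = b"\xCC" * used
    return bytes(b)
```

Because every later section moves when an earlier one shrinks, PointerToRawData is rewritten together with SizeOfRawData; patching only the size leaves the header pointing at the wrong file offsets.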
  #10  
Old 02-03-2013, 20:07
DMichael
Quote:
Originally Posted by Nacho_dj View Post
Most of that huge size is filled with zeroes after dump. So you can decrease raw size in every section to the minimum value multiple of FileAlignment that does not contain exclusively zero bytes...

Of course you have to update also this new raw size in the PE header.
Tried that, but my exe got some strange Windows error: cannot write and read from process ;o
  #11  
Old 02-03-2013, 20:28
Nacho_dj
Which 'strange Windows error' are you referring to?
  #12  
Old 02-04-2013, 02:02
chessgod101
Quote:
But how do you fix the 120mb?
The lordpe rebuilder will take care of the large size for you. You do not need to calculate it manually this way.
All times are GMT +8.