#1
Dumped File / DLL Missing
I've dumped a file, compressed with a packer I was not able to determine, but when I run it the system says that it can't find xxxxx.dll.
That DLL is in the exe (exports). How do I fix this? I can't dump the DLLs as I can't find them. Even procdump does not show them. Any help? Thanks. RF1911
#2
I'm not quite clear about the problem. If you get a message about a missing DLL when you run your program, the only reason is a missing DLL. Maybe the DLL isn't in your path, or it isn't in the application path (if one) or directory. The DLL name should be mentioned in the import table, not in the export one.
Hope it helps
#3
Maybe your DLL is embedded in your exe using e.g. PEBUNDLE etc.
I am not sure how to separate it though.
#4
The DLL is unpacked at runtime. The DLL IS in the dumped exe but I still get the error (Windows error right at loading).
Is it an IAT problem?
#5
The DLL missing message is generated when the loader tries to map the DLL inside the virtual address space of the process before the process is started (i.e. compile-time dynamic linking). This means that the loader can't find the DLL. If the DLL is unpacked by the main executable, and the latter unpacks itself too, you should obtain two executables (the main EXE and the DLL) at the end of the unpacking process. If you've dumped the main EXE, I doubt that the DLL is in the dumped file; anyway, the dumped file usually doesn't execute the unpacking code. I guess you should dump the DLL too.
Hope it helps
#6
I've seen this problem before - what you need to do is search through the dumped exe for DLLs with a hex editor, extract them to a new file, fix the PE header of each, and then rename them to the proper name. Once that is done the app will run without any problems. However, you will not be able to disassemble it until you find the original entry point (it will be in a pebundle section at the moment). Shouldn't take you more than 15-20 seconds to find the OEP however with something like Ollydbg. It's kinda obvious.
Best string to search for throughout the exe file would be something common, such as "This program cannot be run in DOS mode", which appears in the header of most exes and DLLs. To fix the PE header of each DLL once extracted, simply assign RO = VO, RS = VS. Then you can view the exports section of the DLL and it'll tell you the name to rename it to. Simple really. If you need any help, just ask.
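Added example, not part of any post in this thread: a Python sketch of the search and header fix described in post #6. It validates each "MZ" hit by following e_lfanew to the "PE" signature (more general than searching for the DOS stub string, which can be absent), and reads RO/VO/RS/VS as raw/virtual offset and size, which is an interpretation of the post's abbreviations. All function names are hypothetical and the sample bytes are constructed.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit that marks a DLL

def parse_pe_at(data, off):
    """Return header facts if a plausible PE image starts at off, else None."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, off + 0x3C)
    nt = off + e_lfanew
    if nt + 24 > len(data) or data[nt:nt + 4] != b"PE\0\0":
        return None  # stray "MZ" bytes, not a real image
    _, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, nt + 4)
    sec_tab = nt + 24 + opt_size
    if not 0 < nsec <= 96 or sec_tab + 40 * nsec > len(data):
        return None
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, roff = struct.unpack_from("<8sIIII", data, sec_tab + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vsize": vsize, "vaddr": vaddr, "rsize": rsize, "roff": roff})
    return {"offset": off, "is_dll": bool(chars & IMAGE_FILE_DLL),
            "sec_tab": sec_tab, "sections": sections}

def find_embedded_pe(data):
    """Offsets and header facts of every validated PE image inside data."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        info = parse_pe_at(data, pos)
        if info:
            hits.append(info)
        pos = data.find(b"MZ", pos + 1)
    return hits

def align_raw_to_virtual(image):
    """Copy of a carved memory-layout image with RS = VS and RO = VO per section."""
    info, out = parse_pe_at(image, 0), bytearray(image)
    for i, s in enumerate(info["sections"]):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each header
        struct.pack_into("<II", out, info["sec_tab"] + 40 * i + 16, s["vsize"], s["vaddr"])
    return bytes(out)

def build_sample():
    """Constructed input: filler, a stray 'MZ', then a minimal one-section DLL header."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, IMAGE_FILE_DLL | 0x2)
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x1234, 0x1000, 0x200, 0x400,
                      0, 0, 0, 0, 0x60000020)
    return b"\xCC" * 0x300 + b"MZ junk" + bytes(9) + dos + b"PE\0\0" + coff + bytes(0xE0) + sec
```

The fix only rewrites section headers; carving the image out of the dump still needs its length (SizeOfImage in the optional header), which this sketch does not read.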
#7
The same happens when I dump HASP envelope.
I have an app that is protected by HASP envelope.
I dump it using cooldump and the LordPE dump engine; after that I repair the imports using imprec. When I launch the exe I get a message that the software requires a DLL. I can't see this DLL as a loaded DLL under procdump or LordPE. Also, I searched for it in the main dumped exe with no success. Any idea? Hints? Regards VirtualM
#8
It could be that the DLL was bound to the original exe before you unpacked it. If you can't find the file it's looking for, the only other thing to do is to unpack it again and, at the place you dump, search the memory for DLLs.