
tester 08-16-2005 05:21

Professional (!!!) Neolite 2.0 unpacking, please help …
 
Hi all,
It's been about 2 weeks that I'm in hell, at the point of disappointment!
I have a DLL file that is packed with Neolite 2.0 (PEiD said). I've read all of the tutorials that exist on the web, and I unpacked all those samples without any problem (easy exe and dll files!), and I think that I know the principles of unpacking 'Neolite'.

My method for unpacking the DLL:

With OllyDbg I found the 'OEP' of the file = 10001A12 => (1A12).
With 'LordPE' I dumped it fully.
With 'ImpREC' I repaired the IAT of the file.
And finally, I manually corrected the OEP of the dump file to the new value (with LordPE).
(I also tried dumping with OllyDump and repairing the IAT with it…)


But in any case, my program (the exe file that uses the unpacked DLL) crashed.
I don't have any experience with IAT structures (my weak point) and I think that is the reason for the crash…

Below, you can see the extracted data… Thanks for any idea, any help… thanks guys…


Data Results :

***************** Before unpacking (Original Packed File):
Basic PE Header Information =================================
Entry Point 000A91A7
ImageBase 10000000
SizeofImage 000B10F4
BaseofCode 000A9000
BaseofData 00001000
[Section Table]============================================
Name Voffset Vsize Roffset Rsize Flags
.text 00001000 0000C000 00000000 0000C000 C0000080
.rdata 0000D000 00004000 00000000 00004000 40000080
.data 00011000 000036C4 00001000 00001000 C0000040
.rsrc 00015000 000904DC 00002000 00004000 40000040
Oreloc 000A6000 00003000 00000000 00003000 42000080
.neolit 000A9000 000071A7 00006000 00002000 E0000020
.reloc 000B1000 000000F4 00008000 00001000 42000040
[Dierctory Table]============================================
RVA Size
ExportTable 000A9172 00000035
ImportTable 000A9000 0000008C
….
IAT 000A908C 00000030
….




***************** After unpacking:

Basic PE Header Information =================================
Entry Point 00001A12 (Manually change)
ImageBase 10000000
SizeofImage 000B3000
BaseofCode 000A9000
BaseofData 00001000
[Section Table]============================================
Name Voffset Vsize Roffset Rsize Flags
.text 00001000 0000C000 00001000 0000C000 C0000080
.rdata 0000D000 00004000 0000D000 00004000 40000080
.data 00011000 000036C4 00011000 000036C4 C0000040
.rsrc 00015000 000904DC 00015000 000904DC C0000040
Oreloc 000A6000 00003000 000A6000 00003000 42000080
.neolit 000A9000 000071A7 000A9000 000071A7 E0000020
.reloc 000B1000 000000F4 000B1000 000000F4 42000040
.makt 000B2000 00001000 000B2000 00001000 E0000060

[Dierctory Table]============================================
RVA Size
ExportTable 000A9172 00000035
ImportTable 000B2000 0000003C
….
IAT 00000000 00000000 (??!!!!!)
…

al-kaiser 08-16-2005 22:43

Try this tut that worked for me on unpacking Neolite apps

hxxp://rapidshare.de/files/4040543/NeoLite_2.0__Unpacking_.rar.html

tester 08-17-2005 14:30

Thank you first, al-kaiser;
but I can't get that file, the server says error:

Fatal error: Maximum execution time of 30 seconds exceeded in /home/admin1/public_html/src1-index.php on line 116
:(

Can you attach the file on the forum for me, please?

wildmans 08-17-2005 16:18

Well, I unpacked Neolite 2 DLLs in the past without much problems. The only thing I did differently was that I manually restored the IAT instead of letting a tool create a new section with the IAT in it.
Not sure if that causes your problems. But for instance peexplorer gives a warning if the IAT is in a separate section AFTER the .rsrc section (with the export table).

tester 08-17-2005 23:27

It's true, wildmans,
you have complete knowledge about the IAT and about what you need to change... but I don't have a good grasp of that!!! I'm really a newbie.

PEexplorer gives NO warning... if I assume that it gives some error, I don't know what I must do.... I think I need to get some references to read about the IAT and PE sections first, but it takes a long time :(

Further help plz



=================== Now:
One of my friends changed the RVA of the ImportTable and now it doesn't crash, but when the exe file starts, an error message says: "Failed to initialize the program", like when I remove that DLL or change its name!!!

suddenLy 08-19-2005 18:58

I'm not sure what the problem is, cos there is not enough info. about ur target.

But did u check the relocation problem?

Usually unpacking of dll has a problem of relocation.

If other dll - which has a same image base address with ur target dll - is loaded before ur target dll, it may cause a problem.

Because image base address of the target dll is changed, and then relocation problem occurred.

So how about trying another image base address in dumping or using Reloxa tool?
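
The rebasing step described in the post above, as an added example that is not part of the original thread: a minimal Python walk of PE base relocation blocks, showing what the loader patches when a DLL cannot load at its preferred base and what stays stale when the relocation data is unusable. Only the image base 10000000 and the RVA 1A12 come from the thread; the relocation block, the slot location and the new base are constructed for illustration.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0  # padding entry, nothing to patch
IMAGE_REL_BASED_HIGHLOW = 3   # 32-bit absolute address that needs the delta

def apply_relocs(image, reloc, preferred_base, actual_base):
    """Walk the IMAGE_BASE_RELOCATION blocks in `reloc` and add the load delta
    to every HIGHLOW slot in `image`. Returns the number of patched slots."""
    delta = (actual_base - preferred_base) & 0xFFFFFFFF
    pos = patched = 0
    while pos + 8 <= len(reloc):
        page_rva, block_size = struct.unpack_from("<II", reloc, pos)
        if block_size < 8 or block_size % 2 or pos + block_size > len(reloc):
            break  # terminator, or a truncated/corrupt block
        entries = reloc[pos + 8:pos + block_size]
        for (entry,) in struct.iter_unpack("<H", entries):
            rtype, offset = entry >> 12, entry & 0x0FFF
            if rtype == IMAGE_REL_BASED_HIGHLOW:
                rva = page_rva + offset
                (value,) = struct.unpack_from("<I", image, rva)
                struct.pack_into("<I", image, rva, (value + delta) & 0xFFFFFFFF)
                patched += 1
            elif rtype != IMAGE_REL_BASED_ABSOLUTE:
                raise ValueError(f"unhandled relocation type {rtype}")
        pos += block_size
    return patched

def demo():
    preferred = 0x10000000   # ImageBase from the posted header
    actual = 0x00B70000      # constructed: base assigned after a collision
    image = bytearray(0x2000)
    # Constructed slot at RVA 0x1010 holding the absolute address of RVA 0x1A12.
    struct.pack_into("<I", image, 0x1010, preferred + 0x1A12)
    # One block for page 0x1000: a HIGHLOW entry at offset 0x010 plus padding.
    reloc = struct.pack("<IIHH", 0x1000, 12, (3 << 12) | 0x010, 0)
    fixed, stale = bytearray(image), bytearray(image)
    count = apply_relocs(fixed, reloc, preferred, actual)
    apply_relocs(stale, b"", preferred, actual)  # relocation data missing
    return (count,
            struct.unpack_from("<I", fixed, 0x1010)[0],
            struct.unpack_from("<I", stale, 0x1010)[0])

if __name__ == "__main__":
    count, fixed, stale = demo()
    print(f"patched={count} with relocs={fixed:#010x} without={stale:#010x}")
```

The slot that was not relocated still points into the 10000000 range, which belongs to whichever module took that base first.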

tester 08-20-2005 20:39

suddenLy thanX,
there are some DLLs that have the same image base addresses, but I think about other things:

I suggested that the "Failed to initialize the program" message may be created by some check routines like 'CRC Checks...' etc. I found that message in the main exe file (this exe file loads the DLLs and the program starts), but I can't trace it to find the check points! (poor knowledge!)

Thanks to all for helping and clarifying for me!

(As soon as possible, I will send a related request on the 'Request section board', if 'Registered User Limitations' let me!!!)


attachment = Main exe file -&- Original Name of target dll=Ararbres.dll

