Exetools - final unpacked size

Exetools (https://forum.exetools.com/index.php)

- General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)

- - final unpacked size (https://forum.exetools.com/showthread.php?t=14784)

DMichael

02-01-2013 03:30

final unpacked size

i have unpacked asome file packed with aspack now when i dump it it take 120mb ;o i seen that the rawsize of data section its huge! the problem that i cannot cut that section cuz it needed and realign wont work i need to set corret raw size ... but how can i calculate?

chessgod101

02-01-2013 04:24

Have you tried lordpe's rebuild function? It may be an easy solution to the problem. If you need to calculate the size of the section manually, simply subtract the section's beginning offset from the last byte in the section +1. If there is a section following this one, you can simply subtract the first section's offset from the from the following section's offset. LordPe is the best tool to do this. Just open the section editor and use the built in hex editor to determine what the last byte is. Once you have calculated the size, just use lordpe to change the value.

If you need a video explanation, the following video for protectionPlus unpacking shows you how to calculate raw size manually:

Code:

http://tuts4you.com/download.php?view.2115

Nacho_dj

02-01-2013 04:35

Please could I have a link to download the target (via private message)?

deepzero

02-01-2013 05:36

In very rare cases, ASProtect has an anti-dump which can cause this. Not Aspack, though.

DMichael

02-03-2013 07:39

1 Attachment(s)

some one know how to deal that anti-dump?
its not first time i see that;o

chessgod101

02-03-2013 08:12

Here is a quick unpack and rebuild of the exe. It seems to work correctly here. I do not have all of the dependencies, so I cannot thoroughly test it though.

Code:

http://rghost.net/43506225

The file was packed with something else prior to the aspack. The mackt section was added when the previous person fixed the IAT after unpacking. Since the new aspack, adata and old mackt sections were no longer needed, I deleted them from the dump and realigned the file with lordpe's rebuilder. Afterwards, I fixed the IAT with scylla 0.8.

Nacho_dj

02-03-2013 09:21

Here is my unpacked.

I have just removed ASPack wrapper, you have got the executable previous to the ASPack compression:

HTML Code:

http://www.sendspace.com/file/zr9ura

Note that resources have been rebuilt, now reshacker tool can read them succesfully...:D

DMichael

02-03-2013 14:04

Quote:

Originally Posted by chessgod101 (Post 82574)

Here is a quick unpack and rebuild of the exe. It seems to work correctly here. I do not have all of the dependencies, so I cannot thoroughly test it though.

Code:

http://rghost.net/43506225

Quote:

Originally Posted by Nacho_dj (Post 82575)

Here is my unpacked.

I have just removed ASPack wrapper, you have got the executable previous to the ASPack compression:

HTML Code:

http://www.sendspace.com/file/zr9ura

Note that resources have been rebuilt, now reshacker tool can read them succesfully...:D

but how you fix the 120mb?

Nacho_dj

02-03-2013 16:41

Most of that huge size is filled with zeroes after dump. So you can decrease raw size in every section to the minimum value multiple of FileAlignment that does not contain exclusively zero bytes...

Of course you have to update also this new raw size in the PE header.

DMichael

02-03-2013 20:07

Quote:

Originally Posted by Nacho_dj (Post 82580)

tryed that but my exe got some strange windows error cannot write and read from process ;o

Nacho_dj

02-03-2013 20:28

Which 'strange Windows error' are you referring to?

chessgod101

02-04-2013 02:02

Quote:

but how you fix the 120mb?

The lordpe rebuilder will take care of the large size for you. You do not need to calculate it manually this way. ;)

All times are GMT +8. The time now is 14:40.