Hi,
I have a packed dll for WinCE and I want to analyse it.
Unfortunately I cannot identify what protector is used.
It seems that the dll unpacks itself in memory at runtime.
There are only 5 functions that do the unpacking/decompressing, so I decided to make a static unpacker for it.
I have a problem analysing 2 short functions, and I don't know how to handle them:
Quote:
int __fastcall nullsub_1(int a1, int a2)
{
    int (__fastcall *v2)(int, int); // r10
    return v2(a1, a2);
}
Quote:
int __fastcall sub_10009F7E(int a1, int a2)
{
    int (__fastcall *v2)(int, int); // r11
    return v2(a1, a2);
}
Both functions are similar, and just call another function from memory with the arguments passed. The problem is that the function pointer is never set, so I don't know which functions will be called. (v2 (r10 and r11) is never assigned in the dll)
Maybe somebody can give me some tips on how to handle these calls?
Regards,
leader