don't have rce login, sorry. thought i'd post something
Quote:
Ok, I have this unpacked dll which won't load at certain image base... meaning :
if i use LordPE to rebuild PE image with option Change ImageBase to 10000000h then LoadLibraryA call to this dll will fail, giving error 2E6 which is ERROR_BAD_PIPE.
if i use LordPE to rebuild PE image but with new ImageBase set to say, 1F700000h then the dll works fine, can be loaded with no problem...
So the question is what the hell is wrong ?
I have checked and it must be that Reloc info are correct or else LordPE won't be able to rebuild it, but it seems Windows is unable to utilise this reloc information and throws up when it can't load the dll at the designated ImageBase?
Anyone got any idea? This is the weirdest thing i have seen whole week
bpm(w) on first reloc address and dump at that point. this will preserve its original structure much like dumping before an iat is resolved. you will then be able to set its imagebase at its native space.
another tip for dumping dll's is to use the ollyloader. it is nice cuz most of the time it will load the dll into its native imagebase making it easier to dump.
you will notice that it will load if you change the imagebase to what you had dumped it to because the reloc addresses have already been fixed to that imagebase and will not work simply by changing the imagebase value in the pe header cuz the values simply don't align.
if this wasn't the problem you were having and i have misunderstood you, then forget what you just read
otherwise, please try the aforementioned advice.
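
An added example, not part of the original post: a check for the mismatch the reply describes, which walks the base relocation directory of a dump and counts how many fixed-up pointers land inside the image for a given ImageBase. It assumes a PE32 memory-layout dump (file offset equals RVA) and only HIGHLOW entries; the sample image, its RVAs and the function names are constructed for illustration.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fixup
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address fixup

def highlow_rvas(image, reloc_rva, reloc_size):
    """Yield the RVA of every HIGHLOW fixup in the base relocation directory."""
    pos, end = reloc_rva, reloc_rva + reloc_size
    while pos + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", image, pos)
        if block_size < 8 or pos + block_size > end:
            break  # malformed or terminating block
        for off in range(pos + 8, pos + block_size, 2):
            (entry,) = struct.unpack_from("<H", image, off)
            if entry >> 12 == IMAGE_REL_BASED_HIGHLOW:
                yield page_rva + (entry & 0x0FFF)
        pos += block_size

def fixups_in_range(image, reloc_rva, reloc_size, base, size_of_image):
    """Return (inside, total): fixed-up pointers that land inside the image at `base`."""
    inside = total = 0
    for rva in highlow_rvas(image, reloc_rva, reloc_size):
        (ptr,) = struct.unpack_from("<I", image, rva)
        total += 1
        inside += base <= ptr < base + size_of_image
    return inside, total

def build_sample(applied_base):
    """Constructed 0x3000-byte memory-layout dump with three fixups already applied."""
    image = bytearray(0x3000)
    sites = {0x1000: 0x1100, 0x1004: 0x1200, 0x1010: 0x2F00}  # fixup RVA -> target RVA
    for site, target in sites.items():
        struct.pack_into("<I", image, site, applied_base + target)
    entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | (s - 0x1000) for s in sites] + [0]
    struct.pack_into("<II4H", image, 0x2000, 0x1000, 8 + 2 * len(entries), *entries)
    return bytes(image)

# Constructed dump whose fixups were applied while loaded at 1F700000h.
SAMPLE = build_sample(0x1F700000)

if __name__ == "__main__":
    for base in (0x10000000, 0x1F700000):
        inside, total = fixups_in_range(SAMPLE, 0x2000, 0x10, base, 0x3000)
        print(f"ImageBase {base:08X}: {inside}/{total} fixups point inside the image")
```

A header ImageBase for which few or none of the fixups point inside the image means the dump was taken after relocations were applied for a different base.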