Thread: Dillo protected DLL
View Single Post
  #26  
Old 09-29-2005, 23:11
5Alive 5Alive is offline
Friend
  
Join Date: Aug 2003
Posts: 82
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 1
Thanks Rcvd at 1 Time in 1 Post
5Alive Reputation: 0
Archer,
Quote:
Originally Posted by Archer
Well, it may be OEP, looks like OEP. (BTW, I wrote to you in PM about 1 month earlier about OEP and import table. I don't remember exact addresses now.)
Yes, I've still got your PM, I found a later version of the DLL which I can load into olly directly without error. So the OEP and such has changed. I'm pretty sure this is the right OEP, it agrees with Lunars DLL stripper anyway.

Quote:
Originally Posted by Archer
As I remember there is only 1 jump that should be patched to get clear import table, but I'm not sure, it was too long ago.
Quote:
Originally Posted by Archer
As I remember there is only 1 jump that should be patched to get clear import table, but I'm not sure, it was too long ago.
I think the later DLL uses the same version of Arma (3.75), the tut describes a patch for the magic jump and one for GetTickCount. The GetTickCount patch must only apply to Arma 4.x. (Anyone confirm this?)


Quote:
Originally Posted by Archer
Well, good import entry usually looks like xx xx xx 77 or xx xx xx 7c, others are usually bad (invalid or edited by Arma).
That's the sort of form I had reasoned on, I just need someone skilled in the art of unpacking to confirm this. Thanks for that.

Quote:
Originally Posted by Archer
To find the beginning I usually look for zero entries (00 00 00 00) or many invalid entries. Anyway, when entering addresses in ImpRec it's not essential to enter precise address of beginning, you can substract for example 100 to be sure, that beginning is in the interval.
Okay, cool.

UPDATE: I think I am but one step away from getting this dumped now.
After patching the addresses:
$0173 5093 JNZ (RVA $9AF6D) <-- Magic jump (changed to NOP)
$0173 5214 JBE (RVA $9ADEC> <--Anti-dump (changed to JMP)

I think the DLL is ready to be dumped. I set a BP on the OEP and press Shift+F9, you can see the correct IAT table being wrtten in memory, the trouble is Olly says that the "debugged program was unamble to process exception". So I cannot attach to the DLL process with LordPE or ImpRec.

I made making a binary copy of the IAT and pasting it into a reloaded DLL and attached to with LordPE, dumped it. Then tried to fixed the IAT with ImpRec. The unpacked DLL still fails to load.

Please help! See my post in the request section of the forum for a link to this file.

Thankyou.
Attached Images
File Type: jpg IAT.jpg (88.2 KB, 12 views)
Last edited by 5Alive; 10-03-2005 at 19:04.
Reply With Quote