08-16-2005, 05:21
tester
Professional (!!!) Neolite 2.0 unpacking, please help ...

Hi all,
It's been about 2 weeks that I've been in hell, at the point of disappointment!
I have a DLL file that is packed with Neolite 2.0 (PEiD said). I've read all of the tutorials that exist on the web, and I unpacked all those samples without any problem (easy exe and dll files!), and I think that I know the principles of unpacking "Neolite".

My method for unpacking the DLL:

With OllyDbg I found the "OEP" of the file = 10001A12 => (1A12).
With "LordPE" I dumped it fully.
With "ImpREC" I repaired the IAT of the file.
And finally, I manually corrected the OEP of the dump file to the new value (with LordPE).
(I also tried dumping with OllyDump and repairing the IAT with it...)


But in any case, my program (the exe file that uses the unpacked DLL) crashed...
I don't have any experience with IAT structures (my weak point) and I think that is the reason for the crash...

Below, you can see the extracted data... Thanks for any idea, any help... thanks guys...


Data Results :

***************** Before unpacking (Original Packed File):
Basic PE Header Information =================================
Entry Point 000A91A7
ImageBase 10000000
SizeofImage 000B10F4
BaseofCode 000A9000
BaseofData 00001000
[Section Table]============================================
Name Voffset Vsize Roffset Rsize Flags
.text 00001000 0000C000 00000000 0000C000 C0000080
.rdata 0000D000 00004000 00000000 00004000 40000080
.data 00011000 000036C4 00001000 00001000 C0000040
.rsrc 00015000 000904DC 00002000 00004000 40000040
Oreloc 000A6000 00003000 00000000 00003000 42000080
.neolit 000A9000 000071A7 00006000 00002000 E0000020
.reloc 000B1000 000000F4 00008000 00001000 42000040
[Directory Table]============================================
RVA Size
ExportTable 000A9172 00000035
ImportTable 000A9000 0000008C
....
IAT 000A908C 00000030
....




***************** After unpacking:

Basic PE Header Information =================================
Entry Point 00001A12 (Manually change)
ImageBase 10000000
SizeofImage 000B3000
BaseofCode 000A9000
BaseofData 00001000
[Section Table]============================================
Name Voffset Vsize Roffset Rsize Flags
.text 00001000 0000C000 00001000 0000C000 C0000080
.rdata 0000D000 00004000 0000D000 00004000 40000080
.data 00011000 000036C4 00011000 000036C4 C0000040
.rsrc 00015000 000904DC 00015000 000904DC C0000040
Oreloc 000A6000 00003000 000A6000 00003000 42000080
.neolit 000A9000 000071A7 000A9000 000071A7 E0000020
.reloc 000B1000 000000F4 000B1000 000000F4 42000040
.makt 000B2000 00001000 000B2000 00001000 E0000060

[Directory Table]============================================
RVA Size
ExportTable 000A9172 00000035
ImportTable 000B2000 0000003C
....
IAT 00000000 00000000 (??!!!!!)
...
Attached Files
File Type: rar arb_.rar (140.1 KB, 12 views)

Last edited by tester; 08-18-2005 at 02:05.
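
As an added example (not part of the original post and not output of any tool named in it), the Python script below parses a header listing in the layout posted above and reports which section the entry point and each data-directory RVA fall into. The names `LISTING`, `parse` and `locate` are made up for this example; the sample values are the post's "After unpacking" figures with the elided rows and the poster's annotations left out.

```python
import re

# "After unpacking" values copied from the post (elided rows left out).
LISTING = """\
Entry Point 00001A12
[Section Table]
.text 00001000 0000C000 00001000 0000C000 C0000080
.rdata 0000D000 00004000 0000D000 00004000 40000080
.data 00011000 000036C4 00011000 000036C4 C0000040
.rsrc 00015000 000904DC 00015000 000904DC C0000040
Oreloc 000A6000 00003000 000A6000 00003000 42000080
.neolit 000A9000 000071A7 000A9000 000071A7 E0000020
.reloc 000B1000 000000F4 000B1000 000000F4 42000040
.makt 000B2000 00001000 000B2000 00001000 E0000060
[Directory Table]
ExportTable 000A9172 00000035
ImportTable 000B2000 0000003C
IAT 00000000 00000000
"""

# A row is a name followed by one or more 8-digit hex fields.
ROW = re.compile(r"(.+?)((?:\s+[0-9A-Fa-f]{8})+)\s*$")

def parse(listing):
    """Split the listing into sections (name, VOffset, VSize) and named RVAs."""
    sections, rvas = [], {}
    for line in listing.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # headings and elided rows
        nums = [int(x, 16) for x in m.group(2).split()]
        if len(nums) == 5:    # Name VOffset VSize ROffset RSize Flags
            sections.append((m.group(1), nums[0], nums[1]))
        elif len(nums) <= 2:  # "Entry Point <rva>" or "<directory> <rva> <size>"
            rvas[m.group(1)] = nums[0]
    return sections, rvas

def locate(listing):
    """Map the entry point and each directory RVA to the section holding it."""
    sections, rvas = parse(listing)
    result = {}
    for name, rva in rvas.items():
        hits = [s for s, va, size in sections if va <= rva < va + size]
        result[name] = "empty" if rva == 0 else (hits[0] if hits else "unmapped")
    return result

if __name__ == "__main__":
    for name, where in locate(LISTING).items():
        print(f"{name:12} -> {where}")
```

On the posted values it places the entry point in .text, the export directory in .neolit and the import directory in .makt, and reports the zeroed IAT entry as empty.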
All times are GMT +8.