|
|
#1
01-08-2004, 20:29
|
|||
|
|||
|
Manual Unpacking problem
In OllyDbg I've tried manually unpacking a program, but when I dump the process (using Ollydump plugin, I leave all the settings to default), then try and load the unpacked program I get this message:
"The entry point could not be located in the dynamic link library Shell32.dll" I'm unsure of what to do, any help is appreciated. Last edited by Nilrem; 01-09-2004 at 00:14. 
|
|
#2
01-08-2004, 23:27
|
|||
|
|||
|
Hi Nilrem / merliN
What's the program name/ link? What is the program packed with? Best Wishes R@der
|
|
#3
01-09-2004, 00:06
|
|||
|
|||
|
Can we talk more privately please R@dier?
For now I'll PM you the info. My contact info is: merlin!accessroot.com - email jammysa@hotmail!com - msn messenger 46313648 - icq Last edited by Nilrem; 01-09-2004 at 00:17.
|
|
#4
01-09-2004, 02:15
|
|||
|
|||
|
Re: Manual Unpacking problem
Quote:
Your import table isn't correct. When you use the default options of ollydump it also tries to recreate the import table. It's more safely tou recreate the import table manualy or to use imprec/revirgin regards lownoise
|
|
#5
01-09-2004, 07:33
|
|||
|
|||
|
Still no go, argh!
|
|
#6
01-09-2004, 07:59
|
|||
|
|||
|
Hi Nilrem,
as per PM here is the iat just use Imprec to fix
|
|
#7
01-09-2004, 18:37
|
|||
|
|||
|
Thanks to you two, I was unpacking it correctly, but was not importing it correctly, thanks a lot.
|
|
#8
01-10-2004, 00:25
|
|||
|
|||
|
I click fixdump, then the file opened in Ollydbg, and I get the error message (from Imprec):
"Invalid dump file! Can't match RVA to Offset int he dump file" In Imprec I also have the values that R@dier said to have: "OEP: 00063274 IATRVA: 00067150 IATSize: 000006B8" I didn't type them in either (well only the OEP then clicked IAT AutoSearch). Last edited by Nilrem; 01-10-2004 at 00:27.
|
|
#9
01-10-2004, 00:29
|
||||
|
||||
|
you should perhaps fix the dump and not the original (in olly opened) file
|
|
#10
01-10-2004, 00:37
|
|||
|
|||
|
here is a quick run down
load into olly 004A4230 > $ 60 PUSHAD <----- starting point 004A4231 . BE 00F04600 MOV ESI,wwDisp.0046F000 004A4236 . 8DBE 0020F9FF LEA EDI,DWORD PTR DS:[ESI+FFF92000] 004A423C . 57 PUSH EDI Scroll down till 004A4395 > FF96 B85E0A00 CALL DWORD PTR DS:[ESI+A5EB8] 004A439B > 61 POPAD 004A439C .-E9 D3EEFBFF JMP wwDisp.00463274 <----jmp to OEP Set Break point here F7 to OEP 00463274 55 PUSH EBP <-----OEP 00463275 8BEC MOV EBP,ESP 00463277 33C9 XOR ECX,ECX olly dump prog and turn off rebuild imports dump as unpacked.exe do not shut down olly yet we are now going to get the imports Start ImpRec Select process changes oep: 00063274 click get imports and check for invalid click fix dump ans select unpacked.exe shut down olly done all works great now I hope this helps Last edited by R@dier; 01-10-2004 at 00:40.
|
|
#11
01-10-2004, 00:42
|
|||
|
|||
|
Run the new file which will be saved as
unpacked_.exe Best Wishes R@dier
|
|
#12
01-10-2004, 00:55
|
|||
|
|||
|
Ahh can't believe that my problem was because I was fixing the original not the dump! UGH! Feel so stupid such a silly little mistake.
|
|
#13
01-10-2004, 01:14
|
|||
|
|||
|
Reload the program in Olly please R@dier (the one you unpacked) do you get a error message saying:
"Module 'exenamehere' has entry point outside the code..." etc, then when you click ok it tells you it may still be packed, I mean everything looks fine and everything, just curious.
|
|
#14
01-10-2004, 07:23
|
|||
|
|||
|
You need to fix the base of code so that the base of code falls in the section where the OEP is. After that you wont get a warning anymore. Use LordPE or something similiar for this.
Example: ImageBase: 0x00400000 OEP:0x0000137c BaseOfCode:0x00001000 The warning is nothing special or important. Just a notice. The file is unpacked correctly.
|
|
#15
01-10-2004, 08:19
|
|||
|
|||
|
@ Nilrem
No Error warnings here  R@dier
|
 |
|
|
Linear Mode
