Exetools  

  #1  
Old 08-30-2005, 14:59
wildmans
 
Posts: n/a
Difference dumping @ OEP or runtime ?

I am wondering... Why is it essential to dump a compressed DLL while locking it (e.g. jmp eip) at the OEP? I mean, why not just let it finish loading and dump it while it is active in memory? Does it get recompressed after finishing the init code or something?

Just wondering... I dumped a (compressed) DLL while locking it at the OEP, and I dumped the same DLL while it was loaded by the host app. I saw no major differences...
  #2  
Old 08-30-2005, 15:19
Archer
retired
 
Join Date: Aug 2005
Posts: 239
The rule of dumping at OEP relates not only to DLLs, but to EXEs too. It helps to avoid difficulties. For example: a DLL, when it runs, decrypts itself using XOR. You dump it after part of it was decrypted. When you run the dump, it tries to decrypt again (but part of it is already decrypted), and you get junk instead of decrypted code. It's just an example; there are other possible problems, like getting initial values from the data section and then overwriting them. To avoid such things it's better to dump at OEP. Sometimes a dump works OK if you dump later, but sometimes it crashes.
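An added toy model of the failure Archer describes, written for this thread and not taken from any real packer or binary: the module's own startup code XOR-decrypts a code region in place and bumps a counter that starts from a value stored in the data section. A dump taken at OEP (before that code runs) loads and runs correctly; a dump taken after it has run gets decrypted a second time and comes back as ciphertext, and the counter starts from the wrong initial value. The image layout, key and offsets are all made up for the example.

```python
"""Model of a module whose own init code XOR-decrypts part of itself in place.
Constructed toy, not a real binary or packer."""

KEY = 0x5A
CODE_START, CODE_END = 0x10, 0x20           # region the init code decrypts (constructed)
COUNTER = 0x30                              # data-section cell the init code overwrites
PLAIN_CODE = bytes(range(0xB0, 0xC0))       # stand-in for the real (decrypted) code bytes

def make_module() -> bytearray:
    """Image as it sits at OEP: code region still encrypted, counter at its initial 0."""
    img = bytearray(0x40)
    img[CODE_START:CODE_END] = bytes(b ^ KEY for b in PLAIN_CODE)
    img[COUNTER] = 0
    return img

def run_init(img: bytearray) -> None:
    """What the module's own startup code does on every load: XOR the code region
    with a fixed key and increment a counter read from the data section."""
    for i in range(CODE_START, CODE_END):
        img[i] ^= KEY
    img[COUNTER] = (img[COUNTER] + 1) & 0xFF

def dump(img: bytearray) -> bytes:
    """Snapshot of the in-memory image, i.e. what a dumper writes to disk."""
    return bytes(img)

def load_and_run(dumped: bytes) -> bytearray:
    """Loading the dumped file means its init code runs again from the top."""
    img = bytearray(dumped)
    run_init(img)
    return img

def compare_dumps() -> dict:
    # Dump 1: taken at OEP, before the module's init code has touched anything.
    module = make_module()
    at_oep = dump(module)
    # Dump 2: taken later, after init has already decrypted the code once.
    run_init(module)
    at_runtime = dump(module)

    from_oep = load_and_run(at_oep)
    from_runtime = load_and_run(at_runtime)
    return {
        "oep_dump_code_ok": bytes(from_oep[CODE_START:CODE_END]) == PLAIN_CODE,
        "runtime_dump_code_ok": bytes(from_runtime[CODE_START:CODE_END]) == PLAIN_CODE,
        "oep_dump_counter": from_oep[COUNTER],
        "runtime_dump_counter": from_runtime[COUNTER],
    }

if __name__ == "__main__":
    for name, value in compare_dumps().items():
        print(f"{name}: {value}")
```

Because XOR with a fixed key is its own inverse, the second decryption of the runtime dump lands exactly back on the stored ciphertext, which is the "junk instead of decrypted code" outcome; the counter shows the second problem, a data-section initial value that was already overwritten when the dump was taken.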
  #3  
Old 08-30-2005, 15:44
wildmans
 
Posts: n/a
Yeah, I get the general idea, thanks.
  #4  
Old 08-30-2005, 16:58
OrionOnion
 
Posts: n/a
Hmm...

I thought your DLL has a relocation table.
Most DLLs have a relocation table, in case another module is already loaded at the same image base.

For dumping, you can choose from several methods.
I usually change the PE characteristics.
If you set the DLL characteristic bit to OFF (0),
you can load the DLL directly at 0x10000000 in Olly or another debugger.

That is for a non-relocated DLL.

If the DLL needs relocation, you must set a memory breakpoint at the instruction that gets relocated.

e.g.
When ORG is 0x10000000:
10001000 : 8D05 45230010 : LEA EAX,[0x10002345] <-- instruction that will be relocated.

If relocated to ORG 0x12000000:
12001000 : 8D05 45230012 : LEA EAX,[0x12002345] <-- changed.

After the code is decrypted, set a memory breakpoint at 10001002 or 12001002.
You can find where it was relocated and the information for the relocation.
If you capture the relocation info, you can recover the relocation table.
  #5  
Old 08-30-2005, 20:51
wildmans
 
Posts: n/a
Thanks for the additional info, OrionOnion.

The DLL I'm currently unpacking has more than 20000 relocations (done by the packer maybe?), so I used Relox to search for those changes and recreate a relocation table.
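An added example, written for this thread and not part of it or of Relox, of the approach OrionOnion describes and wildmans applied: take two dumps of the same module loaded at two different bases, find every 32-bit slot whose value changed by exactly the base delta (the imm32 of the post's `LEA EAX,[0x10002345]`, for instance), and encode those slots as IMAGE_BASE_RELOCATION blocks so the dump gets a usable `.reloc` table again. The bases 0x10000000 and 0x12000000 are the post's; the image size, the data-section pointer at RVA 0x1800, the constant at 0x1900 and the second dump itself are constructed, since there is no real module to load here.

```python
"""Recover a PE base-relocation (.reloc) table by diffing two dumps of the
same module taken at two different load addresses.  Constructed example."""
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fixup
IMAGE_REL_BASED_HIGHLOW = 3    # full 32-bit address fixup

BASE_A, BASE_B = 0x10000000, 0x12000000   # the post's two load addresses
IMAGE_SIZE = 0x3000                        # constructed

def make_sample_image() -> bytes:
    """Constructed image as loaded at BASE_A, holding the post's LEA example."""
    img = bytearray(IMAGE_SIZE)
    # RVA 0x1000: 8D 05 45 23 00 10 = LEA EAX,[0x10002345]; the imm32 at 0x1002 is the slot
    img[0x1000:0x1006] = b"\x8D\x05" + struct.pack("<I", 0x10002345)
    # RVA 0x1800: a data-section pointer to the code at RVA 0x1000 (also needs fixing up)
    struct.pack_into("<I", img, 0x1800, BASE_A + 0x1000)
    # RVA 0x1900: a plain constant that is not a pointer and must not be reported
    struct.pack_into("<I", img, 0x1900, 0x00010000)
    return bytes(img)

def apply_relocations(image: bytes, rvas, base_from: int, base_to: int) -> bytes:
    """Add (base_to - base_from) to every listed 32-bit slot, as the loader does."""
    out = bytearray(image)
    delta = (base_to - base_from) & 0xFFFFFFFF
    for rva in rvas:
        val = struct.unpack_from("<I", out, rva)[0]
        struct.pack_into("<I", out, rva, (val + delta) & 0xFFFFFFFF)
    return bytes(out)

def find_relocations(dump_a: bytes, base_a: int, dump_b: bytes, base_b: int) -> list:
    """RVAs of 32-bit slots that differ between the dumps by exactly the base delta
    and, in dump_a, point inside the image.  Everything else is left alone."""
    if len(dump_a) != len(dump_b):
        raise ValueError("dumps must cover the same image size")
    if base_a == base_b:
        raise ValueError("dumps must come from different load addresses")
    delta = (base_b - base_a) & 0xFFFFFFFF
    rvas, rva = [], 0
    while rva <= len(dump_a) - 4:
        va_a = struct.unpack_from("<I", dump_a, rva)[0]
        va_b = struct.unpack_from("<I", dump_b, rva)[0]
        if (va_b - va_a) & 0xFFFFFFFF == delta and base_a <= va_a < base_a + len(dump_a):
            rvas.append(rva)
            rva += 4          # slots do not overlap: skip the whole fixed-up DWORD
        else:
            rva += 1
    return rvas

def build_reloc_section(rvas) -> bytes:
    """Encode RVAs as IMAGE_BASE_RELOCATION blocks: one block per 4 KiB page,
    each entry = (type << 12) | offset-in-page, padded to a DWORD boundary."""
    pages = {}
    for rva in rvas:
        pages.setdefault(rva & ~0xFFF, []).append(rva & 0xFFF)
    out = bytearray()
    for page in sorted(pages):
        entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | off for off in sorted(pages[page])]
        if len(entries) % 2:
            entries.append(IMAGE_REL_BASED_ABSOLUTE << 12)
        out += struct.pack("<II", page, 8 + 2 * len(entries))
        out += struct.pack("<%dH" % len(entries), *entries)
    return bytes(out)

def parse_reloc_section(data: bytes) -> list:
    """Inverse of build_reloc_section; returns the HIGHLOW slot RVAs."""
    rvas, pos = [], 0
    while pos + 8 <= len(data):
        page, block_size = struct.unpack_from("<II", data, pos)
        if block_size < 8 or pos + block_size > len(data):
            raise ValueError("malformed relocation block at offset %d" % pos)
        count = (block_size - 8) // 2
        for entry in struct.unpack_from("<%dH" % count, data, pos + 8):
            typ, off = entry >> 12, entry & 0xFFF
            if typ == IMAGE_REL_BASED_HIGHLOW:
                rvas.append(page + off)
            elif typ != IMAGE_REL_BASED_ABSOLUTE:
                raise ValueError("unsupported relocation type %d" % typ)
        pos += block_size
    return rvas

def demo():
    dump_a = make_sample_image()
    # Stand-in for the second dump: the same module after the loader moved it to BASE_B.
    dump_b = apply_relocations(dump_a, [0x1002, 0x1800], BASE_A, BASE_B)
    rvas = find_relocations(dump_a, BASE_A, dump_b, BASE_B)
    reloc = build_reloc_section(rvas)
    return dump_a, dump_b, rvas, reloc

if __name__ == "__main__":
    _, _, rvas, reloc = demo()
    print("slots:", [hex(r) for r in rvas])
    print(".reloc:", reloc.hex())
```

The in-image check on the original value is what keeps ordinary data from being reported: a DWORD only counts as a pointer if it changed by the delta and already pointed somewhere inside the module. With a delta as large as 0x02000000 false positives are unlikely, but a rebuilt table should still be spot-checked in the debugger the way the post describes, with a breakpoint on one of the recovered slots.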