#1
|
|||
|
|||
Unpack OneWay.dll problem,Import REConstructor v1.6 Final fails.
I unpacked OneWay.dll.(www.atma-software.com/1way)
This is the OEP I thought . Code:
003D8458 55 push ebp 003D8459 8BEC mov ebp,esp 003D845B 83C4 C4 add esp,-3C 003D845E B8 58833D0>mov eax,OneWay.003D8358 003D8463 E8 BCDCFDF>call OneWay.003B6124 003D8468 33C0 xor eax,eax But When I choose OneWay.dll. The Imagebase in the Log window is 00400000. So I couldnot fix the unpacked dll. see the attachment for two pictures discribe the problem I met. What's the problem? Import REConstructor bug? Are there any alternative tools to fix the import table? Confused. Any comment is appreciated. Thx! ------ Is this the same question of my previous thread? http://forum.exetools.com/showthread.php?t=8612 Maybe this dll first packed with asprotect,then PEcompact. Regards Last edited by winndy; 01-06-2006 at 23:55. |
#2
|
|||
|
|||
You probably need to change ImageBase in PE header of dumped dll to 003B0000
|
#3
|
|||
|
|||
hey
in your options.. make sure this is unticked " use PE Header from disk" otherwise then yes you pick up the 004xxxxx instead of 35xxxxxxx .. i just tried it.. and it picks up base... |
#4
|
|||
|
|||
Quote:
I always learn so much from ARteam.You did very well. -------------------------- Quote:
There is a crash when I fixed the Import table. But I found the cause:the imagebase of the dumped dll is still 00400000. I should be 003B0000. I corrected it with lordPE.It works. If you donnot want to do so. When you dump the dll,You could tick the "Full dump:Rebuild Imagebase" and make sure tick "change Imagebase to" and set it to 003B0000. That's it. Thanks again. Regards |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
MackT's Import Reconstructor 1.4.2 | JackD | General Discussion | 1 | 08-10-2002 04:37 |