#1
Difference dumping @ OEP or runtime?
I am wondering... Why is it essential to dump a compressed DLL while locking it (e.g. jmp eip) at the OEP? I mean, why not just let it finish loading and dump it while it is active in memory? Does it get recompressed after finishing the init code or something?
Just wondering... I dumped a (compressed) DLL while locking it at the OEP, and I dumped the same DLL while it was loaded by the host app. I saw no major differences...
#2
The rule of dumping at the OEP applies not only to DLLs but to EXEs too. It helps you avoid difficulties. For example: a DLL, when it runs, decrypts itself using XOR. You dump it after part of it has been decrypted. When you run the dump, it tries to decrypt again (but part of it is already decrypted), and you get junk instead of decrypted code. That is just an example; there are other possible problems, like reading initial values from the data section and then overwriting them. To avoid such things it is better to dump at the OEP. Sometimes the dump works OK if you dump later, but sometimes it crashes.
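A toy model of the two failure modes described in this reply, as an added example (not code from the thread and not any real packer): a packer stub that XOR-decrypts .text from byte 0 every time it runs and wipes its key from .data, plus a one-shot initialiser in the real code that records a heap pointer in .data. The code bytes, the key and the heap addresses are constructed. Three dumps are compared: one taken at the OEP with the entry point pointed at the OEP, one taken halfway through decryption, and one taken after the DLL has finished initialising inside the host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CODE_LEN 8
#define SEED     0x5A   /* constructed one-byte key */

/* Constructed sample of the code the packer protects: MOV EAX,1 ; RET ; INT3 padding. */
static const uint8_t ORIGINAL[CODE_LEN] = { 0xB8,0x01,0x00,0x00,0x00,0xC3,0xCC,0xCC };

struct image {
    uint8_t   code[CODE_LEN];  /* .text: shipped XOR-encrypted by the packer          */
    uint8_t   seed;            /* .data: key material, wiped by the stub once used    */
    uintptr_t table;           /* .data: 0 on disk, a heap pointer after the DLL inits */
    int       entry_is_stub;   /* EP points at the packer stub (1) or at the OEP (0)  */
};

/* The packed file as the loader maps it into a fresh process. */
static void load_packed(struct image *im)
{
    for (size_t i = 0; i < CODE_LEN; i++)
        im->code[i] = ORIGINAL[i] ^ (uint8_t)(SEED + i);
    im->seed = SEED;
    im->table = 0;
    im->entry_is_stub = 1;
}

/* Packer stub: XOR .text in place starting from byte 0 every time it runs (the
   loop counter lives in a register, not in .data), then wipe the key.
   'stop_at' simulates a breakpoint: returns 0 if we stopped before the OEP. */
static int run_stub(struct image *im, size_t stop_at)
{
    for (size_t i = 0; i < CODE_LEN; i++) {
        if (i == stop_at) return 0;
        im->code[i] ^= (uint8_t)(im->seed + i);
    }
    im->seed = 0;                       /* initial value in .data overwritten */
    return 1;                           /* control reaches the OEP */
}

/* The DLL's own init at the OEP: a one-shot allocation recorded in .data.
   'heap' is where this process's heap happens to be. Returns 1 only if the
   code at the OEP is intact and the recorded pointer is valid in this process. */
static int run_from_oep(struct image *im, uintptr_t heap)
{
    if (memcmp(im->code, ORIGINAL, CODE_LEN) != 0) return 0;  /* junk at the OEP */
    if (im->table == 0) im->table = heap;                      /* first run: allocate */
    return im->table == heap;                                  /* stale pointer = crash */
}

/* Start a new process from a dumped image: the stub runs first if the EP was left on it. */
static int run_dump(struct image dump, uintptr_t heap)
{
    if (dump.entry_is_stub && !run_stub(&dump, CODE_LEN)) return 0;
    return run_from_oep(&dump, heap);
}

/* Case 1: break at the OEP (jmp eip), dump, set the dump's EP to the OEP. */
int dump_at_oep(void)
{
    struct image im; load_packed(&im);
    run_stub(&im, CODE_LEN);            /* decryption finished, DLL init not yet run */
    struct image dump = im;
    dump.entry_is_stub = 0;
    return run_dump(dump, 0x00400000);  /* hypothetical heap address */
}

/* Case 2: dump while the stub is halfway through (the XOR example in the reply). */
int dump_mid_decrypt(void)
{
    struct image im; load_packed(&im);
    run_stub(&im, CODE_LEN / 2);        /* stopped after 4 bytes; EP still on the stub */
    struct image dump = im;
    return run_dump(dump, 0x00400000);  /* stub re-XORs the first half: junk */
}

/* Case 3: dump after the DLL is fully initialised in the host (the "runtime" dump). */
int dump_at_runtime(void)
{
    struct image im; load_packed(&im);
    run_stub(&im, CODE_LEN);
    run_from_oep(&im, 0x00400000);      /* host process: .data now holds its heap address */
    struct image dump = im;
    dump.entry_is_stub = 0;
    return run_dump(dump, 0x00A00000);  /* new process, different heap: stale pointer */
}

/* Why the OEP dump and the runtime dump "look the same": .text is identical, only .data differs. */
int text_sections_match(void)
{
    struct image a, b; load_packed(&a); run_stub(&a, CODE_LEN);
    b = a; run_from_oep(&b, 0x00400000);
    return memcmp(a.code, b.code, CODE_LEN) == 0 && a.table != b.table;
}

int main(void)
{
    printf("dump at OEP      : %s\n", dump_at_oep()      ? "runs" : "breaks");
    printf("dump mid-decrypt : %s\n", dump_mid_decrypt() ? "runs" : "breaks");
    printf("dump at runtime  : %s\n", dump_at_runtime()  ? "runs" : "breaks");
    printf("text identical   : %s\n", text_sections_match() ? "yes" : "no");
    return 0;
}
```

text_sections_match() is the situation from post #1: a byte compare of the code section shows nothing, because the damage in a runtime dump sits in .data (a pointer, a wiped key, a flag) and only shows up when the dump is started in a fresh process.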
#3
Yeah, I get the general idea, thanks.
#4
Hmm...
I thought your DLL has a relocation table. Most DLLs have a relocation table to avoid being loaded at the same image base. For dumping, you can choose from a few methods. I usually change the PE characteristics: if you set the DLL characteristic bit to OFF (0), you can load the DLL directly at 0x10000000 in Olly or another debugger. That is for a non-relocated DLL. If the DLL needs relocation, you must set a memory breakpoint on the relocated instruction. E.g. with ORG 0x10000000:

10001000 : 8D05 45230010 : LEA EAX,[0x10002345] <-- instruction that will be relocated

If relocated to ORG 0x12000000:

12001000 : 8D05 45230012 : LEA EAX,[0x12002345] <-- changed

After the code is decrypted, set a memory breakpoint at 10001002 or 12001002. You can find where it was relocated and the information for the relocation. If you catch the relocation info, you can recover the relocation table.
#5
Thanks for the additional info, Oriononion.
The DLL I'm currently unpacking has more than 20000 relocations (done by the packer, maybe?), so I used Relox to search for those changes and recreate a relocation table.
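Recovering a relocation table from two dumps, as an added example that is not code from the thread and not Relox's code: it takes the LEA instruction quoted in #4 plus a few constructed instructions, and assumes a hypothetical image of size 0x4000 with the dumped region at RVA 0x1000, dumped once at base 0x10000000 and once at 0x12000000 (getting the two dumps is up to the debugger session). The scan used here marks a dword as relocated when the two dumps differ by exactly the base delta and the value in the low-base dump points inside the image, which is the "search for those changes" step from #5; the hits are then serialised as IMAGE_BASE_RELOCATION blocks (type 3, HIGHLOW) in the layout a .reloc section uses.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_REL_BASED_ABSOLUTE 0   /* padding entry, ignored by the loader */
#define IMAGE_REL_BASED_HIGHLOW  3   /* 32-bit absolute address */

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v; p[1] = v >> 8; }

/* Diff two dumps of the same region taken at image bases base_a and base_b.
   A dword that differs by exactly (base_b - base_a) and, in dump A, points
   inside the image is taken to be a relocated absolute address; after a hit
   the rest of that dword is skipped so its tail bytes cannot match again.
   Writes the RVAs (ascending) to out and returns how many were found. */
size_t find_relocs(const uint8_t *a, const uint8_t *b, size_t len, uint32_t region_rva,
                   uint32_t base_a, uint32_t base_b, uint32_t image_size,
                   uint32_t *out, size_t max_out)
{
    uint32_t delta = base_b - base_a;
    size_t n = 0;
    for (size_t i = 0; i + 4 <= len; i++) {
        uint32_t va = rd32(a + i), vb = rd32(b + i);
        if (vb - va == delta && va - base_a < image_size) {
            if (n < max_out) out[n] = region_rva + (uint32_t)i;
            n++;
            i += 3;
        }
    }
    return n;
}

/* Serialise sorted RVAs as IMAGE_BASE_RELOCATION blocks (the .reloc layout):
   DWORD page RVA, DWORD SizeOfBlock, then WORD entries (type << 12 | offset),
   each block padded with an ABSOLUTE entry to a DWORD boundary.
   Returns bytes written, or 0 if cap is too small. */
size_t build_reloc_table(const uint32_t *rvas, size_t n, uint8_t *out, size_t cap)
{
    size_t pos = 0, i = 0;
    while (i < n) {
        uint32_t page = rvas[i] & ~0xFFFu;
        size_t hdr = pos;
        if (pos + 8 > cap) return 0;
        wr32(out + pos, page);
        pos += 8;                                   /* SizeOfBlock patched in below */
        while (i < n && (rvas[i] & ~0xFFFu) == page) {
            if (pos + 2 > cap) return 0;
            wr16(out + pos, (uint16_t)(IMAGE_REL_BASED_HIGHLOW << 12 | (rvas[i] & 0xFFFu)));
            pos += 2;
            i++;
        }
        if ((pos - hdr) & 2) {
            if (pos + 2 > cap) return 0;
            wr16(out + pos, IMAGE_REL_BASED_ABSOLUTE << 12);
            pos += 2;
        }
        wr32(out + hdr + 4, (uint32_t)(pos - hdr));
    }
    return pos;
}

/* Constructed sample: 0x1010 bytes at RVA 0x1000 of a hypothetical 0x4000-byte
   image, as dumped at base 0x10000000 (dump_a) and at 0x12000000 (dump_b). */
#define REGION_RVA 0x1000u
#define REGION_LEN 0x1010u
#define IMAGE_SIZE 0x4000u
#define BASE_A     0x10000000u
#define BASE_B     0x12000000u
static uint8_t dump_a[REGION_LEN], dump_b[REGION_LEN];

static void make_samples(void)
{
    static const uint8_t head[] = {
        0x8D,0x05,0x45,0x23,0x00,0x10,   /* LEA EAX,[0x10002345]   (the instruction from #4) */
        0x90,                            /* NOP */
        0xB8,0x00,0x10,0x00,0x10,        /* MOV EAX,0x10001000 */
        0xFF,0x15,0x00,0x30,0x00,0x10,   /* CALL [0x10003000] */
        0xB9,0x34,0x12,0x00,0x00         /* MOV ECX,0x1234 : plain constant, not an address */
    };
    static const uint8_t tail[] = { 0x68,0x00,0x20,0x00,0x10 };  /* PUSH 0x10002000, next page */
    memset(dump_a, 0, sizeof dump_a);
    memcpy(dump_a, head, sizeof head);
    memcpy(dump_a + 0x1000, tail, sizeof tail);
    memcpy(dump_b, dump_a, sizeof dump_a);
    dump_b[5] = dump_b[11] = dump_b[17] = dump_b[0x1004] = 0x12;  /* loader added 0x02000000 */
}

uint32_t g_rvas[16];
uint8_t  g_table[64];
size_t   g_table_len;

/* Run the whole pipeline on the sample; returns the number of relocations recovered. */
size_t run_demo(void)
{
    make_samples();
    size_t n = find_relocs(dump_a, dump_b, REGION_LEN, REGION_RVA, BASE_A, BASE_B,
                           IMAGE_SIZE, g_rvas, 16);
    g_table_len = build_reloc_table(g_rvas, n, g_table, sizeof g_table);
    return n;
}

int main(void)
{
    size_t n = run_demo();
    for (size_t i = 0; i < n; i++) printf("reloc at RVA %08X\n", g_rvas[i]);
    printf(".reloc is %zu bytes:", g_table_len);
    for (size_t i = 0; i < g_table_len; i++) printf(" %02X", g_table[i]);
    printf("\n");
    return 0;
}
```

The MOV ECX,0x1234 constant is there to show the filter working: it is byte-identical in both dumps, so it never becomes a relocation. On a real image a constant can still collide with the delta by chance, so tighten the in-image check to the mapped sections and review hits in a disassembler before writing the table back; with 20000-plus entries a single false entry will corrupt a random dword at load time.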