reply to crusaders reloc issue on rce

don't have rce login, sorry. thought i'd post something

Quote:

Ok, I have this unpacked dll which wont load at certain image base... meaning :

if i use LordPE to to rebuild PE image with option Change ImageBase to 10000000h then LoadLibraryA call to this dll will fail, giving error 2E6 which is ERROR_BAD_PIPE.

if i use LordPE to rebuild PE image but with new ImageBase set to say, 1F700000h then the dll works fine, can be loaded with no problem...

So the question is what the hell is wrong ?
I have checked and it must be that Reloc info are correct or else LordPE wont be able to rebuild it, but it seems Windows is unable to utilise this reloc information and throw up when it cant load the dll at the designated ImageBase?

Anyone got any idea? This is the weirdest thing i have seen whole week

bpm(w) on first reloc address and dump at that point. this will preserve its original structure much like dumping before an iat is resolved. you will then be able to set its imagebase at its native space.

another tip for dumping dll's is to use the ollyloader. it is nice cuz most of the time it will load the dll into its native imagebase making it easier to dump.

you will notice that it will load if you change the imagebase to what you had dumped it to because the reloc addresses have already been fixed to that imagebase and will not work simply by changing the imagebase value in the pe header cuz the values simply don't align.

if this wasn't the problem you were having and i have misunderstood you, then forget what you just read

otherwise, please try the aforementioned advise.

heh.. what is this ?
Thread hijacking ?

Anyway, thanks for the reply... but that wasnt exactly my problem... my dll loaded at its native imagebase when unpacking... it works fine unless there is another dll already loaded at that iamge base then it wont load...

I can rebase the dll with lordpe and it works fine again as long as there is no dll already loaded at the same imagebase... so while LordPE seems to recognise the reloc struct, windows doesnt :/

Quote:

bpm(w) on first reloc address and dump at that point. this will preserve its original structure much like dumping before an iat is resolved. you will then be able to set its imagebase at its native space.

Do you mean to say that reloc structure is modifed during loading process??? Are you sure on this?

[Darren]

just a stab in the dark, have set correct reloc size in the header ?

- Darren

Quote:

Do you mean to say that reloc structure is modifed during loading process??? Are you sure on this?

absolutely! this is how i've dumped many aspr'd dll's. if you're simply loading the dll with ollyloader, then make sure to check 'System breakpoint' in the Events tab under 'Make first pause at:'. then place your bpm.

Quote:

it works fine unless there is another dll already loaded at that iamge base then it wont load...

that is strange. is it trying to occupy the space of a system dll? cuz then obviously it wouldn't work. if not a windows dll, then is it always the same dll that is hijacking it's native spot?

still tho, with relocs in place it should be assigned a different area to live. i know this is of little or no help, just putting thoughts out there

Darren makes a good point as well