Exetools  

  #1  
Old 08-16-2005, 05:21
tester
 
Posts: n/a
Professional (!!!) Neolite 2.0 unpacking, please help …

Hi all,
It's been about 2 weeks that I've been in hell, at the point of disappointment!
I have a DLL file that is packed with Neolite 2.0 (PEiD said). I've read all of the tutorials that exist on the web, and I unpacked all those samples without any problem (easy exe and dll files!), and I think that I know the principles of unpacking 'Neolite'.

My method for unpacking the DLL:

With OllyDbg I found the 'OEP' of the file = 10001A12 => (1A12).
With 'LordPE' I dumped it fully.
With 'ImpREC' I repaired the IAT of the file.
And finally, I manually corrected the OEP of the dump file to the new value (with LordPE).
(I also tried dumping with OllyDump and repairing the IAT with it …)


But in any case, my program (the exe file that uses the unpacked DLL) crashed.
I don't have any experience with IAT structures (my weak point) and I think that is the reason for the crash …

Below you can see the extracted data …. Thanks for any idea, any help …… thanks guys …


Data Results :

***************** Before unpacking (Original Packed File):
Basic PE Header Information =================================
Entry Point 000A91A7
ImageBase 10000000
SizeofImage 000B10F4
BaseofCode 000A9000
BaseofData 00001000
[Section Table]============================================
Name Voffset Vsize Roffset Rsize Flags
.text 00001000 0000C000 00000000 0000C000 C0000080
.rdata 0000D000 00004000 00000000 00004000 40000080
.data 00011000 000036C4 00001000 00001000 C0000040
.rsrc 00015000 000904DC 00002000 00004000 40000040
Oreloc 000A6000 00003000 00000000 00003000 42000080
.neolit 000A9000 000071A7 00006000 00002000 E0000020
.reloc 000B1000 000000F4 00008000 00001000 42000040
[Dierctory Table]============================================
RVA Size
ExportTable 000A9172 00000035
ImportTable 000A9000 0000008C
….
IAT 000A908C 00000030
….




***************** After unpacking:

Basic PE Header Information =================================
Entry Point 00001A12 (Manually change)
ImageBase 10000000
SizeofImage 000B3000
BaseofCode 000A9000
BaseofData 00001000
[Section Table]============================================
Name Voffset Vsize Roffset Rsize Flags
.text 00001000 0000C000 00001000 0000C000 C0000080
.rdata 0000D000 00004000 0000D000 00004000 40000080
.data 00011000 000036C4 00011000 000036C4 C0000040
.rsrc 00015000 000904DC 00015000 000904DC C0000040
Oreloc 000A6000 00003000 000A6000 00003000 42000080
.neolit 000A9000 000071A7 000A9000 000071A7 E0000020
.reloc 000B1000 000000F4 000B1000 000000F4 42000040
.makt 000B2000 00001000 000B2000 00001000 E0000060

[Dierctory Table]============================================
RVA Size
ExportTable 000A9172 00000035
ImportTable 000B2000 0000003C
….
IAT 00000000 00000000 (??!!!!!)
…
Attached Files
File Type: rar arb_.rar (140.1 KB, 9 views)

Last edited by tester; 08-18-2005 at 02:05.
  #2  
Old 08-16-2005, 22:43
al-kaiser
 
Posts: n/a
Try this tut that worked for me on unpacking Neolite apps

hxxp://rapidshare.de/files/4040543/NeoLite_2.0__Unpacking_.rar.html
  #3  
Old 08-17-2005, 14:30
tester
 
Posts: n/a

Thank you first, al-kaiser;
but I can't get that file; the server says error:

Fatal error: Maximum execution time of 30 seconds exceeded in /home/admin1/public_html/src1-index.php on line 116


Can you attach the file on the forum for me, please?
  #4  
Old 08-17-2005, 16:18
wildmans
 
Posts: n/a
Well, I unpacked Neolite 2 DLLs in the past without much problems.. The only thing I did differently was that I manually restored the IAT instead of letting a tool create a new section with the IAT in it.
Not sure if that causes your problems. But for instance PEexplorer gives a warning if the IAT is in a separate section AFTER the .rsrc section (with the export table).
  #5  
Old 08-17-2005, 23:27
tester
 
Posts: n/a

It's true, wildmans,
you have complete knowledge about the IAT and about what you need to change... but I don't have a good mentality about that!!! I'm really a newbie.

PEexplorer gives NO warning... Even assuming that it gave some error, I don't know what I must do .... I think I need to get some references to read about the IAT and PE sections first, but that takes a long time.

Further help, please.



=================== Now:
One of my friends changed the RVA of the ImportTable and now it doesn't crash, but when the exe file starts, an error message says: "Failed to initialize the program", like when I remove that DLL or change its name!!!

Last edited by tester; 08-20-2005 at 17:23.
  #6  
Old 08-19-2005, 18:58
suddenLy
 
Posts: 60
I'm not sure what the problem is, cos there is not enough info about ur target.

But did u check the relocation problem?

Unpacking a DLL usually has a relocation problem.

If another DLL, which has the same image base address as ur target DLL, is loaded before ur target DLL, it may cause a problem.

Because the image base address of the target DLL is changed, and then a relocation problem occurs.

So how about trying another image base address when dumping, or using the Reloxa tool?
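The relocation issue raised in the post above, as an added example that is not part of the original thread: the loader walks the base relocation table and adds the load delta to every absolute pointer, so a dump whose table is missing or damaged keeps stale pointers once the DLL lands at another base. The image bytes, the relocation block and the alternate base 0x20000000 are constructed for illustration; only the ImageBase 10000000 and the 1A12 offset are taken from the first post.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, skipped by the loader
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address that must be adjusted

def parse_relocs(reloc: bytes):
    """Yield (rva, type) for every entry in a base relocation directory blob."""
    off = 0
    while off + 8 <= len(reloc):
        page_rva, block_size = struct.unpack_from("<II", reloc, off)
        if block_size < 8 or off + block_size > len(reloc):
            break  # zeroed or truncated table, as in a damaged dump
        for i in range(off + 8, off + block_size, 2):
            (entry,) = struct.unpack_from("<H", reloc, i)
            yield page_rva + (entry & 0x0FFF), entry >> 12
        off += block_size

def rebase(image: bytearray, reloc: bytes, preferred: int, actual: int) -> int:
    """Apply HIGHLOW fixups in place; return how many pointers were adjusted."""
    delta = (actual - preferred) & 0xFFFFFFFF
    applied = 0
    for rva, rtype in parse_relocs(reloc):
        if rtype != IMAGE_REL_BASED_HIGHLOW:
            continue
        (value,) = struct.unpack_from("<I", image, rva)
        struct.pack_into("<I", image, rva, (value + delta) & 0xFFFFFFFF)
        applied += 1
    return applied

def build_sample():
    """Constructed image with two absolute pointers in the page at RVA 0x1000."""
    image = bytearray(0x2000)
    struct.pack_into("<I", image, 0x1004, 0x10001A12)  # pointer into code
    struct.pack_into("<I", image, 0x1010, 0x10011000)  # pointer into data
    # One block: page 0x1000, size 16 = 8-byte header + 4 entries (2 padding)
    reloc = struct.pack("<IIHHHH", 0x1000, 16, 0x3004, 0x3010, 0, 0)
    return image, reloc

if __name__ == "__main__":
    image, reloc = build_sample()
    n = rebase(image, reloc, preferred=0x10000000, actual=0x20000000)
    print(n, hex(struct.unpack_from("<I", image, 0x1004)[0]))
    # With an empty table nothing is fixed up and the pointers stay stale.
    stale, _ = build_sample()
    print(rebase(stale, b"", 0x10000000, 0x20000000))
```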
  #7  
Old 08-20-2005, 20:39
tester
 
Posts: n/a
suddenLy, thanX,
there are some DLLs that have the same image base addresses, but I'm thinking about other things:

I suggest that the "Failed to initialize the program" message may be created by some check routines like 'CRC checks...' etc. I found that message in the main exe file (this exe file loads the DLLs and the program starts), but I can't trace it to find the check points! (poor knowledge!)

Thanks to all for helping and clarifying things for me!

(As soon as possible, I will send a related request on the 'Request section board', if the 'Registered User Limitations' let me!!!)


Attachment = main exe file; original name of the target DLL = Ararbres.dll
Attached Files
File Type: rar exe.rar (918.4 KB, 8 views)