#1
10-29-2013, 14:48
TempoMat
Runtime Error R6002 - Floating point not loaded after unpacking

Hi,

I am basically having the same problem with two files protected with PeCompact as referenced in this thread:
Quote:
http://forum.exetools.com/showthread.php?t=12459&highlight=peCompact
In both files there are only two sections .text and .rsrc.
For one of the programs in question, I could get from the peHeader the actual VirtualSize for the Code Section as 16D800 and for the Data Section as 167000.

What I need to do is to edit the peHeader correctly to 3 sections (i.e. split the code section into code and data sections) when the program is at the OEP before dumping.

I am however having problems modifying the peHeader correctly in Olly before the dump. Both LordPe and OllyDump then still see only the two sections .text and .rsrc.

This is the peHeader of one of the programs:

Code:
004000F8    50 45 00 00>ASCII "PE"           ; PE signature (PE)
004000FC    4C01        DW 014C              ; Machine = IMAGE_FILE_MACHINE_I386
004000FE    0200        DW 0002              ;  NumberOfSections = 2
00400100    F7AA9651    DD 5196AAF7          ;  TimeDateStamp = 5196AAF7
00400104    00000000    DD 00000000          ;  PointerToSymbolTable = 0
00400108    00000000    DD 00000000          ;  NumberOfSymbols = 0
0040010C    E000        DW 00E0              ;  SizeOfOptionalHeader = E0 (224.)
0040010E    030D        DW 0D03              ;  Characteristics = EXECUTABLE_IMAGE|RUN_FROM_SWAP|32BIT_MACHINE|RELOCS_STRIPPED|800
00400110    0B01        DW 010B              ; MagicNumber = PE32
00400112    09          DB 09                ;  MajorLinkerVersion = 9
00400113    00          DB 00                ;  MinorLinkerVersion = 0
00400114    00D81600    DD 0016D800          ;  SizeOfCode = 16D800 (1497088.)
00400118    007C1600    DD 00167C00          ;  SizeOfInitializedData = 167C00 (1473536.)
0040011C    00000000    DD 00000000          ;  SizeOfUninitializedData = 0
00400120    00100000    DD 00001000          ;  AddressOfEntryPoint = 1000
00400124    00100000    DD 00001000          ;  BaseOfCode = 1000
00400128    00F01600    DD 0016F000          ;  BaseOfData = 16F000
0040012C    00004000    DD 00400000          ; ImageBase = 400000
00400130    00100000    DD 00001000          ;  SectionAlignment = 1000
00400134    00020000    DD 00000200          ;  FileAlignment = 200
00400138    0500        DW 0005              ;  MajorOSVersion = 5
0040013A    0000        DW 0000              ;  MinorOSVersion = 0
0040013C    0000        DW 0000              ;  MajorImageVersion = 0
0040013E    0000        DW 0000              ;  MinorImageVersion = 0
00400140    0500        DW 0005              ;  MajorSubsystemVersion = 5
00400142    0000        DW 0000              ;  MinorSubsystemVersion = 0
00400144    00000000    DD 00000000          ;  Reserved
00400148    00802E00    DD 002E8000          ;  SizeOfImage = 2E8000 (3047424.)
0040014C    00040000    DD 00000400          ;  SizeOfHeaders = 400 (1024.)
00400150    6B220C00    DD 000C226B          ;  CheckSum = C226B
00400154    0200        DW 0002              ;  Subsystem = IMAGE_SUBSYSTEM_WINDOWS_GUI
00400156    0080        DW 8000              ;  DLLCharacteristics = 8000
00400158    00001000    DD 00100000          ;  SizeOfStackReserve = 100000 (1048576.)
0040015C    00100000    DD 00001000          ;  SizeOfStackCommit = 1000 (4096.)
00400160    00001000    DD 00100000          ;  SizeOfHeapReserve = 100000 (1048576.)
00400164    00100000    DD 00001000          ;  SizeOfHeapCommit = 1000 (4096.)
00400168    00000000    DD 00000000          ;  LoaderFlags = 0
0040016C    10000000    DD 00000010          ;  NumberOfRvaAndSizes = 10 (16.)
00400170    00000000    DD 00000000          ;  Export Table address = 0
00400174    00000000    DD 00000000          ;  Export Table size = 0
00400178    00381E00    DD 001E3800          ;  Import Table address = 1E3800
0040017C    B4030000    DD 000003B4          ;  Import Table size = 3B4 (948.)
00400180    00E02D00    DD 002DE000          ;  Resource Table address = 2DE000
00400184    8D7E0000    DD 00007E8D          ;  Resource Table size = 7E8D (32397.)
00400188    00000000    DD 00000000          ;  Exception Table address = 0
0040018C    00000000    DD 00000000          ;  Exception Table size = 0
00400190    00760B00    DD 000B7600          ;  Certificate File pointer = B7600
00400194    28190000    DD 00001928          ;  Certificate Table size = 1928 (6440.)
00400198    00000000    DD 00000000          ;  Relocation Table address = 0
0040019C    00000000    DD 00000000          ;  Relocation Table size = 0
004001A0    70FA1600    DD 0016FA70          ;  Debug Data address = 16FA70
004001A4    1C000000    DD 0000001C          ;  Debug Data size = 1C (28.)
004001A8    00000000    DD 00000000          ;  Architecture Data address = 0
004001AC    00000000    DD 00000000          ;  Architecture Data size = 0
004001B0    00000000    DD 00000000          ;  Global Ptr address = 0
004001B4    00000000    DD 00000000          ;  Must be 0
004001B8    00000000    DD 00000000          ;  TLS Table address = 0
004001BC    00000000    DD 00000000          ;  TLS Table size = 0
004001C0    00000000    DD 00000000          ;  Load Config Table address = 0
004001C4    00000000    DD 00000000          ;  Load Config Table size = 0
004001C8    00000000    DD 00000000          ;  Bound Import Table address = 0
004001CC    00000000    DD 00000000          ;  Bound Import Table size = 0
004001D0    00000000    DD 00000000          ;  Import Address Table address = 0
004001D4    00000000    DD 00000000          ;  Import Address Table size = 0
004001D8    50371E00    DD 001E3750          ;  Delay Import Descriptor address = 1E3750
004001DC    40000000    DD 00000040          ;  Delay Import Descriptor size = 40 (64.)
004001E0    00000000    DD 00000000          ;  COM+ Runtime Header address = 0
004001E4    00000000    DD 00000000          ;  Import Address Table size = 0
004001E8    00000000    DD 00000000          ;  Reserved
004001EC    00000000    DD 00000000          ;  Reserved
004001F0    2E 74 65 78>ASCII ".text"        ; SECTION   <-------------Need to split this section and align properly to .text and .rdata     
004001F8    00D02D00    DD 002DD000          ;  VirtualSize = 2DD000 (3002368.) <----------(Code+Data)
004001FC    00100000    DD 00001000          ;  VirtualAddress = 1000
00400200    00E00A00    DD 000AE000          ;  SizeOfRawData = AE000 (712704.)
00400204    00040000    DD 00000400          ;  PointerToRawData = 400
00400208    50454332    DD 32434550          ;  PointerToRelocations = 32434550
0040020C    544F0000    DD 00004F54          ;  PointerToLineNumbers = 4F54
00400210    0000        DW 0000              ;  NumberOfRelocations = 0
00400212    0000        DW 0000              ;  NumberOfLineNumbers = 0
00400214    20000060    DD 60000020          ;  Characteristics = CODE|EXECUTE|READ
00400218    2E 72 73 72>ASCII ".rsrc"        ; SECTION
00400220    00A00000    DD 0000A000          ;  VirtualSize = A000 (40960.)
00400224    00E02D00    DD 002DE000          ;  VirtualAddress = 2DE000
00400228    00920000    DD 00009200          ;  SizeOfRawData = 9200 (37376.)
0040022C    00E40A00    DD 000AE400          ;  PointerToRawData = AE400
00400230    00000000    DD 00000000          ;  PointerToRelocations = 0
00400234    00000000    DD 00000000          ;  PointerToLineNumbers = 0
00400238    0000        DW 0000              ;  NumberOfRelocations = 0
0040023A    0000        DW 0000              ;  NumberOfLineNumbers = 0
0040023C    200000E0    DD E0000020          ;  Characteristics = CODE|EXECUTE|READ|WRITE
Any suggestion is appreciated.

Thanks TemPoMat

PS: I know there are universal unpackers in the wild like Nacho_dj's Unpacker_PeCompact which successfully unpack this particular file.
The resulting file is approx. 1MB larger than my manually unpacked one. This is however not the topic here.

I am interested in manually unpacking and properly fixing the unpacked file to get rid of the "R6002 floating point error", which according to many sources on the internet is related in this case to the wrong characteristics of the .rdata section, which is totally missing, or better to say hidden, in the code section.
#2
10-29-2013, 15:01
Syoma
Check the __fp math initialization function logic and code like
if (IsSectionReadOnly(".rdata")) ...
#3
10-29-2013, 18:59
RedBlkJck
JFYI, Nacho_dj's tool will attempt to rebuild the PE section headers with the sections rebuilt. If the file size is larger than your manually unpacked one, you probably are not fully unpacked. Maybe you are only at a fake OEP where the resource section is repaired/remapped after the fake OEP. Try editing the resources on your manually unpacked file.

For the R6002 error, you have two options. Leave the sections as is and patch the check like Syoma is referring to, or rebuild the section headers. If you manually rebuild the sections, plan on spending much time identifying where the sections are mapped and adding/modifying the section headers, i.e. rebuilding the PE map. Once the code and rdata can have separate permissions you can bypass this check without patching.

More details here: http://forum.exetools.com/showpost.php?p=79880&postcount=16

There is a patcher by manhunter out there that will find and patch the code check if the section is writeable. Never tested it though: http://www.manhunter.ru/underground/65_runtime_error_r6002_floating_point_not_loaded.html

Btw, if rebuilding the sections, it might be easier to get the file dumped first, then add/modify the sections in the dump.

#4
10-29-2013, 20:37
giv
On tuts4you, in the Execryptor topic, LCF-AT pointed out how to quickly bypass this issue.
Other solution:
Compress the unpacked file with UPX and it will work.
#5
10-29-2013, 21:30
giv
Later edit.
Here is the link:
Quote:
http://forum.tuts4you.com/topic/31588-problem-unpack-execryptor-2410/#entry148468
And the solution by LCF-AT:
Quote:
Posted 28 March 2013 - 08:04 PM
Hi,

very simple.

R6002 = Section Flag check. So after unpacking, your xy section flag was changed [adding the writeable flag] and this gets checked. Mostly it happens in the section where your new IAT is stored. If you change the flag of the section back to the original [not writeable] then you get an error, as now it can no longer write the APIs into this section. So what you have to do now is to find this check, patch the check and save it, and then all is working fine again.

You can use a HWBP on the section char in the PE Header....

or try this..

Search this pattern #C1E81FF7D083E001#
--------------------------
MOV EAX,DWORD PTR DS:[EAX+24] ; Section char of codesec to eax
SHR EAX,1F
NOT EAX
AND EAX,1
......... ; If eax is 0 then R6002 Error. So you always have to get value 1 in eax at the end = not writeable. If you get 0 = writeable enabled for section xy. Just patch the first command to mov eax,1 and nop the other 3 commands.

greetz
#6
10-29-2013, 23:05
TempoMat
Quote:
Originally Posted by giv View Post
Other solution.
Compress the unpacked file with UPX and it will work.
Tried this as well but UPX could not compress the unpacked exe.
Quote:
Originally Posted by RedBlkJck View Post
Maybe you are only at fake oep where the resource section is repaired/remapped after fake oep. Try editing the resources on your manually unpacked file.
No the OEP in both files are the same.

Quote:
Originally Posted by giv View Post
Search this pattern #C1E81FF7D083E001#
--------------------------
MOV EAX,DWORD PTR DS:[EAX+24] ; Section char of codesec to eax
SHR EAX,1F
NOT EAX
AND EAX,1
The breakpoint at the location 00541C17 (with the quoted pattern) is hit continuously.
If I set EAX=1 after the AND EAX,1 instruction at the first hit, the unpacked file runs without the error. All other hits will trigger the R6002 error and some other SEHs with EAX modified to 1. So patching here will have to be thought through thoroughly.

Maybe trying to rebuild the peHeader first before dumping might be the most elegant way even though it could be the most time consuming option.
#7
10-29-2013, 23:42
TempoMat
Second file works with a patch

In the case of the second file, the check is made only once.
The file therefore runs fine with a patch like this without the R6002 error:

original code=>
Code:
005BDB17   .  8B40 24       MOV EAX,DWORD PTR DS:[EAX+24]
005BDB1A   .  C1E8 1F       SHR EAX,1F
005BDB1D      F7D0          NOT EAX
005BDB1F      83E0 01       AND EAX,1
005BDB22      C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
Patched code=>
Code:
005BDB17   .  8B40 24       MOV EAX,DWORD PTR DS:[EAX+24]
005BDB1A   .  C1E8 1F       SHR EAX,1F
005BDB1D      B8 01000000   MOV EAX,1
005BDB22      C745 FC FEFFF>MOV DWORD PTR SS:[EBP-4],-2
#8
10-30-2013, 02:12
giv
Alright.
The idea was to do something like:
XOR EAX, EAX
MOV AL, 1
NOP
NOP
#9
10-30-2013, 10:04
RedBlkJck
I remember running into a problem with bypassing this before, but I don't remember the details. Since that procedure is used for other functions, you could try following the return address and NOP the jump instead.

Extra bytes ('overlay') might be another reason your file size is smaller than from Nacho_DJ's unpacker tool. That tool will not leave a huge amount of extra bytes there, and it appends the overlay back to the dump. If you think it's a bug, please PM me a link to the target if it's not a problem.

You will not see the PE header you modified in memory unless the dumper is set to use the PE from memory instead of the PE from disk. I always rebuild the PE sections once the file is dumped and dump using the PE from disk option. Since you are playing around with trying to modify the sections prior to dumping, maybe a dumper with more options might be of better use. Try OllyDumpEx. - jack
#10
10-30-2013, 22:04
TempoMat
Quote:
Originally Posted by RedBlkJck View Post
Extra bytes 'overlay' might be another reason your file size is smaller than from Nacho_DJ unpacker tool. That tool will not leave a huge amount of extra bytes there and it appends the overlay back to the dump. If you think it's a bug, please PM me a link to the target if its not a problem.
I tried the tool again on another program, with the following results:

Packed File size=10.7 MB
Manually unpacked size=18.0 MB
Size after unpacking with Nacho dj's tool=33.3 MB

I am not automatically thinking that it is a bug, as I have not tried to analyse the unpacked files (manual and with Nacho's tool) more closely to figure out whether it is a bug or not. I just notice that the version I tried (version 1.1) creates relatively larger files after dumping and fixing a packed file than when manually unpacked.

I have sent you a PM with some links.
Quote:
Originally Posted by RedBlkJck View Post
Try OllyDumpEx. - jack
I will try it and report back later.
#11
10-31-2013, 01:12
Nacho_dj
Please could I get a link to both targets via PM? Recently I fixed a bug related to the size of the dump, but the tool has not been released yet... Thanks!

Btw, very interesting topic and posts

Nacho_dj
#12
10-31-2013, 02:17
RedBlkJck
@Nacho_dj Tested the new unpacker tool on the targets, all is good again. thx

@TempoMat I followed up on that in PM. Let me know if you still have an issue. I'll try a manual rebuild of the sections later tonight.
#13
10-31-2013, 02:50
Nacho_dj
What I have found by using the new version of the unpacker is a value in the PE header that the tool is not checking, since it is not much used: the Debug Directory RVA and Size. If you set them to zero in your dump, the error won't appear any more...

Another issue to be fixed in a future release
#14
11-02-2013, 13:53
TempoMat
Almost there...

Quote:
Originally Posted by RedBlkJck View Post
...Try OllyDumpEx. - jack
Thanks RedBlkJck for the tip.
I managed to rebuild the PeHeader first before dumping with OllyDumpEx, which is able to read the modified PeHeader successfully.

I would have been 100% successful if it were not for some awkward behaviour of ImpRec and Scylla during the fixing of the dumped file.
For some unknown reason both programs just decide to change the characteristics of .rdata, which I had set to 40000040 = INITIALIZED_DATA|READ before the dump, to C0000040 = INITIALIZED_DATA|READ|WRITE.

A fixed PEHeader for the code from the initial post now looks like this:
Code:
00400110    50 45 00 00>ASCII "PE"           ; PE signature (PE)
00400114    4C01        DW 014C              ; Machine = IMAGE_FILE_MACHINE_I386
00400116    0500        DW 0005              ;  NumberOfSections = 5
00400118    92FF3152    DD 5231FF92          ;  TimeDateStamp = 5231FF92
0040011C    00000000    DD 00000000          ;  PointerToSymbolTable = 0
00400120    00000000    DD 00000000          ;  NumberOfSymbols = 0
00400124    E000        DW 00E0              ;  SizeOfOptionalHeader = E0 (224.)
00400126    0301        DW 0103              ;  Characteristics = EXECUTABLE_IMAGE|32BIT_MACHINE|RELOCS_STRIPPED
00400128    0B01        DW 010B              ; MagicNumber = PE32
0040012A    0A          DB 0A                ;  MajorLinkerVersion = A (10.)
0040012B    00          DB 00                ;  MinorLinkerVersion = 0
0040012C    00001E00    DD 001E0000          ;  SizeOfCode = 1E0000 (1966080.)
00400130    006A2E00    DD 002E6A00          ;  SizeOfInitializedData = 2E6A00 (3041792.)
00400134    00000000    DD 00000000          ;  SizeOfUninitializedData = 0
00400138    41961A00    DD 001A9641          ;  AddressOfEntryPoint = 1A9641
0040013C    00100000    DD 00001000          ;  BaseOfCode = 1000
00400140    00101E00    DD 001E1000          ;  BaseOfData = 1E1000
00400144    00004000    DD 00400000          ; ImageBase = 400000
00400148    00100000    DD 00001000          ;  SectionAlignment = 1000
0040014C    00020000    DD 00000200          ;  FileAlignment = 200
00400150    0500        DW 0005              ;  MajorOSVersion = 5
00400152    0100        DW 0001              ;  MinorOSVersion = 1
00400154    0000        DW 0000              ;  MajorImageVersion = 0
00400156    0000        DW 0000              ;  MinorImageVersion = 0
00400158    0500        DW 0005              ;  MajorSubsystemVersion = 5
0040015A    0100        DW 0001              ;  MinorSubsystemVersion = 1
0040015C    00000000    DD 00000000          ;  Reserved
00400160    00905200    DD 00529000          ;  SizeOfImage = 529000 (5410816.)
00400164    00100000    DD 00001000          ;  SizeOfHeaders = 1000 (4096.)
00400168    BE081500    DD 001508BE          ;  CheckSum = 1508BE
0040016C    0200        DW 0002              ;  Subsystem = IMAGE_SUBSYSTEM_WINDOWS_GUI
0040016E    0081        DW 8100              ;  DLLCharacteristics = 8100
00400170    00001000    DD 00100000          ;  SizeOfStackReserve = 100000 (1048576.)
00400174    00100000    DD 00001000          ;  SizeOfStackCommit = 1000 (4096.)
00400178    00001000    DD 00100000          ;  SizeOfHeapReserve = 100000 (1048576.)
0040017C    00100000    DD 00001000          ;  SizeOfHeapCommit = 1000 (4096.)
00400180    00000000    DD 00000000          ;  LoaderFlags = 0
00400184    10000000    DD 00000010          ;  NumberOfRvaAndSizes = 10 (16.)
00400188    00000000    DD 00000000          ;  Export Table address = 0
0040018C    00000000    DD 00000000          ;  Export Table size = 0
00400190    00505200    DD 00525000          ;  Import Table address = 525000
00400194    7C010000    DD 0000017C          ;  Import Table size = 17C (380.)
00400198    00A05100    DD 0051A000          ;  Resource Table address = 51A000
0040019C    E0910000    DD 000091E0          ;  Resource Table size = 91E0 (37344.)
004001A0    00000000    DD 00000000          ;  Exception Table address = 0
004001A4    00000000    DD 00000000          ;  Exception Table size = 0
004001A8    00781400    DD 00147800          ;  Certificate File pointer = 147800
004001AC    E01B0000    DD 00001BE0          ;  Certificate Table size = 1BE0 (7136.)
004001B0    00000000    DD 00000000          ;  Relocation Table address = 0
004001B4    00000000    DD 00000000          ;  Relocation Table size = 0
004001B8    78465200    DD 00524678          ;  Debug Data address = 524678
004001BC    1C000000    DD 0000001C          ;  Debug Data size = 1C (28.)
004001C0    00000000    DD 00000000          ;  Architecture Data address = 0
004001C4    00000000    DD 00000000          ;  Architecture Data size = 0
004001C8    00000000    DD 00000000          ;  Global Ptr address = 0
004001CC    00000000    DD 00000000          ;  Must be 0
004001D0    00000000    DD 00000000          ;  TLS Table address = 0
004001D4    00000000    DD 00000000          ;  TLS Table size = 0
004001D8    00000000    DD 00000000          ;  Load Config Table address = 0
004001DC    00000000    DD 00000000          ;  Load Config Table size = 0
004001E0    00000000    DD 00000000          ;  Bound Import Table address = 0
004001E4    00000000    DD 00000000          ;  Bound Import Table size = 0
004001E8    00000000    DD 00000000          ;  Import Address Table address = 0
004001EC    00000000    DD 00000000          ;  Import Address Table size = 0
004001F0    88673000    DD 00306788          ;  Delay Import Descriptor address = 306788
004001F4    E0000000    DD 000000E0          ;  Delay Import Descriptor size = E0 (224.)
004001F8    00000000    DD 00000000          ;  COM+ Runtime Header address = 0
004001FC    00000000    DD 00000000          ;  Import Address Table size = 0
00400200    00000000    DD 00000000          ;  Reserved
00400204    00000000    DD 00000000          ;  Reserved
00400208    2E 74 65 78>ASCII ".text"        ; SECTION
00400210    00001E00    DD 001E0000          ;  VirtualSize = 1E0000 (1966080.)
00400214    00100000    DD 00001000          ;  VirtualAddress = 1000
00400218    00001E00    DD 001E0000          ;  SizeOfRawData = 1E0000 (1966080.)
0040021C    00100000    DD 00001000          ;  PointerToRawData = 1000
00400220    00000000    DD 00000000          ;  PointerToRelocations = 0
00400224    00000000    DD 00000000          ;  PointerToLineNumbers = 0
00400228    0000        DW 0000              ;  NumberOfRelocations = 0
0040022A    0000        DW 0000              ;  NumberOfLineNumbers = 0
0040022C    200000E0    DD E0000020          ;  Characteristics = CODE|EXECUTE|READ|WRITE
00400230    2E 72 64 61>ASCII ".rdata"       ; SECTION
00400238    00702E00    DD 002E7000          ;  VirtualSize = 2E7000 (3043328.)
0040023C    00101E00    DD 001E1000          ;  VirtualAddress = 1E1000
00400240    00702E00    DD 002E7000          ;  SizeOfRawData = 2E7000 (3043328.)
00400244    00101E00    DD 001E1000          ;  PointerToRawData = 1E1000
00400248    00000000    DD 00000000          ;  PointerToRelocations = 0
0040024C    00000000    DD 00000000          ;  PointerToLineNumbers = 0
00400250    0000        DW 0000              ;  NumberOfRelocations = 0
00400252    0000        DW 0000              ;  NumberOfLineNumbers = 0
00400254    400000C0    DD C0000040          ;  Characteristics = INITIALIZED_DATA|READ|WRITE    <--Modified by ImpRec or Scylla when fixing the dump
00400258    2E 6D 64 61>ASCII ".mdata"       ; SECTION
00400260    00200500    DD 00052000          ;  VirtualSize = 52000 (335872.)
00400264    00804C00    DD 004C8000          ;  VirtualAddress = 4C8000
00400268    00200500    DD 00052000          ;  SizeOfRawData = 52000 (335872.)
0040026C    00804C00    DD 004C8000          ;  PointerToRawData = 4C8000
00400270    00000000    DD 00000000          ;  PointerToRelocations = 0
00400274    00000000    DD 00000000          ;  PointerToLineNumbers = 0
00400278    0000        DW 0000              ;  NumberOfRelocations = 0
0040027A    0000        DW 0000              ;  NumberOfLineNumbers = 0
0040027C    40000042    DD 42000040          ;  Characteristics = INITIALIZED_DATA|DISCARDABLE|READ
00400280    2E 72 73 72>ASCII ".rsrc"        ; SECTION
00400288    00B00000    DD 0000B000          ;  VirtualSize = B000 (45056.)
0040028C    00A05100    DD 0051A000          ;  VirtualAddress = 51A000
00400290    00B00000    DD 0000B000          ;  SizeOfRawData = B000 (45056.)
00400294    00A05100    DD 0051A000          ;  PointerToRawData = 51A000
00400298    00000000    DD 00000000          ;  PointerToRelocations = 0
0040029C    00000000    DD 00000000          ;  PointerToLineNumbers = 0
004002A0    0000        DW 0000              ;  NumberOfRelocations = 0
004002A2    0000        DW 0000              ;  NumberOfLineNumbers = 0
004002A4    200000E0    DD E0000020          ;  Characteristics = CODE|EXECUTE|READ|WRITE
004002A8    2E 6D 61 63>ASCII ".mackt"       ; SECTION
004002B0    00400000    DD 00004000          ;  VirtualSize = 4000 (16384.)
004002B4    00505200    DD 00525000          ;  VirtualAddress = 525000
004002B8    00400000    DD 00004000          ;  SizeOfRawData = 4000 (16384.)
004002BC    00505200    DD 00525000          ;  PointerToRawData = 525000
004002C0    00000000    DD 00000000          ;  PointerToRelocations = 0
004002C4    00000000    DD 00000000          ;  PointerToLineNumbers = 0
004002C8    0000        DW 0000              ;  NumberOfRelocations = 0
004002CA    0000        DW 0000              ;  NumberOfLineNumbers = 0
004002CC    600000E0    DD E0000060          ;  Characteristics = CODE|INITIALIZED_DATA|EXECUTE|READ|WRITE
The .rdata was ripped from the .text section and the .mdata is the overlay to the .rsrc section.

Continue...
#15
11-02-2013, 14:05
TempoMat
...continuation

At first I thought OllyDumpEx was the culprit, but after opening all the dumps from OllyDumpEx without fixed IAT in Hiew, it was obvious that the dumps are exactly as wanted at this location (0x254).

Any attempt to modify the PeHeader of any of the wrongly fixed files with PE editors like LordPe or PeTools rendered the resulting files useless.
However, if I first load any of the fixed files in Olly and modify the characteristics of the second section ".rdata" to 40000040 before executing, the programs run without the R6002 errors. Otherwise not.

All other unpacked and fixed files (at least 3 programs I packed with PeCompact v. 3.02.2) with the modification of the PEHeader before dumping run as long as they don't have the floating point checks on the second section.

Cheers TempoMat.
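As an added example (not code from this thread, from PeCompact, or from any of the tools named here), the Python below does on a dump what the first post asks for and what LCF-AT's disassembly checks: it splits a merged .text section at BaseOfData into .text plus a read-only .rdata, bumps NumberOfSections and SizeOfCode, and applies the same MOV EAX,[EAX+24] / SHR EAX,1F / NOT EAX / AND EAX,1 test to every section header, so a .rdata that ImpRec or Scylla flipped to C0000040 (post #14) is flagged before the file is run. The sample image is constructed from the first post's header values; its e_lfanew and the dump-style SizeOfRawData/PointerToRawData fields are made up for the example.

```python
import struct

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_READ = 0x40000000  # IMAGE_SCN_MEM_WRITE is bit 31, the bit the CRT test isolates

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PtrToRelocs, PtrToLinenums, NumRelocs, NumLinenums, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)
FIELDS = ("name", "vsize", "va", "rawsize", "rawptr",
          "relocptr", "lineptr", "nreloc", "nline", "chars")


def crt_fp_check(chars):
    """MOV EAX,[EAX+24] / SHR EAX,1F / NOT EAX / AND EAX,1 as quoted in the thread:
    returns 1 when the section is not writeable (check passes), 0 when it is (R6002)."""
    return (~(chars >> 31)) & 1


def header_offsets(data):
    """(optional header offset, section table offset, NumberOfSections, SizeOfHeaders)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    return opt, opt + opt_size, nsec, struct.unpack_from("<I", data, opt + 60)[0]


def read_sections(data):
    _, table, nsec, _ = header_offsets(data)
    sections = []
    for i in range(nsec):
        sec = dict(zip(FIELDS, struct.unpack_from(SECTION_FMT, data, table + i * SECTION_SIZE)))
        sec["name"] = sec["name"].rstrip(b"\0").decode()
        sections.append(sec)
    return sections


def writeable_sections(data):
    """Names of the sections on which the CRT flag test would fail."""
    return [s["name"] for s in read_sections(data) if crt_fp_check(s["chars"]) == 0]


def split_section(data, index, split_rva, new_name, new_chars):
    """Cut section `index` at `split_rva`; the tail becomes a new section right after it.
    `data` is a bytearray holding at least SizeOfHeaders bytes of the dump."""
    opt, table, nsec, size_of_headers = header_offsets(data)
    if table + (nsec + 1) * SECTION_SIZE > size_of_headers:
        raise ValueError("no room for another section header")
    off = table + index * SECTION_SIZE
    first = list(struct.unpack_from(SECTION_FMT, data, off))
    vsize, va, rawsize, rawptr = first[1:5]
    if not va < split_rva < va + vsize:
        raise ValueError("split RVA outside the section")
    delta = split_rva - va
    tail = bytes(data[off + SECTION_SIZE:table + nsec * SECTION_SIZE])  # headers after it
    data[off + 2 * SECTION_SIZE:off + 2 * SECTION_SIZE + len(tail)] = tail  # shift down a slot
    first[1], first[3] = delta, min(rawsize, delta)  # head keeps the bytes up to the cut
    struct.pack_into(SECTION_FMT, data, off, *first)
    raw2 = rawsize - first[3]
    second = (new_name.encode().ljust(8, b"\0"), vsize - delta, split_rva,
              raw2, rawptr + first[3] if raw2 else 0, 0, 0, 0, 0, new_chars)
    struct.pack_into(SECTION_FMT, data, off + SECTION_SIZE, *second)
    struct.pack_into("<H", data, opt - 24 + 6, nsec + 1)  # NumberOfSections
    if index == 0:
        struct.pack_into("<I", data, opt + 4, first[3])   # SizeOfCode follows the code section


def build_sample_image():
    """Constructed two-section header modelled on the first post's values (dump style)."""
    img = bytearray(0x1000)
    img[0:2], e_lfanew = b"MZ", 0x40
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF: Machine, NumberOfSections, TimeDateStamp, symtab ptr/count, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, 2, 0x5196AAF7, 0, 0, 0xE0, 0x0D03)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x10B)  # PE32 magic
    # SizeOfCode, BaseOfCode, BaseOfData, SectionAlignment, FileAlignment, SizeOfImage, SizeOfHeaders
    for field_off, value in ((4, 0x2DD000), (20, 0x1000), (24, 0x16F000), (32, 0x1000),
                             (36, 0x200), (56, 0x2E8000), (60, 0x1000)):
        struct.pack_into("<I", img, opt + field_off, value)
    table = opt + 0xE0
    struct.pack_into(SECTION_FMT, img, table, b".text\0\0\0",
                     0x2DD000, 0x1000, 0x2DD000, 0x1000, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(SECTION_FMT, img, table + SECTION_SIZE, b".rsrc\0\0\0",
                     0xA000, 0x2DE000, 0xA000, 0x2DE000, 0, 0, 0, 0, 0xE0000020)
    return img


def demo():
    """Split the sample's .text at BaseOfData into .text + read-only .rdata."""
    img = build_sample_image()
    flagged = writeable_sections(img)  # sections the CRT test rejects before the split
    base_of_data, = struct.unpack_from("<I", img, header_offsets(img)[0] + 24)
    split_section(img, 0, base_of_data, ".rdata",
                  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    return flagged, read_sections(img)
```

Running writeable_sections() on a dump after ImpRec or Scylla has fixed it reports any section those tools turned writeable, which is exactly the case post #15 had to repair by hand in Olly.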