#1
What's up with this Neolite-packed DLL???
Hey guys!
I've attached a DLL. Let me first tell you I'm not making an unpack request in particular, so I think I posted in the right category. As you can see, the DLL is packed with Neolite 2. The first bytes at the EP are E9 A6 00 00, so a short jump to the start of the Neolite unpack routine. But I noticed a very strange thing! As soon as I load the DLL in Olly, those first four bytes are actually CHANGED to E9 24 D9 FA FF, which looks like a jump to a routine in the DLL itself which almost immediately terminates the DLL. How can that first jump be changed, and by whom? I know it is not a relocation address, as it is not listed in the reloc table. I'd really like to know how this is possible. Maybe it's something small, but I can't seem to figure it out! :P

Last edited by wildmans; 10-04-2005 at 19:54.
#2
Well, OllyDbg doesn't stop at the DLL initialization stage because there seems to be no DllInit code in there, so it finishes up initialization and goes directly to the loaded code. If you really want to step through all the init crap: View --> File, load the DLL, then Ctrl+G, type 50f2 (the address of the entry point) and change the E9 A6 to EB FE. Right-click, save under a new name, and load this in OllyDbg; it will be looping endlessly on the infinite jump. Hit F12 to pause, change the bytes back to E9 A6 and single-step through. Or just right-click and set a memory breakpoint on write at that address; you will see who is writing what and when:

[code]
Log data, item 0
 Address=10054883
 Message=Memory breakpoint when writing to [100540F3]

10054883  8910  MOV DWORD PTR DS:[EAX],EDX
eax = 100540F3
edx = FFFAD924
[/code]

What the heck is this DLL for? Is it really named so weird? Hope it was not viral.

[code]
Text strings referenced in dfb58hh1:.text, item 34
 Address=10002F62
 Disassembly=MOV DWORD PTR SS:[EBP-128],dfb58hh1.10009438
 Text string=ASCII "A security error of unknown cause has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated. "
[/code]
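The EB FE trick described in the post above, as an added example that is not code posted by either participant: a Python script that walks the PE headers to find the entry point's file offset, overwrites the first two bytes with EB FE (a JMP to itself), and hands back the original bytes so they can be restored once OllyDbg is paused on the loop. The header offsets are the documented PE32/PE32+ ones; the sample image is constructed inline with entry RVA 50F2 at image base 10000000 to mirror the post, and is not the real dfb58hh1.dll. It assumes the entry point lies in a section that is backed by file data.

```python
"""Patch a PE file's entry point with EB FE so a loader-invoked DLL entry can
be caught in a debugger, then restore the original bytes.

Added example for this thread (not the posters' code). PE header offsets are
the standard ones; the sample image below is constructed here."""
import struct

INFINITE_LOOP = b"\xEB\xFE"   # JMP -2: the instruction jumps to itself


def parse_pe(data):
    """Return (entry_rva, image_base, sections); sections is a list of
    (virtual_address, virtual_size, raw_size, raw_offset)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    file_hdr = e_lfanew + 4
    nsec, = struct.unpack_from("<H", data, file_hdr + 2)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, file_hdr + 16)  # SizeOfOptionalHeader
    opt = file_hdr + 20
    magic, = struct.unpack_from("<H", data, opt)
    entry_rva, = struct.unpack_from("<I", data, opt + 16)      # AddressOfEntryPoint
    if magic == 0x10B:                                         # PE32
        image_base, = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                                       # PE32+
        image_base, = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i                          # IMAGE_SECTION_HEADER
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((vaddr, vsize, rawsize, rawptr))
    return entry_rva, image_base, sections


def rva_to_file_offset(rva, sections):
    """Map an RVA to a file offset; refuse RVAs that only exist in memory."""
    for vaddr, vsize, rawsize, rawptr in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            delta = rva - vaddr
            if delta >= rawsize:
                raise ValueError("RVA %#x is not file-backed" % rva)
            return rawptr + delta
    raise ValueError("RVA %#x is in no section" % rva)


def patch_entry(data, new_bytes=INFINITE_LOOP):
    """Overwrite the first bytes at the entry point.
    Returns (patched_image, original_bytes, entry_va, file_offset)."""
    entry_rva, image_base, sections = parse_pe(data)
    off = rva_to_file_offset(entry_rva, sections)
    original = bytes(data[off:off + len(new_bytes)])
    patched = bytearray(data)
    patched[off:off + len(new_bytes)] = new_bytes
    return bytes(patched), original, image_base + entry_rva, off


def restore_entry(patched, original, file_offset):
    """Undo patch_entry: what you do by hand in Olly after F12."""
    data = bytearray(patched)
    data[file_offset:file_offset + len(original)] = original
    return bytes(data)


def build_sample_pe():
    """Constructed PE32 DLL image for the demo: one .text section, entry at
    RVA 0x50F2 holding E9 A6 00 00, image base 0x10000000. Not the real DLL."""
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x50F2)        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x10000000)    # ImageBase
    # Machine=i386, 1 section, SizeOfOptionalHeader, Characteristics=EXE|32BIT|DLL
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    # .text: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".text", 0x5000, 0x1000, 0x5000,
                          0x400, 0, 0, 0, 0, 0x60000020)
    headers = bytearray(0x400)
    headers[:2] = b"MZ"
    struct.pack_into("<I", headers, 0x3C, 0x40)    # e_lfanew
    pe = b"PE\0\0" + file_hdr + bytes(opt) + sec_hdr
    headers[0x40:0x40 + len(pe)] = pe
    text = bytearray(0x5000)
    text[0x50F2 - 0x1000:0x50F2 - 0x1000 + 4] = b"\xE9\xA6\x00\x00"
    return bytes(headers + text)


def patch_file(src, dst):
    """Write a patched copy of a real DLL and return (entry_va, original_bytes)."""
    with open(src, "rb") as f:
        data = f.read()
    patched, original, va, _ = patch_entry(data)
    with open(dst, "wb") as f:
        f.write(patched)
    return va, original


if __name__ == "__main__":
    patched, original, va, off = patch_entry(build_sample_pe())
    print("entry VA %08X, file offset %#x, original bytes %s" % (va, off, original.hex()))
```

After loading the patched copy in OllyDbg and hitting F12, EIP is the entry VA printed above; put the two original bytes back in the debugger (or on disk with restore_entry) before single-stepping. Keeping the returned original bytes matters because a packer stub's first instruction is often a relative jump whose operand you would otherwise have to recover by hand.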
#3
Thanks for this information! Man, it's great if you're stuck and someone is willing to give new insights into your problem. Thank you for that. I get it now; I just have to read a bit more about DllMain on MSDN or something. :P
The DLL is absolutely not virii. It's part of an addon for FS2004. It got my attention because of the Neolite 2 compression.