Exetools  

  #1  
Old 10-04-2005, 19:51
wildmans
 
What's up with this Neolite-packed DLL?

Hey guys !

I've attached a DLL. Let me first tell you I'm not making an unpack request in particular, so I think I posted in the right category.

As you can see, the DLL is packed with Neolite 2. The first bytes at the EP are E9 A6 00 00, so a short jump to the start of the Neolite unpack routine.

But I noticed a very strange thing!!! As soon as I load the DLL in Olly, those first four bytes are actually CHANGED to E9 24 D9 FA FF, which looks like a jump to a routine in the DLL itself which almost immediately terminates the DLL.

How can that first jump be changed, and by whom??? I know it is not a relocation address, as it is not listed in the reloc table.

I'd really like to know how this is possible??? Maybe it's something small, but I can't seem to figure it out! :P
Attached Files
File Type: rar dfb58hh.rar (204.7 KB, 9 views)

Last edited by wildmans; 10-04-2005 at 19:54.
  #2  
Old 10-05-2005, 00:24
JuneMouse
 
Well, OllyDbg doesn't stop at the DLL initialization stage because there seems to be no
DllInit code in there, so it finishes up initialisation and goes directly to the loaded code.

If you really want to step through all the init crap:
View -> File -> load the DLL,
then Ctrl+G, type 50F2 (the address of the entry point) and change the E9 A6 to EB FE,
right-click, save under a new name.

Load this in OllyDbg; it will be looping endlessly on the infinite jump.
Hit F12 to pause,
change the bytes back to E9 A6 and single-step through,
or just right-click and set a memory breakpoint on write at that address.

You will see who is writing what and when:

[code]
Log data, item 0
Address=10054883
Message=Memory breakpoint when writing to [100540F3]

10054883 8910 MOV DWORD PTR DS:[EAX],EDX

eax = 100540F3
edx = FFFAD924
[/code]

What the heck is this DLL for?? Is it really named so weirdly??
Hope it was not viral.
Text strings referenced in dfb58hh1:.text, item 34
Address=10002F62
Disassembly=MOV DWORD PTR SS:[EBP-128],dfb58hh1.10009438
Text string=ASCII "A security error of unknown cause has been detected which has
corrupted the program's internal state. The program cannot safely
continue execution and must now be terminated.
"
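As an added example (not code from the thread, and not the attached DLL), the script below does from a file what the two posts do by hand in OllyDbg: it patches the bytes at AddressOfEntryPoint to EB FE (a jmp to itself) so a copy saved under a new name spins in the loader's DllMain call until you pause it and restore the original bytes, it checks whether any base relocation actually covers the entry-point bytes (the OP's reloc-table question), and it decodes the E9 rel32 jumps before and after the dword write from the log. The sample DLL is constructed in memory and only mimics the layout implied by the log: image base 10000000 and the entry at RVA 540F2 are assumptions, chosen so that a dword written at 100540F3 lands exactly on the rel32 of a jump at 100540F2. Standard library only.

```python
"""Entry-point patching and reloc check for a PE32 DLL (added example)."""
import struct

JMP_SELF = b"\xEB\xFE"                 # short jmp -2: spins at the entry point
ORIGINAL_EP = b"\xE9\xA6\x00\x00\x00"  # jmp rel32 seen at the EP in the first post
DWORD_WRITTEN = 0xFFFAD924             # EDX at the memory-on-write breakpoint in the log


def pe_headers(data):
    """Parse the PE32 fields needed here: entry RVA, image base, sections, optional-header offset."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((vaddr, vsize, rawptr, rawsize))
    return {"entry_rva": entry_rva, "image_base": image_base, "sections": sections, "opt": opt}


def rva_to_offset(rva, sections):
    for vaddr, vsize, rawptr, rawsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def patch_entry_point(data, new_bytes=JMP_SELF):
    """Return (patched image, entry VA, overwritten bytes). Save the patched image under a
    new name, load it, pause on the spin loop, then restore the overwritten bytes."""
    hdr = pe_headers(data)
    off = rva_to_offset(hdr["entry_rva"], hdr["sections"])
    original = data[off:off + len(new_bytes)]
    patched = bytearray(data)
    patched[off:off + len(new_bytes)] = new_bytes
    return bytes(patched), hdr["image_base"] + hdr["entry_rva"], original


def entry_point_relocated(data, width=5):
    """True if a HIGHLOW (type 3) base-relocation fixup overlaps the `width` bytes at the EP.
    Data directory 5 is IMAGE_DIRECTORY_ENTRY_BASERELOC."""
    hdr = pe_headers(data)
    dir_rva, dir_size = struct.unpack_from("<II", data, hdr["opt"] + 96 + 8 * 5)
    if dir_size == 0:
        return False
    lo, hi = hdr["entry_rva"], hdr["entry_rva"] + width
    pos = rva_to_offset(dir_rva, hdr["sections"])
    end = pos + dir_size
    while pos + 8 <= end:                       # one block per 4 KiB page
        page, block_size = struct.unpack_from("<II", data, pos)
        for i in range((block_size - 8) // 2):
            entry, = struct.unpack_from("<H", data, pos + 8 + 2 * i)
            fixup = page + (entry & 0xFFF)
            if entry >> 12 == 3 and fixup < hi and fixup + 4 > lo:
                return True
        pos += block_size
    return False


def jmp_rel32_target(insn_va, insn):
    """Destination of an E9 rel32 near jump located at insn_va."""
    assert insn[0] == 0xE9 and len(insn) == 5
    rel, = struct.unpack("<i", insn[1:])
    return (insn_va + 5 + rel) & 0xFFFFFFFF


def apply_dword_write(insn, dword):
    """The MOV [EAX],EDX from the log hits EP+1, i.e. it overwrites only the rel32."""
    return insn[:1] + struct.pack("<I", dword)


def build_sample_dll():
    """Constructed minimal PE32 DLL (test data, not the thread's file): one .text section at
    RVA 0x54000 backed by 0x200 file bytes, entry at RVA 0x540F2 holding ORIGINAL_EP."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)  # i386, 1 section, DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    for off, val in ((16, 0x540F2), (20, 0x54000), (28, 0x10000000), (32, 0x1000),
                     (36, 0x200), (56, 0x55000), (60, 0x200), (92, 16)):
        struct.pack_into("<I", opt, off, val)
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x54000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    text = bytearray(0x200)
    text[0xF2:0xF7] = ORIGINAL_EP
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0") + bytes(text)


if __name__ == "__main__":
    dll = build_sample_dll()
    patched, ep_va, orig = patch_entry_point(dll)
    rewritten = apply_dword_write(ORIGINAL_EP, DWORD_WRITTEN)
    print(f"EP {ep_va:#x}: {orig.hex()} -> {JMP_SELF.hex()}  relocated: {entry_point_relocated(dll)}")
    print(f"original jmp -> {jmp_rel32_target(ep_va, ORIGINAL_EP):#x}")
    print(f"after write {rewritten.hex()} -> {jmp_rel32_target(ep_va, rewritten):#x}")
```

With the assumed entry address, the original jump lands a few hundred bytes past the EP (the packer's stub), while the dword from the log turns it into a jump to 10001A1B, back inside the .text section that holds the "security error" string, which matches the OP's description of a jump into the DLL itself that terminates it. On a real file, run `patch_entry_point` over the bytes read from disk and write the result out; `entry_point_relocated` returning False is the scripted form of "not listed in the reloc table".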
  #3  
Old 10-05-2005, 14:47
wildmans
 
Thanks for this information! Man, it's great when you're stuck and someone is willing to give new insights into your problem. Thank you for that. I get it now; I just have to read a bit more about DllMain on MSDN or something. :P

The DLL is absolutely not a virus. It's part of an addon for FS2004. It got my attention because of the Neolite 2 compression.