#1  01-06-2006, 23:47  winndy
Unpack OneWay.dll problem, Import REConstructor v1.6 Final fails.

I unpacked OneWay.dll (www.atma-software.com/1way).
This is what I thought was the OEP.
Code:
003D8458     55         push ebp
003D8459     8BEC       mov ebp,esp
003D845B     83C4 C4    add esp,-3C
003D845E     B8 58833D0>mov eax,OneWay.003D8358
003D8463     E8 BCDCFDF>call OneWay.003B6124
003D8468     33C0       xor eax,eax
I click the "Pick DLL" button, and I can see the Imagebase is 003B0000.
But when I choose OneWay.dll,
the Imagebase in the Log window is 00400000.
So I could not fix the unpacked DLL.

See the attachment for two pictures that describe the problem I met.

What's the problem?
Import REConstructor bug?
Are there any alternative tools to fix the import table?
Confused.
Any comment is appreciated.
Thx!
------
Is this the same question as my previous thread?
http://forum.exetools.com/showthread.php?t=8612

Maybe this DLL was first packed with ASProtect, then PECompact.

Regards
Attached Files
File Type: rar Oneway .rar (140.9 KB, 11 views)

Last edited by winndy; 01-06-2006 at 23:55.

#2  01-07-2006, 01:20  adaptor
You probably need to change ImageBase in PE header of dumped dll to 003B0000

#3  01-07-2006, 01:22  Frequency
hey


in your options..
make sure this is unticked: "use PE Header from disk"

otherwise then yes you pick up the 004xxxxx instead of 35xxxxxxx ..
I just tried it.. and it picks up base...

#4  01-07-2006, 10:22  winndy
Quote:
Originally Posted by Frequency
hey


in your options..
make sure this is unticked: "use PE Header from disk"

otherwise then yes you pick up the 004xxxxx instead of 35xxxxxxx ..
I just tried it.. and it picks up base...

Well, thank you very much. I got it.
I always learn so much from ARteam. You did very well.

--------------------------
Quote:
Originally Posted by adaptor
You probably need to change ImageBase in PE header of dumped dll to 003B0000

Yes, you are right.
There was a crash when I fixed the import table.
But I found the cause: the imagebase of the dumped DLL is still 00400000.
It should be 003B0000.
I corrected it with LordPE. It works.

If you do not want to do so,
when you dump the DLL you could tick the "Full dump:Rebuild Imagebase",
and make sure to tick "change Imagebase to" and set it to 003B0000.

That's it.

Thanks again.

Regards
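
The header mismatch this thread resolved, as an added example that is not part of the original posts: the dumped file's PE header still carried ImageBase 00400000 while the DLL had been loaded at 003B0000. The Python below locates the ImageBase field for PE32 and PE32+ headers and rewrites it; the function names and the in-memory sample header are constructed for illustration.

```python
import struct

PE32, PE32_PLUS = 0x10B, 0x20B   # OptionalHeader.Magic values

def image_base_field(data):
    """Return (file offset, struct format) of OptionalHeader.ImageBase."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20      # skip PE signature and 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32:
        return opt + 28, "<I"    # 32-bit field after BaseOfData
    if magic == PE32_PLUS:
        return opt + 24, "<Q"    # 64-bit field, no BaseOfData
    raise ValueError("unknown optional header magic 0x%04X" % magic)

def read_image_base(data):
    off, fmt = image_base_field(data)
    return struct.unpack_from(fmt, data, off)[0]

def set_image_base(data, runtime_base):
    """Return a copy of the header bytes with ImageBase set to runtime_base."""
    if runtime_base % 0x10000:
        raise ValueError("ImageBase must be a multiple of 64 KB")
    off, fmt = image_base_field(data)
    out = bytearray(data)
    struct.pack_into(fmt, out, off, runtime_base)
    return bytes(out)

def make_sample_header(image_base=0x00400000):
    """Constructed minimal PE32 header (not a loadable file), for the demo."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)            # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x80 + 24, PE32)       # Magic
    struct.pack_into("<I", buf, 0x80 + 24 + 28, image_base)
    return bytes(buf)

if __name__ == "__main__":
    dumped = make_sample_header()          # header as dumped: default base
    runtime_base = 0x003B0000              # base the thread saw in "Pick DLL"
    if read_image_base(dumped) != runtime_base:
        fixed = set_image_base(dumped, runtime_base)
        print("ImageBase %08X -> %08X" % (read_image_base(dumped),
                                           read_image_base(fixed)))
```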

All times are GMT +8.