Thread: ASPACK problems with DLL (relocations?)

    I already searched the board but found no solution for my problem. I think it might have to do with some relocations. I unpacked the DLL (using aspackdie because it's faster, but it's an "unknown algorithm 3" for ASPack 2.12b, as PEiD said), but if I load the DLL with LoadLibrary it has a different base than when loading it with OllyDbg!

    Example Olly:
    01A71000 | |EB 10 jmp short 01A71012
    01A71002 | |66 db 66 ; CHAR 'f'
    01A71003 | |62 db 62 ; CHAR 'b'
    01A71004 | |3A db 3A ; CHAR ':'
    01A71005 | |43 db 43 ; CHAR 'C'
    01A71006 | |2B db 2B ; CHAR '+'
    01A71007 | |2B db 2B ; CHAR '+'
    01A71008 | |48 db 48 ; CHAR 'H'
    01A71009 | |4F db 4F ; CHAR 'O'
    01A7100A | |4F db 4F ; CHAR 'O'
    01A7100B | |4B db 4B ; CHAR 'K'
    01A7100C | |90 nop
    01A7100D | |E9 db E9
    01A71012 |> \A1 F3A3AF01 mov eax, [dword ds:1AFA3F3]
    01A71017 |. C1E0 02 shl eax, 2
    01A7101A |. A3 F7A3AF01 mov [dword ds:1AFA3F7], eax
    01A7101F |. 8B4424 08 mov eax, [dword ss:esp+8]
    01A71023 |. A3 65A4AF01 mov [dword ds:1AFA465], eax
    01A71028 |. FF1485 55A4AF>call near [dword ds:eax*4+1AFA455]
    01A7102F |. 833D 65A4AF01>cmp [dword ds:1AFA465], 1
    01A71036 |. 75 5E jnz short flash001.01A71096
    01A71038 |. 803D FFA3AF01>cmp [byte ds:1AFA3FF], 0

    This works because for example at 1A71012 mov eax is pointing to memory which is available! (non shared dll memory at 1afa3f7)

    But if I load it with LoadLibrary it looks like this:
    01F91000 > /EB 10 jmp short 01F91012
    01F91002 |66:623A bound di, [word ds:edx]
    01F91005 |43 inc ebx
    01F91006 |2B2B sub ebp, [dword ds:ebx]
    01F91008 |48 dec eax
    01F91009 |4F dec edi
    01F9100A |4F dec edi
    01F9100B |4B dec ebx
    01F9100C |90 nop
    01F9100D -|E9 6CA4AF01 jmp 03A8B47E
    01F91012 \A1 F3A3AF01 mov eax, [dword ds:1AFA3F3]
    01F91017 C1E0 02 shl eax, 2
    01F9101A A3 F7A3AF01 mov [dword ds:1AFA3F7], eax
    01F9101F 8B4424 08 mov eax, [dword ss:esp+8]
    01F91023 A3 65A4AF01 mov [dword ds:1AFA465], eax
    01F91028 FF1485 55A4AF01 call near [dword ds:eax*4+1AFA455]
    01F9102F 833D 65A4AF01 0>cmp [dword ds:1AFA465], 1

    So the Base is changed from 1A10000 to 1F90000 but the mov eax is still pointing to 1afa3f3. ?!

    I just thought a DLL is like an EXE, so I should not bother with relocations, but I think I am wrong? Anyway, dumping the file with PETools and copying the reloc section changes nothing at this point.

    I am at the end of my knowledge. Maybe somebody can explain this to me and how to solve this?!
    (Btw, it's on a Windows XP system; I did not test under other OSes.)

    Last edited by friedo; November 2nd, 2004 at 11:11.
    I promise that I have read the FAQ and tried to use the Search to answer my question.
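
The base relocation mechanism the post asks about, as an added example that is not part of the original thread: it parses a PE base relocation directory, applies the HIGHLOW fixups the way the loader does when a DLL lands at a different base, and lists absolute operands that have no fixup entry and therefore keep pointing at the old base. The function names, the relocation blob, the image size and the old base 0x01A70000 (inferred from the listing addresses, with the code at RVA 0x1000) are assumptions; only the instruction bytes and the new base come from the post.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0  # padding entry, ignored by the loader
IMAGE_REL_BASED_HIGHLOW = 3   # add the base delta to the dword at this RVA

def parse_relocs(reloc):
    """Yield (rva, type) for each entry of a base relocation directory."""
    pos = 0
    while pos + 8 <= len(reloc):
        page_rva, size = struct.unpack_from("<II", reloc, pos)
        if size < 8 or size % 2 or pos + size > len(reloc):
            break  # terminator or damaged block, e.g. from a bad dump
        for (entry,) in struct.iter_unpack("<H", reloc[pos + 8:pos + size]):
            yield page_rva + (entry & 0x0FFF), entry >> 12
        pos += size

def rebase(image, reloc, old_base, new_base):
    """Apply HIGHLOW fixups as the loader does when the image base moves."""
    out = bytearray(image)
    delta = (new_base - old_base) & 0xFFFFFFFF
    for rva, kind in parse_relocs(reloc):
        if kind == IMAGE_REL_BASED_HIGHLOW:
            (value,) = struct.unpack_from("<I", out, rva)
            struct.pack_into("<I", out, rva, (value + delta) & 0xFFFFFFFF)
    return out

def stale_pointers(image, reloc, old_base, image_size):
    """Heuristic: RVAs of dwords pointing into the old image range with no fixup."""
    covered = {r for r, k in parse_relocs(reloc) if k == IMAGE_REL_BASED_HIGHLOW}
    hits = []
    for rva in range(len(image) - 3):
        (value,) = struct.unpack_from("<I", image, rva)
        if old_base <= value < old_base + image_size and rva not in covered:
            hits.append(rva)
    return hits

# Constructed sample: two instructions from the post placed at RVA 0x1012,
# with a fixup recorded for the first operand (RVA 0x1013) only.
OLD_BASE, NEW_BASE, IMAGE_SIZE = 0x01A70000, 0x01F90000, 0x90000  # size assumed
IMAGE = bytearray(0x1020)
IMAGE[0x1012:0x101F] = bytes.fromhex("A1F3A3AF01 C1E002 A3F7A3AF01")
RELOC = struct.pack("<IIHH", 0x1000, 12, (IMAGE_REL_BASED_HIGHLOW << 12) | 0x013, 0)

if __name__ == "__main__":
    moved = rebase(IMAGE, RELOC, OLD_BASE, NEW_BASE)
    print(hex(struct.unpack_from("<I", moved, 0x1013)[0]))  # operand with a fixup
    print(hex(struct.unpack_from("<I", moved, 0x101B)[0]))  # operand without one
    print([hex(r) for r in stale_pointers(IMAGE, RELOC, OLD_BASE, IMAGE_SIZE)])
```

Run against a real dump, the relocation blob would be the bytes of the data directory entry for base relocations and `old_base` the ImageBase field of the optional header; a non-empty result from `stale_pointers` marks operands the loader will not adjust.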
