Thread: ASPACK problems with DLL (relocations?)

  1. #1
    friedo
    Guest

    ASPACK problems with DLL (relocations?)

    Hi.

    I searched the board already but found no solution for my problem. I think it might have to do with some relocations. I unpacked the DLL (using AspackDie because it's faster, but it's an "unknown algorithm 3" for ASPack 2.12b, as PEiD said), but if I load the DLL with LoadLibrary it has another base than when loading it with OllyDbg!

    Example Olly:
    01A71000 | |EB 10 jmp short 01A71012
    01A71002 | |66 db 66 ; CHAR 'f'
    01A71003 | |62 db 62 ; CHAR 'b'
    01A71004 | |3A db 3A ; CHAR ':'
    01A71005 | |43 db 43 ; CHAR 'C'
    01A71006 | |2B db 2B ; CHAR '+'
    01A71007 | |2B db 2B ; CHAR '+'
    01A71008 | |48 db 48 ; CHAR 'H'
    01A71009 | |4F db 4F ; CHAR 'O'
    01A7100A | |4F db 4F ; CHAR 'O'
    01A7100B | |4B db 4B ; CHAR 'K'
    01A7100C | |90 nop
    01A7100D | |E9 db E9
    01A71012 |> \A1 F3A3AF01 mov eax, [dword ds:1AFA3F3]
    01A71017 |. C1E0 02 shl eax, 2
    01A7101A |. A3 F7A3AF01 mov [dword ds:1AFA3F7], eax
    01A7101F |. 8B4424 08 mov eax, [dword ss:esp+8]
    01A71023 |. A3 65A4AF01 mov [dword ds:1AFA465], eax
    01A71028 |. FF1485 55A4AF>call near [dword ds:eax*4+1AFA455]
    01A7102F |. 833D 65A4AF01>cmp [dword ds:1AFA465], 1
    01A71036 |. 75 5E jnz short flash001.01A71096
    01A71038 |. 803D FFA3AF01>cmp [byte ds:1AFA3FF], 0


    This works because, for example, at 1A71012 the mov eax is pointing to memory which is available (non-shared DLL memory at 1AFA3F7).

    But if I load it with LoadLibrary it looks like this:
    01F91000 > /EB 10 jmp short 01F91012
    01F91002 |66:623A bound di, [word ds:edx]
    01F91005 |43 inc ebx
    01F91006 |2B2B sub ebp, [dword ds:ebx]
    01F91008 |48 dec eax
    01F91009 |4F dec edi
    01F9100A |4F dec edi
    01F9100B |4B dec ebx
    01F9100C |90 nop
    01F9100D -|E9 6CA4AF01 jmp 03A8B47E
    01F91012 \A1 F3A3AF01 mov eax, [dword ds:1AFA3F3]
    01F91017 C1E0 02 shl eax, 2
    01F9101A A3 F7A3AF01 mov [dword ds:1AFA3F7], eax
    01F9101F 8B4424 08 mov eax, [dword ss:esp+8]
    01F91023 A3 65A4AF01 mov [dword ds:1AFA465], eax
    01F91028 FF1485 55A4AF01 call near [dword ds:eax*4+1AFA455]
    01F9102F 833D 65A4AF01 0>cmp [dword ds:1AFA465], 1



    So the base has changed from 1A10000 to 1F90000, but the mov eax is still pointing to 1AFA3F3?!

    I just thought a DLL is like an EXE, so I should not have to bother with relocations, but I think I am wrong? Anyway, dumping the file with PETools and copying the reloc section changes nothing at this point.

    I am at the end of my knowledge... maybe somebody can explain this to me and how to solve it?!
    (Btw, it's on a Windows XP system; I did not test under other OSes.)

    regards,
    friedo
    Last edited by friedo; November 2nd, 2004 at 11:11.

  2. #2
    Yep, DLLs need relocation data. Chances are when the protection was applied the reloc information was destroyed and the protection handles it all at runtime. You've got no choice really but to try and get 2 dumps of the DLL loaded at a different base, then compare, and rebuild some form of relocation information from that. Should work then.
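    The two-dump approach described above, as an added example that is not code from the thread or from any of the tools it mentions. It assumes the two dumps are the same unpacked image captured at two different load addresses (the OllyDbg base and the LoadLibrary base, say), so that every DWORD which differs by exactly the base delta and points inside the image is an absolute address needing an IMAGE_REL_BASED_HIGHLOW fixup. The sample dump is constructed inline to resemble the listing in the first post; the RVAs and bases in it are made up. Writing the rebuilt table into a .reloc section and pointing the PE header's relocation data directory at it is a separate step.

```python
"""Rebuild base-relocation data for an unpacked DLL from two memory dumps.

Added example, not code from the thread. Assumes dump_a and dump_b are the
same image at two different bases; every DWORD that shifted by exactly the
base delta and points into the image is treated as an absolute pointer.
"""
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, ignored by the loader
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address: add the base delta
PAGE = 0x1000


def find_fixups(dump_a, base_a, dump_b, base_b):
    """Return the RVAs of every 4-byte slot whose pointer moved with the base."""
    if len(dump_a) != len(dump_b):
        raise ValueError("both dumps must cover the same image size")
    delta = (base_b - base_a) & 0xFFFFFFFF
    rvas, off = [], 0
    while off + 4 <= len(dump_a):
        a = struct.unpack_from("<I", dump_a, off)[0]
        b = struct.unpack_from("<I", dump_b, off)[0]
        # Unchanged bytes (opcodes, relative jumps, plain data) never qualify;
        # the in-image check weeds out coincidental delta matches.
        if a != b and (b - a) & 0xFFFFFFFF == delta and base_a <= a < base_a + len(dump_a):
            rvas.append(off)
            off += 4          # a pointer slot cannot overlap the next one
        else:
            off += 1
    return rvas


def build_reloc_section(rvas):
    """Serialize fixup RVAs as IMAGE_BASE_RELOCATION blocks, one per 4 KiB page."""
    by_page = {}
    for rva in rvas:
        by_page.setdefault(rva & ~(PAGE - 1), []).append(rva & (PAGE - 1))
    out = bytearray()
    for page in sorted(by_page):
        entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | o for o in sorted(by_page[page])]
        if len(entries) % 2:  # keep SizeOfBlock a multiple of 4
            entries.append(IMAGE_REL_BASED_ABSOLUTE << 12)
        out += struct.pack("<II", page, 8 + 2 * len(entries))
        out += struct.pack("<%dH" % len(entries), *entries)
    return bytes(out)


def apply_relocs(image, reloc, old_base, new_base):
    """Do what the loader does with .reloc: add the base delta to every HIGHLOW slot."""
    delta = (new_base - old_base) & 0xFFFFFFFF
    buf, pos = bytearray(image), 0
    while pos + 8 <= len(reloc):
        page, size = struct.unpack_from("<II", reloc, pos)
        if size < 8:
            break
        for entry in struct.unpack_from("<%dH" % ((size - 8) // 2), reloc, pos + 8):
            if entry >> 12 == IMAGE_REL_BASED_HIGHLOW:
                rva = page + (entry & 0xFFF)
                val = struct.unpack_from("<I", buf, rva)[0]
                struct.pack_into("<I", buf, rva, (val + delta) & 0xFFFFFFFF)
        pos += size
    return bytes(buf)


def make_dump(base):
    """Constructed sample dump (not from the thread): a 3-page image with code
    resembling the listing in page 1 and a table of handler pointers in page 2."""
    img = bytearray(0x3000)
    code = b"\xEB\x10" + b"fb:C++HOOK" + b"\x90"                 # jmp short over a marker string
    code += b"\xE9" + struct.pack("<i", 0x100)                    # relative jmp: no fixup needed
    code += b"\xA1" + struct.pack("<I", base + 0x2000)            # mov eax,[abs]      -> fixup
    code += b"\xC1\xE0\x02"                                       # shl eax,2
    code += b"\xA3" + struct.pack("<I", base + 0x2004)            # mov [abs],eax      -> fixup
    code += b"\xFF\x14\x85" + struct.pack("<I", base + 0x2010)    # call [eax*4+abs]   -> fixup
    code += b"\xC3"
    img[0x1000:0x1000 + len(code)] = code
    struct.pack_into("<I", img, 0x2004, 4)                        # plain value, must stay untouched
    for i in range(4):                                            # four absolute code pointers
        struct.pack_into("<I", img, 0x2010 + 4 * i, base + 0x1000 + 2 * i)
    return bytes(img)


def demo(base_a=0x01A70000, base_b=0x01F90000, base_c=0x10000000):
    """Rebuild .reloc from dumps at base_a/base_b; check it reproduces dump_b and rebases to base_c."""
    dump_a, dump_b = make_dump(base_a), make_dump(base_b)
    rvas = find_fixups(dump_a, base_a, dump_b, base_b)
    reloc = build_reloc_section(rvas)
    reproduces_b = apply_relocs(dump_a, reloc, base_a, base_b) == dump_b
    return rvas, reloc, reproduces_b, apply_relocs(dump_a, reloc, base_a, base_c)


if __name__ == "__main__":
    rvas, reloc, ok, _ = demo()
    print("fixups at", [hex(r) for r in rvas], "reloc bytes", len(reloc), "round-trip", ok)
```

    The in-image check matters on real dumps: a counter or handle that happened to change by the delta between the two runs would otherwise end up as a bogus fixup, and heap or stack addresses stored in the data section are filtered out the same way. Take both dumps at the same execution point (right after the unpacking stub finishes), or the data pages will differ for reasons that have nothing to do with the base.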

  3. #3
    friedo
    Guest
    Okay. So I was on the right track. I used a simple OllyScript for ASPack to determine the real relocation table, patched the whole .reloc section and adapted the relocation table in the PE header (that's what I missed last time and why it didn't work).

    Such a changed DLL works at different image bases!

    Thanks so far.

    P.S.:
    I thought AspackDie would adapt this reloc table automatically... tztztz
    Anyway, I have big problems dumping such an unpacked DLL with OllyDbg or PETools, because every time I do it and adapt the import table with ImpREC I get an error that it's not a "Win32 executable file". Because I don't know how to solve this, I let AspackDie do the work for me and change some things manually...

    Maybe there's a tutorial out there which explains why my dumped file is not a Win32 executable?
    Last edited by friedo; November 2nd, 2004 at 05:17.

  4. #4
    Registered User (Join Date: Jan 2002, Location: Germany, Posts: 39)

    That could be a problem due to wrong sizes for sections (VirtualSize) and SizeOfImage. Simply try to use a PE editor / rebuild the PE header for 2k/NT and check if the rebuilt EXE works... if so, code some small subroutine that aligns your file's VirtualSizes + SizeOfImage... voila.
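    An added example of the two header repairs this thread ends up needing: the VirtualSize/SizeOfImage fix suggested in the post above, and the "adapt the relocation table in the PE header" step from post #3, which is the IMAGE_DIRECTORY_ENTRY_BASERELOC data directory entry. This is not code from the thread or from any PE editor it mentions; it edits raw PE32 header bytes with the standard library only, and the sample header (section names, RVAs, sizes) is constructed inline to look like what a careless dumper leaves behind. The RVA and size passed for the rebuilt .reloc table are assumed to come from whatever produced that table.

```python
"""Repair the header of a dumped PE32 DLL: section VirtualSizes, SizeOfImage
and the base-relocation data directory.

Added example, not code from the thread. Works on raw header bytes; the
sample header below is constructed, not taken from a real file.
"""
import struct

IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
OPT_SECTION_ALIGNMENT = 32     # offsets inside IMAGE_OPTIONAL_HEADER32
OPT_SIZE_OF_IMAGE = 56
OPT_DATA_DIRECTORY = 96


def _align(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)


def _locate(pe):
    """Return (optional header offset, NumberOfSections, first section header offset)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) headers are handled here")
    return opt, nsec, opt + opt_size


def sections(pe):
    """(name, VirtualSize, VirtualAddress, SizeOfRawData) for each section header."""
    _, nsec, first = _locate(pe)
    result = []
    for i in range(nsec):
        h = first + 40 * i
        name = bytes(pe[h:h + 8]).rstrip(b"\0").decode()
        result.append((name,) + struct.unpack_from("<III", pe, h + 8))
    return result


def size_of_image(pe):
    return struct.unpack_from("<I", pe, _locate(pe)[0] + OPT_SIZE_OF_IMAGE)[0]


def reloc_directory(pe):
    """(VirtualAddress, Size) of IMAGE_DIRECTORY_ENTRY_BASERELOC."""
    off = _locate(pe)[0] + OPT_DATA_DIRECTORY + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC
    return struct.unpack_from("<II", pe, off)


def fix_header(pe, reloc_rva=None, reloc_size=None):
    """Make every VirtualSize cover the dumped bytes, recompute SizeOfImage and,
    when given, point the relocation directory at a rebuilt .reloc table."""
    buf = bytearray(pe)
    opt, nsec, first = _locate(buf)
    sect_align = struct.unpack_from("<I", buf, opt + OPT_SECTION_ALIGNMENT)[0]
    end = 0
    for i in range(nsec):
        h = first + 40 * i
        vsize, va, raw = struct.unpack_from("<III", buf, h + 8)
        # A dump written section by section has real image bytes in all of
        # SizeOfRawData; a zero or truncated VirtualSize is one of the things
        # that makes the loader reject the file as not a valid Win32 image.
        if vsize < raw:
            vsize = raw
            struct.pack_into("<I", buf, h + 8, vsize)
        end = max(end, _align(va + vsize, sect_align))
    struct.pack_into("<I", buf, opt + OPT_SIZE_OF_IMAGE, end)
    if reloc_rva is not None:
        off = opt + OPT_DATA_DIRECTORY + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC
        struct.pack_into("<II", buf, off, reloc_rva, reloc_size)
    return bytes(buf)


def sample_header():
    """Constructed: a PE32 DLL header as a careless dumper might leave it
    (VirtualSize zero or truncated, SizeOfImage stale, no reloc directory)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x2102)   # i386, 3 sections, DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                  # PE32 magic
    struct.pack_into("<I", opt, 28, 0x01A70000)                            # ImageBase
    struct.pack_into("<I", opt, OPT_SECTION_ALIGNMENT, 0x1000)
    struct.pack_into("<I", opt, 36, 0x200)                                 # FileAlignment
    struct.pack_into("<I", opt, OPT_SIZE_OF_IMAGE, 0x1000)                 # stale: far too small
    struct.pack_into("<I", opt, 92, 16)                                    # NumberOfRvaAndSizes
    secs = b""
    for name, vsize, va, raw, ptr in ((b".text", 0, 0x1000, 0x500, 0x400),
                                      (b".data", 0x100, 0x2000, 0x800, 0xA00),
                                      (b".reloc", 0, 0x3000, 0x200, 0x1200)):
        secs += struct.pack("<8sIIIIIIHHI", name, vsize, va, raw, ptr, 0, 0, 0, 0, 0x40000040)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + secs


if __name__ == "__main__":
    fixed = fix_header(sample_header(), reloc_rva=0x3000, reloc_size=0x20)
    print(hex(size_of_image(fixed)), sections(fixed), reloc_directory(fixed))
```

    The directory Size should be the exact length of the rebuilt relocation table rather than the padded section size, so the loader stops at the last real block. SizeOfImage must be the end of the last section rounded up to SectionAlignment; the loader compares it against the section table, which is why a value left over from the packed file fails the "valid Win32 application" check even when the sections themselves are fine.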
