Reverse Engineering RET Homepage RET Members Reverse Engineering Projects Reverse Engineering Papers Reversing Challenges Reverser Tools RET Re-Search Engine Reverse Engineering Forum Reverse Engineering Links

Go Back   Reverse Engineering Team Board > Reverse Engineering Board > File Unpacking
FAQ Members List Calendar Search Today's Posts Mark Forums Read

Thread Tools Display Modes
Old 09-19-2006, 08:18 AM
badu badu is offline
Junior Member
Join Date: Sep 2006
Posts: 2

I've been trying to uncompress the attached DLL which has been packed with PECompact 2.4x (guessed!). Used OllyDbg and following the code, I've found the OEP at RVA(offset):16D708 (RVA:16E708).
After that, I've dumped the DLL using the OllyDumper plugin and modified the entry point according to what I've previously found.

The problem is that, even I'm able to see all the imports, exports and resource sections correctly with various tools (e.g. lordPe, importRec, peEditor) - I'm not being able to load the DLL in any application. I keep receiveing the following error:

"The application or DLL excel.uncompressed.dll is not a valid Windows image. Please check this against your installation diskette."

If someone has previous experience with this, please share it with me.

Thanks in advance!
Note: Because of the 500k "global space left" on this board, I couldn't attach the compressed/uncompressed file here. The files can be found here!
Reply With Quote
Old 09-21-2006, 03:10 AM
badu badu is offline
Junior Member
Join Date: Sep 2006
Posts: 2

More details:

1) I've tried all the unpackers existing on the web related to PECompact
2) I've tried all the OllyScripts existing also
3) I've compared the DLLMain procedure (being an Delphi compiled DLL) with one that I've constructed myself, therefor I'm certain that I found the OEP.
The DLLMain (Delphi compiled) looks like:
push ebp
mov ebp,esp
add esp,-3C
mov eax,<addr>
call <addr>
call <addr>
4) To be certain, the following code is showing me where the real OEP is located:
mov eax,esi ; the value of EAX will be the real OEP (009DE708)
pop edx
pop esi
pop edi
pop ecx
pop ebx
pop ebp
jmp eax

So, EAX = 009DE708, base is 00870000, the difference is 16E708 (offset : 5DE708)

5) from what I've realized, the PECompact is relocating (correctly) the resources, imports and exports. They are viewable with any resource editor.
Reply With Quote

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.