Jump to content
Tuts 4 You

ap0x's Blog

Sign in to follow this  
  • entries
    3
  • comments
    24
  • views
    3,524

Relocater 1.0

Sign in to follow this  
ap0x

1,569 views

This is a separate part of Unpacking Engine made to deal with relocations whose fixing is crucial in process of dll unpacking. So how does it work? There are two ways. First which is very, very slow gets relocations addresses by setting the breakpoint directly in packers relocation code (you do this!). This is very slow due to the fact the number of relocations is always very large. That is why another way of fixing relocations was developed. It is very fast, simple, generic and easy to use. To fix relocations you need to do the following:

1) Make sure that debugee dll gets loaded on any bases address other than its ImageBase (done with dll loader)

2) Set two breakpoints. One before relocation code, other just after.

3) Make two memory snapshots of target memory. One before relocation, one after.

4) Export relocation table created by memory state compare.

This is very easy but it does not recreate the original relocation table. Why? Because null relocations which can be present in the relocation table are either stripped by the packer or can't be detected by comparing since they don't invoke any memory change. Therefore this method is simple and painless especially when we consider that all decent packers compress relocation table, not just walk trough the original one.

Sign in to follow this  


4 Comments


Recommended Comments

Killboy

Posted

Is there already an available version ? :wub:

Share this comment


Link to comment

No, you will have to wait until UE 1.5 :whistling:

Share this comment


Link to comment
Killboy

Posted

I reckon "When it's done" ? :D

Share this comment


Link to comment

Quality instead of quantity :)

Share this comment


Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...