Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Question about packed files

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General programming -> Crackmes
View previous topic :: View next topic  
Author Message
Stylo
Grandmaster Cheater Supreme
Reputation: 3

Joined: 16 May 2007
Posts: 1072
Location: Israel

PostPosted: Sun Jan 19, 2014 12:20 pm    Post subject: Question about packed files Reply with quote

Recently started messing around with packers
and bumped into this packer that set the entry-point for the packed dll outside the dll boundaries.
I mean.. the packed dll size is 14,696 bytes (3968 in hex) and the it's entry-point is located at RVA: 0x01048C
plus, when i set a breakpoint at its EP, it won't even get there when execute.
Could it be hidden or something like that?
pretty new to this whole packing thing

Thanks

_________________
Stylo
Back to top
View user's profile Send private message
atom0s
Moderator
Reputation: 137

Joined: 25 Jan 2006
Posts: 7258
Location: 127.0.0.1

PostPosted: Tue Jan 21, 2014 10:09 pm    Post subject: Reply with quote

Does the DLL have an exception handler setup to force-crash itself at start to execute the unpacking method?
_________________
- Retired.
Back to top
View user's profile Send private message Visit poster's website
Stylo
Grandmaster Cheater Supreme
Reputation: 3

Joined: 16 May 2007
Posts: 1072
Location: Israel

PostPosted: Wed Jan 22, 2014 3:41 am    Post subject: Reply with quote

even if it does
how could it be executed before the entry point?
isn't it the first place where the execution begins?

it's weird cuz when i debug it with ollydbg it says the entry point for the packed dll
but when opening with PE Explorer the entry point is set for the place after the unpacking process..
O_O ?!
even when i break with olly on every dll loading and stop on the entry point that PE Explorer wrote it break but the dll is already unpacked Confused

_________________
Stylo
Back to top
View user's profile Send private message
UnIoN
Expert Cheater
Reputation: 2

Joined: 17 May 2011
Posts: 145

PostPosted: Wed Jan 22, 2014 5:43 am    Post subject: Reply with quote

maybe there are more values at PE Header (aside from entry point) changed to prevent debug? have you tried lenas tutorials?
Back to top
View user's profile Send private message
atom0s
Moderator
Reputation: 137

Joined: 25 Jan 2006
Posts: 7258
Location: 127.0.0.1

PostPosted: Thu Jan 23, 2014 12:56 am    Post subject: Reply with quote

Before the entry point.. does the DLL have a TLS entry? That will be executed before you will see the entry point hit.
_________________
- Retired.
Back to top
View user's profile Send private message Visit poster's website
Stylo
Grandmaster Cheater Supreme
Reputation: 3

Joined: 16 May 2007
Posts: 1072
Location: Israel

PostPosted: Mon Feb 10, 2014 3:38 am    Post subject: Reply with quote

Well it turns out that ollydbg was messed up for some reason :S
When used windbg it hit the entry point..
what TLS is?

_________________
Stylo
Back to top
View user's profile Send private message
atom0s
Moderator
Reputation: 137

Joined: 25 Jan 2006
Posts: 7258
Location: 127.0.0.1

PostPosted: Mon Feb 10, 2014 2:51 pm    Post subject: Reply with quote

TLS is 'thread-local storage'.
http://en.wikipedia.org/wiki/Thread-local_storage

A simple yet good example can be found here:
http://www.hexblog.com/?p=9

You can find full info on the PE header here from Microsoft:
http://msdn.microsoft.com/library/windows/hardware/gg463125

_________________
- Retired.
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> General programming -> Crackmes All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites