Hello,
I'm having a weird problem with PECompact2. I've tried various different settings and both LZMA and LZMA2 compression settings.
I work on a 3rd party modification for an online game, so our software injects a DLL into the game on launch (our main code is in the DLL).
I was able to pack the DLL just fine at first and it would work, however I then upgraded my code to use some better coded functions.
Now, with the new code, the program works fine unpacked; however, once packed, the DLL is no longer injected into the process.
I checked the module listing for the process, no sign of our DLL.
I tried MANY different project settings thinking maybe it's something wrong with that, and to no avail. So I tried it with a previous backup folder of the code and sure enough it still works when packed.
So to rule out project settings, I brought over the new project to the old source backup to test with new project settings. The app still works just fine when packed.
I was wondering if it was because the Entry Point was moved, but it said it was moved in the old source folder too and it still worked so that was ruled out.
So it has to be some of the new code I have implemented.
edit: Thought it may be one of the 3 new functions added, but I commented out the code and simply returned 0 in it since it's not run until later, and it still exhibits the problem.
Do you have any clue what may be causing this?
last ATTEMPTED flags: (I tried MANY if not every possible combination of settings)
/Sd:Y /Ssh:Yes /Hh:pec2hooks_api_ispacked.dll,pec2hooks_break_un2pec.dll,pec2hooks_api_watermark.dll,pec2hooks_fastimport.dll /Lh:pec2ldr_antidebug.dl
Flags I knew worked previously (because I had exported them to a .bat file) and which no longer work:
/Cl:9 /Dt:Fast /Sd:Y /Ssh:Yes /Emp:Yes
Here's a dump of the headers if it helps you :/
E:\Dev\WindowerSVN\hook\branches\DEVEL_3_4\bin>dumpbin /headers hook.dll
Microsoft (R) COFF/PE Dumper Version 9.00.30729.01
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file hook.dll
PE signature found
File Type: DLL
FILE HEADER VALUES
14C machine (x86)
3 number of sections
49D3113F time date stamp Wed Apr 01 03:01:19 2009
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
2102 characteristics
Executable
32 bit word machine
DLL
OPTIONAL HEADER VALUES
10B magic # (PE32)
9.00 linker version
B7200 size of code
F8C00 size of initialized data
0 size of uninitialized data
5E298 entry point (1005E298)
1000 base of code
B9000 base of data
10000000 image base (10000000 to 101D1FFF)
1000 section alignment
200 file alignment
5.00 operating system version
3.04 image version
5.00 subsystem version
0 Win32 version
1D2000 size of image
400 size of headers
87E5B checksum
2 subsystem (Windows GUI)
0 DLL characteristics
100000 size of stack reserve
1000 size of stack commit
100000 size of heap reserve
1000 size of heap commit
0 loader flags
10 number of directories
0 [ 0] RVA [size] of Export Directory
1CF1D4 [ 179] RVA [size] of Import Directory
1C5000 [ A119] RVA [size] of Resource Directory
0 [ 0] RVA [size] of Exception Directory
0 [ 0] RVA [size] of Certificates Directory
1D1000 [ 30] RVA [size] of Base Relocation Directory
0 [ 0] RVA [size] of Debug Directory
0 [ 0] RVA [size] of Architecture Directory
0 [ 0] RVA [size] of Global Pointer Directory
1D0110 [ 44] RVA [size] of Thread Storage Directory
0 [ 0] RVA [size] of Load Configuration Directory
0 [ 0] RVA [size] of Bound Import Directory
0 [ 0] RVA [size] of Import Address Table Directory
0 [ 0] RVA [size] of Delay Import Directory
0 [ 0] RVA [size] of COM Descriptor Directory
0 [ 0] RVA [size] of Reserved Directory
SECTION HEADER #1
.text name
1C4000 virtual size
1000 virtual address (10001000 to 101C4FFF)
77400 size of raw data
400 file pointer to raw data (00000400 to 000777FF)
32434550 file pointer to relocation table
4F4E file pointer to line numbers
0 number of relocations
0 number of line numbers
E0000020 flags
Code
Execute Read Write
SECTION HEADER #2
.rsrc name
C000 virtual size
1C5000 virtual address (101C5000 to 101D0FFF)
B200 size of raw data
77800 file pointer to raw data (00077800 to 000829FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
E0000020 flags
Code
Execute Read Write
SECTION HEADER #3
.reloc name
200 virtual size
1D1000 virtual address (101D1000 to 101D11FF)
200 size of raw data
82A00 file pointer to raw data (00082A00 to 00082BFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
C0000040 flags
Initialized Data
Read Write
Summary
1000 .reloc
C000 .rsrc
1C4000 .text
And a copy of the binary (packed version that won't load): http://aikar.us.to/badhook/Hook.dll
If you need a copy of the unpacked version please let me know and I'll email it to you.
Here's a dump of the normal unpacked PE.
Dump of file hook.dll.pec2bac
File Type: DLL
Summary
16000 .data
1000 .data1
1E000 .rdata
B000 .reloc
C8000 .rsrc
A5000 .text
1000 .tls
1000 BSS
18000 CODE
1000 DATA
1000 SHARED
And here's another standard dump of one done properly with the GUI with these flags (I notice the one above I did with the console has SHARED stripped):
/Sd:Y /Ssh:Yes /Hh:pec2hooks_api_ispacked.dll,pec2hooks_break_un2pec.dll,pec2hooks_api_watermark.dll,pec2hooks_fastimport.dll /Lh:pec2ldr_antidebug.dll
E:\Dev\WindowerSVN\hook\branches\DEVEL_3_4\bin>dumpbin hook.dll
Microsoft (R) COFF/PE Dumper Version 9.00.30729.01
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file hook.dll
File Type: DLL
LINK : warning LNK4078: multiple '.rsrc' sections found with different attribute
s (E0000020)
Summary
1000 .reloc
D3000 .rsrc
C000 .rsrc
F5000 .text
1000 SHARED
I am sure my DllMain is not being called now too; I added a MessageBox to test and am getting nothing.
Need to hit bed now, 4am :( Hopefully I will hear back from you tomorrow, as I can't get a new version out to our users to test until I can pack it. (We develop a 'good' 3rd party app for the game; however, 'bad' people would love to get ahold of some of our info to make cheats and bots, and this next, improved version of the code I'm using is using strings instead of byte arrays for its workings, so I really need to protect those. And yes, I will be putting to use the encrypted strings code from PEHideText; that's going to help a lot!)
I will have to do some runtime debugging to determine the cause. I will need an uncompressed copy of the DLL. Please email it to binaries@bitsum.com.
I took a cursory glance at the compressed DLL you sent. All I can say at this point is that there is a memory access violation in the DLL entry code, perhaps in the PECompact loader. I will know more when I get the uncompressed DLL and can compress it with the debug loader (re: in contrast to the anti-debug loader, the debug loader removes protection code in the loader to allow for easier debugging).
Ok, let me get all my code re-enabled (the parts commented out for testing; all the changes I reverted before were not 'crucial' to be done that way, so I just need to uncomment the functionality functions now) and rebuild everything, and I'll email both to you.
On a side note, I noticed when I do "Make these settings the default", those don't apply to console based usage (i.e. Explorer context menu). Would be nice if, when no flags are passed to pec2.exe, it used the default settings, or maybe saved a binaryname.pec2settings file with the flags for use in console and GUI loading?
Quote from: Aikar on April 01, 2009, 02:49:48 PM
On a side note, I noticed when I do "Make these settings the default", those don't apply to console based usage (i.e. Explorer context menu). Would be nice if, when no flags are passed to pec2.exe, it used the default settings, or maybe saved a binaryname.pec2settings file with the flags for use in console and GUI loading?
Yes, I agree. I intend to address this in a future update to PECompact.
Note on binaries: I left a TEST message box in the DllMain entry point for testing.
It's pretty much the first thing called:

    // DLL entry point
    #include <windows.h>

    BOOL APIENTRY DllMain(HANDLE hModule,
                          DWORD ul_reason_for_call,
                          LPVOID lpReserved)
    {
        if (ul_reason_for_call == DLL_PROCESS_ATTACH)
        {
            MessageBoxA(NULL, "TEST", "TEST", MB_OK);
        }
        return TRUE;
    }
Ok, thanks. It will likely be tomorrow morning before I get to doing this debugging. I apologize for the wait, I have several things to do at present.
Quick answer:
It seems that the problem is in shared sections, which are not supported by packers.
Quote from: Jupiter on April 02, 2009, 07:00:06 AM
It seems that the problem is in shared sections, which are not supported by packers.
A good guess, but PECompact actually has the ability to skip shared sections, a parameter he is using (/ssh:yes). This of course lowers compression ratio, but allows those sections to remain shared by all instances of the module.
I have not yet found the time to debug this problem. Please understand that I am quite busy here ;o. I will try to get to it today.
Any luck with it, Jeremy?
Quote from: Aikar on April 08, 2009, 09:05:51 AM
Any luck with it, Jeremy?
I haven't done enough to determine a cause for certain. However, I think it is possible that the problem is the particular way the module was built causes PECompact to relocate the entry point, instead of its normal practice of inserting a 'call' (to the PECompact loader) at the original entry point.
As an experiment, can you try moving the DllMain function higher up in the source code? This may cause it to be positioned earlier in the compiled object, transferring to an earlier positioning in the linked DLL. Basically, you want to end up with the original entry point in a location as early as possible in the built DLL. There are also other ways to do this.
Of course, this may have nothing to do with the crash, and a proper fix is really needed. However, from your description of when this started occurring, it seems like a very likely candidate.
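Two of the hypotheses raised in this thread, a shared section the packer cannot handle and an entry point that sits too far into the image for the packer to patch in place, can be checked from the section table before packing. The following script is an added example and not code from the thread or from PECompact; it parses a PE header with the standard library only, reports which section holds AddressOfEntryPoint and which sections carry IMAGE_SCN_MEM_SHARED, and builds a header-only sample from the numbers in the packed-DLL dumpbin output above (the `build_sample` helper and the warning strings are this example's own).

```python
import struct

IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_EXECUTE = 0x10000000, 0x20000000   # winnt.h section flags

def parse_sections(data):
    """Return (AddressOfEntryPoint, [(name, virtual_address, virtual_size, flags), ...])."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                   # e_lfanew -> "PE\0\0"
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    entry = struct.unpack_from("<I", data, pe + 40)[0]             # optional header + 16
    secs, off = [], pe + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    for _i in range(nsections):
        name, vsize, va, *_rest, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        secs.append((name.rstrip(b"\0").decode(), va, vsize, flags))
        off += 40
    return entry, secs

def audit(data):
    """Locate the entry point and flag section layouts a packer may mishandle."""
    entry, secs = parse_sections(data)
    rep = {"entry_rva": entry, "entry_section": None, "shared": [], "warnings": []}
    for idx, (name, va, vsize, flags) in enumerate(secs):
        if va <= entry < va + vsize:
            rep["entry_section"] = name
            if not flags & IMAGE_SCN_MEM_EXECUTE:
                rep["warnings"].append(f"entry point in non-executable section {name}")
            if idx:
                rep["warnings"].append(f"entry point in section #{idx + 1}, not the first")
        if flags & IMAGE_SCN_MEM_SHARED:                           # what /Ssh:Yes must leave alone
            rep["shared"].append(name)
    if rep["entry_section"] is None:
        rep["warnings"].append("entry point lies outside every section")
    return rep

def build_sample(entry, sections):
    """Construct a header-only PE32 image for offline testing (constructed data, no real code)."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                         # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x2102)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, 0, 0, 0, 0, 0, 0, f)
                    for n, va, vs, f in sections)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)                # e_lfanew = 64
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs

PACKED_SAMPLE = build_sample(0x5E298, [(".text", 0x1000, 0x1C4000, 0xE0000020),   # from the thread's dumpbin
                                       (".rsrc", 0x1C5000, 0xC000, 0xE0000020),
                                       (".reloc", 0x1D1000, 0x200, 0xC0000040)])
```

Run `audit(open("hook.dll", "rb").read())` on the unpacked DLL to see the pre-pack layout; an entry point reported in a later section, or a non-empty `shared` list, is the condition the posts above are discussing.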
That was one thing I tried too; I had put it in my stdafx file to try that before I even made the topic, and it still relocated.
Ok, I am not sure that is the entire problem anyway, as that portion of the code seemed to do ok when I was debugging it. The crash could be manifested by a base collision, but I have not verified that. I obviously haven't spent much time with it, and I apologize. I unfortunately have to prioritize my time in ways other than I would prefer ;(
The investigation is going to take more time for sure. I intend to eventually solve this problem, but still don't know when... nor can I guarantee it will be solved. I am sorry I don't have more immediate help for this problem.
Been a while... any chance you can re-look into this issue? It's still a problem in the latest PECompact :(
I even removed almost all code from my DllMain and it still does it. A simple DllMain with a message box only still doesn't trigger the DllMain.
And yes, I am getting that "EntryPoint is no longer in the DLL Address space, Relocating" message, but I got that on many other DLLs that worked fine too.
Really would love to use PECompact but haven't been able to use it on our main software due to this :(