Jump to content

looking for a tutorial how to debug a dll with IDA Pro


tonyblair

Recommended Posts

Hi can someone help me?

I need a tutorial on how to debug a dll in a standalone mode

with IDA Pro.

1-The dll is packed or encrypted

2-I want to avoid loading the calling program

Tanks in advance for the gurus who could helps.

ps: @ Moderators

  you can delete this thread if it is in conflict with the rules.

Link to comment
Share on other sites


  • Replies 4
  • Views 3.2k
  • Created
  • Last Reply

Well I found this, dunno if it is exactly what you're looking for. I will keep looking just incase :dance2:

► Rock Lee

Link to comment
Share on other sites


@Rock Lee

I found an interresting tip in your link :load two or more files into the same single IDA Pro database. for example, we have CLTLMH.EXE and want to load an additional file: cltLMSx.dll to see how they interact with each other. As IDA debugger do no launch a dll but only an exe (a dll is called by an exe, it is not a standalone program).

the library cltLMSx.dll is encrypted

Consumer_Licensing_Technologies_r9.5

I will try what was recommended in the link you provide, and see if I move forward.

My aim is to decrypt the dll

Thanks for your help, I appreciate. :dance2:

Link to comment
Share on other sites


No problem, I've been on the look out for more. Havent seen too many.

This one is another tutorial but in .pdf form which means you'll need adobe reader (if you

dont already have it). I didnt get a chance to look it over but it may be able to help you.

*Note to view it, click the download arrow at the end of the decription

Link to comment
Share on other sites


@Rock Lee

Yes I have adobe, Thanks again for the document and for the site also, it seems to be a golden mine.

This a flavor of what I am seeing under the "microscope": (for fun and curiosity)

.data:6C3535B4 dd offset aTrialmaxdays ; "TrialMaxDays"

.data:6C3535B8 dd offset aTrialremaini_0 ; "TrialRemainingDays"

.data:6C3535BC dd offset aActivationkey ; "ActivationKey"

.data:6C3535C0 dd offset aActivationdate ; "ActivationDate"

.data:6C3535C4 dd offset aEnddate ; "EndDate"

.data:6C3535C8 dd offset aCustomerid ; "CustomerID"

.data:6C3535CC dd offset aProductserialn ; "ProductSerialNumber"

.data:6C3535D0 dd offset aEndpointid ; "EndPointID"

.data:6C3535D4 dd offset aSeatcount ; "SeatCount"

.data:6C3535D8 dd offset aComputername ; "ComputerName"

.data:6C3535DC dd offset aSymskucurrent ; "SymSKUCurrent"

.data:6C3535E0 dd offset aSymskufamily ; "SymSKUFamily"

.data:6C3535E4 dd offset aSymskumedia ; "SymSKUMedia"

.data:6C3535E8 dd offset aProductid ; "ProductID"

.data:6C3535EC dd offset aSymantecvendor ; "SymantecVendorId"

.data:6C3535F0 dd offset aSku ; "SKU"

.data:6C3535F4 dd offset aEarlyrenewmaxd ; "EarlyRenewMaxDays"

.data:6C3535F8 dd offset aEarlyremaining ; "EarlyRemainingDays"

.data:6C3535FC dd offset aSubscriptionma ; "SubscriptionMaxDays"

.data:6C353600 dd offset aSubscription_0 ; "SubscriptionRemainingDays"

.data:6C353604 dd offset aSubscriptionwa ; "SubscriptionWarningDays"

.data:6C353608 dd offset aRemainingdays ; "RemainingDays"

Or this :

clui.jpg

But all this is a misleading Fake statements (all in plain text in non encrypted libraries).

The true ones are hidden in the encrypted dll's 

cryp.jpg

in a segment like this :

cryp1.jpg

We know the meaning of these segments:

.txt

.rdata

.data

But my question is : who knows the meaning of this .asdfas segment? is it a well known

encryptor, packer or whatever? :lmao:

Link to comment
Share on other sites


Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...