
I googled so much but I just couldn't find a real answer to my question. I'm currently writing a packer which encrypts the sections of an exe or dll file and modifies the Entry Point so my decrypter stub can decrypt the file at runtime; after that I jump to the OEP of the program. That works just fine with native exe and dll files, but it won't work with .NET files / managed code... As soon as I change the entry point of a .NET file in the PE header, the file won't run (not even my decryption stub at the entry point). I was using OllyDbg to see what's going on and I noticed that the file is loading mscoree.dll from the Import Table. This file does some checks on my exe before running it, and it seems it doesn't like my native decryption stub, so it simply exits the program with this error message:

---------------------------
Launcher2.exe - This application could not be started.
---------------------------
This application could not be started.

Do you want to view information about this issue?
---------------------------
Ja   Nein   
---------------------------

Would be nice if someone could enlighten me on how to finish my packer :) Thanks in advance!

Humayun Shabbir
  • Haven't hit this issue myself but the [.Netz documentation](http://madebits.com/netz/trouble.php#w6) may point you in the right direction. It does something similar and has a number of caveats and limitations imposed by the .Net framework implementation. I suspect they've had to work around the same issue so you might find some hints – Basic Aug 02 '14 at 23:27
  • Cool thanks, gonna check that out :) – user3903022 Aug 02 '14 at 23:35
  • Is the DLL signed? If so, you might want to place two signatures in it - one for the packed, and one for the non-packed. Microsoft's Authenticode spec allows multiple signatures. The signature resides on disk and is *not* mapped into memory during load. You need to add them after compiling and linking. You can't do fixup tricks in-memory. – jww Aug 03 '14 at 02:24
  • At the moment I don't inject any DLLs, but a self-written stub in asm. Do I need to code a managed DLL to do the job for managed files? – user3903022 Aug 03 '14 at 07:00
  • .NET files are notoriously difficult to pack, IIRC it has something to do with the framework expecting a certain ep/layout for .NET exes. – Mathemats Dec 05 '14 at 01:06
