Cheat Engine

[Stylo]

Recently started messing around with packers
and bumped into this packer that set the entry-point for the packed dll outside the dll boundaries.
I mean.. the packed dll size is 14,696 bytes (3968 in hex) and the it's entry-point is located at RVA: 0x01048C
plus, when i set a breakpoint at its EP, it won't even get there when execute.
Could it be hidden or something like that?
pretty new to this whole packing thing

Thanks

[atom0s]

Does the DLL have an exception handler setup to force-crash itself at start to execute the unpacking method?

[Stylo]

even if it does
how could it be executed before the entry point?
isn't it the first place where the execution begins?

it's weird cuz when i debug it with ollydbg it says the entry point for the packed dll
but when opening with PE Explorer the entry point is set for the place after the unpacking process..
O_O ?!
even when i break with olly on every dll loading and stop on the entry point that PE Explorer wrote it break but the dll is already unpacked

[UnIoN]

maybe there are more values at PE Header (aside from entry point) changed to prevent debug? have you tried lenas tutorials?

[atom0s]

Before the entry point.. does the DLL have a TLS entry? That will be executed before you will see the entry point hit.

[Stylo]

Well it turns out that ollydbg was messed up for some reason :S
When used windbg it hit the entry point..
what TLS is?

[atom0s]

TLS is 'thread-local storage'.
http://en.wikipedia.org/wiki/Thread-local_storage

A simple yet good example can be found here:
http://www.hexblog.com/?p=9

You can find full info on the PE header here from Microsoft:
http://msdn.microsoft.com/library/windows/hardware/gg463125