Idea request please


LaptoniC
January 3rd, 2002, 18:06
I am requesting an idea for my current problem. I am trying to fix the IAT table of CD-Copsed exes. Only kernel32.dll imports are crypted and decryption is version dependent. So I need a generic way for rebuilding the IAT. I have important data:
1. In the original exe the address pointers are virgin.
2. I know which functions will be used from kernel32.dll because I store the input and output of GetProcAddress. I made a struct like this:

hookiat struct
fname db 40 dup(?) ;function name
fof dd ? ;function address
hookiat ends
I have allocated iatsize of this struct. I filled the memory area with the input and output of GetProcAddress.

3. I have initialized the IAT so I will have the addresses of the functions from the imported dlls.

Problems
1. The First Thunk and Name members of the kernel32.dll import are missing. I can find the Name member but there is no *generic* way to find the First Thunk.
2. I don't know how to find which one comes from kernel32.dll imports and which from other dlls so I can skip it.
Could you suggest me pseudo code or, better, asm code for this. Thanks. I have uploaded 4 files:
calisan.exe: working rebuilt exe.
dump.exe: dumped executable with my unpacker.
init.exe: exe with initialized IAT.
origin.exe: crypted original exe.
htxp://misterstop.kolayweb.com/files/hookproj.zip

IcyDee
January 3rd, 2002, 19:17
I gather you have trapped the API GetProcAddress, which you are using to store the function name. Would it help to also trap LoadLibrary and then associate the name of the library with the handle used by GetProcAddress? Then you would know which ones were for kernel32.dll.

Otherwise, can't everything be worked out from the address of the function? For example, if you look at the PE structure of kernel32.dll you will see what address ranges there are; you can then look through the export table of kernel32.dll to find the function name which matches the function address. I am sure all this is possible with ReVirgin.
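The approach in this reply (classify each IAT pointer by the address range of the module it falls in, then name it from the GetProcAddress log or the module's export table, and the first slot belonging to kernel32 is the missing FirstThunk) can be written down as a small script. What follows is an added example for this thread, not code from either poster or from ReVirgin. It assumes constructed module bases, sizes and export maps rather than parsing real PE files, a constructed hook log laid out like the `hookiat` struct above, and a constructed IAT dump; the function and variable names are mine. It is the same reconstruction step an analyst performs when unpacking a dumped sample.

```python
import struct

# --- Constructed sample data (not from the thread) ---------------------------
# In a real rebuild the base/size of each module come from a LoadLibrary hook
# or the loader's module list, and the export map from parsing that module's
# export directory.  Here both are hard-coded so the script runs offline.
MODULES = {
    "kernel32.dll": {
        "base": 0x77E60000, "size": 0x000D0000,
        "exports": {0x1234: "GetProcAddress", 0x2300: "LoadLibraryA",
                    0x4500: "ExitProcess"},
    },
    "user32.dll": {
        "base": 0x77D40000, "size": 0x00090000,
        "exports": {0x0F00: "MessageBoxA", 0x1A00: "GetDC"},
    },
}

# Records in the layout of the thread's hookiat struct: 40-byte name, dword address.
HOOK_REC = struct.Struct("<40sI")
HOOK_LOG = b"".join(HOOK_REC.pack(n, a) for n, a in [
    (b"GetProcAddress", 0x77E61234),
    (b"LoadLibraryA",   0x77E62300),
])

IAT_RVA = 0x3000
# Constructed dumped IAT: two kernel32 slots, a zero terminator, two user32
# slots, another terminator.
IAT_DUMP = struct.pack("<6I", 0x77E61234, 0x77E62300, 0,
                       0x77D40F00, 0x77D41A00, 0)


def parse_hook_log(buf):
    """Turn hookiat records (40-byte name, dword address) into {address: name}."""
    names = {}
    for off in range(0, len(buf) - HOOK_REC.size + 1, HOOK_REC.size):
        raw, addr = HOOK_REC.unpack_from(buf, off)
        names[addr] = raw.split(b"\0", 1)[0].decode("ascii")
    return names


def export_address_map(modules):
    """Flatten per-module export RVAs into {absolute address: (dll, name)}."""
    out = {}
    for dll, m in modules.items():
        for rva, name in m["exports"].items():
            out[m["base"] + rva] = (dll, name)
    return out


def module_for(addr, modules):
    """Return the loaded module whose address range contains addr, else None."""
    for dll, m in modules.items():
        if m["base"] <= addr < m["base"] + m["size"]:
            return dll
    return None


def rebuild_iat(iat_bytes, iat_rva, modules, hook_log=b""):
    """Walk the dumped IAT dword by dword, classify each pointer by module
    range, name it from the GetProcAddress log (preferred, since it is the
    exact name the program asked for) or else from the export map, and cut
    the array into one descriptor per run of same-DLL slots.  The RVA of a
    run's first slot is that descriptor's FirstThunk."""
    hook_names = parse_hook_log(hook_log)
    exports = export_address_map(modules)
    slots = struct.unpack("<%dI" % (len(iat_bytes) // 4), iat_bytes)
    descriptors, current = [], None
    for i, value in enumerate(slots):
        slot_rva = iat_rva + 4 * i
        dll = module_for(value, modules)
        if dll is None:
            current = None      # zero terminator or still-unresolved value ends the run
            continue
        name = hook_names.get(value)
        if name is None and value in exports:
            name = exports[value][1]
        if current is None or current["dll"] != dll:
            current = {"dll": dll, "first_thunk": slot_rva, "functions": []}
            descriptors.append(current)
        current["functions"].append({"rva": slot_rva, "address": value, "name": name})
    return descriptors


def kernel32_first_thunk(descriptors):
    """The thread's problem 1: RVA of the first IAT slot that points into kernel32."""
    for d in descriptors:
        if d["dll"].lower() == "kernel32.dll":
            return d["first_thunk"]
    return None


if __name__ == "__main__":
    for d in rebuild_iat(IAT_DUMP, IAT_RVA, MODULES, HOOK_LOG):
        print("%s FirstThunk=0x%X" % (d["dll"], d["first_thunk"]))
        for f in d["functions"]:
            print("  0x%X -> 0x%08X %s" % (f["rva"], f["address"], f["name"]))
```

A slot whose value falls in no module range ends the current run; in a dump where the kernel32 pointers are still crypted, those slots show up exactly that way, which is a quick check that the initialization step actually resolved them before rebuilding. A name of None means the address lies inside a module but matches neither the hook log nor a known export (for instance an ordinal-only export), and such slots need a closer look rather than a guessed name.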