Thread: Is Import Rebuilding OS-specific?

  1. #1
    Registered User (Join Date: Jul 2007, Posts: 107, Blog Entries: 6)

    Question: Is Import Rebuilding OS-specific?

    Hi,

    I have unpacked Scandal0us C0de from crackmes.de and I found something interesting deserving a question.

    I have dumped and rebuilt imports under XP SP2, everything works fine, as it should.

    Code:
    _:004028DE                   start           proc near               ; CODE XREF: _:0044E160j
    _:004028DE                                                           ; DATA XREF: _:0044E15Bo
    _:004028DE 6A 00                             push    0               ; lpModuleName
    _:004028E0 E8 69 06 00 00                    call    GetModuleHandleA
    _:004028E5 A3 60 43 40 00                    mov     ds:hInstance, eax
    _:004028EA E8 06 00 00 00                    call    sub_4028F5
    _:004028EF 50                                push    eax             ; uExitCode
    _:004028F0 E8 47 06 00 00                    call    ExitProcess
    _:004028F0                   start           endp

    Code:
    _:004028F5                   sub_4028F5      proc near               ; CODE XREF: start+Cp
    _:004028F5 56                                push    esi
    _:004028F6 57                                push    edi
    _:004028F7 68 00 04 00 00                    push    400h            ; dwBytes
    _:004028FC 6A 40                             push    40h             ; uFlags
    _:004028FE E8 51 06 00 00                    call    GlobalAlloc

    When I look at the same file under Vista x64, I get different APIs:

    Code:
    _:004028DE                   start           proc near               ; CODE XREF: _:0044E160j
    _:004028DE                                                           ; DATA XREF: _:0044E15Bo
    _:004028DE 6A 00                             push    0
    _:004028E0 E8 69 06 00 00                    call    GetCompressedFileSizeTransactedA
    _:004028E5 A3 60 43 40 00                    mov     ds:dword_404360, eax
    _:004028EA E8 06 00 00 00                    call    sub_4028F5
    _:004028EF 50                                push    eax
    _:004028F0 E8 47 06 00 00                    call    DebugActiveProcessStop
    _:004028F0                   start           endp
    Code:
    _:004028F5                   sub_4028F5      proc near               ; CODE XREF: start+Cp
    _:004028F5 56                                push    esi
    _:004028F6 57                                push    edi
    _:004028F7 68 00 04 00 00                    push    400h
    _:004028FC 6A 40                             push    40h             ; lpSystemTime
    _:004028FE E8 51 06 00 00                    call    GetLocalTime
    Are imports OS-specific?

    TiGa

  2. #2
    upb, Registered User (Join Date: May 2003, Posts: 50, Blog Entries: 4)
    YES

  3. #3
    Registered User (Join Date: Aug 2005, Location: Italy, Posts: 133, Blog Entries: 31)
    Hello,
    I also reversed this crackme. The way it uses to obtain the Import Table is extremely OS dependent (to understand why, just observe that in the first part of the crackme the IT-Build routine works with specific values).

    On XP it works fine.
    On 2k3 the executable crashes.

    Best Regards,
    Evilcry

    PS: It's a truly nice crackme

    http://evilcry.netsons.org (Repository)
    http://evilcodecave.blogspot.com
    http://evilcodecave.wordpress.com

  4. #4
    Trace the code that loads the import table between the two OSs to see the difference.
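    An added example (my own code, not from the thread, the crackme or IDA) that takes post #4's advice literally on the two listings above: it decodes the `E8 rel32` call bytes transcribed from both dumps and shows they land on the same targets, so the code is byte-identical and the XP/Vista naming difference must come from what the crackme's own import-building routine wrote into those thunk slots at run time. The second half is a hypothetical model of one way hard-coded "specific values" become OS-specific (a resolver that stores a function's position in an export table rather than its name); it is an assumption for illustration, not the crackme's actual routine, and its export tables and RVAs are constructed, so they do not reproduce the exact API pairing seen in the listings.

```python
import struct

# Call sites transcribed from the two IDA listings in the thread (XP SP2 dump
# and Vista x64 dump): address -> (instruction bytes, name IDA attached).
# The bytes come straight from the listings and are identical in both dumps.
XP_LISTING = {
    0x4028E0: (bytes.fromhex("E869060000"), "GetModuleHandleA"),
    0x4028EA: (bytes.fromhex("E806000000"), "sub_4028F5"),
    0x4028F0: (bytes.fromhex("E847060000"), "ExitProcess"),
    0x4028FE: (bytes.fromhex("E851060000"), "GlobalAlloc"),
}
VISTA_LISTING = {
    0x4028E0: (bytes.fromhex("E869060000"), "GetCompressedFileSizeTransactedA"),
    0x4028EA: (bytes.fromhex("E806000000"), "sub_4028F5"),
    0x4028F0: (bytes.fromhex("E847060000"), "DebugActiveProcessStop"),
    0x4028FE: (bytes.fromhex("E851060000"), "GetLocalTime"),
}


def call_target(addr, insn):
    """Decode a 5-byte 'E8 rel32' near call located at addr and return its
    absolute target; rel32 is relative to the end of the instruction."""
    if len(insn) != 5 or insn[0] != 0xE8:
        raise ValueError("not an E8 rel32 near call")
    rel = struct.unpack("<i", insn[1:])[0]
    return (addr + 5 + rel) & 0xFFFFFFFF


def compare_listings(a, b):
    """For every call site in both listings, check that the encoded bytes agree
    and return {addr: (target, name_in_a, name_in_b)} for sites whose target is
    the same but whose label differs. Those targets are the thunk slots the
    crackme's IT-build routine fills at run time: that routine, not the code
    shown, is where the OS dependence lives."""
    diverging = {}
    for addr, (insn_a, name_a) in a.items():
        insn_b, name_b = b[addr]
        if insn_a != insn_b:
            raise ValueError(f"code bytes differ at {addr:#x}")
        target = call_target(addr, insn_a)
        if name_a != name_b:
            diverging[addr] = (target, name_a, name_b)
    return diverging


# Hypothetical model (assumption for illustration, not the crackme's routine):
# a resolver that stores a function's *position* in the export name table
# instead of its name. Export name tables are sorted alphabetically and every
# OS release adds exports, so the same stored position lands on a different
# function. Both tables and all RVAs below are constructed, not kernel32 data.
OLD_EXPORTS = [("ExitProcess", 0x1A2B0), ("GetModuleHandleA", 0x1B9D0),
               ("GlobalAlloc", 0x1C4F0)]
NEW_EXPORTS = [("DebugActiveProcessStop", 0x20110), ("ExitProcess", 0x21880),
               ("GetCompressedFileSizeTransactedA", 0x22A40),
               ("GetLocalTime", 0x233C0), ("GetModuleHandleA", 0x24F00),
               ("GlobalAlloc", 0x25B60)]


def stored_index(exports, name):
    """What a position-based resolver hard-codes on the machine it was built on."""
    return [n for n, _ in exports].index(name)


def resolve_by_index(exports, index):
    """Position-based lookup: correct only on the OS the index was taken from."""
    return exports[index]


def resolve_by_name(exports, name):
    """Name-based lookup (what GetProcAddress does): stable across versions."""
    return next(rva for n, rva in exports if n == name)


if __name__ == "__main__":
    for addr, (target, xp, vista) in sorted(
            compare_listings(XP_LISTING, VISTA_LISTING).items()):
        print(f"{addr:#x}: call {target:#x}  XP={xp}  Vista={vista}")
    idx = stored_index(OLD_EXPORTS, "GetModuleHandleA")
    print("stored index", idx, "->", resolve_by_index(OLD_EXPORTS, idx),
          "on the old table but", resolve_by_index(NEW_EXPORTS, idx), "on the new")
```

    Running it prints the three diverging call sites (targets 0x402F4E, 0x402F3C and 0x402F54, unchanged between dumps) and then shows the toy position-based resolver returning ExitProcess where GetModuleHandleA was expected once the table grows. Tracing the routine that fills those thunk slots on each OS, as post #4 suggests, is the way to see which stored value the real crackme relies on.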
