
Thread: Rebuilding Missing Imports.

  1. #1
    riPPadoGG
    Guest

    Rebuilding Missing Imports.

    Hi All,
    I am back looking for help again.
    I am finally trying to manually unpack a packed exe.

    Yesterday I gave Aha-Soft Art-Icons a try. (My 1st try for that matter).
    I used icedump to find the OEP. I am rather confident that I came along the right path till this point.

    I dumped and fixed (dump-fixing, changing OEP) the exe, ran it again. It did not run.
    Checked and found out that it was jumping to an INVALID region.
    So fired up ReVirgin.

    I started the original exe and traced to what appeared to me was the import table...
    It looked like this...
    mov [eax], al
    jmp [some location]
    mov [eax], al
    jmp [some location]
    mov [eax], al
    jmp [some location]
    mov [eax], al
    jmp [some location]
    mov [eax], al
    jmp [some location]
    mov [eax], al
    jmp [some location]
    .......so on...

    The jumps above definitely pointed to APIs.

    I found out the start and end of the jump table and filled in the details in ReVirgin. ReVirgin worked for some time,
    and came up with almost nothing,
    i.e., no imported function was resolved.

    So, after all this garbage, the question is: Where have I gone WRONG?
    Also, what are all the other programs which will help us to rebuild the IT? I can spend time tracing, so it need not be that AUTOMATIC.

    regards,
    Thanks in Advance..
    riPPadoGG

    NB: I WANT TO UNPACK SOMETHING DESPERATELY THIS WEEK-END...
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Viper
    Guest
    I gave this a try [my first manual unpack too].
    I used s-ice, icedump, peditor, procdump {didn't want to look too hard if I didn't have to, for the OEP}.
    Also procdump will give you an idea of where to look for the IT and the length. Just take those values and put them in ReVirgin and do an IAT fetch, then do IAT Resolver; you will have to resolve again.

    Doing it this way I got more than 95% of the IT, then I got stuck.
    Anybody got an idea how to continue from here?

  3. #3

    ..

    Hiya,
    Looking forward to a +Splaj special on this myself.

  4. #4
    tsehp
    Guest
    The missing IAT can be found in three ways:
    1-use the API emulator if it's an ASPR
    2-use the trace (it can reboot, so better save your stuff)
    3-trace manually to locate the API

    With those three methods, you can find every IAT entry.

  5. #5
    riPPadoGG
    Guest

    What is API emulator?

    Hi Admiral,

    I was just praying that someone experienced with Asprotect will reply. (experienced -> has played around with )

    What is API Emulator? How do I use it?

    Also, please note that I could not resolve even a single API with ReVirgin. ReVirgin says that it is redirected/emulated.
    So I was guessing that the API emulator should be used..

    Please come up with some help, or a tutorial for the worst AsProtected program..

    regards
    riPPadoGG

    and HAPPY REVERSING

  6. #6

    Re: What is API emulator?

    In ReVirgin, just press "Resolve again" when you see some "redirected/emulated". Then these entries will be resolved.

    If the API name is empty, right click on it and select "trace" or "API emulator" in the pop-up menu. In most cases these entries will change to "redirected/emulated/traced". You can press "Resolve again" now. If it is still empty/unresolved, maybe you have to manually resolve it with your debugger.

    Sometimes you may get a GPF, so better save your work by pressing the "save resolved" button.

    good luck

    Originally posted by riPPadoGG
    What is API Emulator? How do I use it?

    Also, please note that I could not resolve even a single API with ReVirgin. ReVirgin says that it is redirected/emulated.
    So I was guessing that the API emulator should be used..
    Last edited by Solomon; December 10th, 2001 at 05:21.
    WARNING: Shareware authors are reading your detailed discussions without paying you!

  7. #7
    evaluator
    Hello!

    LET'S AUTOMATE ASPR IT REBUILDING!

    XXXXC960 is KERNEL32.dll GetCommandLineA
    XXXXC90C is KERNEL32.dll GetModuleHandleA
    XXXXC958 is KERNEL32.dll GetCurrentProcessId
    XXXXC548 is KERNEL32.dll GetProcAddress
    XXXXC928 is KERNEL32.dll GetVersion
    XXXXC968 any Export from same DLL (I use FATALEXIT)
    XXXXC974 any Export from same DLL

    in other version(new?):
    XXXXC914 is KERNEL32.dll GetVersion
    XXXXC93C is KERNEL32.dll GetCurrentProcess
    XXXXC944 is KERNEL32.dll GetCurrentProcessId
    XXXXC8F8 is KERNEL32.dll GetModuleHandleA
    XXXXC94C is KERNEL32.dll GetCommandLineA
    XXXXC954 any Export from same DLL
    XXXXC960 any Export from same DLL

    Report bugs
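    Putting riPPadoGG's observation in #1 (a run of `jmp [slot]` thunks whose slots hold either a real API address or a pointer back into the protector's own code) together with evaluator's fixed-slot table above, the script below is an added example of the automation evaluator is asking for. It is not a tool from this thread and not ReVirgin's code. It scans a dumped code region for `FF 25 imm32` thunks, reads each IAT slot from a dumped IAT region, resolves slots that point at a known export, and for slots that are "redirected" into the packed image it falls back to the low 16 bits of the slot address (the `XXXXC960`-style offsets from evaluator's first table). Every address, byte string and the export map are constructed for the example; `IMAGE_BASE`, `IMAGE_SIZE`, `EXPORTS`, `CODE_VA`, `IAT_VA` and `SLOT_VALUES` are assumptions, not values from the thread.

```python
"""Rebuild a partial import table from a dumped ASProtect-style jump table.

Added example, not code from the thread or from ReVirgin. It models what the
posts describe: ``mov [eax],al`` / ``jmp [slot]`` thunks whose IAT slots hold
either a genuine export address or a pointer into the protector's own code
("redirected/emulated"). All data below is constructed.
"""
import struct

IMAGE_BASE = 0x00400000   # constructed: base of the protected exe
IMAGE_SIZE = 0x00100000   # constructed: a target in this range is packer code, not a DLL

# Constructed stand-in for the loaded DLLs' export tables (address -> (dll, api)).
# A real rebuilder fills this by walking each mapped module's export directory.
EXPORTS = {
    0x77E81234: ("KERNEL32.dll", "ExitProcess"),
    0x77E85678: ("KERNEL32.dll", "GetTickCount"),
    0x77F51000: ("USER32.dll", "MessageBoxA"),
}

# evaluator's first table (post #7): low 16 bits of the IAT slot address -> API the
# slot should hold. None means "any export from the same DLL" (a dummy import).
KNOWN_ASPR_SLOTS = {
    0xC960: ("KERNEL32.dll", "GetCommandLineA"),
    0xC90C: ("KERNEL32.dll", "GetModuleHandleA"),
    0xC958: ("KERNEL32.dll", "GetCurrentProcessId"),
    0xC548: ("KERNEL32.dll", "GetProcAddress"),
    0xC928: ("KERNEL32.dll", "GetVersion"),
    0xC968: ("KERNEL32.dll", None),
    0xC974: ("KERNEL32.dll", None),
}


def find_thunks(code, code_va):
    """Return [(thunk_va, slot_va)] for every FF 25 imm32 (jmp dword ptr [imm32]).
    The 88 00 (mov [eax],al) filler seen in the thread is simply skipped over."""
    thunks = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] == 0x25:
            slot_va = struct.unpack_from("<I", code, i + 2)[0]
            thunks.append((code_va + i, slot_va))
            i += 6
        else:
            i += 1
    return thunks


def read_slot(iat, iat_va, slot_va):
    """Read the 32-bit pointer stored at slot_va from the dumped IAT bytes."""
    off = slot_va - iat_va
    if off < 0 or off + 4 > len(iat):
        return None
    return struct.unpack_from("<I", iat, off)[0]


def resolve_slot(slot_va, target):
    """Classify one IAT entry: a genuine export resolves directly; a pointer back
    into the packed image is 'redirected' and is recovered from the known-slot
    table when the slot offset matches evaluator's list."""
    if target is None:
        return {"slot": slot_va, "status": "slot outside dump", "dll": None, "api": None}
    if target in EXPORTS:
        dll, api = EXPORTS[target]
        return {"slot": slot_va, "status": "resolved", "dll": dll, "api": api}
    if IMAGE_BASE <= target < IMAGE_BASE + IMAGE_SIZE:
        known = KNOWN_ASPR_SLOTS.get(slot_va & 0xFFFF)
        if known is None:
            return {"slot": slot_va, "status": "redirected/unresolved", "dll": None, "api": None}
        dll, api = known
        status = "redirected/known" if api else "redirected/dummy"
        return {"slot": slot_va, "status": status, "dll": dll, "api": api}
    return {"slot": slot_va, "status": "unknown target", "dll": None, "api": None}


def rebuild_imports(code, code_va, iat, iat_va):
    """Walk the jump table, read each slot, and produce the import list in order."""
    return [resolve_slot(slot_va, read_slot(iat, iat_va, slot_va))
            for _, slot_va in find_thunks(code, code_va)]


# --- constructed sample dump ---------------------------------------------------
CODE_VA = 0x00401000
IAT_VA = 0x0040C500
SLOT_VALUES = {               # slot VA -> dword the dump holds there (constructed)
    0x0040C548: 0x00450120,   # protector stub inside the image, known slot: GetProcAddress
    0x0040C900: 0x77E81234,   # real export: ExitProcess
    0x0040C904: 0x77F51000,   # real export: MessageBoxA
    0x0040C90C: 0x00450200,   # redirected, known slot: GetModuleHandleA
    0x0040C910: 0x00450500,   # redirected and not in the known table
    0x0040C960: 0x00450300,   # redirected, known slot: GetCommandLineA
    0x0040C968: 0x00450400,   # redirected, known dummy slot
}


def build_sample():
    """Emit the thunk bytes (88 00 FF 25 imm32 per entry) and the IAT region."""
    code = b"".join(b"\x88\x00\xff\x25" + struct.pack("<I", s) for s in SLOT_VALUES)
    iat = bytearray(0x480)
    for slot_va, value in SLOT_VALUES.items():
        struct.pack_into("<I", iat, slot_va - IAT_VA, value)
    return code, bytes(iat)


if __name__ == "__main__":
    code, iat = build_sample()
    for e in rebuild_imports(code, CODE_VA, iat, IAT_VA):
        print(f"{e['slot']:08X} {e['status']:<22} {e['dll']} {e['api']}")
```

    The low-16-bit match only holds for the ASProtect layout evaluator describes; his second table shows the offsets moving between versions, so an entry that resolves through the known-slot path should still be checked in the debugger, and "dummy" slots just need to be pointed at any valid export of the named DLL before the dump is fixed.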

  8. #8
    riPPadoGG
    Guest

    Thank You!!!!

    Hi All,

    I just managed to unpack two As-protected apps yesterday.

    1. A BIG THANKS to ALL.. especially, the Admiral, Viper, Js, Solomon(Your tips did it btw), Evaluator, and Eternal Bliss, Predator, BlackB..(for the tuts)
    2. ReVirgin is a great tool.. but you should know how to USE IT..

    regards
    riPPadoGG


  9. #9
    Viper
    Guest
    riPPadoGG

    Since I'm sure there will be others asking for unpacking tuts (interest seems to be growing), how about posting links to the tuts you got, or uploading them, if nobody objects.


    Later
    Viper

  10. #10
    riPPadoGG
    Guest

    TUTS...

    Hi Viper..

    The only up-to-date tuts I KNOW are the ReVirgin essays(Predator, BlackB) in http://www.woodmann.net/fravia/index.htm

    and Eternal Bliss tut no 42(Are there other?).. Please search google for this. (Doesn't use Revirgin)

    There is a tut by the Admiral himself, but probably written before the Revirgin ERA

    These are enough, but you will have to play around with api-emulator and tracer.. The tuts do not discuss these in detail.
    Please refer to the previous threads by the Admiral, and Solomon.

    THIS IS IT!!(as i know it)

    +Splaj tuts are on the way..

    regards
    riPPadoGG


    Eternal Blissssssssssssssssssssssssss...
    Is your page down?

  11. #11
    riPPadoGG
    Guest

    +Splaj tuts

    One more thing..

    More about +Splaj tuts.. Refer to the thread +Splaj tuts..

