
Thread: Using original .idata instead of creating new section

  1. #1

    Using original .idata instead of creating new section


    I have successfully unpacked an SVKP-protected application, including working imports etc. I used ImpRec 1.6 Final to do the import job.

    Now, when I select to add the import infos to a new section, the unpacked target runs fine.

    On the other hand, when I select to add the import infos to the existing .idata section of my unpacked target file (I made sure that .idata is big enough (physical+virtual) to hold the data), the file cannot be started in Windows (0xc00000005).

    I also made sure that characteristics of .idata is set to e0000020.

    Any suggestions what I am doing wrong here?

    Appreciate your help.
    Last edited by doctorow; August 22nd, 2003 at 09:01.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    nikolatesla20 (Code Injector), Join Date: Apr 2002
    Even though you told ImpREC to add the data into an already existing section, did you check to make sure it changes the Import Table RVA in the header to the right value?

    Also, a good way to check things out is to use LordPE or PEditor (my preference) to look at the import table. Does it look OK? Or are there screwy characters - which would mean some offsets got messed up. Another thing, you DO NOT want to insert the import table where the FIRST THUNKS are going to be, because it will get all hosed up by trying to overwrite itself. In short, it's very risky to insert the table ImpREC builds for you into the original .idata section because you might not be sure where the first thunks are. These are the DWORDS that get overwritten by the Windows loader with addresses. If you accidentally insert the IAT table in the same area, you'll corrupt your own table. You would have to look at it more deeply, to make sure where the first thunks begin and end, so you can insert the new IAT somewhere where it won't screw them up. Not sure if this is what's happening to you, but it's an idea to check for.

    A good thing to do is to open it up in LordPE or PEditor like I said, or even Visual C++'s Dependency Walker, to make sure the table works statically (that other programs see it as valid).
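
The static check suggested in reply #2, as an added example that is not part of the original thread or of any tool named in it: it resolves the import directory RVA from the header, walks the descriptors, and reports any FirstThunk array that the descriptor table overlaps. It assumes a PE32 file; `rva_to_off`, `check_import_layout` and `build_sample` are hypothetical names, and the sample image is constructed.

```python
import struct

def rva_to_off(pe, rva):
    """Map an RVA to a file offset through the section table."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    nsec, = struct.unpack_from("<H", pe, nt + 6)
    sec = nt + 24 + struct.unpack_from("<H", pe, nt + 20)[0]
    for i in range(nsec):
        vsize, va, rsize, raw = struct.unpack_from("<4I", pe, sec + 40 * i + 8)
        if va <= rva < va + rsize:
            return raw + (rva - va)
    raise ValueError("RVA 0x%X is not backed by any section" % rva)

def check_import_layout(pe):
    """Return (descriptor_table_range, overlapping_FirstThunk_ranges) as RVAs."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    opt = nt + 24
    if pe[nt:nt + 4] != b"PE\0\0" or struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("not a PE32 image")
    imp_rva, = struct.unpack_from("<I", pe, opt + 104)   # data directory entry 1
    off, n, thunks = rva_to_off(pe, imp_rva), 0, []
    while True:
        oft, _, _, name, ft = struct.unpack_from("<5I", pe, off + 20 * n)
        n += 1
        if not (oft or name or ft):       # all-zero descriptor ends the table
            break
        t, cnt = rva_to_off(pe, ft), 0
        while struct.unpack_from("<I", pe, t + 4 * cnt)[0]:
            cnt += 1                      # FirstThunk array ends at a zero DWORD
        thunks.append((ft, ft + 4 * (cnt + 1)))
    table = (imp_rva, imp_rva + 20 * n)
    return table, [r for r in thunks if r[0] < table[1] and table[0] < r[1]]

def build_sample(table_rva):
    """Constructed PE32: one .idata section (RVA 0x1000, raw 0x200), IAT at RVA 0x1000."""
    pe = bytearray(0x400)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)                   # e_lfanew
    pe[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", pe, 0x44, 0x14C, 1)              # Machine, NumberOfSections
    struct.pack_into("<H", pe, 0x54, 0xE0)                   # SizeOfOptionalHeader
    struct.pack_into("<H", pe, 0x58, 0x10B)                  # PE32 magic
    struct.pack_into("<II", pe, 0x58 + 104, table_rva, 40)   # import directory RVA, size
    struct.pack_into("<8s4I", pe, 0x138, b".idata", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<3I", pe, 0x200, 0x1080, 0x1088, 0)    # FirstThunk array + terminator
    struct.pack_into("<5I", pe, 0x200 + table_rva - 0x1000, 0, 0, 0, 0x1090, 0x1000)
    return bytes(pe)
```

An empty overlap list for `build_sample(0x1100)` and a non-empty one for `build_sample(0x1004)` show the two layouts the reply distinguishes; a `ValueError` means the header's import RVA does not point into any section.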

