
Thread: question about rebuilding IT of dumped program (finding/fixing unresolved)

  1. #1
    axle
    Guest

    question about rebuilding IT of dumped program (finding/fixing unresolved)

    Hi

    I wonder if anyone could answer a question for me.
    After you've dumped a program that you're trying to crack, and now you're using ReVirgin or ImportREConstructor to rebuild the import table, how exactly do you go about fixing any unresolved import functions? I've tried to find an answer to this question but have been unable to. (At least one I could understand).

    thanks for any help anyone can give me.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    nikolatesla20
    Code Injector
    Join Date: Apr 2002
    Location: :ether:
    Posts: 815
    What I usually do is note down the address that ImpREC says the import is in the table.

    Now, run the program again, and go into SoftICE. Switch to the program's context using the ADDR command in SoftICE (ADDR <processname>). Then go to the address that ImpREC reported (DD <address>). The value you now see in the data window at the first location on the top left is the value stored at the location ImpREC reported. This is ANOTHER address, which points to the "imported" function. However, it probably points to a protector routine instead.

    So, just go to THIS address now, so you can see what the code looks like. If it's not being resolved, it's obviously another type of routine in the protector, right? Well, you can just look at the code and figure out where it goes eventually !

    Do a (U <address from import table>). Now you're looking at the code that gets called when this import runs. How does it look? Does it jump somewhere else? Does it simply move in a value from another memory location and return? Having some knowledge of ASM is necessary for this work. If it's moving a value in from another location you can sometimes just (DD <location>) to see what the value is. From that you can extrapolate what the routine should be; most Windows APIs, like GetCurrentThreadId(), return a specific value. For example, suppose you see a weird value. It COULD be a value from GetCurrentThreadId(). Well, you can type the PROC command in SoftICE and it will list all processes and their thread IDs, so you can see what your program's thread ID is and compare it with that value you saw to see if that's what it is! That's just one example. To find out if it's GetCommandLine(), simply follow the value one more time like it's an address (because GetCommandLine returns a pointer). Type in (DD <value found again>) and see if you land in a text string for the command line. If so, the API should be GetCommandLineA(), etc.

    Note the above examples are for when the "Import" is simply a register or memory value being moved into EAX and then returning. If not, you can look at the ASM and figure out what it's doing before the routine does a RET. Some routines, you can simply look at the last API called before the RET. Others calculate where to go, so you have to grab a hex calculator and figure out where it's gonna land.

    Those are the techniques I use all the time for unresolved imports.

    -nt20
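    The two checks nt20 describes, read the pointer stored in the IAT slot and see whether it lands on a known export, and if not, guess the API from the value the stub returns, written out as an added analyst-side example. This is not code from the thread or from ImpREC; every address, module range, export table, thread ID and string below is constructed sample data standing in for what `DD`, `U` and `PROC` would show on a live process.

```python
"""Classify IAT slots from a (constructed) memory snapshot.

Added example, not from the thread. Mirrors the reply's procedure: take the
slot address the rebuilder reports, read the pointer stored there, and decide
whether it lands on a known export of a loaded module (resolved), inside a
module but off an export (redirected / mid-function), or outside every module
(a protector stub that still needs manual work). A second helper applies the
reply's value heuristics (thread ID, pointer to a command-line string) to what
such a stub returns. All values are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Module:
    name: str
    base: int
    size: int
    exports: dict  # export name -> absolute address (constructed)

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed module map; bases, sizes and export addresses are hypothetical.
MODULES = [
    Module("kernel32.dll", 0x7C800000, 0x100000, {
        "GetCurrentThreadId": 0x7C809000,
        "GetCommandLineA": 0x7C809020,
    }),
    Module("user32.dll", 0x77D40000, 0x90000, {"MessageBoxA": 0x77D50000}),
]

# Constructed memory: slot address -> 32-bit value stored there
# (what `DD <slot>` would show at the top-left of the data window).
MEMORY = {
    0x00402000: 0x7C809000,  # points straight at kernel32!GetCurrentThreadId
    0x00402004: 0x00510000,  # points into protector code, outside any module
    0x00402008: 0x77D50000,  # user32!MessageBoxA
    0x0040200C: 0x7C809010,  # inside kernel32 but not on an export: redirected
}

# Constructed `PROC` output (thread IDs of the target) and a string region.
THREAD_IDS = {0x9C4, 0xA1C}
STRINGS = {0x00520000: b'"C:\\sample\\target.exe" --demo\x00'}


def read_ptr(addr: int):
    """Return the value stored at addr, or None if unreadable (constructed)."""
    return MEMORY.get(addr)


def classify_slot(slot: int):
    """Follow one IAT slot and say where its pointer lands."""
    target = read_ptr(slot)
    if target is None:
        return ("unreadable", None)
    for m in MODULES:
        if m.contains(target):
            for name, addr in m.exports.items():
                if addr == target:
                    return ("resolved", f"{m.name}!{name}")
            return ("in-module-not-export", m.name)
    return ("unresolved", hex(target))


def classify_iat(slots):
    """Classify every slot; unresolved ones are the manual-work list."""
    return {hex(s): classify_slot(s) for s in slots}


def looks_like_text(data: bytes) -> bool:
    """True if the bytes up to the first NUL are printable ASCII."""
    s = data.split(b"\x00", 1)[0]
    return len(s) > 0 and all(32 <= c < 127 for c in s)


def guess_api_from_value(value: int):
    """Apply the reply's heuristics to the value a `mov eax, ...; ret` stub returns.

    A value equal to one of the target's thread IDs suggests GetCurrentThreadId;
    a value that, followed as a pointer, lands on a text string suggests
    GetCommandLineA. Anything else needs a closer look at the stub itself.
    """
    if value in THREAD_IDS:
        return "GetCurrentThreadId"
    if value in STRINGS and looks_like_text(STRINGS[value]):
        return "GetCommandLineA"
    return None


if __name__ == "__main__":
    for slot, verdict in classify_iat(sorted(MEMORY)).items():
        print(slot, verdict)
    print("stub returning 0xA1C ->", guess_api_from_value(0xA1C))
    print("stub returning 0x520000 ->", guess_api_from_value(0x00520000))
```

    On a real dump the `MEMORY`, `MODULES` and `THREAD_IDS` tables would be filled from the debugger (or from a loaded-module list and the DLLs' export tables) rather than typed in; the classification logic stays the same, and the `unresolved` entries are exactly the slots the reply's manual walk-through applies to.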

  3. #3
    axle
    Guest
    hey nt20

    Thanks a lot for the help....I'll try out your suggestions

  4. #4
    forwarder
    Guest
    @nikolatesla20: thanks for the very informative reply to axle's question, i just added it to my FAQ snippets - i never read any better explanation for that topic.
