
Thread: Petite 2.3 -> how to rebuild the import table ?

  1. #1

    Petite 2.3 -> how to rebuild the import table?

    Hello all. I have been trying to unpack one file for 2 days but without success.
    It's packed with Petite 2.3. I found the Olly script for it and it works, I dumped it, but how do I rebuild the import table???

    I tried Import Reconstructor: I loaded the process (from Olly) with ImpRec, it found the OEP for me, then I clicked on the "Import" button and it showed me the import calls, then I clicked on "Show Invalid" and I clicked on Level 1.
    After all that, I tried to fix the dump but it showed me that the IAT is still invalid and the dump is not working.... I tried different options, the OllyDump plugin too, with repairing the import table or without it.

    Please, can somebody help me??? Maybe I did something wrong??? Old tuts for 2.2 are not working (I think).

  2. #2
    Naides is Nobody (Join Date: Jan 2002, Location: Planet Earth, Posts: 1,647)
    ImpRec as a tool does an excellent job of writing a fixed, functional IAT into a dumped file.
    It does an OK job finding the import table, but if the IT is split or has some minor irregularities, ImpRec gets lost. You shall check the IT that ImpRec finds manually, making sure it is correct by examining the disassembly in Olly.

    The invalid import resolution options 1, 2, 3 of ImpRec used to work reasonably OK with old, very simple packers/versions. Most new packers have considerably more convoluted import hiding/resolution algos. And I am 99% sure packer authors look at ImpRec, making sure their IT redirection will fool this tool.

    So you either have to figure out how the right API is found by fearlessly tracing/analyzing those false calls to their ultimate consequences, or hope that some Petite guru has done that job for you and put out a tut.

  3. #3
    Hmm, thank you naides for your answer.

    It's a little bit strange because I also tried to unpack it with Quick Unpack (RC1), and it didn't show me any error, only that the file was unpacked and that the IT was successfully rebuilt. But the program won't start. I also tried to unpack it with many different options (with/without brute force, different types of IT rebuilding) and it is still not working.

    Once I got error 0xc0000005; on other fixed dumps it doesn't show any error but the program won't start either.

    I never tried to unpack this packer before, but I think that there is some hidden trick in this protector/packer.

    With OllyDbg, the program runs without any problems...

    Please help me.


  4. #4
    Double post. Thank you naides, I found the fake IT calls. Now it works....

  5. #5
    Naides is Nobody
    I'm so glad you found the light.
    Now, kindly tell others in this board or write a tut on how you did it.

    After all, that IS the point of this board!!

  6. #6
    Oki, here is the tut. It's for newbies I think; skilled reversers can do it without a tutorial.

    -Level: Newbiest
    -Tools Used:
    +OllyDbg -> Used Plugins: OllyDump, OllyScript + Script below
    +Quick Unpack
    +ImpRec (Import Reconstructor)
    +Target
    +And Notepad

    1. Load the target with OllyDbg, then run this script for finding the OEP:

    // Petite 2.3 UnPacking Script By : Magic_h2001
    // magic_h2001@yahoo.com - www.zahackers.20m.com

    // Please activate "Memory Access violation"
    // in : Debugging options/Exceptions then run script

    // x holds the address of the packer's entry point (current EIP)
    var x
    // when a breakpoint is hit, continue at label L1
    eob L1
    mov x,eip
    // hardware breakpoint on execute at that address
    bphws x, "x"
    // run, passing exceptions to the program, until the breakpoint fires
    esto
    L1:
    // breakpoint hit: remove it and step once into the unpacked code
    bphwc x
    sti
    msg "Now try to Dump - Script By : Magic_h2001"

    As you can see, the script jumped directly to the "Entry Point", and the code is revealed.
    Now click on the OK button, and click on Plugins->OllyDump->Dump Debugged Process. Now you can see the new address of the OEP; write it down somewhere, you'll need it.

    2. Then run Quick Unpack -> load the target file, enter the OEP and select the option "Do not recover" in the "Import Table Recovering" feature; other options can stay unchanged.
    Now click on the "Unpack" button.
    OK, if everything is correct, you can see in the Log window that the target was unpacked, but do NOT close Quick Unpack yet, you can find very useful information in this log.

    Try to find "IATRVA" and "IATSize"; write them down somewhere, you'll need them.

    3. Now run the target and load that process with Import Reconstructor, then enter the OEP, RVA (the IATRVA which you found in the log window) and Size.
    Then click on the "Get Imports" button. OK, now you can see it loads the import table; you also see that there are some invalid import calls.
    Click on the "Show Invalid" button, then right-click on the selected items and select the "Trace Level 1" option.

    4. Now click on the "Fix Dump" button and select the dumped file (made by Quick Unpack).

    That's all, pretty easy.

    Note: You can also use the OllyDump plugin for dumping, but then untick the Rebuild Import feature, and the RVA and Size of the IAT you must find by hand.
    Last edited by DeViaN; March 24th, 2007 at 16:03.

  7. #7
    Double post. Finally, there was no hidden trick except detecting IsDebuggerPresent.

    The reason that it wouldn't work before was that I didn't find the correct Size and RVA of the IAT.
    ImpRec showed me incorrect values of RVA and Size when I entered the correct OEP.

    4Ever apprentice
    Last edited by DeViaN; March 24th, 2007 at 15:59.
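
An added example, not part of this thread and not code from ImpRec, Quick Unpack or OllyDump. It shows what the IATRVA/IATSize of step 2 in post #6 and the "incorrect RVA and Size" of post #7 actually are: a script that reads a dump's PE header, compares the IAT range the data directory claims with the range the import descriptors really span, and lists the IAT slots whose value does not fall inside the DLL they name (the "invalid" imports an import rebuilder has to trace). It assumes a dump whose raw offsets equal RVAs (a section-aligned process dump); the sample image, the module map and every address in it are constructed for the demo.

```python
"""Added example: recover IAT RVA/Size from a dump and flag redirected slots.

Assumes raw offset == RVA (section-aligned process dump). The PE image, the
module map and all addresses are constructed for the demo.
"""
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_IAT = 12

# Constructed module map, the kind of list an import rebuilder gets by
# enumerating the target process. Ranges are [start, end).
MODULES = {
    "target.exe": (0x00400000, 0x00410000),
    "kernel32.dll": (0x7C800000, 0x7C900000),
    "user32.dll": (0x7E410000, 0x7E4A0000),
}


def build_sample_dump(iat_dir=(0x1050, 0x14)):
    """Construct a minimal PE32 dump importing from kernel32 and user32.

    Layout (RVA == offset): 0x1000 descriptors, 0x1050 IAT (5 dwords = 0x14
    bytes), 0x1070/0x1080 import name tables, 0x1090.. DLL/function names.
    The MessageBoxA slot is left pointing into target.exe itself, which is how
    a packer's redirection stub shows up in a dump. iat_dir lets the caller
    plant a wrong IAT data-directory entry (constructed scenario).
    """
    img = bytearray(0x1100)

    def put(off, fmt, *vals):
        struct.pack_into(fmt, img, off, *vals)

    img[0:2] = b"MZ"
    put(0x3C, "<I", 0x40)                                  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    put(0x44, "<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # IMAGE_FILE_HEADER
    opt = 0x58                                             # IMAGE_OPTIONAL_HEADER32
    put(opt, "<H", 0x10B)                                  # PE32 magic
    put(opt + 16, "<I", 0x1000)                            # AddressOfEntryPoint
    put(opt + 28, "<III", 0x400000, 0x1000, 0x1000)        # ImageBase, alignments
    put(opt + 92, "<I", 16)                                # NumberOfRvaAndSizes
    put(opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, "<II", 0x1000, 0x3C)
    put(opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IAT, "<II", *iat_dir)
    put(opt + 0xE0, "<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x100, 0x1000,
        0, 0, 0, 0, 0x60000020)                            # one section, raw == virtual
    put(0x1000, "<IIIII", 0x1070, 0, 0, 0x1090, 0x1050)    # descriptor: kernel32.dll
    put(0x1014, "<IIIII", 0x1080, 0, 0, 0x10A0, 0x105C)    # descriptor: user32.dll
    # IAT as found in the dump: resolved addresses plus one redirected slot
    put(0x1050, "<IIIII", 0x7C801000, 0x7C802000, 0, 0x00405000, 0)
    put(0x1070, "<III", 0x10B0, 0x10C8, 0)                 # INT kernel32
    put(0x1080, "<II", 0x10D8, 0)                          # INT user32
    for off, s in ((0x1090, b"kernel32.dll"), (0x10A0, b"user32.dll"),
                   (0x10B0, b"\0\0GetProcAddress"), (0x10C8, b"\0\0LoadLibraryA"),
                   (0x10D8, b"\0\0MessageBoxA")):
        img[off:off + len(s)] = s                          # buffer is already NUL-padded
    return bytes(img)


def read_cstr(img, off):
    return img[off:img.index(b"\0", off)].decode("ascii")


def parse_dump(img, modules):
    """Walk the import descriptors and classify every IAT slot."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    opt = e_lfanew + 4 + 20
    desc = struct.unpack_from("<I", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]
    dir_iat = struct.unpack_from("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IAT)
    slots, lo, hi = [], None, 0
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", img, desc)
        if name_rva == 0 and ft == 0:
            break                                          # zero terminator
        dll = read_cstr(img, name_rva)
        i = 0
        while True:
            # OriginalFirstThunk keeps the names; FirstThunk holds the live pointers
            name = struct.unpack_from("<I", img, oft + 4 * i)[0]
            if name == 0:
                break
            func = ("#%d" % (name & 0xFFFF)) if name & 0x80000000 else read_cstr(img, name + 2)
            value = struct.unpack_from("<I", img, ft + 4 * i)[0]
            owner = next((m for m, (s, e) in modules.items() if s <= value < e), None)
            slots.append({"dll": dll, "func": func, "rva": ft + 4 * i, "value": value,
                          "owner": owner, "valid": owner == dll.lower()})
            i += 1
        lo = ft if lo is None else min(lo, ft)
        hi = max(hi, ft + 4 * (i + 1))                     # include the zero slot
        desc += 20
    return {"dir_iat": tuple(dir_iat), "real_iat": (lo, hi - lo), "slots": slots}


def invalid_slots(result):
    """Slots whose value lies outside the DLL the descriptor names."""
    return [s for s in result["slots"] if not s["valid"]]


if __name__ == "__main__":
    res = parse_dump(build_sample_dump(iat_dir=(0, 0)), MODULES)
    print("header says  IAT RVA/Size = %#x/%#x" % res["dir_iat"])
    print("descriptors  IAT RVA/Size = %#x/%#x" % res["real_iat"])
    for s in invalid_slots(res):
        print("invalid: %s!%s at RVA %#x -> %#010x (%s)"
              % (s["dll"], s["func"], s["rva"], s["value"], s["owner"] or "no module"))
```

Run against the sample, the data directory (planted as zero) says nothing useful, while the descriptors give RVA 0x1050 / Size 0x14, the pair that goes into ImpRec's RVA and Size fields; the MessageBoxA slot is reported as pointing into target.exe, which is exactly the kind of entry "Show Invalid" lists and "Trace Level 1" then has to follow. On a real dump, replace the constructed MODULES with the module list of the suspended process.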
