
Is Import Rebuilding OS-specific?


TiGa
August 2nd, 2007, 22:37
Hi,

I have unpacked Scandal0us C0de from crackmes.de and I found something interesting deserving a question.

I have dumped and rebuilt imports under XP SP2, everything works fine, as it should.

Code:
_:004028DE start proc near ; CODE XREF: _:0044E160j
_:004028DE ; DATA XREF: _:0044E15Bo
_:004028DE 6A 00 push 0 ; lpModuleName
_:004028E0 E8 69 06 00 00 call GetModuleHandleA
_:004028E5 A3 60 43 40 00 mov ds:hInstance, eax
_:004028EA E8 06 00 00 00 call sub_4028F5
_:004028EF 50 push eax ; uExitCode
_:004028F0 E8 47 06 00 00 call ExitProcess
_:004028F0 start endp
Code:
_:004028F5 sub_4028F5 proc near ; CODE XREF: start+Cp
_:004028F5 56 push esi
_:004028F6 57 push edi
_:004028F7 68 00 04 00 00 push 400h ; dwBytes
_:004028FC 6A 40 push 40h ; uFlags
_:004028FE E8 51 06 00 00 call GlobalAlloc

When I look at the same file under Vista x64, I get different APIs:

Code:
_:004028DE start proc near ; CODE XREF: _:0044E160j
_:004028DE ; DATA XREF: _:0044E15Bo
_:004028DE 6A 00 push 0
_:004028E0 E8 69 06 00 00 call GetCompressedFileSizeTransactedA
_:004028E5 A3 60 43 40 00 mov ds:dword_404360, eax
_:004028EA E8 06 00 00 00 call sub_4028F5
_:004028EF 50 push eax
_:004028F0 E8 47 06 00 00 call DebugActiveProcessStop
_:004028F0 start endp
Code:
_:004028F5 sub_4028F5 proc near ; CODE XREF: start+Cp
_:004028F5 56 push esi
_:004028F6 57 push edi
_:004028F7 68 00 04 00 00 push 400h
_:004028FC 6A 40 push 40h ; lpSystemTime
_:004028FE E8 51 06 00 00 call GetLocalTime

Are imports OS-specific?

TiGa

upb
August 3rd, 2007, 00:02
YES

evilcry
August 3rd, 2007, 02:34
Hello,
I also reversed this crackme; the way it obtains the Import Table is extremely OS dependent (to understand why, just observe that in the first part of the crackme the IT-build routine works with specific values).

On XP it works fine.
On 2k3 the executable crashes.

Best Regards,
Evilcry

PS: It's a truly nice crackme
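
The mismatch TiGa saw (the same addresses labelled GetModuleHandleA/ExitProcess/GlobalAlloc on XP SP2 and GetCompressedFileSizeTransactedA/DebugActiveProcessStop/GetLocalTime on Vista x64) and the reason evilcry gives (the IT-build routine working with values specific to one OS) can be shown with a small model of how an import rebuilder labels IAT slots. This is an added example, not code from the thread, the crackme or any rebuilder: the two export tables, the addresses and the dumped IAT are constructed, and the function names are assumptions of mine; only the API names come from the listings above.

```python
"""Why an import table rebuilt from raw addresses is OS-specific.

An import rebuilder cannot read names out of a dump that only holds
addresses; it labels each IAT slot by asking the OS it runs on which export
of the loaded DLL lives at that address.  If a program fills its IAT with
absolute addresses that were only valid for one kernel32 build, a rebuilder
on another OS maps the same numbers to unrelated exports, or to nothing.

Everything below is constructed for the demonstration: the two export
tables are not real kernel32 layouts and the addresses are made up.
"""

# Constructed export table for the kernel32 loaded on the first OS:
# export name -> absolute address.
XP_SP2_KERNEL32 = {
    "GetModuleHandleA": 0x7C001000,
    "ExitProcess": 0x7C002000,
    "GlobalAlloc": 0x7C003000,
    "CloseHandle": 0x7C004000,
    "GetLocalTime": 0x7C005000,
}

# On the second OS the same addresses belong to different exports, and the
# address that held CloseHandle is no longer an export at all (constructed).
VISTA_X64_KERNEL32 = {
    "GetCompressedFileSizeTransactedA": 0x7C001000,
    "DebugActiveProcessStop": 0x7C002000,
    "GetLocalTime": 0x7C003000,
    "GetModuleHandleA": 0x7C011000,
    "ExitProcess": 0x7C012000,
    "GlobalAlloc": 0x7C013000,
    "CloseHandle": 0x7C014000,
}

# Constructed IAT as dumped on the first OS: the slots that start and
# sub_4028F5 call through, plus one extra slot.
DUMPED_IAT = [0x7C001000, 0x7C002000, 0x7C003000, 0x7C004000]


def address_to_name(export_table):
    """Invert name->address into address->name, as a rebuilder does."""
    return {addr: name for name, addr in export_table.items()}


def rebuild_by_address(iat_slots, export_table):
    """Label IAT slots the way an address-based rebuilder would.

    Returns one label per slot; a slot whose address is not an export of the
    table is reported as unresolved (a loader would call into garbage there,
    which is the crash case rather than the mislabelled case).
    """
    lookup = address_to_name(export_table)
    return [lookup.get(addr, f"<unresolved {addr:#010x}>") for addr in iat_slots]


def rebuild_by_name(import_names, export_table):
    """Resolve imports by export name, as the loader does for a proper IT.

    Returns a list of addresses; raises KeyError if a name is not exported.
    """
    return [export_table[name] for name in import_names]


def cross_check(iat_slots, table_a, table_b):
    """Report slots that an address-based rebuild labels differently.

    Returns (address, label_under_a, label_under_b) triples; an empty list
    means the dump would rebuild identically on both OSs.
    """
    labels_a = rebuild_by_address(iat_slots, table_a)
    labels_b = rebuild_by_address(iat_slots, table_b)
    return [
        (addr, a, b)
        for addr, a, b in zip(iat_slots, labels_a, labels_b)
        if a != b
    ]


if __name__ == "__main__":
    print("XP SP2 labels :", rebuild_by_address(DUMPED_IAT, XP_SP2_KERNEL32))
    print("Vista labels  :", rebuild_by_address(DUMPED_IAT, VISTA_X64_KERNEL32))
    for addr, a, b in cross_check(DUMPED_IAT, XP_SP2_KERNEL32, VISTA_X64_KERNEL32):
        print(f"  {addr:#010x}: {a} vs {b}")
    # Resolving by name is stable: the names survive, only the addresses move.
    names = ["GetModuleHandleA", "ExitProcess", "GlobalAlloc"]
    print("by name on XP   :", [hex(a) for a in rebuild_by_name(names, XP_SP2_KERNEL32)])
    print("by name on Vista:", [hex(a) for a in rebuild_by_name(names, VISTA_X64_KERNEL32)])
```

The point of the cross check is the one LLXX makes below: a rebuilt IT can only be trusted on the OS it was rebuilt on unless every slot ends up being resolved by name, so comparing the labels the dump gets under two different loaders shows immediately which slots were filled from hard-coded values.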

LLXX
August 3rd, 2007, 17:04
Trace the code that loads the import table between the two OSs to see the difference.