Quote:
[Originally Posted by LLXX;67871] . . . Also, isn't the IAT address supposed to be determined by a fixed value in the PE header?
Yes. Two problems:
- The PE header entry is a raw offset, ergo in the memory image it gets randomized along with all addresses within the executable, while Olly, at least in its simplest implementations, requires absolute addresses for effective breakpoint placement.
- In an Armadillo (or any) packed file the PE header value points to the IAT of the unpacker stub. The IAT address of the underlying app is not explicit.
This suggests a solution to the problem cps530 proposes:
I would make the assumption that the relative addresses remain constant, if not within the whole exe, at least within the segment that contains the scrambled IAT.
So in run 1 (packed PE under Olly):
- Find the base address (of the PE or of the IAT-containing segment).
- Find the address of a unique byte signature within the segment of interest.
- Store the absolute addresses of the BPs you are interested in re-placing from run to run.
In run 2:
- Find the new base address (from the PE header).
- Find the address of the byte signature by binary searching.
- Compare the distance between the old base address and the old byte signature versus the new base address and the new byte signature. I'd assume it is constant.
Even if not, you have enough information to calculate a correction offset that you need to add to or subtract from the BP absolute addresses you stored before, to find the corresponding locations and place correct BPs in the new instance of the PE.
The whole process can be implemented in an Olly script.
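The run 1 / run 2 procedure above, as an added example that is not the poster's script: it is written in Python rather than OllyScript so the address arithmetic can be checked offline, and the segment bytes, signature, base addresses and breakpoint addresses are all constructed, not taken from a real Armadillo target. It also covers the case the post mentions where the base-to-signature distance does not hold between runs.

```python
def find_unique_signature(segment: bytes, signature: bytes) -> int:
    """Offset of the signature inside the dumped segment; fail if absent or ambiguous."""
    first = segment.find(signature)
    if first == -1:
        raise ValueError("signature not found in segment")
    if segment.find(signature, first + 1) != -1:
        raise ValueError("signature is not unique; choose a longer one")
    return first

def relocate_breakpoints(old_base: int, old_sig_addr: int, old_bps: list[int],
                         new_base: int, new_segment: bytes, signature: bytes
                         ) -> tuple[int, bool, list[int]]:
    """Return (correction, layout_unchanged, relocated_bps) for run 2."""
    new_sig_addr = new_base + find_unique_signature(new_segment, signature)
    # Compare the base->signature distance between runs, as the post suggests.
    layout_unchanged = (old_sig_addr - old_base) == (new_sig_addr - new_base)
    # If the distance held, this equals new_base - old_base; if the segment
    # also moved inside the image, the signature delta is still the right shift.
    correction = new_sig_addr - old_sig_addr
    return correction, layout_unchanged, [bp + correction for bp in old_bps]

SIG = bytes.fromhex("558bec83ec1053568b7508")  # constructed prologue-like bytes

def make_segment(sig_offset: int, size: int = 0x4000) -> bytes:
    """Constructed segment dump: zero filler with SIG planted at sig_offset."""
    seg = bytearray(size)
    seg[sig_offset:sig_offset + len(SIG)] = SIG
    return bytes(seg)

# Run 1 values as they would be noted under Olly (constructed, not real)
RUN1_BASE = 0x00400000
RUN1_SIG_ADDR = RUN1_BASE + 0x1234
RUN1_BPS = [0x00401300, 0x00401450, 0x00402A10]
RUN2_BASE = 0x00B20000

def demo_same_layout():
    """Run 2: image relocated, signature at the same offset from the base."""
    return relocate_breakpoints(RUN1_BASE, RUN1_SIG_ADDR, RUN1_BPS,
                                RUN2_BASE, make_segment(0x1234), SIG)

def demo_shifted_layout():
    """Run 2: image relocated and the segment slid 0x10 bytes as well."""
    return relocate_breakpoints(RUN1_BASE, RUN1_SIG_ADDR, RUN1_BPS,
                                RUN2_BASE, make_segment(0x1244), SIG)

if __name__ == "__main__":
    for fn in (demo_same_layout, demo_shifted_layout):
        corr, same, bps = fn()
        print(f"correction=+{corr:#x} layout_unchanged={same}", [hex(b) for b in bps])
```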