
Revirgin attempt on AD PicView


BlackB
March 6th, 2001, 15:17
URL: http://abroaddesign.hypermart.net/picview/picview.zip

Problem: When resolving, there are large gaps between groups of APIs.

General info:
Base: 400000
OEip: 42322c
IAT Start: 106230
Length: 7a8 (not sure)

When looking at the dumped and 'fixed' file with IDA:

1. End of OLEAUT32.DLL
00506278 extrn SysAllocStringLen:dword ; DATA XREF: j_SysAllocStringLenr
00506280 extrn byte_506280:byte:18h ; DATA XREF: sub_4070FCr

2. End of ADVAPI32.DLL
005062B4 extrn RegCreateKeyExA:dword ; DATA XREF: j_RegCreateKeyExAr
005062B8 extrn RegCloseKey_0:dword ; DATA XREF: j_RegCloseKey_0r
005062C0 extrn byte_5062C0:byte:158h ; DATA XREF: sub_407560r


So every .DLL has missing APIs.

When writing this I had worked about 10 mins on the target..... examining it further, but just wanted to give notice.

greets

BlackB
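As an added example (not code from the thread or from Revirgin), a small Python scanner that walks a dumped IAT slice the way the IDA listing above presents it: one zero dword after a DLL's thunks is taken as that array's terminator, and any longer run of zeros is reported as an unresolved gap with its size, like IDA's `byte_506280:byte:18h`. The IAT bytes, API addresses and names are constructed, laid out to mirror the 18h-byte gap after SysAllocStringLen.

```python
import struct

# Constructed sample: a 32-bit IAT slice as a partially resolved dump might hold
# it. Filled slots carry an imported function's address (values made up here);
# zero slots are either the one-dword terminator of a DLL's thunk array or,
# beyond that, slots the resolver never filled. Layout mirrors the IDA listing
# above: SysAllocStringLen at 0x506278, then a 0x18-byte gap at 0x506280.
SAMPLE_BASE = 0x506270
SAMPLE_NAMES = {0x77A01010: "SysAllocString", 0x77A01020: "SysFreeString",
                0x77A01030: "SysAllocStringLen",
                0x77B02000: "RegCreateKeyExA", 0x77B02010: "RegCloseKey"}
SAMPLE_IAT = b"".join(struct.pack("<I", v) for v in
                      [0x77A01010, 0x77A01020, 0x77A01030, 0]  # OLEAUT32 + terminator
                      + [0] * 6                                 # 0x18-byte gap
                      + [0x77B02000, 0x77B02010, 0]             # ADVAPI32 + terminator
                      + [0] * 2)                                # 8-byte gap

def _flush_zeros(items, end_va, zero_run):
    # One zero dword closes a DLL's thunk array; every further zero is a slot
    # that stayed unresolved, reported as one gap ending just before end_va.
    if zero_run > 1:
        size = 4 * (zero_run - 1)
        items.append(("gap", end_va - size, size))

def scan_iat(blob, base_va, names):
    """Return [("import", va, name) | ("gap", va, size_in_bytes)] for an IAT blob."""
    items, zero_run = [], 0
    for off in range(0, len(blob), 4):
        (val,) = struct.unpack_from("<I", blob, off)
        va = base_va + off
        if val == 0:
            zero_run += 1
            continue
        _flush_zeros(items, va, zero_run)
        zero_run = 0
        items.append(("import", va, names.get(val, f"unknown_{val:08X}")))
    _flush_zeros(items, base_va + len(blob), zero_run)
    return items

def gaps(items):
    """Just the (va, size) pairs of the unresolved runs."""
    return [(va, size) for kind, va, size in items if kind == "gap"]

def report(items):
    """Render the scan in the style of IDA's extrn listing."""
    lines = []
    for kind, va, x in items:
        if kind == "import":
            lines.append(f"{va:08X} extrn {x}:dword")
        else:
            lines.append(f"{va:08X} extrn byte_{va:X}:byte:{x:X}h   ; unresolved gap")
    return lines

if __name__ == "__main__":
    print("\n".join(report(scan_iat(SAMPLE_IAT, SAMPLE_BASE, SAMPLE_NAMES))))
```

Summing the gap sizes over a real dump tells you how many slots the resolver skipped before you start hunting for why (here, as the later posts show, a debugger check).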

tsehp
March 6th, 2001, 15:57
Thanks BlackB, I'll look for this.
I already had some IATs with very large gaps; it's normally working anyway.

BlackB
March 7th, 2001, 14:44
.....gaps in the import table were due to SoftICE detection.
Unloading SICE or using FrogsICE solves the problem.
The import table resolves completely. Inserted everything..... The dumped, fixed program runs without error, but the program doesn't start at all.... it's like executing an .exe that does nothing but start and exit.
I traced through the code from the start (OEiP) and there 'seem' to be additional checks.... but whatever is done, either the program exits or the program crashes...... investigating further.....

greets

BlackB

tsehp
March 7th, 2001, 19:38
hi,
Like I wrote you, it's normal because the OEP you found is not a good one.
You have to trace the program from the start using IceDump; it will first land at the usual ret, then trace again and you land at 0x4fe86c.
Insert the it.bin from Revirgin and the target works.

I'm actually fixing the imports problem that we talked about with the owl in past threads, then I'll extend the tracer to work on the full app
to find the OEP, but only if the process is not too time-consuming.

regards,

+Tsehp