
Rebuilding Missing Imports


riPPadoGG
December 7th, 2001, 00:57
Hi All,
I am back looking for help again.
I am finally trying to manually unpack a packed exe.

Yesterday I gave Aha-Soft Art-Icons a try. (My 1st try for that matter).
I used icedump to find the OEP. I am rather confident that I came along the right path till this point.

I dumped and fixed (dump-fixing, changing OEP) the exe, ran it again. It did not run.
Checked and found out that it was jumping to an INVALID region.
So fired up ReVirgin.

I started the original exe and traced to what appeared to me was the import table...
It looked like this...
mov [eax], al
jmp [some location]
mov [eax], al
jmp [some location]
mov [eax], al
jmp [some location]
mov [eax], al
jmp [some location]
mov [eax], al
jmp [some location]
mov [eax], al
jmp [some location]
.......so on...

The jumps above definitely pointed to APIs.

I found out the start and end of the jump table and filled in the details in ReVirgin. ReVirgin worked for some time
and came up with almost nothing,
i.e. no imported function was resolved.

So, after all this garbage, the question is, Where have I gone WRONG?
Also, what are all the other programs which will help us to rebuild the IT? I can spend time tracing. So it need not be that AUTOMATIC.

regards,
Thanks in Advance..
riPPadoGG

NB: I WANT TO UNPACK SOMETHING DESPERATELY THIS WEEK-END...
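Locating the IAT range from a thunk table like the one described above, as an added example that is not from the thread or from ReVirgin: it scans a dumped region for `jmp dword ptr [slot]` thunks, derives the start and length an IAT fetch asks for, lists slots no thunk uses, and labels slots whose pointer lands in the protector stub the way a resolver reports them. The byte blob, slot contents, export map and stub address range are all constructed for the example; this is the same reconstruction a malware analyst does on a memory dump.

```python
import struct

# Constructed sample, not from the thread: a dumped code region laid out as
# riPPadoGG describes, each thunk "mov [eax], al" (88 00) then
# "jmp dword ptr [slot]" (FF 25 + little-endian absolute slot address).
THUNK_BLOB = (
    b"\x88\x00\xff\x25\x00\xc9\x45\x00"   # jmp [0x0045C900]
    b"\x88\x00\xff\x25\x04\xc9\x45\x00"   # jmp [0x0045C904]
    b"\x88\x00\xff\x25\x08\xc9\x45\x00"   # jmp [0x0045C908]
    b"\x88\x00\xff\x25\x10\xc9\x45\x00"   # jmp [0x0045C910]; slot ..0C skipped
    b"\xc3")
# Constructed slot contents, export map and the protector stub's address range.
SLOT_VALUES = {0x0045C900: 0x77E70000, 0x0045C904: 0x77E71234,
               0x0045C908: 0x00471200, 0x0045C910: 0x77E75678}
EXPORTS = {0x77E70000: "KERNEL32.dll!GetVersion",
           0x77E71234: "KERNEL32.dll!GetModuleHandleA",
           0x77E75678: "KERNEL32.dll!GetCommandLineA"}
STUB_RANGE = (0x00470000, 0x00480000)

def find_jmp_slots(blob):
    """IAT slot address behind every FF 25 (jmp [imm32]) in the blob, in order."""
    slots, i = [], 0
    while i + 6 <= len(blob):
        if blob[i:i + 2] == b"\xff\x25":
            slots.append(struct.unpack_from("<I", blob, i + 2)[0])
            i += 6
        else:
            i += 1
    return slots

def iat_range(slots):
    """(start, byte length): the two values an IAT fetch dialog asks for."""
    start, last = min(slots), max(slots)
    return start, last - start + 4

def unreferenced_slots(slots):
    """Slots inside the range no thunk uses: check these by hand."""
    start, length = iat_range(slots)
    used = set(slots)
    return [a for a in range(start, start + length, 4) if a not in used]

def classify_slots(slots, slot_values=SLOT_VALUES, exports=EXPORTS, stub=STUB_RANGE):
    """Name each slot the way a resolver reports it; stub pointers are flagged."""
    out = {}
    for s in slots:
        target = slot_values[s]
        if target in exports:
            out[s] = exports[target]
        else:
            out[s] = "redirected/emulated" if stub[0] <= target < stub[1] else "unresolved"
    return out
```

A bare FF 25 scan can match bytes inside unrelated instructions, so on a real dump restrict it to the thunk region you traced rather than the whole image.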

Viper
December 7th, 2001, 23:15
I gave this a try [my first manual unpack too]
I used s-ice, icedump, peditor, procdump (didn't want to look too hard for the OEP if I didn't have to).
Also, procdump will give you an idea of where to look for the IT and the length. Just take those values and put them in ReVirgin and do an IAT fetch, then do IAT Resolver; you will have to resolve again.

Doing it this way I got more than 95% of the IT, then I got stuck.
Anybody got an idea how to continue from here?

Js
December 7th, 2001, 23:26
Hiya,
Looking forward to a +Splaj special on this myself.

tsehp
December 8th, 2001, 08:51
The missing IAT can be found in three ways:
1. use the API emulator if it's an ASPR
2. use the trace (it can reboot, so better save your stuff)
3. trace manually to locate the API

With those three methods, you can find every IAT entry.

riPPadoGG
December 10th, 2001, 04:53
Hi Admiral,

I was just praying that someone experienced with Asprotect will reply. (experienced -> has played around with )

What is API Emulator? How do I use it?

Also, please note that I could not resolve even a single API with ReVirgin. ReVirgin says that it is redirected/emulated.
So I was guessing that API emulator should be used..

Please come up with some help, or a tutorial for the worst AsProtected program..

regards
riPPadoGG

and HAPPY REVERSING

Solomon
December 10th, 2001, 05:17
In ReVirgin, just press "Resolve again" when you see some "redirected/emulated". Then these entries will be resolved.

If the API name is empty, right click on it and select "trace" or "API emulator" in the pop-up menu. In most cases these entries will change to "redirected/emulated/traced". You can press "Resolve again" now. If it is still empty/unresolved, maybe you have to manually resolve it with your debugger.

Sometimes you may get a GPF, so better save your work by pressing the "save resolved" button.

good luck

Quote:
Originally posted by riPPadoGG
What is API Emulator? How do I use it?

Also, please note that I could not resolve even a single API with ReVirgin. ReVirgin says that it is redirected/emulated.
So I was guessing that API emulator should be used..

evaluator
December 11th, 2001, 17:17
Hello!

LETS AUTOMATE ASPR IT REBUILDING!

XXXXC960 is KERNEL32.dll GetCommandLineA
XXXXC90C is KERNEL32.dll GetModuleHandleA
XXXXC958 is KERNEL32.dll GetCurrentProcessId
XXXXC548 is KERNEL32.dll GetProcAddress
XXXXC928 is KERNEL32.dll GetVersion
XXXXC968 any Export from same DLL (I use FATALEXIT)
XXXXC974 any Export from same DLL

In another version (newer?):
XXXXC914 is KERNEL32.dll GetVersion
XXXXC93C is KERNEL32.dll GetCurrentProcess
XXXXC944 is KERNEL32.dll GetCurrentProcessId
XXXXC8F8 is KERNEL32.dll GetModuleHandleA
XXXXC94C is KERNEL32.dll GetCommandLineA
XXXXC954 any Export from same DLL
XXXXC960 any Export from same DLL

Report bugs

riPPadoGG
December 11th, 2001, 22:52
Hi All,

I just managed to unpack two As-protected apps yesterday.

1. A BIG THANKS to ALL.. especially, the Admiral, Viper, Js, Solomon(Your tips did it btw), Evaluator, and Eternal Bliss, Predator, BlackB..(for the tuts)
2. ReVirgin is a great tool.. but you should know how to USE IT..

regards
riPPadoGG


Viper
December 14th, 2001, 23:16
riPPadoGG

Since I'm sure there will be others asking for unpacking tuts, it seems to be growing in interest. How about posting links to the tuts you got, or uploading them, if nobody objects.


Later
Viper

riPPadoGG
December 15th, 2001, 01:25
Hi Viper..

The only up-to-date tuts I KNOW are the ReVirgin essays(Predator, BlackB) in http://www.woodmann.net/fravia/index.htm

and Eternal Bliss tut no. 42 (are there others?). Please search Google for this. (Doesn't use ReVirgin)

There is a tut by the Admiral himself, but probably written before the Revirgin ERA

These are enough, but you will have to play around with api-emulator and tracer.. The tuts do not discuss these in detail.
Please refer to the previous threads by the Admiral, and Solomon.

THIS IS IT!! (as I know it)

+Splaj tuts are on the way..

regards
riPPadoGG


Eternal Blissssssssssssssssssssssssss...
Is your page down?

riPPadoGG
December 15th, 2001, 01:32
One more thing..

More about +Splaj tuts.. Refer to the thread +Splaj tuts..