New Tool: First_Thunk_Rebuilder 1.2


nikolatesla20
April 19th, 2002, 21:32
Ok, ok, maybe YOU won't need this tool, but *I* do, so there.
Plus it is good learning for me anyway. Especially how to use pointers on Memory Mapped files in Delphi ...what a pain 'til I figured it out...

Anyway the purpose of this tool is to fix your dumped file, once you have it up and running. No, it's not some magical dumpfixer. Remember, this is AFTER you have the program running. The whole point of the utility is to make sure that BOTH your import thunk tables point to the same imported function names. (For those of you not in the know, an EXE file has TWO arrays pointing to the import functions, well, at least it's supposed to.)

The main reason I made this tool is because I like to have the option to add code to a program. To do this I use Iczelion's Code Snippet Creator. Problem is, Code Snippet Creator has a bug. When it looks for imported functions, it only sees the ones in the FirstThunk table. (Which makes sense, because it needs to know THOSE in order to hook any APIs you use to the correct call.)

Anyway, when you dump a file from memory and rebuild the IAT, you usually paste it into a new section, or whatever. Meanwhile, your FirstThunk table, which got dumped from memory with it, is full of B.S. addresses from **Protect or whatever packer messed with it. Luckily for us the PE loader looks for the OriginalFirstThunk table FIRST, which is the one we rebuild, and patches the addresses in the FirstThunk table based off of it, so the program will RUN just fine.

But Code Snippet Creator won't work with only the OriginalFirstThunk table, it needs to know the correct address to call for any APIs you use in your code snippet, and it can only get that from the FirstThunk table. And plus hey, don't you want your dump to be as virgin as possible?

Fire up the First_Thunk_Rebuilder and fix that FirstThunk table back to pristine OEM condition.

Coded in 2 days with Borland Delphi 6.0.

Check it out at :

THIS LINK WAS BROKEN
PLEASE SEE BELOW FOR THE CORRECT LINK!


-nt20

ATTENTION Shareware Authors:
********* I RESERVE THE LEGAL RIGHT TO REMOVE YOUR "PROTECTION" VIRUS FROM MY COMPUTER *******

nikolatesla20
April 20th, 2002, 06:14
I'll have to reupload it on Monday.

-nt20

The_Philosopher
April 23rd, 2002, 08:30
Hi nikolatesla20

Did you reupload it?
Link is still broken.


The_Philosopher

nikolatesla20
April 23rd, 2002, 14:38
For some reason my Charter account corrupts any files I upload... grrr.

So I put it on my angelfire site instead for now. Don't worry, I killed the popups for you. Here is the new link:


h**p://www.angelfire.com/nt/teklord/FirstThunk.htm


Hope someone finds it useful.

-nt20

foxthree
April 23rd, 2002, 15:02
Hi Tesla:

Seems u r obsessed with the ASPR User Interface. Maybe looking at it far too long, my friend. Anyway, nice work! Delphi is really cool. Maybe I'll rewrite one of my tools using Delphi ... someday.

Signed,
-- FoxThree

nikolatesla20
April 23rd, 2002, 16:02
Heh heh

I was wondering if anyone would notice the similarity

I thought it would be a good joke for Alexey, a tool to help against his software, that looks just like his software.

BWA hahahahahahah

-nt20

bedrock
January 8th, 2003, 16:20
I just loaded a working dump I have made of an ASPacked target into the FirstThunk rebuilder, but it says Original First Thunks MISSING, cannot repair.

My dump runs okay, I rebuilt the IAT with ImpREC and put this in a new section. How can I get the FirstThunk table back?

nikolatesla20
January 9th, 2003, 15:56
If it says "Original First Thunks missing" the tool cannot work, since it depends on the "Original first thunks" to do anything.

I just ran it on my dumped armadillo and it looks like there might be a problem using it on files with an IAT rebuilt with ImpREC. I'll have to look into it some more...

I can also upload the source to this program here if anyone wants it. It's Delphi 6.0.

-nt20

nikolatesla20
January 9th, 2003, 16:35
Well, here's the reason.

On files rebuilt with ImpREC you don't need to rebuild the FirstThunk table, it appears that ImpREC does it for you already. Yay! I checked out the FirstThunk table in my dumped armadillo, which was created with ImpREC, and the first thunks are already OK.

Revirgin does not repair the first thunks, it simply creates a new "Original First Thunk" table, which the loader uses first if it sees it.

I can add a check for this perhaps? It would be quite complex as of my thinking right now, because I am only patching tables to match. To test for an already valid First Thunk table would be difficult. Basically, if the tool says "Original First Thunks missing" it means that your First Thunks are already probably in good order, especially if the file runs. Guess I should change the "error" message then, huh? Hehe.

I also then loaded this file into Code Snippet Creator and it works just fine already, which means the FirstThunks are already good.

So I guess pretty much you only need my tool if you use Revirgin...



-nt20
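To make the two cases discussed in this thread concrete (the first post's "make both thunk tables point to the same names" repair, and the later "Original First Thunks MISSING, cannot repair" situation with an ImpREC-style dump), here is an added Python example. It is not the First_Thunk_Rebuilder source nor any of the tools mentioned above. It assumes a flat, constructed image buffer in which RVA equals buffer offset (a real PE file would need the section table to translate RVAs to file offsets), 32-bit thunks, and a single made-up KERNEL32.dll descriptor at RVA 0; the sample addresses and names are constructed, not taken from any real dump.

```python
import struct

# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
DESC_FMT = "<IIIII"
DESC_SIZE = struct.calcsize(DESC_FMT)
ORDINAL_FLAG32 = 0x80000000  # IMAGE_ORDINAL_FLAG32: thunk is an ordinal, not a hint/name RVA


def cstring(image, rva):
    """Read a NUL-terminated ASCII string at an RVA (RVA == offset in this flat image)."""
    return image[rva:image.index(b"\0", rva)].decode("ascii")


def read_descriptors(image, dir_rva):
    """Walk the import directory up to its all-zero terminator entry."""
    descs, off = [], dir_rva
    while True:
        oft, _ts, _fwd, name, ft = struct.unpack_from(DESC_FMT, image, off)
        if oft == 0 and name == 0 and ft == 0:
            return descs
        descs.append({"oft": oft, "name": name, "ft": ft})
        off += DESC_SIZE


def read_thunks(image, rva):
    """Read a 32-bit thunk array up to its zero terminator."""
    vals, off = [], rva
    while True:
        (v,) = struct.unpack_from("<I", image, off)
        if v == 0:
            return vals
        vals.append(v)
        off += 4


def describe_thunk(image, thunk):
    """Name of the import a thunk entry refers to (by ordinal or by hint/name)."""
    if thunk & ORDINAL_FLAG32:
        return "ordinal %d" % (thunk & 0xFFFF)
    return cstring(image, thunk + 2)  # skip the 2-byte hint in IMAGE_IMPORT_BY_NAME


def check(image, dir_rva):
    """Per DLL: ("ok", []), ("mismatch", [slot indexes]) or ("oft-missing", None)."""
    report = {}
    for d in read_descriptors(image, dir_rva):
        dll = cstring(image, d["name"])
        if d["oft"] == 0:
            report[dll] = ("oft-missing", None)  # loader falls back to FirstThunk as-is
            continue
        oft = read_thunks(image, d["oft"])
        ft = struct.unpack_from("<%dI" % len(oft), image, d["ft"])
        bad = [i for i, (a, b) in enumerate(zip(oft, ft)) if a != b]
        report[dll] = ("ok" if not bad else "mismatch", bad)
    return report


def repair(image, dir_rva):
    """Overwrite each FirstThunk slot with its OriginalFirstThunk value; return slots patched."""
    patched = 0
    for d in read_descriptors(image, dir_rva):
        if d["oft"] == 0:
            raise ValueError("Original First Thunks MISSING, cannot repair")
        for i, v in enumerate(read_thunks(image, d["oft"])):
            off = d["ft"] + 4 * i
            if struct.unpack_from("<I", image, off)[0] != v:
                struct.pack_into("<I", image, off, v)
                patched += 1
    return patched


def build_sample(oft_present=True):
    """Constructed flat image with one KERNEL32.dll descriptor at RVA 0 (not a real file)."""
    img = bytearray(0x300)

    def put(off, data):
        img[off:off + len(data)] = data

    put(0x100, b"KERNEL32.dll\0")
    put(0x120, b"\0\0ExitProcess\0")     # hint/name entries (hint = 0)
    put(0x140, b"\0\0GetProcAddress\0")
    good = (0x120, 0x140, ORDINAL_FLAG32 | 7, 0)
    if oft_present:
        # Revirgin-style dump: INT rebuilt, IAT still holds the packer's leftover absolute addresses
        struct.pack_into("<IIII", img, 0x200, *good)
        struct.pack_into("<IIII", img, 0x220, 0x77E7B0A3, 0x77E7AC28, 0x77E70000, 0)
        struct.pack_into(DESC_FMT, img, 0, 0x200, 0, 0, 0x100, 0x220)
    else:
        # ImpREC-style dump: no INT at all, but the IAT itself already holds valid RVAs
        struct.pack_into("<IIII", img, 0x220, *good)
        struct.pack_into(DESC_FMT, img, 0, 0, 0, 0, 0x100, 0x220)
    return img


if __name__ == "__main__":
    img = build_sample()
    print("before:", check(img, 0))
    print("patched slots:", repair(img, 0))
    print("after: ", check(img, 0))
```

Running the module prints the mismatch report, patches the three bad IAT slots and reports the table as clean; calling `repair()` on `build_sample(oft_present=False)` raises the same "cannot repair" condition bedrock hit, while `check()` on that image just reports the INT as absent rather than treating the valid IAT as broken.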