Risotto
May 21st, 2002, 22:38
1.
This part concerns import table:
018F:0112F757 AD LODSD                              ; EAX = next DWORD of the table (RVA of an IAT slot)
018F:0112F758 09C0 OR EAX,EAX
018F:0112F75A 744A JZ 0112F7A6                      ; 0 -> end of the whole table
018F:0112F75C 89C7 MOV EDI,EAX
018F:0112F75E 033D60351301 ADD EDI,[01133560]       ; add the value kept at 01133560 (load base) -> VA of the slot
018F:0112F764 897DF8 MOV [EBP-08],EDI               ; local: pointer to the current IAT slot
018F:0112F767 89F3 MOV EBX,ESI                      ; EBX = NUL-terminated DLL name
018F:0112F769 31C9 XOR ECX,ECX
018F:0112F76B 49 DEC ECX                            ; ECX = -1
018F:0112F76C 87FE XCHG EDI,ESI
018F:0112F76E 30C0 XOR AL,AL
018F:0112F770 F2AE REPNZ SCASB                      ; skip past the NUL of the DLL name
018F:0112F772 87FE XCHG EDI,ESI                     ; ESI now points at this DLL's entry list
018F:0112F774 AC LODSB                              ; AL = entry type byte
018F:0112F775 80F800 CMP AL,00
018F:0112F778 74DD JZ 0112F757                      ; 0 -> this DLL is done, fetch the next DLL header
018F:0112F77A 80F806 CMP AL,06
018F:0112F77D 7506 JNZ 0112F785
018F:0112F77F 8345F804 ADD DWORD PTR [EBP-08],04    ; 6 -> leave this slot alone, step to the next slot
018F:0112F783 EBEF JMP 0112F774
018F:0112F785 53 PUSH EBX                           ; save EBX (restored by the POP below)
018F:0112F786 56 PUSH ESI                           ; arg: entry data (name or 4-byte value)
018F:0112F787 53 PUSH EBX                           ; arg: DLL name
018F:0112F788 8D5DF8 LEA EBX,[EBP-08]
018F:0112F78B 53 PUSH EBX                           ; arg: pointer to the slot-pointer local
018F:0112F78C 80F802 CMP AL,02
018F:0112F78F 7406 JZ 0112F797                      ; 2 -> fixed 4-byte entry
018F:0112F791 0FB60E MOVZX ECX,BYTE PTR [ESI]       ; otherwise: length-prefixed name
018F:0112F794 41 INC ECX                            ; ECX = length byte + 1
018F:0112F795 EB05 JMP 0112F79C
018F:0112F797 B904000000 MOV ECX,00000004
018F:0112F79C 01CE ADD ESI,ECX                      ; skip the entry data
018F:0112F79E E8B1FCFFFF CALL 0112F454              ; resolver: fills the slot from (name/value, DLL, &slot); removes its 3 args
018F:0112F7A3 5B POP EBX
018F:0112F7A4 EBCE JMP 0112F774                     ; next entry
As far as I understood, there are APIs that are called directly (jumps inside the IAT), but there are also encrypted ones which begin with push xxxxxx, call this address. How can I correctly reverse it? I've just redirected 018F:0112F79E CALL 0112F454 to 018F:0112F79E JMP 0049CB60. There I called 0112F454 and saved the registers. Then I made a dump <moduleName>0<procName/ordinal_number>0<corresponding target's address to copy the API address>, like Thesp wrote in his essay. But I failed to do this with the crypted APIs. How do I find the decrypting call (address)? Moreover, the program goes down without initializing all APIs (not even all APIs from KERNEL32.DLL). How do I do it correctly? And if someone knows how ImpREC and Revirgin get the import table, please describe it to me, in general terms? Or in detail, for those who aren't lazy, of course.
PS: For example, it was implemented on ASProtect 1.2.
2.
I've got a little question about AsProtect: I want to extend Size of Image to put in the code of my own function, because there's not enough space. On enlarging the actual size (from 0x0001D000 to 0x0001E000), a messagebox pops up saying that the file is corrupted, blah, blah, check it with Anti-Virus. How do I reverse it? I've already tried to search for a byte which could point to the size, but it was pointless.
PS: As an example I took NotePad.exe.
PPS: Sorry for my English.
R!50770
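The listing in the post above is a walk over a protector-specific import table: a DWORD IAT-slot RVA (0 ends the table), a NUL-terminated DLL name, then a run of one-byte entry types (0 ends the DLL, 6 skips a slot, 2 is followed by four raw bytes, anything else by a length-prefixed API name). The following is an added example, not code from the original post and not ASProtect's own code: a Python walker that reconstructs that layout from the disassembly, builds a constructed sample table in the same shape, and emits the module/name/slot triples the poster wants for the dump. Two things are assumptions, not visible in the listing: that the four bytes after a type-2 byte are an ordinal, and that the resolver at 0112F454 advances the slot pointer by 4 for every entry it fills. The meaning of the other type values (for instance whether the slot gets a real address or a stub) is not visible either, so the walker just records the byte.

```python
"""
Walker for the custom import table seen in the ASProtect 1.2 loop at
0112F757..0112F7A4 (added example; layout inferred from the disassembly).
Per DLL: DWORD slot RVA (0 = end of table), NUL-terminated DLL name, then
entry type bytes:
  0      end of this DLL's list
  6      leave the current slot alone and move to the next one (ADD [EBP-08],4)
  2      four raw bytes follow (assumed here to be an ordinal)
  other  a length-prefixed API name follows (MOVZX ECX,[ESI] / INC ECX skips it)
Assumption: the resolver at 0112F454 bumps the slot pointer by 4 per filled entry.
"""
import struct


def build_table(dlls):
    """Construct a sample table in the inferred layout (constructed test data,
    not a real dump). dlls = [(slot_rva, dll_name, [(kind, value), ...]), ...]."""
    out = bytearray()
    for slot_rva, name, entries in dlls:
        out += struct.pack("<I", slot_rva)
        out += name.encode("ascii") + b"\0"
        for kind, value in entries:
            out.append(kind)
            if kind == 6:
                continue                       # no data: just skip a slot
            if kind == 2:
                out += struct.pack("<I", value)  # 4-byte entry
            else:
                api = value.encode("ascii")
                out.append(len(api))             # length byte, then the name
                out += api
        out.append(0)                            # end of this DLL
    out += struct.pack("<I", 0)                  # end of table
    return bytes(out)


def walk_imports(table, image_base):
    """Return [(dll, api_name_or_ordinal, kind, slot_va), ...] in the order the
    loop would hand them to the resolver."""
    pos = 0
    result = []
    while True:
        slot_rva, = struct.unpack_from("<I", table, pos)
        pos += 4                                 # LODSD
        if slot_rva == 0:
            break                                # OR EAX,EAX / JZ: end of table
        slot = image_base + slot_rva             # ADD EDI,[01133560]
        end = table.index(b"\0", pos)            # REPNZ SCASB over the DLL name
        dll = table[pos:end].decode("ascii")
        pos = end + 1
        while True:
            kind = table[pos]                    # LODSB
            pos += 1
            if kind == 0:
                break                            # next DLL header
            if kind == 6:
                slot += 4                        # ADD DWORD PTR [EBP-08],4
                continue
            if kind == 2:
                value, = struct.unpack_from("<I", table, pos)
                pos += 4                         # MOV ECX,4 / ADD ESI,ECX
                result.append((dll, value, kind, slot))
            else:
                n = table[pos]
                result.append((dll, table[pos + 1:pos + 1 + n].decode("ascii"), kind, slot))
                pos += 1 + n                     # ADD ESI,ECX with ECX = length + 1
            slot += 4                            # assumed: resolver advances the slot
    return result


def format_dump(entries):
    """Lines in the 'module 0 name/ordinal 0 slot' shape described in the post."""
    lines = []
    for dll, api, kind, slot in entries:
        api_s = api if isinstance(api, str) else "#%d" % api
        lines.append("%s 0 %s 0 %08X" % (dll, api_s, slot))
    return lines


# Constructed sample: two DLLs, one skipped slot, one ordinal entry. Type values
# 1 and 3 are placeholders for "some name entry"; their real meaning is unknown.
SAMPLE = build_table([
    (0x1000, "KERNEL32.DLL", [(1, "GetModuleHandleA"), (6, None),
                              (1, "ExitProcess"), (2, 0x1234)]),
    (0x2000, "USER32.DLL", [(3, "MessageBoxA")]),
])

if __name__ == "__main__":
    for line in format_dump(walk_imports(SAMPLE, 0x00400000)):
        print(line)
```

Run against a real dump you would replace SAMPLE with the bytes ESI points at when the loop is entered and image_base with the DWORD stored at 01133560; the skipped (type 6) slots are the ones that stay whatever the protector left in them, so they are worth listing separately when comparing against what ImpREC finds.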