xkrylonx
October 7th, 2002, 04:46
I'm having some trouble getting the imports to come up in W32Dasm after unpacking a NeoLite 1.1-packed exe.
I've been reading a lot trying to get a better understanding of how to manually rebuild/unpack files, but it's been a bit confusing (I'm learning more each time I re-read the tuts and threads though!)
So my approach was determining how the exe was packed using PE-Scan, then I unpacked it with ProcDump. After dumping it, the program would give an error that it could not initialize properly. I rebuilt the PE using ProcDump's rebuilder, all the standard options except I chose "rebuild the import table". It worked successfully and the program executed fine then.
However, when I check out the exe in w32dasm, the imports don't come up. After searching the threads I found what I thought was the answer to my problems:
-------------------------
The Imports aren't encrypted with Neolite and the program should run fine as dumped, but if you want to see them with PEditor or W32Dasm, you need to change the RVA of the Import Table to the real one, not the one pointed to in unpacking code. This is an address in the Optional Header that points to the Image_Import_Descriptor (IID) table, a set of 5 DWORDS that gives information about each dll. One way to find this address is to do a hex search for the starting address of the IAT, which is at 89000, the beginning of the .rdata section. If you search for "009008" you'll land in the middle of the IID table. Find the starting address offset for this table and change the RVA and size of the Import Table as shown in PEditor to the correct values (A4F90 and 104) and you should see the proper Imports in a disassembly.
Kayaker
--------------------------
But I'm having a hell of a time getting this to work. I tried a few different approaches, like loading up the dumped/working exe into ReVirgin and having it dump the IT, then I tried inserting that into a new section of the exe and pointing the IT RVA to that... all with no success.
I'm not giving up, I'm just hoping to get some insight! I'm probably just too tired.. maybe another set of eyes will help. Thanks.
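Kayaker's hex-search for the IAT start address, as an added Python example (not code from the thread or from any of the tools named in it): it parses a dumped PE32 image, scans for the little-endian DWORD of the IAT RVA (for 0x89000 that is the bytes 00 90 08 00, the "009008" of the quoted post), checks each hit is really inside an IMAGE_IMPORT_DESCRIPTOR by requiring its Name field to point at a plausible DLL name, walks back to the first descriptor and forward to the all-zero terminator, and writes the resulting RVA and Size into the Optional Header, which is the PEditor step done in code. The sample image, its section names, RVAs and function names are constructed for the example. For a real dump read the file into a bytearray and pass the VirtualAddress of .rdata as the IAT RVA.

```python
import struct

IMPORT_DIRECTORY = 96 + 8 * 1  # import table entry (RVA, Size) in the PE32 optional header: data directory index 1
IID_SIZE = 20                  # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk


def parse_headers(data):
    """Return (optional header offset, [(VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData), ...])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, opt_size = struct.unpack_from("<H", data, e_lfanew + 6)[0], struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    return opt, [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsect)]


def rva_to_offset(sections, rva):  # None when the RVA falls in no section (e.g. inside the headers)
    for vsize, va, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    return None


def read_descriptor(data, sections, off):
    """Sanity-check a candidate IMAGE_IMPORT_DESCRIPTOR at file offset off; return its DLL name or None."""
    if off < 0 or off + IID_SIZE > len(data):
        return None
    _oft, _ts, _fwd, name_rva, first_thunk = struct.unpack_from("<IIIII", data, off)
    name_off = rva_to_offset(sections, name_rva)
    if name_off is None or rva_to_offset(sections, first_thunk) is None:
        return None
    end = data.find(b"\0", name_off, name_off + 64)
    name = bytes(data[name_off:end]) if end != -1 else b""
    # a real descriptor names a module: short printable ASCII ending in ".dll"
    ok = 4 < len(name) < 64 and all(0x20 <= c < 0x7F for c in name) and name.lower().endswith(b".dll")
    return name.decode("ascii") if ok else None


def find_import_table(data, iat_rva):
    """Search for the IAT RVA as a little-endian DWORD and rebuild the IID array around the hit; (RVA, Size, names) or None."""
    _opt, sections = parse_headers(data)
    needle, pos = struct.pack("<I", iat_rva), -1
    while (pos := data.find(needle, pos + 1)) != -1:
        # the hit is normally the FirstThunk field (offset 16); when OriginalFirstThunk == FirstThunk it is offset 0
        for start in (pos - 16, pos):
            if read_descriptor(data, sections, start) is None:
                continue  # header field or data noise, not a descriptor: keep searching
            while read_descriptor(data, sections, start - IID_SIZE) is not None:
                start -= IID_SIZE  # walk back to the first descriptor of the array
            names, off = [], start
            while (name := read_descriptor(data, sections, off)) is not None:
                names.append(name)
                off += IID_SIZE  # walk forward to the all-zero terminator, which counts toward Size
            if data[off:off + IID_SIZE] == bytes(IID_SIZE):
                return next(start - p + va for _, va, rs, p in sections if p <= start < p + rs), off + IID_SIZE - start, names
    return None


def list_imports(data):
    """DLLs a disassembler would show: walk the descriptors the Optional Header currently points to."""
    opt, sections = parse_headers(data)
    off, names = rva_to_offset(sections, struct.unpack_from("<I", data, opt + IMPORT_DIRECTORY)[0]), []
    while off is not None and (name := read_descriptor(data, sections, off)) is not None:
        names.append(name)
        off += IID_SIZE
    return names


def set_import_directory(data, rva, size):  # patch the import table RVA and Size in the Optional Header
    struct.pack_into("<II", data, parse_headers(data)[0] + IMPORT_DIRECTORY, rva, size)


def build_dumped_sample():
    """Constructed toy dump (raw offsets == RVAs): the real IID table lives in .rdata at 0x2100,
    but the import directory still points at the packer stub's lone descriptor in .neolit."""
    img = bytearray(0x4000)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)  # e_lfanew
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 3, 0, 0, 0, 224, 0x102)  # COFF header: i386, 3 sections
    struct.pack_into("<HBB9I6H4I2H6I", img, 0x58, 0x10B, 6, 0, 0x1000, 0x1000, 0, 0x1000, 0x1000, 0x2000,
                     0x400000, 0x1000, 0x1000, 4, 0, 0, 0, 4, 0, 0, 0x4000, 0x1000, 0, 2, 0,
                     0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # PE32 optional header, 16 data directories
    for i, (name, va, flags) in enumerate([(b".text", 0x1000, 0x60000020), (b".rdata", 0x2000, 0x40000040), (b".neolit", 0x3000, 0xE0000060)]):
        struct.pack_into("<8sIIIIIIHHI", img, 0x138 + 40 * i, name, 0x1000, va, 0x1000, va, 0, 0, 0, 0, flags)
    img[0x1000:0x2000] = b"\x90" * 0x1000  # .text filler
    for off, s in {0x2200: b"KERNEL32.dll", 0x2210: b"USER32.dll", 0x2220: b"ADVAPI32.dll", 0x2242: b"GetProcAddress", 0x2254: b"ExitProcess",
                   0x2262: b"MessageBoxA", 0x2272: b"RegOpenKeyExA", 0x3020: b"KERNEL32.dll", 0x3042: b"GetProcAddress", 0x3056: b"LoadLibraryA"}.items():
        img[off:off + len(s)] = s  # DLL names and hint/name entries (a 2-byte hint precedes each function name)
    for base, thunks in [(0x2000, [0x2240, 0x2252]), (0x200C, [0x2260]), (0x2014, [0x2270])]:
        for delta in (0, 0x80):  # IAT at 0x2000.., INT copy at 0x2080..
            struct.pack_into("<%dI" % len(thunks), img, base + delta, *thunks)
    for i, d in enumerate([(0x2080, 0, 0, 0x2200, 0x2000), (0x208C, 0, 0, 0x2210, 0x200C), (0x2094, 0, 0, 0x2220, 0x2014)]):
        struct.pack_into("<IIIII", img, 0x2100 + IID_SIZE * i, *d)  # the real IID table; the zero terminator follows
    struct.pack_into("<IIIII", img, 0x3000, 0, 0, 0, 0x3020, 0x3100)  # packer stub's single descriptor
    struct.pack_into("<II", img, 0x3100, 0x3040, 0x3054)  # stub's IAT
    struct.pack_into("<II", img, 0x58 + IMPORT_DIRECTORY, 0x3000, 0x28)  # directory as the unpacker left it
    return img


if __name__ == "__main__":
    img = build_dumped_sample()  # for a real dump: bytearray(open(path, "rb").read())
    rva, size, names = find_import_table(img, 0x2000)  # 0x2000: VirtualAddress of .rdata, where the IAT starts
    set_import_directory(img, rva, size)
    print("IID table at RVA %#x, Size %#x; imports now: %s" % (rva, size, list_imports(img)))
```

The validation step matters because the IAT RVA also appears in places that are not descriptors (the section table's VirtualAddress and PointerToRawData fields, BaseOfData in the Optional Header), so a raw hex search lands on several false hits before the real FirstThunk field. Size is the whole array including the terminating zero descriptor, which is why 0x104 in the quoted post corresponds to 12 DLLs. This only works because, as the quoted post says, NeoLite leaves the original descriptors intact in the dump; a packer that destroys them needs the table rebuilt from the IAT instead, which is the ReVirgin approach.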