Help Rebuilding IAT
canuckcracker
August 1st, 2004, 22:59
Hi,
I've been reading a tutorial by TiTi on how to rebuild the IAT.
I have everything done except I don't understand this part:
4. For each function name in the 3rd part of the import table, we call the
GetProcAddress API. When this API returns 77E7897Fh, that's it, we reached
the right function. So we make the corrupted IAT point to the right
function name. (in this case that is 'wsprintfA').
www.yates2k.net/rebuild.txt
He talks about the "3rd part of the import table" where all the function names are, read in each name, call GetProcAddress on it and compare to the address I read in from IMPORT_THUNK_DATA.u1.Function, if it's the same, convert the address.
My problem is, I don't know how to go to the start of this "3rd part" of the import table??
Any help appreciated,
thanks,
edit:
While googling for info I stumbled across this nice article on PE format
http://msdn.microsoft.com/msdnmag/issues/02/03/PE2/default.aspx
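An added example, not from TiTi's tutorial or from any poster in this thread: it assumes the "3rd part" means the hint/name (IMAGE_IMPORT_BY_NAME) entries, reached through each IMAGE_IMPORT_DESCRIPTOR's OriginalFirstThunk array, and that this array is still intact. The byte layout, the `EXPORTS` table (a stand-in for GetProcAddress) and all function names are constructed for illustration.

```python
import struct

def build_sample():
    """Constructed 32-bit import data; offsets double as RVAs for brevity."""
    img = bytearray(0x80)
    def put(off, data):
        img[off:off + len(data)] = data
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp,
    # ForwarderChain, Name, FirstThunk. The zeroed one at 0x14 ends the array.
    put(0x00, struct.pack("<5I", 0x40, 0, 0, 0x28, 0x50))
    put(0x28, b"USER32.dll\0")
    # Import lookup table: two hint/name RVAs, one ordinal import, terminator.
    put(0x40, struct.pack("<4I", 0x60, 0x70, 0x80000005, 0))
    # IAT as left in a dump: resolved addresses instead of name RVAs.
    put(0x50, struct.pack("<4I", 0x77E11111, 0x77E7897F, 0x77E22222, 0))
    put(0x60, struct.pack("<H", 1) + b"MessageBoxA\0")  # 2-byte hint + name
    put(0x70, struct.pack("<H", 2) + b"wsprintfA\0")
    return bytes(img)

def cstr(img, rva):
    return img[rva:img.index(b"\0", rva)].decode("ascii")

def hint_names(img, desc_rva=0):
    """Yield (dll, name, iat_slot_rva) for every import made by name."""
    while True:
        oft, _, _, dll_rva, ft = struct.unpack_from("<5I", img, desc_rva)
        if oft == 0 and ft == 0:  # assumes OriginalFirstThunk is intact
            return
        i = 0
        while (thunk := struct.unpack_from("<I", img, oft + 4 * i)[0]) != 0:
            if not thunk & 0x80000000:  # high bit set means import by ordinal
                yield cstr(img, dll_rva), cstr(img, thunk + 2), ft + 4 * i
            i += 1
        desc_rva += 20  # sizeof(IMAGE_IMPORT_DESCRIPTOR)

# Stand-in for GetProcAddress so this runs offline; addresses are constructed
# except 77E7897Fh -> wsprintfA, which is the pair quoted in the post.
EXPORTS = {("USER32.dll", "MessageBoxA"): 0x77E11111,
           ("USER32.dll", "wsprintfA"): 0x77E7897F}

def match_iat(img, resolve=lambda dll, name: EXPORTS.get((dll, name))):
    """Map each IAT slot RVA to the name whose resolved address it holds."""
    entries = list(hint_names(img))
    out = {}
    for _, _, slot in entries:
        (addr,) = struct.unpack_from("<I", img, slot)
        for dll, name, _ in entries:
            if resolve(dll, name) == addr:
                out[slot] = name
    return out
```

On a real file the RVAs must first be translated to file offsets through the section table, which this sample avoids by making the two equal.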
JMI
August 2nd, 2004, 00:13
There is a whole lot of information about IAT rebuilding on this Forum. In fact, there is so much information we had to invent something special, called the "SEARCH" button to handle access to all the information.
Perhaps you've heard of it? It's mentioned in the FAQ, you know, the one mentioned in the BIG RED LETTERS which says what you are supposed to do before you ask a question.
Please go back and read those FAQ topics now, then search the forum for information using "IAT rebuild*" (without the quotes) as your search term and then post again after you've done some basic homework on your own.
Oh. And your edit, saved me from giving you this for the rest of your homework assignment:
http://board.win32asmcommunity.net/attachment.php?postid=144294
Regards,
canuckcracker
August 2nd, 2004, 00:15
I have searched the forum. I've read TiTi's tutorial, I've also searched on google. I'm stumped about one section of TiTi's tutorial.
How do you know I have not searched? If you can check logs, perhaps you should and you will see a search for iat rebuilding, with variations on the keywords. I just simply do not understand a part of the tutorial and I'm asking for help.
While one or more of my other posts perhaps should have been researched better, you really discourage any kind of posts looking for help by your constant flaming of "use search! use search!"
Thank You
JMI
August 2nd, 2004, 00:25
canuckcracker:
You have posted several threads in the last several days which demonstrate that you are indeed a newbie. That, in and of itself is no problem. We were all newbies at one time or another and even after we have some experience on some, or many subjects, we remain newbies on other subjects.
The problem is that you keep asking the most basic of questions which demonstrate that you have too limited a background in cracking, that is explained ONLY by the fact that you have failed to do very much BASIC reading of the broad subject matter.
This is not a kindergarten where we take you by the hand and teach you everything you should want or need to know. This is a place where YOU are supposed to DO THE BASIC WORK YOURSELF.
You're stuck on "part three" because you haven't a clue about what an IAT is or how one is constructed or how one is messed with by a protector and you "just" want someone to explain this "one" simple thing to you, while you have certainly apparently done NOTHING to study the problem by reading MANY tutorials and threads on rebuilding IATs. That is your problem. Not how to do "step three in a 1999 tutorial."
Now stop posting such questions and particularly stop posting such questions in the Advanced Forum and spend some quality time just reading and reading and reading, until you have some better idea what IAT is all about and what protectors try to do to it. The object isn't just to get through this ONE ancient tut, but to LEARN SOMETHING ABOUT IAT REBUILDING.
Regards,
canuckcracker
August 2nd, 2004, 00:29
I have read numerous papers on PE format. TiTi's tutorial is the only one which explains rebuilding the IAT. While I understand what he does, I don't understand what he means by "3rd part of the import table" -- This doesn't mean I don't understand what an Import Table is, or what it's used for.
And yes the object IS to learn about the PE format & specifically the IAT & how protections/packers may "mess it up" excuse if while in my search for this knowledge(yes, SEARCH, because I have SEARCHED) despite what you would like "think". I will refrain from ever posting again.
It's no wonder there is no discussion on this board. You're simply anal & over jealous about your "moderating" duties.
Regards to you!
p.s: you shouldn't waste your time replying as I am deleting my account & will not read it.
JMI
August 2nd, 2004, 01:04
Well, seems canuckcracker's taken his marbles and gone home in a huff.
I wouldn't want any subsequent readers to suspect that TiTi's tutorial on IAT Rebuilding "is the only one which explains rebuilding the IAT." Heck, it's not even the only one on the Yates link at the bottom of the forums.
http://www.woodmann.com/yates/Import_tables.txt
titled: Understanding Import Tables, written for the beginner.
There are many, many others on the net and some of the other links at the bottom of the Forums discussing how the IAT works, what it does and how various protectors attempt to screw it up.
Searching on this Forum using "rebuild IAT" (without the quotes) produced 174 Threads discussing IAT rebuilding, including specific ones for a large variety of protector schemes that mess with the IAT.
Regards,