is0x000
August 15th, 2004, 02:14
I've been working the full month trying to unpack a DLL crypted with SafeCast. I've been able to dump the decrypted DLL easily. The problem comes when rebuilding the IAT: there are 141 unresolved pointers that point to a decryption routine inside ~df394b.tmp, which is extracted from the DLL at runtime.
The real problem is that the API returned from the decrypter for a given pointer is RVA-dependent, so the same pointer returns different APIs depending on the RVA where it was called.
Using ImpRec 1.6 I have rebuilt the IAT using TrapFlag Trace, so at least I have an IAT with all the APIs that are called from the decrypted DLL, and now I'm manually fixing each API call to the real value of the API that should be called, but it's really slow work, because imagine how many times those 141 unresolved pointers will be called... I'm really bored and I will probably make a mistake that will make all my work useless.
Has anybody tried an easier approach, or does anybody know how to automate the work?
Any recommendations are welcome.
Thank you in advance.