Raygun
January 14th, 2005, 12:49
At the moment I'm looking at a progam where (as is common now) the linker has merged the import table of the .idata section into the .rdata section .... but done it in a strange way so the import table is fragmented on either sides of the other data.
And the other data in the .rdata section is hard-coded addresses of subroutines that get called by the code in the .text section.
To reverse the code (which keeps calling the .rdata section to get the address of the routines to call ) you have to figure out how and why the linker did this. Or is it the linker at all? Or some new anti-debugging method? Or Ollydbg error? Has anyone seen anything like this before?
And the other data in the .rdata section is hard-coded addresses of subroutines that get called by the code in the .text section.
To reverse the code (which keeps calling the .rdata section to get the address of the routines to call ) you have to figure out how and why the linker did this. Or is it the linker at all? Or some new anti-debugging method? Or Ollydbg error? Has anyone seen anything like this before?