Petite 2.3 -> how to rebuild the import table ?


DeViaN
March 23rd, 2007, 02:15
Hello all. I have been trying to unpack one file for 2 days, but without success.
It's packed with Petite 2.3. I found the Olly script for it and it works, I dumped it, but how do I rebuild the import table???

I tried Import Reconstructor: I loaded the process (from Olly) with ImpRec, it found me the OEP, then I clicked on the "Import" button, it showed me the import calls, then I clicked on "Show Invalid" and I clicked on Level1.
After all that, I tried to fix the dump, but it showed me that the IAT is still invalid and the dump is not working.... I tried different options, the OllyDump plugin too, with repairing the import table and without it.

Please, can somebody help me??? Maybe I did something wrong??? Old tuts for 2.2 are not working (I think).

naides
March 23rd, 2007, 06:39
ImpRec as a tool does an excellent job in writing a fixed, functional IAT into a dumped file.
It does an OK job finding the import table, but if the IT is split or has some minor irregularities, ImpRec gets lost. You should check manually the IT that ImpRec finds, making sure it is correct by examining the disassembly in Olly.

The invalid import resolution options 1, 2, 3 of ImpRec used to work reasonably OK with old, very simple packers/versions. Most new packers have much more convoluted import hiding/resolution algos. And I am 99% sure packer authors look at ImpRec, making sure their IT redirection will fool this tool.

So you either have to figure out how the right API is found by fearlessly tracing/analyzing those false calls to their ultimate consequences, or hope that some Petite guru has done that job for you and put out a tut.

DeViaN
March 23rd, 2007, 07:54
Hmm, thank you naides for your answer.

It's a little bit strange, because I also tried to unpack it with Quick Unpack (RC1), and it didn't show me any error, only that the file was unpacked and that the IT was successfully rebuilt. But the program won't start. I also tried to unpack it with many different options (with/without brute force, different types of IT rebuilding) and it is still not working.

Once I got error 0xc0000005; on other fixed dumps it doesn't show any error, but the program won't start either.

I never tried to unpack this packer before, but I think that there is some hidden trick in this protector/packer.

With OllyDbg, the program runs without any problems...

Please help me.


DeViaN
March 24th, 2007, 07:38
Double post. Thank you naides, I found the fake IT calls. Now it works....

naides
March 24th, 2007, 07:45
I'm so glad you found the light.
Now, kindly tell others in this board or write a tut on how you did it.

After all, that IS the point of this board!!

DeViaN
March 24th, 2007, 14:29
OK, here is the tut. It's for newbies, I think; skilled reversers can do it without a tutorial.

-Level: Newbiest
-Tools Used:
+OllyDbg -> Used Plugins: OllyDump, OllyScript + Script below
+Quick Unpack
+ImpRec (Import Reconstructor)
+Target
+And notepad

1. Load the target with OllyDbg, then run this script for finding the OEP:

Quote:
// Petite 2.3 UnPacking Script By : Magic_h2001
// magic_h2001@yahoo.com - www.zahackers.20m.com

// Please activate "Memory Access violation"
// in : Debugging options/Exceptions then run script

var x                 // holds the address of the current entry point
eob L1                // when a breakpoint is hit, continue the script at L1
mov x,eip             // remember EIP (the packer's entry point)
bphws x, "x"          // hardware breakpoint on execute at that address
esto                  // run, passing exceptions to the program, until a breakpoint
L1:
bphwc x               // clear the hardware breakpoint again
sti                   // single-step into the next instruction
msg "Now try to Dump - Script By : Magic_h2001"

As you can see, the script jumped directly to the "Entry Point", and the code is revealed.
Now click on the OK button, and click on Plugins->OllyDump->Dump Debugged Process; now you can see the new address of the OEP. Write it down somewhere, you'll need it.

2. Then run Quick Unpack -> load that target file, write the OEP and select the option "Do not recover" in the "Import Table Recovering" feature; the other options can stay unchanged.
Now click on the "Unpack" button.
OK, if everything is correct, you can see in the Log window that the target was unpacked, but do NOT close Quick Unpack yet; you can find very useful information in this log.

Try to find "IATRVA" and "IATSize", write them down somewhere, you'll need them.

3. Now run that target and load that process with Import Reconstructor; now write the OEP, RVA (the IATRVA which you found in the log window) and Size.
Then click on the "Get Imports" button. OK, now you can see it loads the import table; you also see that there are some invalid import calls.
Click on the "Show Invalid" button, then right-click on the selected items and select the "Trace Level 1" option.

4. Now click on the "Fix Dump" button and select that dumped file (made by Quick Unpack).

That's all, pretty easy.

Note: You can also use the OllyDump plugin for dumping, but then untick the Rebuild Import feature, and you must find the RVA and Size of the IAT by hand.
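Step 2 and the note above both come down to knowing the IATRVA and IATSize before ImpRec can do its job, and naides' warning about a split IT is exactly where the tools lose track. As an added illustration that is not part of this post or of any of the tools named, the following Python sketch shows the heuristic behind finding those two values by hand: scan a dumped region for the largest run of 32-bit thunks that point into loaded DLLs, tolerate the null DWORD that separates one DLL's thunks from the next, and flag thunks that point back into the target itself (the redirected entries ImpRec lists under "Show Invalid"). The module ranges, the target range and the dump fragment are all constructed for the example.

```python
import struct

# Constructed assumptions: the target's own mapping and the DLLs the debugger
# lists (Olly: View -> Executable modules); a real session reads them live.
TARGET = (0x00400000, 0x00010000)                       # (base, size)
MODULES = [("kernel32.dll", 0x7C800000, 0x000F6000),    # (name, base, size)
           ("user32.dll",   0x7E410000, 0x00091000)]

def classify(ptr):
    """DLL name for a thunk into a known module, 'INVALID' for a nonzero pointer
    back into the target (a redirected import, ImpRec's 'Show Invalid'), else None."""
    for name, base, size in MODULES:
        if base <= ptr < base + size:
            return name
    return "INVALID" if TARGET[0] <= ptr < TARGET[0] + TARGET[1] else None

def find_iat(buf, buf_rva, min_entries=3, max_gap=1):
    """Largest block of 32-bit thunks in buf (dumped region at RVA buf_rva),
    tolerating up to max_gap zero DWORDs between sub-runs (the per-DLL
    terminators of a split IAT). Returns (iat_rva, iat_size, entries) with
    entries = [(rva, pointer, classification), ...], or None if nothing found."""
    words = struct.unpack("<%dI" % (len(buf) // 4), buf[:len(buf) // 4 * 4])
    best, i = None, 0
    while i < len(words):
        entries, gap, j = [], 0, i
        while j < len(words):
            kind = classify(words[j])
            if kind is not None:
                entries.append((buf_rva + 4 * j, words[j], kind))
                gap = 0
            elif words[j] == 0 and entries and gap < max_gap:
                gap += 1            # null terminator between two DLLs' thunks
            else:
                break               # unrelated data: end of this candidate run
            j += 1
        if len(entries) >= min_entries and (best is None or len(entries) > len(best[2])):
            best = (entries[0][0], entries[-1][0] + 4 - entries[0][0], entries)
        i = j + 1
    return best

# Constructed dump fragment at RVA 0x2000: padding, a stray constant, four kernel32
# thunks (one redirected into the target), a null, two user32 thunks, a null, code.
SAMPLE = (b"\x00" * 8 + struct.pack("<2I", 0x12345678, 0)
          + struct.pack("<4I", 0x7C801D7B, 0x00408F20, 0x7C809B77, 0x7C80A1D6)
          + struct.pack("<I", 0) + struct.pack("<2I", 0x7E4189D1, 0x7E418E5C)
          + struct.pack("<I", 0) + b"\xCC" * 16)

def invalid_thunks(result):
    """RVAs of thunks to trace by hand (or with ImpRec's Trace Level 1)."""
    return [rva for rva, _, kind in result[2] if kind == "INVALID"]
```

On the sample the scan reports IATRVA 0x2010 and IATSize 0x1C, covering both DLLs across the null separator, and points at 0x2014 as the one thunk that still needs tracing.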

DeViaN
March 24th, 2007, 15:44
Double post. Finally, there was no hidden trick except detecting IsDebuggerPresent.

The reason that it wouldn't work before was that I didn't find the correct Size and RVA of the IAT.
ImpRec showed me incorrect values of RVA and Size when I entered the correct OEP.

4Ever apprentice