b41ulu
07-20-2009, 11:35 PM
Ok, before I get flamed about not using the search tool: I have, and I've read the tutorials on ASProtect. I've also read countless others out on other sites, yet I still can't seem to find any clues for repairing my IAT.
The target is SFrame.exe
http://rapidshare.com/files/258187320/SFrame_old.exe.html
I've successfully dumped the program, but the IAT repair isn't going well. About 90% of the thunks seem to be taken care of with ImpREC's "Trace Level 1 (Disasm)" feature, but the other ~10% remain invalid. I've tried every other trace feature, including the plugins for aspr 1.23 rc4 and all the other ASProtect plugins, but I am still left with invalid thunks.
I have read that nProtect mods protectors, and I have a sinking suspicion that this is another case of it.
What I've observed thus far:
- Calls are redirected to a segment at the end of the code (API redirection, right?)
- The segment doesn't exist at load time
- It is created right before an algorithm that does the API redirection (I can't decipher it :( )
I don't mean to beg, but I have been working on this for the last week or so and have made no headway. If anyone can explain how the APIs are being redirected, or document an unpacking strategy for the target, it would be greatly appreciated, and I will be sure to re-work it into a tutorial so that noobs like me can stop bugging the intelligent people on message boards.
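An added illustration of what the "invalid thunk" problem above looks like from the rebuilder's side; this is example code, not part of the original post and not ImpREC's or ASProtect's code. Everything in it is constructed: the module map, the export addresses, the IAT and the bytes of the run-time "redirection segment". The trampoline patterns it follows (jmp rel32, push imm32/ret, mov eax,imm32/jmp eax) are generic examples of API redirection, not a reproduction of ASProtect's actual stubs, and the hop limit is there so a looping or obfuscated stub is reported as invalid instead of hanging the trace.

```python
import struct

# Constructed 32-bit memory map for the example: two loaded DLLs and a
# "redirection segment" (STUB_BASE) that exists only at run time, placed
# after the code section like the one the poster describes.
MODULES = {
    "kernel32.dll": (0x7C800000, 0x000F6000),   # constructed base/size
    "user32.dll":   (0x7E410000, 0x00091000),
}
EXPORTS = {                                     # constructed export addresses
    0x7C80B741: "kernel32.dll!GetModuleHandleA",
    0x7C801D7B: "kernel32.dll!LoadLibraryA",
    0x7E4196C0: "user32.dll!MessageBoxA",
}
STUB_BASE = 0x00410000
STUB_MEM = bytearray(0x50)

def _put(off, data):
    STUB_MEM[off:off + len(data)] = data

def _jmp(src, dst):                             # E9 rel32, relative to next insn
    return b"\xe9" + struct.pack("<i", dst - (src + 5))

# Constructed stubs: three resolvable patterns, one chained stub, junk, a loop.
_put(0x00, _jmp(STUB_BASE + 0x00, 0x7C80B741))                   # jmp GetModuleHandleA
_put(0x10, b"\x68" + struct.pack("<I", 0x7C801D7B) + b"\xc3")    # push LoadLibraryA ; ret
_put(0x20, b"\xb8" + struct.pack("<I", 0x7E4196C0) + b"\xff\xe0")  # mov eax,MessageBoxA ; jmp eax
_put(0x30, _jmp(STUB_BASE + 0x30, STUB_BASE + 0x10))             # jmp to the push/ret stub
_put(0x38, b"\x90\x90\xcc\xcc\xcc\xcc\xcc")                      # unrecognised bytes
_put(0x40, _jmp(STUB_BASE + 0x40, STUB_BASE + 0x40))             # jmp to itself

def read(addr, n):
    """Read n bytes from the constructed stub segment, None if unmapped."""
    off = addr - STUB_BASE
    if 0 <= off and off + n <= len(STUB_MEM):
        return bytes(STUB_MEM[off:off + n])
    return None

def module_of(addr):
    for name, (base, size) in MODULES.items():
        if base <= addr < base + size:
            return name
    return None

def follow_stub(addr, max_hops=8):
    """Follow simple trampolines until a known export is reached.
    Returns the export address, or None for an unknown pattern, unmapped
    memory, or when the hop limit is hit (which catches looping stubs)."""
    for _ in range(max_hops):
        if addr in EXPORTS:
            return addr
        code = read(addr, 7)
        if code is None:
            return None
        if code[0] == 0xE9:                                   # jmp rel32
            addr = (addr + 5 + struct.unpack("<i", code[1:5])[0]) & 0xFFFFFFFF
        elif code[0] == 0x68 and code[5] == 0xC3:             # push imm32 ; ret
            addr = struct.unpack("<I", code[1:5])[0]
        elif code[0] == 0xB8 and code[5:7] == b"\xff\xe0":    # mov eax, imm32 ; jmp eax
            addr = struct.unpack("<I", code[1:5])[0]
        else:
            return None
    return None

def classify_thunk(value):
    """Mirror a rebuilder's verdict for one IAT slot."""
    if value in EXPORTS:
        return ("ok", EXPORTS[value])
    if module_of(value):
        return ("unknown_export", None)     # inside a DLL, but not at an export
    target = follow_stub(value)
    if target is not None:
        return ("redirected", EXPORTS[target])
    return ("invalid", None)                # what ImpREC shows as an invalid thunk

def repair_iat(thunks):
    """Return (thunk_value, status, resolved_name) up to the zero terminator."""
    out = []
    for value in thunks:
        if value == 0:
            break
        status, name = classify_thunk(value)
        out.append((value, status, name))
    return out

# Constructed IAT as it would look in a dump taken after the protector ran.
IAT = [0x7C80B741, STUB_BASE, STUB_BASE + 0x10, STUB_BASE + 0x20,
       STUB_BASE + 0x30, 0x7C80B745, STUB_BASE + 0x38, STUB_BASE + 0x40, 0]

if __name__ == "__main__":
    for value, status, name in repair_iat(IAT):
        print(f"{value:08X}  {status:<15} {name or ''}")
```

The two entries that come back as "invalid" are the interesting ones: a rebuilder's disassembly trace stops at exactly the same point, so the practical next step on a real target is to break on the thunk value in the debugger, step into the stub and record which instruction sequence the trace does not understand, then add that pattern to the resolver (or to a custom tracer plugin) rather than patching thunks by hand.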