Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Help to fixing API-Calls (https://forum.exetools.com/showthread.php?t=7452)

Nukacola 04-28-2005 02:23

Help me to fix API-Calls
 
Hi,
I'm trying to fix some calls to APIs which are made through a "call api-address". No problem so far: replace the address with the address of the API. OK, but this isn't working on other OSes than mine. So my question is: is it
possible to fix these calls like call dword ptr:[IAT_address] without increasing the size? Because for calls like call dword ptr:[IAT_address] I must only change the IAT_address to the right API call. I tried everything with my poor asm; maybe some advice from a guru?? I thought about a loader checking the OS and replacing the calls,
but that's a lot of work. I also tried replacing call api-address with a jmp to free space where I assembled a call dword ptr:[iat-address] and a jmp back, but this isn't working. :mad:

Greetings

Nukacola

sHice 04-28-2005 02:44

Look if there is a garbage byte in front of or after the call, sth like
90 nop
E8???????? call api-address
then you can convert the 5-byte call into a 6-byte call (call [api-address]).
Which protector are you dealing with?

NeOXOeN 04-28-2005 04:56

Can you plz be more specific or clearer in forming your question; some example code would be nice.

Sorry, but I really didn't understand what you are trying to achieve here, but maybe it's only my English :P

Bye NeO

MaRKuS-DJM 04-29-2005 01:29

If I read your post correctly, it seems you have no Import Table. Without it, you won't get all entries valid for every OS.

What you can do:
write a resolver through the APIs LoadLibrary, GetModuleHandleA, GetProcAddress (for advanced users)
or
use ImpREC to get a valid IT with the option "Create new IAT".

Nukacola 05-11-2005 01:24

Oh sorry, but I haven't had much time the last days, so I couldn't repost.
I see that I have made a big mistake, because I don't
call dword ptr:[IAT_address]; I call call dword ptr:[ImportTable_address]
and there's no valid IAT in the file. There are 2 IATs, but both aren't valid, I guess. And none is set in the PE header IAT entry field. But I have an Import Table located at 1000h because it's a VB6 app. :)

OK, the protection I'm dealing with is again SecuROM v4.8xx.

Here is a snippet of the code...

Code:

NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
PUSH EBP
MOV EBP,ESP
SUB ESP,0C
PUSH s*******.00401AB6                  ; SE handler installation
MOV EAX,DWORD PTR FS:[0]
PUSH EAX
MOV DWORD PTR FS:[0],ESP
SUB ESP,2C
PUSH EBX
PUSH ESI
PUSH EDI
MOV DWORD PTR SS:[EBP-C],ESP
MOV DWORD PTR SS:[EBP-8],s*******.00401338
MOV EDX,DWORD PTR SS:[EBP+8]
XOR ESI,ESI
LEA ECX,DWORD PTR SS:[EBP-24]
MOV DWORD PTR SS:[EBP-1C],ESI
MOV DWORD PTR SS:[EBP-24],ESI
MOV DWORD PTR SS:[EBP-2C],ESI
MOV DWORD PTR SS:[EBP-30],ESI
MOV DWORD PTR SS:[EBP-34],ESI
CALL DWORD PTR DS:[939510]  ; this call also leads into SecuROM, but fixing this one is no problem
LEA EAX,DWORD PTR SS:[EBP-28]
PUSH EAX
PUSH 800
INC EAX
CALL s*******.00911E00 ; this call also leads into SecuROM, but I can't fix it as easily as the one above
MOV ECX,DWORD PTR SS:[EBP+C]
PUSH ESI
PUSH ESI
PUSH ESI
PUSH ECX
LEA EDX,DWORD PTR SS:[EBP-30]
PUSH s*******.006203B0
PUSH EDX
DAA
CALL s*******.00911FC0 ; here again a SecuROM call
PUSH EAX
CALL s*******.0061FB50 ; no SecuROM call here

I also tried to rip the code for the call to SecuROM out and load it in my dump at the same address, but the resolver is using code from the SecuROM sections I have removed, so it crashed...

sHice 05-11-2005 02:30

I can't remember exactly how I did it with sec5, but I'll try to tell you what I can remember. I think there's no big difference between sec5 and 4.8.
Like I said in my previous post, there's always a garbage byte before/after the call to the sec section which has to be overwritten to insert the 6-byte call dword ptr [iat]. Garbage instructions are for example DAA, INC EAX, NOP...
At the end of the call to the sec section there is a jmp eax or ret with the right API offset in EAX or on the stack, so you have to grab the API offset there. Then you have to search for the API offset in the original IAT of the program. SecuROM leaves the IAT and IT untouched, so we will need no ImpREC at all. If you have found the API offset in the original IAT, you can fix the call to the sec section to call dword ptr [iat] (overwriting the garbage byte). If you are done with all calls, you can dump and fix the IT offset with LordPE. Don't forget to paste the untouched FirstThunks when you are done.
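
The rewrite sHice describes (find the one-byte filler next to the 5-byte E8 call into the stub, look the address the stub resolves to up in the untouched IAT, and overwrite the 6-byte window with FF 15 [slot]), as an added Python example that is not from this thread or from any tool named in it. The base address, code bytes, stub addresses and IAT contents are all constructed for the demo, and the stub-to-API mapping stands in for the value you read out of EAX (or off the stack) at the stub's jmp eax/ret.

```python
import struct
# Constructed demo: all addresses, code bytes and IAT contents are made up for this example.
GARBAGE = {0x90, 0x40, 0x27}   # nop, inc eax, daa: one-byte filler found next to the stub calls
CALL_REL32, CALL_IND = 0xE8, b"\xFF\x15"   # E8 disp32 (5 bytes) / FF 15 abs32 = call [abs32] (6 bytes)

def rel32_target(code, off, base):
    """VA reached by the E8 call encoded at code[off]."""
    return base + off + 5 + struct.unpack_from("<i", code, off + 1)[0]

def call_rel32(from_va, to_va):
    """Encode 'call to_va' placed at from_va (used here only to build the sample)."""
    return bytes([CALL_REL32]) + struct.pack("<i", to_va - (from_va + 5))

def find_iat_slot(iat, iat_va, api_va):
    """Search the untouched IAT for api_va; return the VA of that slot, or None."""
    hits = [iat_va + i for i in range(0, len(iat) - 3, 4)
            if struct.unpack_from("<I", iat, i)[0] == api_va]
    return hits[0] if hits else None

def fix_calls(code, base, stub_resolves, iat, iat_va):
    """Rewrite each E8 call into a known stub as FF15 [IAT slot], consuming the adjacent filler byte.
    stub_resolves maps stub VA -> API VA the stub ends up with (in EAX / on the stack)."""
    code, fixed, off = bytearray(code), [], 0
    while off + 5 <= len(code):
        target = rel32_target(code, off, base) if code[off] == CALL_REL32 else None
        if target not in stub_resolves:          # not an E8, or a call that does not go to the stub
            off += 1
            continue
        slot = find_iat_slot(iat, iat_va, stub_resolves[target])
        if slot is None:
            raise ValueError("API %#x is not in the original IAT" % stub_resolves[target])
        if off >= 1 and code[off - 1] in GARBAGE:                # filler before the call: start one byte early
            win = off - 1
        elif off + 5 < len(code) and code[off + 5] in GARBAGE:  # filler after: the 6th byte absorbs it
            win = off
        else:
            raise ValueError("no filler byte next to the call at %#x" % (base + off))
        code[win:win + 6] = CALL_IND + struct.pack("<I", slot)  # same size, nothing after it shifts
        fixed.append((base + win, slot))
        off = win + 6
    return bytes(code), fixed

# Sample modelled on the listing above: push eax / push 800 / inc eax / call stub1 /
# mov ecx,[ebp+0C] / push edx / daa / call stub2 / push eax
BASE, IAT_VA = 0x401000, 0x40B000
STUB_RESOLVES = {0x911E00: 0x77E00200, 0x911FC0: 0x77E00300}   # stub VA -> API VA it resolves to
SAMPLE_IAT = struct.pack("<3I", 0x77E00100, 0x77E00200, 0x77E00300)
SAMPLE_CODE = (b"\x50\x68\x00\x08\x00\x00\x40" + call_rel32(BASE + 7, 0x911E00)
               + b"\x8B\x4D\x0C\x52\x27" + call_rel32(BASE + 17, 0x911FC0) + b"\x50")
```

Running `fix_calls(SAMPLE_CODE, BASE, STUB_RESOLVES, SAMPLE_IAT, IAT_VA)` patches both sites in place (the inc eax and the daa are eaten by the longer encoding) and refuses a call site with no filler byte instead of shifting the code.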

Nukacola 05-11-2005 16:49

Ohh yes, damn, I guess the inc eax and the daa are the garbage bytes. Sorry for bothering you with this simple problem, because I was looking for a nop....
lol, easy solution...

Thanks, Nukacola

