Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Can`t restore import table (https://forum.exetools.com/showthread.php?t=2951)

thechatter 11-13-2003 04:52
Can`t restore import table
 
If this seems like a crack request, that`s not the case since there is not much to crack in this file, only for educational purposes , ahum ..

The file i`m talking about is the program aworld.exe which can be found in the archive hxxp://objects.activeworlds.com/downloads/awb34.exe

I`m trying to recover the import table. Till so far I have been succesful with different programs by using the simple, but effective ollydbg+import reconstructur approach.

But unfortunately that doesn`t work, for me at least, this time. I tried to find the OEP of the program, which is 4A28B4 or 4A37E5 i think. And import recovery show a nice table of imported functions.

HOWEVER when I try to execute my dumped executable it crashes, can anyone give me some tips, or a good tutorial ...

britedream 11-13-2003 20:28
oep= 4a37e5
IAT=4b0000 size 528
dump is working on this info,but didn't test any function.

thechatter 11-13-2003 21:33
Hmm I tried it again, since you confirm my OEP, but I still can`t create a workable dump. The only time i got something useful was when the splash screen shows up, but then I got an error because it was referencing to a memory address which was not in the dump.

Can you tell me how you made the dump, and perhaps post the dump here for me to download ?

In anycase thanks for the help !

britedream 11-13-2003 21:57
just dump at 4a37e5, if u like to use ollydbg to dump, fine,just uncheck rebuild imoprt option, then
use imporTRec to rebuild yr iat with info I gave u as follow
oep 000a37e5
RVA 000b0000 size 528

thechatter 11-14-2003 00:02
But if I do that the program will run, but after 5 seconds I`ll get :

The instruction at 0x004a28b4 referenced memory at 0x69b82b04. The memory could not be written.

So what am I doing wrong ?

Thanks for the help I really appriciate it.

MaRKuS-DJM 11-14-2003 00:39
here's a valid dump and the iat is fixed... hope you will study it...

britedream, do you know which packer it is??? i didn't find it out...

@thechatter: it isn't cracked, this is your work ;)

thechatter 11-14-2003 02:51
Both of you, many thanks ! Still find it strange it didn`t work for me, but hey since i`m just starting i`m allowed to make some mistakes :)

For the cracking part, i`ve got the server running , now let`s hope i can point the browser to it :)

britedream 11-14-2003 03:24
Please note that the info I gave u is done on xp pro sp1
regards

britedream 11-14-2003 03:50
To markus , my guess is homemade upx

MaRKuS-DJM 11-14-2003 21:01
thanks britedream :) but i was wondering that peid didn't identify it... in olly the first lines really look like upx

thx
MaRKuS TH-DJM


All times are GMT +8. The time now is 11:58.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX