Jasi2169
07-03-2026, 09:20
v1.2 (02/Jul/2026)
- Added the --iat-force argument to ignore the import descriptor chain and rebuild imports by SCANNING memory for the IAT; needed if the dump was made using the oep arguments in Jasi Native Assembly Dumper.
- Enhanced the import rebuilder with a bitness check and supplied an x86 PE Builder for x86 files.

Quote:
Usages:
Normal target (MSVC / Delphi, not packed):
JasiNativeDumper --target app.exe --out dumped
JasiPEBuilder dumped\0_app.exe

--target gives a clean pre-init dump; the descriptor chain is intact, strategies 1/2a resolve everything.

Running process (attach):
JasiNativeDumper --attach <pid> --out dumped
JasiPEBuilder dumped\0_app.exe

Attach dumps hold runtime VAs - Strategy 2b resolves via modules.map.

Packed target (UPX / ASPack / compressor-class), via OEP:
1. Load target in x64dbg; run to the real OEP
(UPX: break on the tail jmp after popad; step once onto OEP).
2. JasiNativeDumper --attach <pid> --oep-va 0x<OEP-from-x64dbg> --out oep
3. JasiPEBuilder oep\0_app.exe --iat-force --strip-relocs

--oep-va takes the absolute address from x64dbg; the dumper subtracts the live base to get the RVA and stamps AddressOfEntryPoint.
--iat-force scans for the packer-rebuilt IAT (chain is a stub).
--strip-relocs is required: the dump is already relocated, so keeping relocations double-applies them and crashes at startup.

Notes:
- Use x86 builder for 32-bit dumps, x64 builder for 64-bit dumps.
- modules.map is required for --attach and --iat-force resolution (it carries the actual module bases). Optional for --target/MSVC.
- Use --iat-force only for packed dumps. Normal dumps have a valid descriptor chain and full strategy ladder - don't force-scan them.
- Handles unpacked binaries and compressor-class packers (UPX, ASPack, PECompact) via OEP. Not code-virtualization protectors (VMProtect, Themida) or heavy import-obfuscation (ASProtect) - those need dedicated devirtualization.

Last edited by Jasi2169; 07-03-2026 at 11:02.
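The --iat-force idea described in the post (scan the dump for runs of pointers that land inside known module ranges, instead of trusting the packer's stub descriptor chain), as an added Python sketch that is not the dumper's or builder's own code. The real layout of modules.map is not shown in the post, so the module table below is a constructed assumption, as is the sample dump.

```python
import struct

# Constructed module table standing in for the dumper's modules.map; that file's
# real layout is not shown in the post, so (name, base, size) is an assumption.
MODULES = [("kernel32.dll", 0x7FF800000000, 0x0C0000), ("user32.dll", 0x7FF810000000, 0x200000)]

def owning_module(va, modules=MODULES):
    for name, base, size in modules:
        if base <= va < base + size:  # pointer lands inside a loaded module
            return name
    return None

def descriptor_chain_entries(idata):
    """Count usable IMAGE_IMPORT_DESCRIPTORs (20 bytes each) up to the null terminator.
    0 means a stub chain (the packed case where --iat-force is needed)."""
    count = 0
    for off in range(0, len(idata) - 19, 20):
        _oft, _ts, _fwd, name, ft = struct.unpack_from("<5I", idata, off)
        if name == 0 and ft == 0:  # all-zero descriptor terminates the chain
            break
        if name and ft:
            count += 1
    return count

def find_iat_candidates(image, modules=MODULES, ptr_size=8, min_run=3):
    """The --iat-force idea: walk an RVA-indexed dump and report runs of
    pointer-sized values that resolve into known modules as (rva, count)."""
    fmt = "<Q" if ptr_size == 8 else "<I"
    runs, off = [], 0
    while off + ptr_size <= len(image):
        start = off
        while off + ptr_size <= len(image) and \
                owning_module(struct.unpack_from(fmt, image, off)[0], modules):
            off += ptr_size
        count = (off - start) // ptr_size
        if count >= min_run:
            runs.append((start, count))
        if count == 0:  # not a module pointer here, step over it
            off += ptr_size
    return runs

# Constructed 0x80-byte dump: a 4-entry IAT at RVA 0x20 plus a 2-entry run at
# RVA 0x50 that min_run rejects as noise.
SAMPLE = bytearray(0x80)
for rva, va in ((0x20, 0x7FF800001000), (0x28, 0x7FF800002000), (0x30, 0x7FF810000500),
                (0x38, 0x7FF800003000), (0x50, 0x7FF800004000), (0x58, 0x7FF800005000)):
    struct.pack_into("<Q", SAMPLE, rva, va)
SAMPLE = bytes(SAMPLE)
```

Pass ptr_size=4 for a 32-bit dump, matching the post's rule that the builder's bitness must follow the dump's.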