Quote:
Now do you understand why you need to dump at 4072DC?
Yep, I think I've got it; really good explanation by the way. Thanks!
Quote:
Note that there are three extra sections in this particular app (assuming you have fixed the IAT using ImpRec in the normal manner): .data, .adata, and .mackt. In other words, everything after the resource section (this has been the case in every ASPR'd app I have seen).
Okay. I can see those three sections.
LordPE gives me the following section table (raw offsets):
ROffset
001000 => Code
214000
226000 => 0x4000 zeros in file
22A000
22E000 => 0x1000 zeros in file
22F000 => 0x1000 zeros in file
230000
231000 => 0x21000 zeros in file
252000 (.rsrc)
2EA000 (.data)
312000 (.adata) => 0x1000 zeros in file
313000 (.mackt) => contains IAT
Now I'm not sure about those zero sections. Would it be possible to delete them? I imagine this: Delete, for example, those 0x4000 bytes at ROffset 226000, so file size decreases by 0x4000.
The NumberOfSections becomes 11 instead of 12 and all ROffsets of the sections that come after the deleted one must be decreased by 0x4000.
Would the PE loader be able to load the resulting file correctly?
I don't know, because the 0x4000 bytes in memory at VA ImageBase+0x226000 are no longer initialized with zeros; this part of memory isn't even covered by the section table anymore.
I think I should conduct some experiments...
Regards
Wurstgote
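As an added illustration (my own example code, not part of Wurstgote's post or any tool named in it) of the experiment described above: instead of deleting the header entry, which leaves the VA range uncovered, a section whose raw data is all zeros can keep its entry with SizeOfRawData and PointerToRawData set to 0; the loader still reserves VirtualSize bytes at the VA and zero-fills them, exactly as it does for .bss, and only the raw pointers of the sections that follow need shifting. The image it operates on is a constructed stand-in with a 0x200-byte header area and three sections, not a real ASProtect dump, and the section names and offsets are assumptions.

```python
import struct

# IMAGE_SECTION_HEADER: 40 bytes, field order per the PE/COFF specification.
SEC = struct.Struct("<8sIIIIIIHHI")
FIELDS = ("Name", "VirtualSize", "VirtualAddress", "SizeOfRawData", "PointerToRawData",
          "PtrRelocs", "PtrLines", "NumRelocs", "NumLines", "Characteristics")

def parse_sections(image, table_off, count):
    """Decode `count` section headers found at file offset `table_off`."""
    return [dict(zip(FIELDS, SEC.unpack_from(image, table_off + i * SEC.size)))
            for i in range(count)]

def raw_is_all_zero(image, s):
    """True when the section's bytes in the file (SizeOfRawData of them) are all zero."""
    start, size = s["PointerToRawData"], s["SizeOfRawData"]
    return size > 0 and not any(image[start:start + size])

def strip_zero_raw_data(image, table_off, count):
    """Drop all-zero raw data from the file but keep every header entry.
    Such sections get SizeOfRawData = PointerToRawData = 0, so the loader
    still reserves VirtualSize bytes at their VA and zero-fills them (the
    .bss convention); raw pointers of the sections that follow shift down
    by the bytes removed.  Assumes SizeOfRawData is already file-aligned,
    as in a properly dumped image.  Returns (new_image, sections)."""
    secs = parse_sections(image, table_off, count)
    with_data = [s for s in secs if s["SizeOfRawData"] > 0]
    out = bytearray(image[:min(s["PointerToRawData"] for s in with_data)])  # headers
    for s in sorted(with_data, key=lambda s: s["PointerToRawData"]):
        src, size = s["PointerToRawData"], s["SizeOfRawData"]
        if raw_is_all_zero(image, s):
            s["SizeOfRawData"] = s["PointerToRawData"] = 0
            continue
        s["PointerToRawData"] = len(out)     # new raw offset after earlier removals
        out += image[src:src + size]
    for i, s in enumerate(secs):             # write the updated table back
        SEC.pack_into(out, table_off + i * SEC.size, *(s[f] for f in FIELDS))
    return bytes(out), secs

def build_sample():
    """Constructed image (not a real binary): 0x200 bytes of headers with the
    section table at 0x100, then three file-aligned sections, the middle one
    entirely zero in the file like the 0x4000-byte block in the post."""
    table = [(b".text", 0x1000, 0x1000, 0x200, 0x200, 0x60000020),
             (b".zero", 0x4000, 0x2000, 0x400, 0x400, 0xC0000040),
             (b".rsrc", 0x1000, 0x6000, 0x200, 0x800, 0x40000040)]
    img = bytearray(0x200)
    for i, (name, vs, va, rs, ro, ch) in enumerate(table):
        SEC.pack_into(img, 0x100 + i * SEC.size, name, vs, va, rs, ro, 0, 0, 0, 0, ch)
    img += bytes(i % 255 + 1 for i in range(0x200))   # .text: no zero bytes
    img += bytes(0x400)                                # .zero: all zeros in file
    img += b"\x55" * 0x200                             # .rsrc
    return bytes(img)
```

Running it on a real dump means pointing `table_off` at the section table of the file (e_lfanew + 24 + SizeOfOptionalHeader) and `count` at NumberOfSections; any section whose raw data is not actually all zero is copied through unchanged.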