R@dier ::
another approach to fixing imports in a dumped file; move your unresolved import address straight into the IAT.
here are some notes i made when unpacking aspack2.1, maybe it could be useful for you in other versions ::
original import table :: pep + 0x2b
- this is a dword which holds the original ImportTable RVA.
dll name eraser :: pep + 0x4c6
- this replaces the first dword of a dll name (eg kernel32.dll) with 0. just nop it.
import resolves :: pep + 0x4b8
- the routine call to resolve an import-function address for the IAT. you can just move the unresolved address to the IAT.
oep write :: pep + 0x4ec
- this moves the oep to the oep jmp at ::
oep jmp :: pep + 0x4fd
- the oep jmp.
in the pe-scan unpacking routines i patched the loader and put a breakpoint at the oep jump, _then_ dumped the file and fixed the header. basically, the loader does all the work for you. =)
however it's not failsafe; it does rely on the asm opcodes being in a set offset. i'm working on a search-and-destroy patcher for the opcodes found at the above offsets.
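An added example (not code from the post above): a Python script for the post-dump steps described there. It writes the OEP and the original ImportTable RVA (the value read from pep+0x2b) into the dump's header, and checks that the IAT holds unresolved thunks (name RVAs or ordinals) rather than resolved API addresses, which would mean the loader patch missed an entry. It assumes a PE32 dump whose file offsets equal RVAs; the sample image and its IAT values are constructed.

```python
import struct

def _opt_header(data):
    """Offset of the PE32 optional header; raises on a non-PE or PE32+ image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                      # skip signature + IMAGE_FILE_HEADER
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    return opt

def fix_dump_header(data, oep_rva, import_rva, import_size):
    """Patch AddressOfEntryPoint and DataDirectory[IMPORT] in a dumped image."""
    buf = bytearray(data)
    opt = _opt_header(buf)
    struct.pack_into("<I", buf, opt + 16, oep_rva)                  # OEP
    struct.pack_into("<II", buf, opt + 104, import_rva, import_size)  # original import table
    return bytes(buf)

def classify_iat(data, iat_rva, count):
    """Label each IAT dword: name (RVA inside image), ordinal, resolved (API address), end."""
    size_of_image = struct.unpack_from("<I", data, _opt_header(data) + 56)[0]
    labels = []
    for i in range(count):
        v = struct.unpack_from("<I", data, iat_rva + 4 * i)[0]
        if v == 0:
            labels.append("end")
        elif v & 0x80000000:
            labels.append("ordinal")
        elif v < size_of_image:
            labels.append("name")
        else:                                # loader wrote a real address: import not fixed
            labels.append("resolved")
    return labels

def build_sample_dump():
    """Constructed PE32 skeleton (RVA == file offset) with a 4-entry IAT at RVA 0x200."""
    buf = bytearray(0x400)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                  # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x44, 0x14C, 0)             # i386, no sections
    struct.pack_into("<H", buf, 0x44 + 16, 224)              # SizeOfOptionalHeader
    struct.pack_into("<H", buf, 0x58, 0x10B)                 # PE32 magic
    struct.pack_into("<I", buf, 0x58 + 28, 0x400000)         # ImageBase
    struct.pack_into("<I", buf, 0x58 + 56, 0x400)            # SizeOfImage
    # name RVA, ordinal, a still-resolved API pointer (constructed value), terminator
    struct.pack_into("<IIII", buf, 0x200, 0x2A0, 0x80000010, 0x7C800000, 0)
    return bytes(buf)
```

Run classify_iat on the real dump's IAT range first; any "resolved" entry means the import-resolve routine at pep+0x4b8 still wrote a live address and the dump needs that thunk restored before the header fix is worth anything.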