Old 05-11-2005, 02:30
I can't remember exactly how I did it with sec5, but I'll try to tell you what I can remember. I think there's no big difference between sec5 and 4.8.

Like I said in my previous post, there's always a garbage byte before/after the call to the sec section which has to be overwritten to insert the 6-byte `call dword ptr [iat]`. Garbage instructions are, for example, DAA, inc eax, nop...

At the end of the call to the sec section there is a `jmp eax` or `ret` with the right API offset in eax or on the stack, so you have to grab the API offset there. Then you have to search for the API offset in the original IAT of the program. SecuROM leaves the IAT and IT untouched, so we will need no ImpREC at all. If you have found the API offset in the original IAT, you can fix the call to the sec section to `call dword ptr [iat]` (overwriting the garbage byte). If you are done with all the calls, you can dump and fix the IT offset with LordPE. Don't forget to paste the untouched FirstThunks when you are done.