Import OS Fixing

[JMI]

From what I've read elsewhere, I believe the main issue is that some of the API's have different names and maybe ordinals between 9X and NT based OS systems. I've never used a dual boot system and never tried to use a patched program I'd made on another OS, so didn't pay that close attention, other than the quick read.

I think I read some threads on the issue on the Woodmann Forum, but don't have time at the moment to try to find them for you. I'll post something later, if I get the chance.

Regards,

Study more, my friend. The answer is easy - it is called OriginalFirstThunk.

Long ago I wrote an article about all that, but it is in Russian - sorry...
http://wasm.ru/article.php?article=packlast01

You could probably just see the pictures. I can translate them right here.

yah, now when you want to create patches..this becames problematic..

first of all: better is not to use automated tools, but try clear manual unpacking;
ok, this can be too much hard for you.

than 2nd suggestion:
unpack on both W9x & Nt systems, then compare RESOLVED imports;
when you see difference, now you need in debugger confirm exact import name;

(usually RestoreLastError sux:)

[MaRKuS-DJM]

Quote:

Originally Posted by JMI

I think I read some threads on the issue on the Woodmann Forum, but don't have time at the moment to try to find them for you. I'll post something later, if I get the chance.

thanks JMI. i have already read some threads on Woodman of this issue, but didn't find something really helpful. maybe you saw other threads

Quote:

Originally Posted by volodya

Study more, my friend. The answer is easy - it is called OriginalFirstThunk.

There's a option in ImpRec... "Import Original FT".
does this solve the problem? i never tried it.

Quote:

Originally Posted by evaluator

first of all: better is not to use automated tools, but try clear manual unpacking;

i'm getting closer to it. but all i did for now was to write some functions which resolved imports for me, no ImpRec Disassembly or Tracer fix. so i got only valid imports in ImpRec. i'm at some "semi-manual" unpacker level.

Quote:

Originally Posted by evaluator

unpack on both W9x & Nt systems, then compare RESOLVED imports;
when you see difference, now you need in debugger confirm exact import name;

do you think this is a good method? it seems a bit time-consuming to do this for every packer...

huh?
if you are seeking COMFORT, than big sorriE!

1. you need do this comparision if only you are going to share your workz;
2. also there is old future for w9x, called import Renormalizing.. can be usefull;
(but some prots can detect it)

[MaRKuS-DJM]

i'm not searching comfort, but i thought there would be a easier way to get OriginalFirstThunk. for very much targets i did inline-patching, but i've never seen a inline-patch for Asprotect 1.23. but as i see, ASPR-Stripper is able to fix the imports for every OS without any problems

mostly i think, aspr-stripper not resolves imports but grabs them from aspr;
so all is ok;


>OriginalFirstThunk
?? you are messing something..

[MaRKuS-DJM]

OriginalFirstThunk
i think it should fix the problem?

maybe i should read some tutorials for Import Table... do you know a good one?
PS: i found some description how to fix for every OS in safedisc... it's a very long article, but maybe it helps

[Jay]

If I remember correctly Lunar_Dust released a First_Thunk_Rebuilder, never had occasion to use it so I don't know if will help you with your problem, may be worth checking out.

[britedream]

Quote:

Originally Posted by MaRKuS-DJM

i'm not searching comfort, but i thought there would be a easier way to get OriginalFirstThunk.

Hi ,
I am only responding to your quotation above, I don't have the target.but after adding 80h, you will have VA, at this Va , there is Rva pointing to importDirectory, where you can find the OriginalFirstThunk you are looking for.

[MaRKuS-DJM]

Quote:

Originally Posted by britedream

Hi ,
I am only responding to your quotation above, I don't have the target.but after adding 80h, you will have VA, at this Va , there is Rva pointing to importDirectory, where you can find the OriginalFirstThunk you are looking for.

oh thanks it looks interesting... i'll see what i can do with it