|
|
#1
11-13-2003, 04:52
|
|||
|
|||
|
Can`t restore import table
If this seems like a crack request, that`s not the case since there is not much to crack in this file, only for educational purposes , ahum ..
The file i`m talking about is the program aworld.exe which can be found in the archive hxxp://objects.activeworlds.com/downloads/awb34.exe I`m trying to recover the import table. Till so far I have been succesful with different programs by using the simple, but effective ollydbg+import reconstructur approach. But unfortunately that doesn`t work, for me at least, this time. I tried to find the OEP of the program, which is 4A28B4 or 4A37E5 i think. And import recovery show a nice table of imported functions. HOWEVER when I try to execute my dumped executable it crashes, can anyone give me some tips, or a good tutorial ... 
|
|
#2
11-13-2003, 20:28
|
|||
|
|||
|
oep= 4a37e5
IAT=4b0000 size 528 dump is working on this info,but didn't test any function.
|
|
#3
11-13-2003, 21:33
|
|||
|
|||
|
Hmm I tried it again, since you confirm my OEP, but I still can`t create a workable dump. The only time i got something useful was when the splash screen shows up, but then I got an error because it was referencing to a memory address which was not in the dump.
Can you tell me how you made the dump, and perhaps post the dump here for me to download ? In anycase thanks for the help !
|
|
#4
11-13-2003, 21:57
|
|||
|
|||
|
just dump at 4a37e5, if u like to use ollydbg to dump, fine,just uncheck rebuild imoprt option, then
use imporTRec to rebuild yr iat with info I gave u as follow oep 000a37e5 RVA 000b0000 size 528 Last edited by britedream; 11-13-2003 at 22:01.
|
|
#5
11-14-2003, 00:02
|
|||
|
|||
|
But if I do that the program will run, but after 5 seconds I`ll get :
The instruction at 0x004a28b4 referenced memory at 0x69b82b04. The memory could not be written. So what am I doing wrong ? Thanks for the help I really appriciate it.
|
|
#6
11-14-2003, 00:39
|
||||
|
||||
|
here's a valid dump and the iat is fixed... hope you will study it...
britedream, do you know which packer it is??? i didn't find it out... @thechatter: it isn't cracked, this is your work 
|
|
#7
11-14-2003, 02:51
|
|||
|
|||
|
Both of you, many thanks ! Still find it strange it didn`t work for me, but hey since i`m just starting i`m allowed to make some mistakes
 For the cracking part, i`ve got the server running , now let`s hope i can point the browser to it
|
|
#8
11-14-2003, 03:24
|
|||
|
|||
|
Please note that the info I gave u is done on xp pro sp1
regards Last edited by britedream; 11-14-2003 at 03:28.
|
|
#9
11-14-2003, 03:50
|
|||
|
|||
|
To markus , my guess is homemade upx
|
|
#10
11-14-2003, 21:01
|
||||
|
||||
|
thanks britedream
but i was wondering that peid didn't identify it... in olly the first lines really look like upxthx MaRKuS TH-DJM
|
 |
| Thread Tools | |
| Display Modes | |
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Add imports to DLL import table | jonwil | General Discussion | 5 | 09-07-2020 16:47 |
| How to shuffle names in the PE import table? | Newbie_Cracker | General Discussion | 5 | 08-25-2019 03:59 |
| Injective Code inside Import Table (Tutorial) | Franeppe | General Discussion | 1 | 06-08-2006 00:24 |
| Import Rebuilding Without Import Table | Kerlingen | General Discussion | 11 | 01-13-2005 10:24 |
| Changing Import Table?? | magic | General Discussion | 3 | 09-14-2003 01:59 |
Linear Mode
