Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 11-13-2006, 06:03
Newbie_Cracker's Avatar
Newbie_Cracker Newbie_Cracker is offline
VIP
 
Join Date: Jan 2005
Posts: 227
Rept. Given: 72
Rept. Rcvd 26 Times in 12 Posts
Thanks Given: 49
Thanks Rcvd at 25 Times in 18 Posts
Newbie_Cracker Reputation: 26
ImpRec bug ?!!

Hello everybody,

Have you encounter any problem during using ImpRec if your targat uses both FF 15 & FF 25 for addressing imports?

Is there any fix for this?

Today I unpacked a dll, then it crashed. After an hour (!!!), I noticed this bug that ImpRec didn't patch all of JUMP DWORD [xxxx], so I had to use Revirgin and fix some imports manually to rebuild the IAT of dll.

Is there a better solution for this?
__________________
In memory of UnREal RCE...
Reply With Quote
  #2  
Old 11-13-2006, 17:03
Human
 
Posts: n/a
well imprec changes all addresses to point to new firstthunks he creates, but i dont know if it has a bug, have you checked correct iat size, maybe thats why he doesnt changed it, or maybe apis arent separated with 0 and he got problems with that
Reply With Quote
  #3  
Old 11-14-2006, 21:06
Newbie_Cracker's Avatar
Newbie_Cracker Newbie_Cracker is offline
VIP
 
Join Date: Jan 2005
Posts: 227
Rept. Given: 72
Rept. Rcvd 26 Times in 12 Posts
Thanks Given: 49
Thanks Rcvd at 25 Times in 18 Posts
Newbie_Cracker Reputation: 26
There is no problem with IAT. I got a fully unpacked file by Revirgin.
I couldn't attach the sample,so get it from rapidshare.com.

h++p://rapidshare.com/files/3315837/Sample_DLL.rar.html

The archive contains the dumped & unpacked DLL. Load unpacked DLL by OllyDbg, grap its imports address using ImpRec, then try to fix the dumped DLL.
Now, plz look at 0F588AB8. It should be VirtualQuery (first error in run-time). Use Hiew to see the API. 'Cause I dumped it in WinXP SP2, maybe you'll see correct API in OllyDbg.
__________________
In memory of UnREal RCE...
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Problems with Imprec 1.6f > ILCH General Discussion 6 11-18-2004 09:16
ImpREC.dll & reversing FEUERRADER General Discussion 0 02-17-2004 22:41
imprec question fotisl General Discussion 1 09-20-2002 06:09


All times are GMT +8. The time now is 17:06.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )