#1
Help me to fix API calls
hi,
I'm trying to fix some calls to APIs which are made through a "call api-address". No problem so far: replace the address with the address of the API. OK, but this isn't working on other OSes than mine. So my question is: is it possible to fix these calls like call dword ptr [IAT_address] without increasing the size? Because for calls like call dword ptr [IAT_address] I must only change the IAT address to the right API call. I tried everything with my poor asm, maybe some advice from a guru?? I thought about a loader checking the OS and replacing the calls, but that's a lot of work. I also tried replacing call api-address with a jmp to free space where I assembled a call dword ptr [iat-address] and a jmp back, but this isn't working. Greetings, Nukacola
Last edited by Nukacola; 04-28-2005 at 02:34.
#2
Look if there is a garbage byte in front of or after the call, something like
90 nop / E8???????? call api-address; then you can convert the 5-byte call into a 6-byte call (call [api-address]). Which protector are you dealing with?
#3
Can you please be more specific or clearer in forming your question? Some example code would be nice.
Sorry, but I really didn't understand what you are trying to achieve here, but maybe it's only my English :P Bye, NeO
#4
If I read your post correctly, it seems you have no Import Table. Without it, you won't get all entries valid for every OS.
What you can do: write a resolver through the APIs LoadLibrary, GetModuleHandleA, GetProcAddress (for advanced users) or use ImpREC to get a valid IT with the option "Create new IAT".
#5
Oh sorry, but I haven't had much time the last days, so I couldn't reply.
I see that I have made a big mistake, because I don't call dword ptr [IAT_address], I call dword ptr [ImportTable_address], and there's no valid IAT in the file. There are 2 IATs but both aren't valid, I guess. And none is set in the PE header IAT entry field. But I have an Import Table located at 1000h because it's a VB6 app. OK, the protection I'm dealing with is again SecuROM v4.8xx. Here a snippet of the code.. Code:
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
PUSH EBP
MOV EBP,ESP
SUB ESP,0C
PUSH s*******.00401AB6             ; SE handler installation
MOV EAX,DWORD PTR FS:[0]
PUSH EAX
MOV DWORD PTR FS:[0],ESP
SUB ESP,2C
PUSH EBX
PUSH ESI
PUSH EDI
MOV DWORD PTR SS:[EBP-C],ESP
MOV DWORD PTR SS:[EBP-8],s*******.00401338
MOV EDX,DWORD PTR SS:[EBP+8]
XOR ESI,ESI
LEA ECX,DWORD PTR SS:[EBP-24]
MOV DWORD PTR SS:[EBP-1C],ESI
MOV DWORD PTR SS:[EBP-24],ESI
MOV DWORD PTR SS:[EBP-2C],ESI
MOV DWORD PTR SS:[EBP-30],ESI
MOV DWORD PTR SS:[EBP-34],ESI
CALL DWORD PTR DS:[939510]         ; this call also leads to secu, but no problem fixing this one
LEA EAX,DWORD PTR SS:[EBP-28]
PUSH EAX
PUSH 800
INC EAX
CALL s*******.00911E00             ; this call also leads to secu, but I can't fix it as easily as the one above
MOV ECX,DWORD PTR SS:[EBP+C]
PUSH ESI
PUSH ESI
PUSH ESI
PUSH ECX
LEA EDX,DWORD PTR SS:[EBP-30]
PUSH s*******.006203B0
PUSH EDX
DAA
CALL s*******.00911FC0             ; here again secu
PUSH EAX
CALL s*******.0061FB50             ; no secu call here
#6
I can't remember exactly how I did it with Sec5, but I'll try to tell you what I can remember. I think there's no big difference between Sec5 and 4.8.
Like I said in my previous post, there's always a garbage byte before/after the call to the Sec section which has to be overwritten to insert the 6-byte call dword ptr [iat]. Garbage instructions are for example DAA, INC EAX, NOP... At the end of the call to the Sec section there is a jmp eax or ret with the right API offset in EAX or on the stack, so you have to grab the API offset there. Then you have to search the API offset in the original IAT of the program. SecuROM leaves the IAT and IT untouched, so we will need no ImpREC at all. If you have found the API offset in the original IAT, you can fix the call to the Sec section to call dword ptr [iat] (overwriting the garbage byte). If you are done with all calls you can dump and fix the IT offset with LordPE. Don't forget to paste the untouched FirstThunks when you are done.
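The 5-byte to 6-byte rewrite this post describes, as an added Python example that is not from the thread: it computes the target of an E8 call, checks for an adjacent one-byte filler instruction so the 6-byte call dword ptr [iat] fits without growing the code, and looks up the IAT slot holding the API address observed at the stub's jmp eax. The code bytes, VAs and IAT contents are constructed for the example.

```python
import struct

# x86-32 encodings: E8 rel32 is the 5-byte relative call the protected code uses;
# FF 15 disp32 is the 6-byte "call dword ptr [addr]" that goes through the IAT.
CALL_REL32 = 0xE8
CALL_IAT = b"\xff\x15"
# One-byte filler instructions the post lists next to the calls.
GARBAGE = {0x27: "DAA", 0x40: "INC EAX", 0x90: "NOP"}

def rel32_target(code, off, base_va):
    """Absolute target of the E8 call at code[off]; base_va is the VA of code[0]."""
    assert code[off] == CALL_REL32
    disp = struct.unpack_from("<i", code, off + 1)[0]
    return (base_va + off + 5 + disp) & 0xFFFFFFFF

def patch_window(code, off):
    """Start offset of the 6-byte window (call plus adjacent garbage byte), or None."""
    if off >= 1 and code[off - 1] in GARBAGE:
        return off - 1                      # garbage byte before the call
    if off + 5 < len(code) and code[off + 5] in GARBAGE:
        return off                          # garbage byte after the call
    return None                             # nothing to overwrite: 6 bytes won't fit

def find_iat_slot(iat, api_va):
    """VA of the IAT entry holding api_va (the address seen in EAX at the stub's jmp)."""
    for slot_va, value in iat.items():
        if value == api_va:
            return slot_va
    raise KeyError(f"api {api_va:#010x} not present in the original IAT")

def patch_call(code, off, iat, api_va):
    """Return code with the call at off rewritten as FF 15 [iat_slot]."""
    start = patch_window(code, off)
    if start is None:
        raise ValueError("no garbage byte next to the call; patch would grow the code")
    slot = find_iat_slot(iat, api_va)
    out = bytearray(code)
    out[start:start + 6] = CALL_IAT + struct.pack("<I", slot)
    return bytes(out)

# Constructed sample: "DAA ; CALL 00911FC0" at VA 0x00401100, and a small fake IAT.
BASE_VA = 0x00401100
SAMPLE = b"\x27" + bytes([CALL_REL32]) + struct.pack("<i", 0x00911FC0 - (BASE_VA + 1 + 5))
FAKE_IAT = {0x00401010: 0x77E52B60, 0x00401014: 0x77E5AB10}   # slot VA -> API VA (made up)

if __name__ == "__main__":
    print(f"stub at {rel32_target(SAMPLE, 1, BASE_VA):#010x}")
    print(patch_call(SAMPLE, 1, FAKE_IAT, 0x77E5AB10).hex())  # prints ff1514104000
```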
#7
Ohh yes, damn, I guess the INC EAX and the DAA are the garbage bytes. Sorry for bothering with this simple problem, because I was looking for a NOP....
lol, easy solution... Thanks, Nukacola
Last edited by Nukacola; 05-11-2005 at 16:52.