Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 04-28-2005, 02:23
Nukacola's Avatar
Nukacola Nukacola is offline
Friend
 
Join Date: Sep 2004
Location: Germany
Posts: 49
Rept. Given: 0
Rept. Rcvd 2 Times in 2 Posts
Thanks Given: 0
Thanks Rcvd at 1 Time in 1 Post
Nukacola Reputation: 2
Help me to fixing API-Calls

hi,
i'm trying to fix some calls to api's which are made through a "Call api-address". No problem so far replace address with the address of the api. Ok but this isn't working on other OS then mine. So my question is it
possible to fix these calls like call dword ptr:[IAT_address] without increasing in size. Cos for calls like call dword ptr:[IAT_address] i must only change the iat_address to the right api-call. I tried everything with my poor asm maybe a advice from a guru?? I thought about a loader checking the OS and replace the calls
but that's alot of work. I also tried replace call api-address with a jmp to free space where i assembled a Call dword ptr:[iat-address] and a jmp back, but this isn't working.

Greetings

Nukacola

Last edited by Nukacola; 04-28-2005 at 02:34.
Reply With Quote
  #2  
Old 04-28-2005, 02:44
sHice
 
Posts: n/a
look if there is a garbage byte in front of or after the call sth like
90 nop
E8???????? call api-address
then you can convert the 5 byte call into a 6 byte call (call [api-address]).
which protector are you dealing with?
Reply With Quote
  #3  
Old 04-28-2005, 04:56
NeOXOeN NeOXOeN is offline
Friend
 
Join Date: Jan 2005
Posts: 273
Rept. Given: 2
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 2
Thanks Rcvd at 18 Times in 18 Posts
NeOXOeN Reputation: 3
Can you plz be more specific or more clear in forming your question ,some example code would be nice.

Sorry but i really didnt understand what are you trying to achive here, but maybe it can be only my english :P



Bye NeO
Reply With Quote
  #4  
Old 04-29-2005, 01:29
MaRKuS-DJM's Avatar
MaRKuS-DJM MaRKuS-DJM is offline
Cracker + Unpacker
 
Join Date: Aug 2003
Location: Virtual World / Network
Posts: 553
Rept. Given: 7
Rept. Rcvd 6 Times in 4 Posts
Thanks Given: 3
Thanks Rcvd at 16 Times in 10 Posts
MaRKuS-DJM Reputation: 6
if i read your post correctly, it seems you have no Import Table. without it, you won't get all entries valid for every OS.

what you can do:
write a resolver through the APIs LoadLibrary, GetModuleHandleA, GetProcAddress (for advanced users)
or
use Imprec to get a valid IT with the option "Create new IAT".
Reply With Quote
  #5  
Old 05-11-2005, 01:24
Nukacola's Avatar
Nukacola Nukacola is offline
Friend
 
Join Date: Sep 2004
Location: Germany
Posts: 49
Rept. Given: 0
Rept. Rcvd 2 Times in 2 Posts
Thanks Given: 0
Thanks Rcvd at 1 Time in 1 Post
Nukacola Reputation: 2
oh sorry but i haven't much time last days so i can't repost.
I see that i have done a big mistake cos i don't
call dword ptr:[IAT_address] i call call dword ptr:[ImportTable_address]
and there's no valid IAT in the file. There are 2 IAT but both aren't valid i guess. And no one is set in the PE header IAT entry field. But i have a Import Table located at 1000h cos vb6 app.

Ok the protection i'm dealing with is again securom v4.8xx.

here a snippet of the code..

Code:
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
PUSH EBP
MOV EBP,ESP
SUB ESP,0C
PUSH s*******.00401AB6                   ; SE handler installation
MOV EAX,DWORD PTR FS:[0]
PUSH EAX
MOV DWORD PTR FS:[0],ESP
SUB ESP,2C
PUSH EBX
PUSH ESI
PUSH EDI
MOV DWORD PTR SS:[EBP-C],ESP
MOV DWORD PTR SS:[EBP-8],s*******.00401338
MOV EDX,DWORD PTR SS:[EBP+8]
XOR ESI,ESI
LEA ECX,DWORD PTR SS:[EBP-24]
MOV DWORD PTR SS:[EBP-1C],ESI
MOV DWORD PTR SS:[EBP-24],ESI
MOV DWORD PTR SS:[EBP-2C],ESI
MOV DWORD PTR SS:[EBP-30],ESI
MOV DWORD PTR SS:[EBP-34],ESI
CALL DWORD PTR DS:[939510]  ;this call guide also to secu but no problem fixing this one
LEA EAX,DWORD PTR SS:[EBP-28]
PUSH EAX
PUSH 800
INC EAX
CALL s*******.00911E00 ;this call also guide to sec but i can't fix it so easy as the one above
MOV ECX,DWORD PTR SS:[EBP+C]
PUSH ESI
PUSH ESI
PUSH ESI
PUSH ECX
LEA EDX,DWORD PTR SS:[EBP-30]
PUSH s*******.006203B0
PUSH EDX
DAA
CALL s*******.00911FC0 ;here again also secu
PUSH EAX
CALL s*******.0061FB50 ;here no secu call
i also try to rip the code for the Call securom out and load it in my dump at the same address, but the ressolver is using code out of the securom sections i have removed so it crashed..
Reply With Quote
  #6  
Old 05-11-2005, 02:30
sHice
 
Posts: n/a
i can't remember exactly how i did it with sec5 but i try to tell you what i can remember.i think there's no big difference between sec5 and 4.8.
like i said in my previous post there's always a garbage byte before/after the call to sec section which has to be overwritten to insert the 6 byte call dword ptr [iat].garbage instructions are for example DAA, inc eax, nop...
at the end of the call to the sec section there is a jmp eax or ret with the right api offset in eax or on the stack so you have to grab the api offset there.then you have to search the api offset in the original IAT of the programm.securom leaves the IAT and IT untouched so we will need no imprec at all.if you have found the api offset in the original iat you can fix the call to the sec section to call dword ptr [iat] (overwriting garbage byte).if you are done with all calls you can dumb and fix IT offset with lordpe.don't forget to paste untouched FirstThunks when you are done.
Reply With Quote
  #7  
Old 05-11-2005, 16:49
Nukacola's Avatar
Nukacola Nukacola is offline
Friend
 
Join Date: Sep 2004
Location: Germany
Posts: 49
Rept. Given: 0
Rept. Rcvd 2 Times in 2 Posts
Thanks Given: 0
Thanks Rcvd at 1 Time in 1 Post
Nukacola Reputation: 2
ohh yes damn i guess the inc eax and the daa is the garbage byte sorry for bothering with this simple problem cos if i was looking for a nop....
lol easy solution...

Thanks Nukacola

Last edited by Nukacola; 05-11-2005 at 16:52.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
VB calls obfuscator General Discussion 7 06-04-2014 13:46
How do you find all modular calls with Olly? Fade General Discussion 2 04-09-2007 06:06
Ida 4.6 calls back home??? loman General Discussion 3 09-22-2004 03:29
Fixing an EXE to not call a DLL? Barry General Discussion 11 06-03-2004 00:37
Problem with fixing IAT K3nny General Discussion 5 01-04-2004 19:26


All times are GMT +8. The time now is 16:42.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )