07-28-2005, 20:25
Nacho_dj
Some clues in the dumped file for rebuilding sections

Hello:

As I mentioned in the thread
http://forum.exetools.com/showthread.php?t=7784

there is the possibility of finding a "second PE header" in the dumped.exe from an AM-protected target.

OK, as far as I know, the rebuilding of sections in order to get the original unpacked and unprotected program is as follows:

- From AM release 5.0.900 up to the current AM releases, if a second PE header does not exist, the rebuilt target's PE header is exactly the dumped.exe PE header, but keeping only the first four sections.

- If a second PE header exists, then the rebuilt PE header has the virtual values (offset & size) as in the PE header, and the raw values as the virtual values of the second PE header. The names of the sections have to be those of the second PE header.

The next thing to do is to delete all the useless sections from the rebuilt target. The sections that you normally find in a .exe file are:
.text
.rdata
.data
.rsrc

.text is the first section, it remains as is.

.rdata contains the first thunk. You have to write there the rebuilt first thunk of the import table. This involves recalculating all the calls to APIs.

.data contains the data that the program uses, and normally the IAT. So, you have to rebuild the IAT there. The offset of the IAT comes right after the OEP value in the dumped.exe, found by searching for the "_com_err" string.

.rsrc is the resources section. You have to "transport" the resources of the dumped.exe to that section, deleting the AM resources, such as "AMTOOLBAR", and so on.

All those operations have to be done while modifying the PE header accordingly, because that is where the .exe keeps the IAT offset, the Import Table offset, the resources' virtual address and the sizes of all of them. Without this fix, the rebuilt target will certainly crash, or the system will not even recognize it as a valid .exe.

I will follow up in another post explaining how to delete the useless sections.

Cheers

Nacho_dj
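The section-table rule from the post above, as an added example that is not code from the thread or its author: it decodes IMAGE_SECTION_HEADER entries from a dump and from the second PE header, applies the rule (virtual values from the dump, raw values from the second header's virtual values, names from the second header, first four sections only), checks that the rebuilt raw ranges do not overlap, and re-encodes the table so it can be patched back. The two tables, their sizes and the extra ".adata" protector section name are constructed placeholders, not values from any real AM target.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, two Pointer fields, two Number fields (H), Characteristics
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)
FIELDS = ("name", "vsize", "vaddr", "rsize", "raddr", "chars")

def parse_sections(blob, count):
    """Decode `count` section headers from a raw section-table blob into dicts."""
    secs = []
    for i in range(count):
        f = struct.unpack_from(SECTION_FMT, blob, i * SECTION_SIZE)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        secs.append(dict(zip(FIELDS, (name,) + f[1:5] + (f[9],))))
    return secs

def pack_sections(secs):
    """Encode section dicts back into a section-table blob ready to patch into a file."""
    return b"".join(struct.pack(SECTION_FMT, s["name"].encode("ascii").ljust(8, b"\0"),
                                s["vsize"], s["vaddr"], s["rsize"], s["raddr"],
                                0, 0, 0, 0, s["chars"]) for s in secs)

def rebuild_sections(dump_secs, second_secs=None, keep=4):
    """Post's rule: no second header -> the dump's first `keep` sections unchanged;
    second header -> virtual values from the dump, raw values from its virtual values."""
    if second_secs is None:
        rebuilt = [dict(s) for s in dump_secs[:keep]]
    else:
        rebuilt = [{"name": o["name"], "vsize": d["vsize"], "vaddr": d["vaddr"],
                    "rsize": o["vsize"], "raddr": o["vaddr"], "chars": d["chars"]}
                   for d, o in zip(dump_secs[:keep], second_secs[:keep])]
    # Raw ranges must ascend without overlapping, or the loader rejects the file.
    for prev, cur in zip(rebuilt, rebuilt[1:]):
        if cur["raddr"] < prev["raddr"] + prev["rsize"]:
            raise ValueError("overlapping raw data in rebuilt section table")
    return rebuilt

def _table(rows):
    """Constructed sample helper: (name, vsize, vaddr, rsize, raddr) rows -> blob."""
    return pack_sections([dict(zip(FIELDS, r + (0x60000020,))) for r in rows])

# Constructed sample: a memory dump (raw == virtual) still carrying the protector's extra
# section (".adata", placeholder), and a second header whose virtual values mirror the disk layout.
DUMP_TABLE = _table([(".text", 0x5000, 0x1000, 0x5000, 0x1000), (".rdata", 0x1000, 0x6000, 0x1000, 0x6000),
                     (".data", 0x2000, 0x7000, 0x2000, 0x7000), (".rsrc", 0x1000, 0x9000, 0x1000, 0x9000),
                     (".adata", 0x3000, 0xA000, 0x3000, 0xA000)])
SECOND_TABLE = _table([(".text", 0x4800, 0x400, 0, 0), (".rdata", 0xE00, 0x4C00, 0, 0),
                       (".data", 0x1200, 0x5A00, 0, 0), (".rsrc", 0xC00, 0x6C00, 0, 0)])
```

The NumberOfSections field in the file header and the directory entries the post lists (IAT, import table, resources) still have to be fixed by hand; the block only produces the section table.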