#1
|
||||
|
||||
ImpRec bug ?!!
Hello everybody,
Have you encounter any problem during using ImpRec if your targat uses both FF 15 & FF 25 for addressing imports? Is there any fix for this? Today I unpacked a dll, then it crashed. After an hour (!!!), I noticed this bug that ImpRec didn't patch all of JUMP DWORD [xxxx], so I had to use Revirgin and fix some imports manually to rebuild the IAT of dll. Is there a better solution for this?
__________________
In memory of UnREal RCE... |
#2
|
|||
|
|||
well imprec changes all addresses to point to new firstthunks he creates, but i dont know if it has a bug, have you checked correct iat size, maybe thats why he doesnt changed it, or maybe apis arent separated with 0 and he got problems with that
|
#3
|
||||
|
||||
There is no problem with IAT. I got a fully unpacked file by Revirgin.
I couldn't attach the sample,so get it from rapidshare.com. h++p://rapidshare.com/files/3315837/Sample_DLL.rar.html The archive contains the dumped & unpacked DLL. Load unpacked DLL by OllyDbg, grap its imports address using ImpRec, then try to fix the dumped DLL. Now, plz look at 0F588AB8. It should be VirtualQuery (first error in run-time). Use Hiew to see the API. 'Cause I dumped it in WinXP SP2, maybe you'll see correct API in OllyDbg.
__________________
In memory of UnREal RCE... |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Problems with Imprec 1.6f > | ILCH | General Discussion | 6 | 11-18-2004 09:16 |
ImpREC.dll & reversing | FEUERRADER | General Discussion | 0 | 02-17-2004 22:41 |
imprec question | fotisl | General Discussion | 1 | 09-20-2002 06:09 |