Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   ImpRec bug ?!! (https://forum.exetools.com/showthread.php?t=10359)

Newbie_Cracker 11-13-2006 06:03
ImpRec bug ?!!
 
Hello everybody,

Have you encounter any problem during using ImpRec if your targat uses both FF 15 & FF 25 for addressing imports?

Is there any fix for this?

Today I unpacked a dll, then it crashed. After an hour (!!!), I noticed this bug that ImpRec didn't patch all of JUMP DWORD [xxxx], so I had to use Revirgin and fix some imports manually to rebuild the IAT of dll.

Is there a better solution for this?

Human 11-13-2006 17:03
well imprec changes all addresses to point to new firstthunks he creates, but i dont know if it has a bug, have you checked correct iat size, maybe thats why he doesnt changed it, or maybe apis arent separated with 0 and he got problems with that

Newbie_Cracker 11-14-2006 21:06
There is no problem with IAT. I got a fully unpacked file by Revirgin.
I couldn't attach the sample,so get it from rapidshare.com.

h++p://rapidshare.com/files/3315837/Sample_DLL.rar.html

The archive contains the dumped & unpacked DLL. Load unpacked DLL by OllyDbg, grap its imports address using ImpRec, then try to fix the dumped DLL.
Now, plz look at 0F588AB8. It should be VirtualQuery (first error in run-time). Use Hiew to see the API. 'Cause I dumped it in WinXP SP2, maybe you'll see correct API in OllyDbg.


All times are GMT +8. The time now is 01:29.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX