|
you were wondering about 1b168 which is the rva of the iat , and posted the stripper finding of the iat which is va 41b168, so I did show you how I got the va 41b168.
This is part of what you posted:
1-
"One interesting thing, if you unpack with Stripper, you get this info on import table:
16:31:08 - processing import table..
ImportAddressTable RVA :0001b168 - kernel32.dll
2-
Whereas when I manually upack it, I get the same result as Ferrari, noting that Brightdream states that IAT starts at 0001b168, rather than 0001b238."
I hope someone can explain this better than I did, so you can understand it.
Last edited by britedream; 03-09-2004 at 05:08.
|