Hi,
I'm having trouble with imports too :/
I've been trying to unpack a certain app for the whole day now. I got the dump and the OEP, and I think the stolen bytes are good, but the program crashes. Tracing through the exe that crashes, I noticed that I didn't resolve one (for now) import correctly. Now I'm attempting to resolve it correctly by debugging the packed app. I run the packed app, break on the place where this function is called and trace into it. It was very weird. It seems that the whole function is in packer code. It never jumps/calls into the real DLL. Btw, this is a kernel32 function. When the function is executed only EAX changes, and before the function executes EAX is an address inside the code section (something like 4xxxxx). BUT the result doesn't seem to be parameter dependent. Here is some code (this is some really obfuscated shit):
Code:
00C69B75 9C PUSHFD
00C69B76 55 PUSH EBP
00C69B77 E8 00000000 CALL 00C69B7C
00C69B7C 5D POP EBP
00C69B7D 81ED 7C9B0100 SUB EBP,19B7C
00C69B83 50 PUSH EAX
00C69B84 60 PUSHAD
00C69B85 8BEC MOV EBP,ESP
00C69B87 55 PUSH EBP
00C69B88 29F6 SUB ESI,ESI
00C69B8A 0FBDF6 BSR ESI,ESI
00C69B8D B9 6E990020 MOV ECX,2000996E
00C69B92 31D2 XOR EDX,EDX
00C69B94 D1C1 ROL ECX,1
00C69B96 29DB SUB EBX,EBX
00C69B98 D1CE ROR ESI,1
00C69B9A 29C0 SUB EAX,EAX
00C69B9C 29C3 SUB EBX,EAX
00C69B9E 81EB 9942F43E SUB EBX,3EF44299
00C69BA4 C1C3 03 ROL EBX,3
.
.
.
and it goes on like that... and then:
Code:
00C69BF3 89E1 MOV ECX,ESP
00C69BF5 81F0 FFFFA262 XOR EAX,62A2FFFF
00C69BFB 01C8 ADD EAX,ECX
00C69BFD 39F3 CMP EBX,ESI
00C69BFF 7E 01 JLE SHORT 00C69C02
00C69C01 F7DB NEG EBX
00C69C03 FFD0 CALL EAX
where EAX is an address in another part of the packer code :/ This is all that happens there:
Code:
0012FEC4 8BE5 MOV ESP,EBP
0012FEC6 61 POPAD
0012FEC7 58 POP EAX
0012FEC8 8B85 87AB0100 MOV EAX,DWORD PTR SS:[EBP+1AB87]
0012FECE 5D POP EBP
0012FECF 9D POPFD
0012FED0 C3 RETN
So EAX gets the value of [EBP+1AB87]. What API could this be? It's really annoying :/
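As an added example (not code from the post, and not the packer's own code): a Python script that works out where the stub's final MOV EAX,[EBP+disp32] reads from. In the listing, the CALL $+5 / POP EBP / SUB EBP,19B7C prologue leaves EBP pointing at the packer's base, PUSHAD and POPAD bracket the junk arithmetic so EBP is restored before the epilogue runs, and the only lasting effect is EAX = dword at base + 1AB87. The script reproduces that computation against a constructed sparse memory image: the addresses and displacements are the ones in the listing, while the Memory class, build_sample, the pointer value stored at the slot and the export name are assumptions made up for the demo. Matching the stored dword against the module's export table is how an analyst identifies the API behind a redirected import like this one.

```python
import struct

# Constructed sparse memory image, {start_va: bytearray}, standing in for a
# process dump. Addresses and displacements come from the listing in the post;
# the pointer stored at the slot and the export names are made up for the demo.
class Memory:
    def __init__(self):
        self.regions = {}

    def write(self, va, data):
        self.regions[va] = bytearray(data)

    def read(self, va, size):
        for start, buf in self.regions.items():
            if start <= va and va + size <= start + len(buf):
                return bytes(buf[va - start:va - start + size])
        raise ValueError(f"unmapped read of {size} bytes at {va:#010x}")

    def read_u32(self, va):
        return struct.unpack("<I", self.read(va, 4))[0]


# Stub prologue exactly as listed at 00C69B75:
#   9C            PUSHFD
#   55            PUSH EBP
#   E8 00000000   CALL $+5       ; pushes the address of the POP below
#   5D            POP EBP        ; EBP = VA of this POP
#   81ED imm32    SUB EBP,imm32  ; EBP = packer base (VA of POP minus imm32)
PROLOGUE = bytes.fromhex("9c55e8000000005d81ed")
POP_OFFSET = 7  # PUSHFD(1) + PUSH EBP(1) + CALL(5)

# Epilogue exactly as listed at 0012FEC4:
#   8BE5          MOV ESP,EBP           ; back to the ESP saved after PUSHAD
#   61            POPAD                 ; restores EBP = packer base
#   58            POP EAX               ; restores the caller's EAX
#   8B85 disp32   MOV EAX,[EBP+disp32]  ; the only lasting effect
#   5D 9D C3      POP EBP / POPFD / RETN
EPILOGUE_HEAD = bytes.fromhex("8be561588b85")
EPILOGUE_TAIL = bytes.fromhex("5d9dc3")


def packer_base_from_prologue(mem, stub_va):
    """Return the value left in EBP by the CALL $+5 / POP EBP / SUB EBP trick."""
    head = mem.read(stub_va, len(PROLOGUE) + 4)
    if head[:len(PROLOGUE)] != PROLOGUE:
        raise ValueError(f"no delta-offset prologue at {stub_va:#010x}")
    delta = struct.unpack("<I", head[len(PROLOGUE):])[0]
    return (stub_va + POP_OFFSET - delta) & 0xFFFFFFFF


def is_delta_stub(mem, va):
    """True if a delta-offset prologue starts at va (no exception on a miss)."""
    try:
        packer_base_from_prologue(mem, va)
        return True
    except ValueError:
        return False


def slot_disp_from_epilogue(mem, epilogue_va):
    """Return the signed disp32 of the MOV EAX,[EBP+disp32] in the epilogue."""
    n = len(EPILOGUE_HEAD)
    tail = mem.read(epilogue_va, n + 4 + len(EPILOGUE_TAIL))
    if tail[:n] != EPILOGUE_HEAD or tail[n + 4:] != EPILOGUE_TAIL:
        raise ValueError(f"no MOV EAX,[EBP+disp32] epilogue at {epilogue_va:#010x}")
    return struct.unpack("<i", tail[n:n + 4])[0]


def resolve_redirected_import(mem, stub_va, epilogue_va, exports):
    """Find the pointer slot the stub reads and name the API address it holds."""
    base = packer_base_from_prologue(mem, stub_va)
    slot_va = (base + slot_disp_from_epilogue(mem, epilogue_va)) & 0xFFFFFFFF
    api_va = mem.read_u32(slot_va)
    return {
        "base": base,
        "slot": slot_va,
        "api": api_va,
        "name": exports.get(api_va, "<not an export: another redirection level?>"),
    }


def build_sample():
    """Constructed image: the two listed fragments plus a made-up pointer slot."""
    mem = Memory()
    mem.write(0x00C69B75, PROLOGUE + struct.pack("<I", 0x19B7C))
    mem.write(0x0012FEC4, EPILOGUE_HEAD + struct.pack("<i", 0x1AB87) + EPILOGUE_TAIL)
    # Hypothetical: base 00C50000 + 1AB87 = 00C6AB87 holds a made-up kernel32 address.
    mem.write(0x00C6AB87, struct.pack("<I", 0x7C80BEEF))
    # Hypothetical export map; in practice built from the loaded module's export table.
    exports = {0x7C80BEEF: "kernel32!<constructed export>"}
    return mem, exports


if __name__ == "__main__":
    mem, exports = build_sample()
    r = resolve_redirected_import(mem, 0x00C69B75, 0x0012FEC4, exports)
    print(f"base={r['base']:#010x} slot={r['slot']:#010x} "
          f"api={r['api']:#010x} -> {r['name']}")
```

On a real dump the same steps apply: compute the base from the prologue, add the displacement from the epilogue, read the dword at that slot and look it up in the export table of the module it points into. If the dword lands back inside packer code rather than in a module's export, the redirection has a further level and the value at that address has to be followed the same way.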