Quote:
|
Originally Posted by Kerlingen
A normal API call goes like this "CALL DWORD PTR [????????]" (FF 15 ?? ?? ?? ??). However, the calls in this game go like "CALL ????????" (E8 ?? ?? ?? ??) and either before or after this call (6 byte<->5 byte call) there is a one byte dummy instruction like "nop" "cld" or like that. The "E8 call" points to a direct jump to the API. So there is no problem to resolve the API.
|
You have to rebuild the IAT from scratch; ImportRec should help you with this. Or, to learn about IAT stuff, do it manually.
One thing you can do is the following: build a table with all API addresses the E8 calls refer to, then patch all E8 calls back to FF 15 (address of the API entry in your table) and let ImportRec rebuild a new IAT.
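The rewrite described in this reply, as an added example that is not code from the thread: it scans a constructed 32-bit code buffer for E8 calls that reach E9 jump stubs to known API addresses, collects those addresses into a pointer table at an assumed location, and patches each call plus its one-byte filler into the 6-byte FF 15 form, so that only a plain table of API pointers is left for ImportRec to trace. The addresses, filler set and layout are all made up for the sample.

```python
import struct
# Constructed sample of the pattern from the thread: 5-byte "call rel32" (E8) padded by a
# nop/cld filler, reaching a "jmp rel32" (E9) stub that lands on the API. All values are made up.
CODE_VA = 0x401000          # assumed VA of the sample code section
TABLE_VA = 0x405000         # assumed VA where the rebuilt pointer table will live
API_MAP = {0x7C001000: "kernel32!LoadLibraryA", 0x7C002000: "kernel32!GetProcAddress"}
FILLER_OPCODES = {0x90, 0xFC}   # nop, cld

def _rel(insn_off, target_va):  # rel32 for a 5-byte E8/E9 at offset insn_off
    return struct.pack("<i", target_va - (CODE_VA + insn_off + 5))

SAMPLE_CODE = (
    b"\xE8" + _rel(0, CODE_VA + 0x20) + b"\x90"     # off 0:    call stubA ; nop
    + b"\xFC" + b"\xE8" + _rel(7, CODE_VA + 0x25)   # off 6:    cld ; call stubB
    + b"\xE8" + _rel(12, CODE_VA + 0x20) + b"\x90"  # off 12:   call stubA ; nop
    + b"\xC3" + b"\xCC" * 13                        # off 18:   ret ; padding
    + b"\xE9" + _rel(0x20, 0x7C001000)              # off 0x20: jmp LoadLibraryA
    + b"\xE9" + _rel(0x25, 0x7C002000)              # off 0x25: jmp GetProcAddress
)

def resolve_call(off, code, code_va, api_map):
    """API address reached by an E8 call at `off` through an E9 stub, else None."""
    if code[off] != 0xE8:
        return None
    stub = off + 5 + struct.unpack_from("<i", code, off + 1)[0]
    if not (0 <= stub and stub + 5 <= len(code)) or code[stub] != 0xE9:
        return None
    final = code_va + stub + 5 + struct.unpack_from("<i", code, stub + 1)[0]
    return final if final in api_map else None

def rebuild_calls(code, code_va, api_map, table_va):
    """Collect API addresses reached through E8 calls into a table and rewrite
    each call plus its filler byte as 'call dword ptr [slot]' (FF 15 imm32)."""
    patched, table, off = bytearray(code), [], 0
    while off + 5 <= len(code):
        api = resolve_call(off, code, code_va, api_map)
        if api is None:
            off += 1
            continue
        if api not in table:
            table.append(api)
        slot = table_va + 4 * table.index(api)   # table slot holding this API's address
        if off + 5 < len(code) and code[off + 5] in FILLER_OPCODES:
            start = off            # filler sits after the call
        elif off > 0 and code[off - 1] in FILLER_OPCODES:
            start = off - 1        # filler sits before the call
        else:
            off += 1               # no sixth byte to reuse; leave this call alone
            continue
        patched[start:start + 6] = b"\xFF\x15" + struct.pack("<I", slot)
        off = start + 6
    return bytes(patched), table
```

On real code, drive the filler check from a disassembler rather than a raw byte test, so that a 0x90 that is merely the last byte of the previous instruction's operand is not mistaken for a nop.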