Quote:
Originally Posted by Carbon
I really recommend to update due to the bug fixes.
Direct import scanner fix methods:
- Normal: Patch memory with jmp/call only
- Universal: Works with everything, creates a jump table in the scylla section, watch for relocation information in the log file
:
|
I was watch ur update ,My friend Universal import scanner fix is a Good Idea .
but it is limited with some Protector ,in other it is Difficult to handle it .
Let take the Themida/Winlicense : through the unpacked rutine ,it pass through IAT Table rebuild which write the API to the file .here it decide to write the
Quote:
NOP
Jmp xxxxx
or
Call xxxxx
Nop
|
so this nop it Defined through this rutine ,and I think it is random .
Quote:
00412893 CC int3
00412894 > 90 nop
00412895 .- E9 96287477 jmp msvcr100.__set_app_type
0041289A > 90 nop
0041289B .- E9 60587477 jmp msvcr100._amsg_exit
004128A0 > 90 nop
004128A1 .- E9 3A647477 jmp msvcr100.__wgetmainargs
004128A6 CC int3
+++++++++++++++++++++++++++++++++++++
004129C7 CC int3
004129C8 > 90 nop
004129C9 .- E9 D2567477 jmp msvcr100._exit
004129CE > 90 nop
004129CF .- E9 BCA68177 jmp msvcr100._XcptFilter
004129D4 >- E9 E7567477 jmp msvcr100._cexit
004129D9 . 6F outs dx, dword ptr es:[edi]
004129DA >- E9 A1567477 jmp msvcr100.exit
004129DF 13 db 13
004129E0 > 90 nop
004129E1 .- E9 DA708177 jmp msvcr100._CrtSetCheckCount
004129E6 CC int3
|
so guessing which NOP is the right to replce for Fix This import will fault by 70%
pls check this Image :
http://postimg.org/image/6fzu4kr8v/
and u will see what I was talking about .I have write a lot of tut on rebuild IAT for Themedi I can send it to u and through this tut u will see when and where the nop is written .
and so on for other Protector ,which each one his privacy .
Quote:
|
I also found some weird thing in Windows 7 x64. I don't know yet why this happens
|
can u give example (code or File ) ?
Thanks for ur great work ,pls keep up.