Hi,
there is no problem with the IAT. The main problem is the VM unvirtualization or decryption.
Also there are changes in how some IAT functions are called, with EDI, ESI, EBX, EBP, like:
Code:
006DF06A MOV ESI,0x5D2C2BD9
006DF06F NOP
006DF070 CALL ESI
but the original code is:
Code:
006DF06A MOV ESI,DWORD PTR DS:[0x6F9EB4]
006DF070 CALL ESI
Calling through a register is a common method in VC++ compilers. I wrote a little script to restore the original code. (Change the code section address and the IAT start and end addresses if desired. Target: EditorGIF.exe.)
Code:
VAR CONST
VAR CODE_SECTION
VAR IAT_START
VAR IAT_END
VAR LINE
VAR C_ADDR
VAR IAT_ADDR
// Adjust these three to the target (values below are for EditorGIF.exe)
MOV IAT_START,006F9000
MOV IAT_END,006FA2A8
MOV CODE_SECTION,00401000
// Fill the References window with every "MOV r32,imm32 ; NOP" pair in the code section
FINDCMD CODE_SECTION, "MOV R32,CONST;NOP"
MOV LINE,0
DONEXTCALL:
INC LINE
GREF LINE
MOV C_ADDR,$RESULT
CMP C_ADDR,0
JE DONE
// Immediate of MOV r32,imm32 (opcode B8+r, imm32 starts at offset 1)
MOV CONST,[C_ADDR+1]
// Look the value up among the resolved IAT entries; skip if absent or past IAT_END
FIND IAT_START,CONST
CMP $RESULT,0
JE DONEXTCALL
CMP $RESULT,IAT_END
JG DONEXTCALL
MOV IAT_ADDR,$RESULT
// Rebuild MOV reg,DWORD PTR DS:[iat_slot]: 6 bytes, same size as MOV r32,imm32 + NOP
CMP [C_ADDR],0BF,1
JNE NOEDI
EVAL "MOV EDI, DWORD PTR DS:[{IAT_ADDR}]"
ASM C_ADDR,$RESULT
JMP DONEXTCALL
NOEDI:
CMP [C_ADDR],0BB,1
JNE NOEBX
EVAL "MOV EBX, DWORD PTR DS:[{IAT_ADDR}]"
ASM C_ADDR,$RESULT
JMP DONEXTCALL
NOEBX:
CMP [C_ADDR],0BE,1
JNE NOESI
EVAL "MOV ESI, DWORD PTR DS:[{IAT_ADDR}]"
ASM C_ADDR,$RESULT
JMP DONEXTCALL
NOESI:
CMP [C_ADDR],0BD,1
JNE NOEBP
EVAL "MOV EBP, DWORD PTR DS:[{IAT_ADDR}]"
ASM C_ADDR,$RESULT
NOEBP:
JMP DONEXTCALL
DONE:
RET
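As an added example (not the poster's script and not code from EditorGIF.exe), the same restoration done offline in Python over a dumped code section and IAT: every `MOV r32,imm32 ; NOP` whose immediate equals a resolved IAT entry is rewritten back to the 6-byte `MOV r32,DWORD PTR DS:[slot]`. It generalizes the script slightly by taking the set of registers as a parameter. The code and IAT bytes are constructed; the addresses reuse the ones from the post for readability. Unlike the ODbgScript, which lets Olly's disassembler locate the pattern, this version scans bytes linearly and relies on the IAT match plus the trailing NOP as its guard, so the result should be re-checked in a disassembler.

```python
import struct

# 32-bit x86 encodings involved (stated here as the example's own assumption):
#   MOV r32, imm32            -> B8+r imm32                           (5 bytes)
#   MOV r32, DWORD PTR [d32]  -> 8B ModRM(mod=00, reg=r, rm=101) d32  (6 bytes)
# The protector's "MOV r32,imm32 ; NOP" therefore occupies exactly the original 6 bytes.
REG_NAMES = ("EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI")
NOP = 0x90


def build_iat_map(iat_bytes, iat_base):
    """Map each non-zero dword stored in the IAT to the VA of the slot holding it."""
    slots = {}
    for off in range(0, len(iat_bytes) - 3, 4):
        (value,) = struct.unpack_from("<I", iat_bytes, off)
        if value:  # zero dwords terminate import descriptors; they are not API addresses
            slots.setdefault(value, iat_base + off)
    return slots


def restore_iat_loads(code, code_base, iat_bytes, iat_base,
                      regs=("EBX", "EBP", "ESI", "EDI")):
    """Rewrite MOV r32,imm32;NOP back to MOV r32,[iat_slot] where imm32 is an IAT entry.

    Returns (patched_code, patches) with patches as (va, register, slot_va) tuples.
    Only registers listed in `regs` are rewritten, mirroring the post's EDI/ESI/EBX/EBP.
    """
    slots = build_iat_map(iat_bytes, iat_base)
    allowed = {REG_NAMES.index(r) for r in regs}
    out = bytearray(code)
    patches = []
    i = 0
    while i + 6 <= len(out):
        opcode = out[i]
        if 0xB8 <= opcode <= 0xBF and out[i + 5] == NOP:
            reg = opcode - 0xB8
            (imm,) = struct.unpack_from("<I", out, i + 1)
            slot = slots.get(imm)
            if reg in allowed and slot is not None:
                out[i] = 0x8B
                out[i + 1] = (reg << 3) | 0x05   # mod=00, reg, rm=101 -> [disp32]
                struct.pack_into("<I", out, i + 2, slot)
                patches.append((code_base + i, REG_NAMES[reg], slot))
                i += 6
                continue
        i += 1  # linear byte scan; the IAT match + NOP guard keeps false hits rare
    return bytes(out), patches


def format_patch(va, reg, slot):
    """Render a patch the way the post's listing shows the original instruction."""
    return f"{va:08X} MOV {reg},DWORD PTR DS:[0x{slot:X}]"


# Constructed sample data (not bytes from EditorGIF.exe); addresses reuse the post's.
IAT_BASE = 0x6F9EB0
SAMPLE_IAT = struct.pack("<4I", 0x77E1A000, 0x5D2C2BD9, 0x7C80B741, 0)
CODE_BASE = 0x6DF06A
SAMPLE_CODE = bytes.fromhex(
    "BE D92B2C5D 90 FFD6"   # MOV ESI,0x5D2C2BD9 ; NOP ; CALL ESI  (the post's example)
    "BF 41B7807C 90 FFD7"   # MOV EDI,0x7C80B741 ; NOP ; CALL EDI
    "B8 34120000 90"        # MOV EAX,0x1234 ; NOP  (not an IAT value: left untouched)
    "BB 00A0E177 90 FFD3"   # MOV EBX,0x77E1A000 ; NOP ; CALL EBX
)

if __name__ == "__main__":
    patched, patches = restore_iat_loads(SAMPLE_CODE, CODE_BASE, SAMPLE_IAT, IAT_BASE)
    for va, reg, slot in patches:
        print(format_patch(va, reg, slot))
    print(patched.hex(" ").upper())
```

Running it lists the three restored loads (ESI, EDI, EBX) and leaves the `MOV EAX,0x1234` alone because 0x1234 is not an IAT value; pass `regs=REG_NAMES` if a target also routes calls through EAX/ECX/EDX.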