Import Rebuilding Without Import Table

#1 01-10-2005, 23:44

I'm trying unpack a protected game. So far I have removed all dummy code from the file, resolved all INT calls to its kernel driver an replaced the code and patched all the imports so that they jump right to the correct API without going through the protection's code.

A normal API call goes like this "CALL DWORD PTR [????????]" (FF 15 ?? ?? ?? ??). However, the calls in this game go like "CALL ????????" (E8 ?? ?? ?? ??) and either before or after this call (6 byte<->5 byte call) there is a one byte dummy instruction like "nop" "cld" or like that. The the "E8 call" points to a direct jump to the API. So there is no problem to resolve the API.

The problem is that the game has no import table anywhere (not on disc or in memory or encrypted or unfilled) but just this kind of calls. So I'm a bit lost how and where I should rebuild the import table. Leaving it like now is not possible since the DLLs are loaded to a different address every time and the system APIs have different addresses on each OS.

Thread Tools
Show Printable Version Email this Page
Display Modes
Switch to Linear Mode Switch to Hybrid Mode Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Add imports to DLL import table	jonwil	General Discussion	5	09-07-2020 16:47
How to shuffle names in the PE import table?	Newbie_Cracker	General Discussion	5	08-25-2019 03:59
Reliable PE Library or DLL for Adding Functions to Import Table	omidgl	General Discussion	3	06-28-2008 09:53
Can`t restore import table	thechatter	General Discussion	9	11-14-2003 21:01
Changing Import Table??	magic	General Discussion	3	09-14-2003 01:59