Quote:
So the .mackt section is completely gone! But, man, that was tedious work!

First, I've examined the .mackt part at 313000. It starts with a bunch of IMAGE_IMPORT_DESCRIPTORs, with everything but Name and FirstThunk zeroed. Name points again to the .mackt section, while FirstThunk points to section 22a000. So I took a look there: The RVAs in FirstThunk lead to RVAs pointing to IMAGE_IMPORT_BY_NAMEs, which are again located in the 313000 section.

Next I fired up a hex editor and changed all pointers to Names in .mackt, so that they point now to corresponding addresses in 22B000 space. After that I've copied the whole .mackt stuff to 22B000, overwriting the data there. Next step was to change all RVAs that pointed to IMAGE_IMPORT_BY_NAMEs to point to the 22B000 area. Then I only had to fix the "Import Table" directory entry to the new value 22B000 and delete the .mackt section.

And guess what? Yes, Sir, it works! But I hope there's an easier and less error-prone way to do this?

So, on to the next section-killing adventure, and thanks again for guiding me through this stuff.

Regards
Wurstgote
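The pointer chain followed by hand in the post (descriptor Name and FirstThunk, then thunk entries leading to IMAGE_IMPORT_BY_NAME) can be enumerated with a short script that lists every stored RVA and the section its target lies in. This is an added example, not part of the original post; it assumes PE32 (4-byte thunks) and a buffer indexed by RVA, and the sample image, its small RVAs and all function names are constructed for illustration.

```python
import struct

def cstr(img, rva):
    """Read a NUL-terminated ASCII string at an RVA."""
    return img[rva:img.index(b"\0", rva)].decode("ascii")

def section_of(rva, sections):
    """Name of the section whose [start, start+size) range holds the RVA."""
    for name, start, size in sections:
        if start <= rva < start + size:
            return name
    return "?"

def import_pointers(img, import_rva, sections):
    """Yield (kind, stored_at_rva, target_rva, target_section, text) for
    every RVA the import directory depends on (PE32, 4-byte thunks)."""
    desc = import_rva
    while True:
        oft, _ts, _fwd, name, ft = struct.unpack_from("<5I", img, desc)
        if not (oft or name or ft):          # all-zero descriptor terminates
            return
        yield ("Name", desc + 12, name, section_of(name, sections), cstr(img, name))
        yield ("FirstThunk", desc + 16, ft, section_of(ft, sections), "")
        slot = ft
        while True:
            (thunk,) = struct.unpack_from("<I", img, slot)
            if thunk == 0:
                break
            if not thunk & 0x80000000:       # not an ordinal import
                yield ("ByName", slot, thunk, section_of(thunk, sections), cstr(img, thunk + 2))
            slot += 4
        desc += 20

def build_sample():
    """Constructed image laid out by RVA, mirroring the post's layout."""
    img = bytearray(0x3000)
    sections = [(".rdata", 0x1000, 0x1000), (".mackt", 0x2000, 0x1000)]
    struct.pack_into("<5I", img, 0x2000, 0, 0, 0, 0x2040, 0x1000)  # descriptor
    img[0x2040:0x204D] = b"KERNEL32.dll\0"
    struct.pack_into("<2I", img, 0x1000, 0x2060, 0)                # thunk array
    img[0x2060:0x206E] = b"\0\0ExitProcess\0"
    return bytes(img), 0x2000, sections

if __name__ == "__main__":
    for row in import_pointers(*build_sample()):
        print(row)
```

Every row whose target section is the one being removed marks a stored RVA that has to be rewritten before that section can be deleted.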