#1  03-27-2005, 07:58 AM
CoDe_InSiDe (Member, Join Date: Nov 2003, Posts: 28)

Hi DumbNewb,

When you've unpacked a program, be sure to check that everything is correct in the PE header (like changing the entry point, and also check that the stuff in the section table is correct).
You most probably also need to fix the import table.

But first, do you know what packer/protector has been used? (You can use PEiD or similar tools.)

Regards,

CoDe_InSiDe

EDIT:
I've downloaded the program myself and I saw it has been packed with UPX.
Then you certainly need to fix the import table (use ImpREC or similar tools, or do it by hand, but I won't suggest that to you now, hehe).
And like I said, fix the PE header.
#2  03-27-2005, 09:48 AM
CoDe_InSiDe (Member, Join Date: Nov 2003, Posts: 28)

Hi DumbNewb,

When a program has been packed and then has been run, the packer handles the import table, gets the base addresses of the APIs and stores them in the IAT (just like Windows would do if you run a file).
When you dump a program from memory, the required DLLs will be loaded (with LoadLibraryA, for example) and then the base addresses of the APIs will be retrieved (with GetProcAddress, for example).
DLLs like KERNEL32.DLL and USER32.DLL are already loaded by Windows, so they will stay in the same memory area. That's why the unpacked file with the pointer to MessageBoxA (from USER32.DLL) didn't cause any problem: USER32.DLL has already been loaded and so it stays at a fixed address.

I hope you understand what I'm trying to say here.

In the Section Table it should be for each section:

Raw Size = Virtual Size
Raw Offset = Virtual Offset

Because you dumped the file from memory (Virtual).

I hope I helped you a little bit.
Good luck with that game.

Regards,

CoDe_InSiDe
#3  03-28-2005, 06:52 AM
CoDe_InSiDe (Member, Join Date: Nov 2003, Posts: 28)
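The two header fixes described in posts #1 and #2 (re-pointing the entry point, and setting Raw Size = Virtual Size and Raw Offset = Virtual Offset for every section of a memory dump), as an added example that is not from the original thread or from any tool named in it. It works on a constructed minimal PE32 image embedded in the script; the header offsets are the standard PE layout, and the OEP value passed to `set_entry_point` is an assumed placeholder you would replace with the one found while tracing the unpacker.

```python
import struct

# Constructed minimal PE32 image (not a real file): DOS header, "PE" signature, COFF header,
# 0x60-byte optional header, two sections whose raw size/offset differ from the virtual ones.
def build_sample() -> bytes:
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0x60, 0x102)  # 2 sections
    opt = struct.pack("<H", 0x10B) + b"\0" * 0x5E                   # PE32 magic
    secs = b""
    for name, vsize, vaddr, rsize, roff in [(b".text", 0x1200, 0x1000, 0x1400, 0x400),
                                            (b".rdata", 0x800, 0x3000, 0x600, 0x1800)]:
        secs += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, roff,
                            0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + secs

def _pe_offset(data: bytes) -> int:
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew; header is damaged")
    return pe_off

def _first_section(data: bytes) -> int:
    pe_off = _pe_offset(data)
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]      # SizeOfOptionalHeader
    return pe_off + 24 + opt_size

# (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section
def read_sections(data: bytes) -> list:
    nsec = struct.unpack_from("<H", data, _pe_offset(data) + 6)[0]  # NumberOfSections
    first = _first_section(data)
    out = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, roff = struct.unpack_from("<8sIIII", data, first + i * 40)
        out.append((name.rstrip(b"\0").decode(), vsize, vaddr, rsize, roff))
    return out

# Raw Size = Virtual Size and Raw Offset = Virtual Offset, as the post describes
def fix_section_table(data: bytes) -> tuple:
    first, buf, changed = _first_section(data), bytearray(data), []
    for i, (name, vsize, vaddr, rsize, roff) in enumerate(read_sections(data)):
        if (rsize, roff) != (vsize, vaddr):
            struct.pack_into("<II", buf, first + i * 40 + 16, vsize, vaddr)
            changed.append(name)
    return bytes(buf), changed

def get_entry_point(data: bytes) -> int:                            # AddressOfEntryPoint
    return struct.unpack_from("<I", data, _pe_offset(data) + 24 + 16)[0]

def set_entry_point(data: bytes, oep_rva: int) -> bytes:            # point it at the OEP
    buf = bytearray(data)
    struct.pack_into("<I", buf, _pe_offset(data) + 24 + 16, oep_rva)
    return bytes(buf)
```

Running `fix_section_table` a second time on its own output reports no changes, which is a quick way to confirm the table is consistent before handing the dump to an IAT rebuilder.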

Hi Guest,

Quote:
it's an MMORPG that provides a short-term 'free' account, and I don't intend on paying for an account
Hehe, I can only guess which game this is... (If it's the game I think, then I can say that I've never seen it.)

Quote:
All game executables and DLLs are heavily packed and mangled
Then I shall ask the obvious question: do you know what protector it has been protected with? (Use PEiD or similar tools.)

Quote:
but apparently the resulting (dumped) executable doesn't have a valid PE header
Well, check what's wrong with the PE header (maybe it has screwed up the NumberOfSections...).
You're saying that most PE rebuilders fail, so then I suggest looking at it with a hex editor (but then of course you need to know what you're looking at; find some tutorials about the PE header).
I think you need to try to unpack the game file itself; that should be the best option (but could be difficult).

Quote:
is if you knew of any good source code (C/C++) and/or tutorials I could learn from for programmatically doing what ImpRec does (rebuilding the IAT).
No, sorry, I don't know any tutorials or sources which explain what ImpRec is doing (well, there are tutorials which explain the import table, but that's not all you need...).
Maybe try analyzing ImpRec itself? (It's packed with UPX, so you know how to unpack it now, hehe.)

Regards,

CoDe_InSiDe