XX - SKE
Second Part. The IAT. Tools: OllyDbg v1.10, OllyScript v0.92 by Shag, Hex Workshop, ImpRec (Import REConstructor) 1.6, Excel, OllyDump v2.20.108, the ASProtect 1.22 tracer plugin for ImpRec. Having finished the stage of obtaining the Init Table, we now turn to repairing the Import Address Table and the jumps into it. We will use a mixture of methods; let's begin, or rather, continue.
We load Olly, remove any hardware breakpoints that may have been left behind, untick all the exceptions, run the exceptions script and we are at the OEP. Let's look at the memory.
There it is. We select the line at 401218, look at the additional information Olly shows for it and follow that address in the dump.
We will use a variation of the method of our friend OtupAtpaxa, who discovered a small graft that fixes all the calls correctly. With Olly stopped where it is, we open ImpRec.
We fill in the data: RVA = 5681B8 - 400000 = 1681B8; Size = 5689D0 - 5681B8 = 818, and we give it a little extra, 820.
OEP = the one that is already there by default. We click Show Invalid, select any one entry and choose Plugin Tracers / Asprotect 1.22.
Well
Let's mark a few entries to see who writes them, and set a memory breakpoint on write.
It is a loop; we skip it as always: BP below the conditional jump, remove the memory BP, F9, remove the BP, and set the memory BP on write again on the bytes we are investigating. Up to here.
We trace up to here.
The registries.
Now we watch ESI and EDI. When ESI is 0000000A, EDI holds the ASCII value that writes the correct value into the table. We keep tracing a little, watching this address: execution always passes this way for every value in the table, so it has something to do with it. We set a hardware BP on execution at this address.
Let's keep watching the registers. When ESI is 0000008B it also writes correct values.
With this we know what to do: if ESI is 0A or 8B, do nothing; otherwise force it to be 8B. (We reach this conclusion because when it is 0A instead of 8B it does not work.)
ASProtect's CRC check detects us and stops the program's execution. But did it work? Let's see.
Yes! In perfect state.
But we still have a small detail left. Remember that at the beginning ImpRec found 2 IAT entries that were GetProcAddress; let's check them. 16820C + 400000 = 56820C
We see it is wrong: it points to another API. We fix it, obtaining the correct address with Olly's command bar.
Good, all ready. We select the whole table and do Binary > Copy.
And with Hex Workshop / Paste Special we save it as gold ingot number 2.
We are halfway now. We still have to repair the jumps into the IAT.
We will use ZettK's method; truthfully, his method is brilliant. As I mentioned between the lines, before reading ZettK's and OtupAtpaxa's methods I did it by hand. Thanks for sharing your discoveries, friends. Let's go to the OEP.
What we need are the addresses, but in byte-reversed (little-endian) form: 00401228 = 28124000. We use the Excel functions MID (extract) and CONCATENATE. In column B we extract two characters from position 1.
We copy the formula down to all the cells until the end.
In column C we extract two characters from position 3 and copy the formula to the end.
In column D, two characters from position 5, copied to the end.
And finally the same in column E, two characters from position 7. Concatenating the columns in reverse order (E, D, C, B) gives 28124000 for 00401228.
We enter with F7 and continue tracing with F8 up to the next CALL.
We enter with F7 and keep tracing slowly with F8, watching the registers, and arrive here.
As ZettK describes perfectly, this is the address in the IAT through which the program originally had to jump, instead of making the CALL 0F40000. We set a hardware BP on execution at 0CB5C91.
We need to set up ZettK's script to repair the jumps. We restart Olly, leave the hardware BP we had set, and reach the OEP. We look for a free zone: at 566B80 there is one, and another at 567000. We copy the addresses we saved in the Excel sheet and paste them at 566B80; they end at 566D14.
The final table will be at 567000 and the bad calls begin at 566B80. We go to the dump where the IAT is,
we open the IAT we saved with Hex Workshop and paste it in the correct place.
Now we can run the script. We remove the memory BP and run the script.
Indeed, it saves the address where the jump must go and, next to it, the entry of the correct IAT through which it must jump. We copy (Binary Copy) and save it with Hex Workshop / Paste Special.
We restart Olly, remove all BPs if any remain, and return to the OEP. Now we must paste, in the correct places, the INIT TABLE (55F4C4 - 55F9C8), the IAT (5681B8 - 5689D4) and the new jumps (from 567000 onward; we saved them last).
Init Table.
IAT.
We go to an empty zone to write the graft that repairs the jumps. We look at 567357; there is nothing there, so we go and write it there.
The data: at 567359, the address where the new jumps are; at 567361, the start of the IAT; 5689D4, the end of the IAT. We go to 567359 and do New Origin Here; we set a BP at 567393 so that it stops once finished. Remember to remove the memory BP.
Yes, perfect! All the applause to ZettK. Now we are ready to dump and repair the table. First we must remove the BP and remove the graft (Undo selection).
Now we change to the true OEP which, if you remember, is below the INIT TABLE.
We will finish the unpacking in the final part: stolen code. We have already passed the worst of it.
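The two mechanical steps of the repair above (the little-endian reordering done in Excel, and the graft that walks a table of call-site / IAT-entry pairs and rewrites each call) can also be done offline on a dump. The following is an added example written for this page; it is not ZettK's script, OtupAtpaxa's graft or any code from the tutorial. It assumes each record is a pair of dwords (call site, IAT slot), which matches what the text says the script stores side by side; it assumes every repaired site is rewritten as the 6-byte CALL DWORD PTR [slot] (opcode FF 15 plus absolute address), and that the protected form at each site is an E8 call into the stub padded with one junk byte. The image base, the section contents, the stub address and the IAT addresses are a constructed sample.

```python
import struct

IMAGE_BASE = 0x400000  # constructed sample base, same as the tutorial's module


def to_little_endian_hex(va: int) -> str:
    """00401228 -> '28124000': the reordering the Excel MID/CONCATENATE columns did."""
    return struct.pack("<I", va).hex().upper()


def imprec_params(iat_start: int, iat_end: int, image_base: int = IMAGE_BASE):
    """RVA and size that ImpRec asks for. Size is rounded up to 0x10
    (assumption: the tutorial simply rounds 0x818 up to 0x820)."""
    rva = iat_start - image_base
    size = (iat_end - iat_start + 0xF) & ~0xF
    return rva, size


class DumpImage:
    """Minimal stand-in for the dumped module: a flat buffer mapped at `base`."""

    def __init__(self, base: int, data: bytes):
        self.base = base
        self.data = bytearray(data)

    def _off(self, va: int, n: int) -> int:
        off = va - self.base
        if off < 0 or off + n > len(self.data):
            raise ValueError(f"VA {va:08X} (+{n}) is outside the image")
        return off

    def read(self, va: int, n: int) -> bytes:
        off = self._off(va, n)
        return bytes(self.data[off:off + n])

    def write(self, va: int, blob: bytes) -> None:
        off = self._off(va, len(blob))
        self.data[off:off + len(blob)] = blob


def pack_records(pairs):
    """Serialise (call_site, iat_slot) pairs as consecutive dword pairs: the layout
    assumed for the table the script leaves in the free zone."""
    return b"".join(struct.pack("<II", site, slot) for site, slot in pairs)


def unpack_records(blob: bytes):
    if len(blob) % 8:
        raise ValueError("record table length is not a multiple of 8")
    return [struct.unpack_from("<II", blob, i) for i in range(0, len(blob), 8)]


def repair_calls(img: DumpImage, records, iat_start: int, iat_end: int) -> int:
    """Rewrite every recorded call site as CALL DWORD PTR [iat_slot] (FF 15 imm32).
    A slot outside the IAT, or a site that does not hold an E8 call, aborts the
    repair instead of silently corrupting the dump."""
    patched = 0
    for site, slot in records:
        if not (iat_start <= slot < iat_end) or (slot - iat_start) % 4:
            raise ValueError(f"{slot:08X} is not a dword entry inside the IAT")
        old = img.read(site, 6)
        if old[0] != 0xE8:
            raise ValueError(f"{site:08X}: expected E8 (CALL rel32 into the stub), got {old.hex()}")
        img.write(site, b"\xFF\x15" + struct.pack("<I", slot))
        patched += 1
    return patched


def demo():
    """Constructed sample: two protected call sites, a four-entry IAT, one bad record."""
    iat_start, iat_end = 0x5681B8, 0x5681C8
    stub_va = 0x0F40000          # the CALL 0F40000 target seen in the tutorial
    code_va = 0x401228

    def protected_call(site):    # E8 rel32 into the stub + one junk byte (assumed layout)
        rel = (stub_va - (site + 5)) & 0xFFFFFFFF
        return b"\xE8" + struct.pack("<I", rel) + b"\x90"

    code = protected_call(code_va) + b"\x33\xC0" + protected_call(code_va + 8)
    img = DumpImage(code_va, code)

    table = pack_records([(code_va, 0x5681B8), (code_va + 8, 0x5681C0)])
    n = repair_calls(img, unpack_records(table), iat_start, iat_end)

    try:  # a record pointing past the IAT must be rejected, not written
        repair_calls(img, [(code_va, iat_end)], iat_start, iat_end)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "patched": n,
        "first_site": img.read(code_va, 6).hex().upper(),
        "second_site": img.read(code_va + 8, 6).hex().upper(),
        "rejected_bad_slot": rejected,
        "imprec": imprec_params(0x5681B8, 0x5689D0),
        "le_hex": to_little_endian_hex(0x00401228),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The range and opcode checks are the part worth keeping even if the record layout differs on a real target: a pair whose slot falls outside the IAT, or whose site no longer holds the protector's E8 call (for instance because the table was pasted at the wrong address), is refused rather than written, which is exactly the kind of silent corruption that makes a repaired dump crash far from the real cause.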
Rain.