Jump to content
Tuts 4 You

EP not set

deepzero

By deepzero
in Scylla Imports Reconstruction

Recommended Posts

deepzero

deepzero

Posted
Posted

hi,

a minor issue: when scylla is used to iat-fix a file, it will not set the OEP of the file to the value given in the "OEP:" textbox.

d. :)

ala_borbe

ala_borbe

Posted
Posted (edited)

i complained before and i got answer that it works if you dump file with scylla.. you can change oep with any pe tool manually sad.png .my guess is that you need to change the characteristics in sections before rebuilding but i have never tried it...

post #4 an on
/>http://forum.tuts4you.com/topic/27579-prove-other-import-tools-dont-work-correctly-with-win-7/

Edited by donny
Aguila

Aguila

Posted
Posted

I still think that OEP correction and iat rebuilding are two separate workflows. They don't fit together. A dump tool should fix the OEP! Probably people are used to imprec, but it is the wrong way. Why should it be required to enter an OEP to fix an IAT? It doesnt make sense.

deepzero

deepzero

Posted
  • Author
Posted

why would the dump tool fix it? as far as the pe header is concerned (both on disk and in memory) the EP is the EP of the stub, not the OEP.

The dump tool cant know the OEP. Thus, there are 3 basic steps to unpacking a packer: 1) dump 2) fix iat 3) fix OEP.

Traditionally 2) and 3) are done by the IAT fixing tool, saving people the time of adjusting the RP themselves; as usually the OEP was given to the IAT fixing tool anyways.

And even if iat address & size were entered manually, people are used to this behavior from ImpRec/chimprec/.... and i see nothing wrong with that. :)

maybe we can have an option for that?

But hey, thankfully it`s opensource, so people can enhance i themselves. :)

Aguila

Aguila

Posted
Posted (edited)

Thus, there are 3 basic steps to unpacking a packer: 1) dump 2) fix iat 3) fix OEP.

That is funny. I thought this are the steps:

1) use debugger, go to OEP

2) dump at OEP, your debugger must point to the OEP

3) fix iat, your debugger doesn't need to be at the OEP

But I will add an option to the options dialog thumbs.gif

Edited by Aguila
deepzero

deepzero

Posted
  • Author
Posted
cupidarrow.gif
ala_borbe

ala_borbe

Posted
Posted

so this was not a BUG it was a FEATURE! doh.gif great update BIG THX clap.gifclap2.gifclap.gif

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go to topic listing
×
×
  • Create New...