376408384, posted October 7, 2012: Hi SupperCRacker, there is something wrong when fixing the dumped file. I set the IAT address RVA manually ("Add new section" unchecked). I press the "fix dump" button and choose the dumped file; IF cannot create the fixed file and does not show the message box.
yangkaiyin, posted October 8, 2012: No, it's not wrong. When I use IF to dump the file there is nothing wrong, but when I use it to fix the import table something goes wrong, that is: IF can't get GetModuleHandleA... I wish you would update IF and fix the bug.

Explanation of the errors when unpacking Themida (without WinLicense, traps or self-checks): it is either the script or a settings problem in LordPE-Deluxe or ImportREC. (1. Usually you find the IAT with a script or by hand; only when it really cannot be found, or the script log has no record of it, do you use ImportREC's automatic get-API function. Themida 1.8.2.0 is an example: the APIs ImportREC fetched were missing the GetModuleHandleA function under kernel32, so the fix went wrong. Solution: because kernel32 (including kernel32.GetModuleHandleA) is called from the Windows installation directory, when fixing with ImportREC you can directly cut part or all of kernel32's functions, or find the API in OllyDbg. (Every function a program calls at runtime first calls the APIs in the system installation directory, so once you find an API function that cannot be fetched, or whose fix is wrong or fails, you can directly delete it (the corresponding function). But this takes time to test and you run into many problems. This kernel32.GetModuleHandleA can be called a bug in ImportREC's automatic IAT search that even the current 2010 version has not solved, but it can still be solved by hand.) Appendix: another possible reason ImportREC cannot fetch it is that the system core DLL kernel32.dll is infected by a virus; since replacing it is hard, I did not test that. In short, the solutions: 1. Delete part or all of kernel32's APIs. 2. Manually add the API's RVA and size.
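The post above describes what ImportREC does when it rebuilds imports from a dump (resolve each IAT slot against the export tables of the loaded modules, group the slots into per-module blocks, and leave the user to cut or hand-fix any slot it cannot resolve, such as the GetModuleHandleA case). The following Python script is an added example that is not from the thread, from ImportREC or from IF; it reproduces that resolution step on a constructed 32-bit IAT so the "unresolved slot" failure mode is visible. The image base, IAT RVA, export addresses and the redirected slot value are all made up for the example, and the export map stands in for walking real module export directories.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# All values below are constructed for illustration; they are not taken from a real
# dump or from a real kernel32/user32 export table.
IMAGE_BASE = 0x00400000
IAT_RVA = 0x00002000

# Constructed "export table": absolute address -> (module, export name).
# In a real tool this comes from walking the export directories of the loaded modules.
EXPORTS: Dict[int, Tuple[str, str]] = {
    0x7C80B731: ("kernel32.dll", "GetModuleHandleA"),
    0x7C801D7B: ("kernel32.dll", "LoadLibraryA"),
    0x7C80AE30: ("kernel32.dll", "GetProcAddress"),
    0x77D5072E: ("user32.dll", "MessageBoxA"),
}

# Constructed 32-bit IAT as it would sit in a dumped image: one slot per import and
# a zero slot between modules. The first slot no longer points into kernel32 (the
# packer redirected it into its own stub), which is the "cannot get
# GetModuleHandleA" situation described in the thread.
IAT_BYTES = struct.pack(
    "<6I",
    0x00A31040,  # redirected slot: matches no known export
    0x7C801D7B,  # kernel32.LoadLibraryA
    0x7C80AE30,  # kernel32.GetProcAddress
    0x00000000,  # end of kernel32 block
    0x77D5072E,  # user32.MessageBoxA
    0x00000000,  # end of user32 block
)


@dataclass
class IatSlot:
    rva: int               # RVA of the slot inside the dumped image
    value: int             # pointer stored in the slot
    module: Optional[str]  # None when the pointer matched no known export
    name: Optional[str]


def parse_iat(iat_bytes: bytes, iat_rva: int,
              exports: Dict[int, Tuple[str, str]],
              ptr_size: int = 4) -> List[Optional[IatSlot]]:
    """Read every slot of a dumped IAT and resolve it against the export map.
    A zero slot is kept as None so the module boundaries survive."""
    fmt = "<I" if ptr_size == 4 else "<Q"
    slots: List[Optional[IatSlot]] = []
    for off in range(0, len(iat_bytes) - ptr_size + 1, ptr_size):
        (value,) = struct.unpack_from(fmt, iat_bytes, off)
        if value == 0:
            slots.append(None)
            continue
        module, name = exports.get(value, (None, None))
        slots.append(IatSlot(iat_rva + off, value, module, name))
    return slots


def group_by_module(slots: List[Optional[IatSlot]]) -> List[List[IatSlot]]:
    """Split the flat slot list into per-module blocks, as ImportREC's tree shows them."""
    blocks: List[List[IatSlot]] = []
    current: List[IatSlot] = []
    for s in slots:
        if s is None:
            if current:
                blocks.append(current)
            current = []
        else:
            current.append(s)
    if current:
        blocks.append(current)
    return blocks


def unresolved(slots: List[Optional[IatSlot]]) -> List[IatSlot]:
    """Slots whose pointer matched no export: the ones to cut or to fix by hand."""
    return [s for s in slots if s is not None and s.module is None]


def iat_size(slots: List[Optional[IatSlot]], ptr_size: int = 4) -> int:
    """Size in bytes to enter next to the IAT RVA, terminator slots included."""
    return len(slots) * ptr_size


def report(slots: List[Optional[IatSlot]]) -> List[str]:
    """One line per slot, with a module separator after each block."""
    lines = []
    for block in group_by_module(slots):
        for s in block:
            label = f"{s.module}!{s.name}" if s.module else "UNRESOLVED"
            lines.append(f"rva={s.rva:08X} ptr={s.value:08X} {label}")
        lines.append("--")
    return lines


if __name__ == "__main__":
    slots = parse_iat(IAT_BYTES, IAT_RVA, EXPORTS)
    print(f"IAT RVA={IAT_RVA:08X} size={iat_size(slots):X}")
    print("\n".join(report(slots)))
    for s in unresolved(slots):
        print(f"needs manual fix: slot {s.rva:08X} -> {s.value:08X}")
```

Run as-is it lists the two resolved kernel32 slots and the user32 slot, and flags the redirected first slot as unresolved together with its RVA; that RVA and the total size are the two values the post says have to be entered by hand when the automatic search fails. Cutting the unresolved slot, as the post suggests, only removes it from the rebuilt import descriptors; the slot itself stays in the IAT, so any code that still reads it will crash unless the pointer is fixed separately.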
Dragon Palace, posted October 16, 2012: yangkaiyin, this is not a Chinese forum, please reply in English.
Liquor, posted January 21, 2013: yangkaiyin, this is not a Chinese forum, please reply in English. Is your reverse engineering very famous in China?