pkedpker Posted March 23, 2020 (edited) I've tried all the import reconstructors: UIF (this one finds a lot of imports but is not helpful), Scylla, ImpRec, Imports Fixer 1.6, CHImpREC. None of them can get me user32.dll from my target. I rely on the IAT AutoSearch, and even if it finds it, it comes out as an invalid thunk. ImpRec 1.7f is the closest for me; it gets almost all imports, just the important ones I need are invalid. Scylla x86 v0.9.8 gets a crazy size for imports when doing IAT AutoSearch, like 0x68206c. I let it run for 2 hours, and it's missing Autotrace so it doesn't fix the invalid ones. Can someone help me and teach me how to get imports correctly? Just user32.dll will be okay, without unpacking, just a memory dump or loaded binary with correct imports for research. Can someone help? Here is my target: https://www.mediafire.com/file/7ecu5f3cxsqu7j9/test.zip/file To run the target (it's an MMORPG game) I use Locale Emulator on the Korean setting, which causes the application to pause when fully loaded. https://github.com/xupefei/Locale-Emulator/releases Edited March 23, 2020 by pkedpker
Nacho_dj Posted March 24, 2020 (edited) Did you try this one instead? Just curious about results... Best regards Nacho_dj Edited March 24, 2020 by Nacho_dj
pkedpker Author Posted March 25, 2020 Hey Nacho_dj, no luck, it's the same as all the other ImpRecs. It gets the user32.dll import but only 3 exports, not all of them, and it also gets some imports incorrectly, like CreateDirectory is BitBlt. I made a video.
Nacho_dj Posted March 25, 2020 Ok, understood. Maybe another test could do the job, who knows: If you want the tool to show ALL existing imports, you should go to options and uncheck "Referenced by code", since this option, when checked, only searches for imports when some call, jmp, push... and so on are referencing such imports. When unchecked, the tool will choose all valid imports found, independent of code... Thanks for testing! Nacho_dj
pkedpker Author Posted March 25, 2020 (edited) Hey Nacho, thanks for helping. I unchecked Referenced by Code, and the dump got 7 KB bigger: 307,526 KB instead of 307,519 KB by default. With Referenced by Code unchecked I get IAT RVA: 00009AAC, OEP: 1000 (also tried OEP: 401000, both do nothing), IAT Size: 12C25290. This puts imports in the code section when I fix the dump, so it's probably bad, and still the user32.dll imports are not complete. I tried fixing it by changing OEP to 1000 or 40100 manually (both do nothing); it still puts them in the code section. video: With Referenced by Code checked it got IAT RVA: 35EC080. When I change the IAT RVA back to 35EC080 the final size is 307,523 KB. I tried custom changing IAT RVA to 039EC000; it changes it by itself when I Search IAT to IAT RVA: 03C6DF44, and it only gets like 10-15 imports instead of like 100 the ones above get. This generates a 307,503 KB file (3 KB only). Edited March 26, 2020 by pkedpker
Nacho_dj Posted March 27, 2020 Ok, thanks for your tests, if you feel there is any feature in the tool that could be improved, just let me know... Kind regards Nacho_dj
pkedpker Author Posted March 27, 2020 Lol Nacho, it didn't work any better than my first test. I still don't know how to get the imports completely.
deepzero Posted March 27, 2020 Not sure what your goal is. The file is Themida protected, it seems. If you have problems unpacking it, post in the respective sub and detail what you did + provide your dump.
pkedpker Author Posted March 27, 2020 I don't really need to unpack it to get it running, it's just for research. I already posted in a different section; they moved it back here.