|
|
|
|
#1
06-29-2011, 21:03
|
|||
|
|||
|
WOW
 amazing info, I really wanted to know this...few questions although 1) what the tracers (level1,2,3) in ImpREC exactly do? 2) how to find redirected api if tracers could not trace them 3) how to find the emulated APIs? thanks for the information, I never knew I would get such wonderful information in first answer. 
|
|
#2
06-29-2011, 22:59
|
|||
|
|||
|
1.) As far as I remember, lvl1 tries to find the correct API by disassmbling the code and looking for some jump to the original API. lvl2 and lvl3 single step the protector's trash code until they end up somewhere in a loaded DLLs code section, which will most likely be the correct imported function.
2.) Write some tool by hand which finds the correct APIs or prevent the protector from redirecting the imports at all (must be done somewhere deep in the protector's code, while it is still decrypting and unpacking the code). 3.) Since there are very few possible emulated APIs, they are the ones left when all other imports where rebuild. You have to manually look at them in a debugger or disassembler and guess what they do. For example, if you're running Windows 7 build 7600, the return value of GetVersion will be "0x1DB00106" (version 6, subversion 1, build 0x1DB0 (7600 decimal)). So if you see some code which does only "MOV EAX, 0x1DB00106; RET" (maybe inside of some trash code), it is likely that you've found the emulated "GetVersion" call. Last edited by Kerlingen; 06-29-2011 at 23:07.
|
 |
| Thread Tools | |
| Display Modes | |
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| One Time API Redirection Library in Delphi (x86) | chessgod101 | Source Code | 0 | 11-23-2020 00:56 |
| Dealing with IAT redirection | thomasantony | General Discussion | 4 | 03-11-2005 10:08 |
Hybrid Mode
