H4x0rBattie Advanced Cheater Reputation: 0
Joined: 10 Nov 2016 Posts: 58
Posted: Sun Nov 27, 2016 5:40 am Post subject: Does anyone have a working C++ or C# code that can read IAT?
Hi. As the subject says, I need to get the IAT and its size. It would save my time if anyone can provide a source, otherwise I must code it myself.
I am working on a big project, so excuse me if you think I am lazy.
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8517 Location: 127.0.0.1
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8517 Location: 127.0.0.1
H4x0rBattie Advanced Cheater Reputation: 0
Joined: 10 Nov 2016 Posts: 58
Posted: Sun Nov 27, 2016 10:29 pm Post subject:
IAT autosearch does not seem to produce correct results in Scylla so the code must be outdated.
Well I will figure it out on my own. Thanks anyway.
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8517 Location: 127.0.0.1
Posted: Mon Nov 28, 2016 12:43 am Post subject:
Autosearch is not 100% guaranteed to work on a target. If the target is packed or protected in some manner it will more than likely fail. Scylla and ImpRECT are both well-known tools in the RE community for rebuilding IATs of dumped files. It's definitely not broken or outdated.
- Retired.
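Added example, not code from any poster in this thread or from Scylla: the header-declared IAT address and size that the opening post asks about is data directory entry 12 (IMAGE_DIRECTORY_ENTRY_IAT) of the PE optional header, and a size of 0 there means the headers declare no IAT, so it has to be located some other way. `IatDir`, `read_iat_directory` and `make_sample` are hypothetical names, and the sample header is constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// parsed: headers were valid and entry 12 exists; size == 0: no IAT declared.
struct IatDir { bool parsed; uint32_t rva; uint32_t size; };

// Bounds-checked little-endian read of n (<= 4) bytes at off.
static bool rd(const std::vector<uint8_t>& b, size_t off, size_t n, uint32_t& out) {
    if (off > b.size() || n > b.size() - off) return false;
    out = 0;
    for (size_t i = 0; i < n; ++i) out |= uint32_t(b[off + i]) << (8 * i);
    return true;
}

// Returns data directory entry 12 (IMAGE_DIRECTORY_ENTRY_IAT) of a PE file image.
IatDir read_iat_directory(const std::vector<uint8_t>& img) {
    const IatDir bad = {false, 0, 0};
    uint32_t mz, lfanew, sig, magic, count, rva, size;
    if (!rd(img, 0, 2, mz) || mz != 0x5A4D) return bad;             // "MZ"
    if (!rd(img, 0x3C, 4, lfanew)) return bad;                      // e_lfanew
    if (!rd(img, lfanew, 4, sig) || sig != 0x00004550) return bad;  // "PE\0\0"
    const size_t opt = size_t(lfanew) + 24;          // skip signature + COFF header
    if (!rd(img, opt, 2, magic)) return bad;
    size_t dirs;                                     // start of DataDirectory[]
    if (magic == 0x10B) dirs = opt + 96;             // PE32
    else if (magic == 0x20B) dirs = opt + 112;       // PE32+
    else return bad;
    if (!rd(img, dirs - 4, 4, count) || count <= 12) return bad;    // NumberOfRvaAndSizes
    if (!rd(img, dirs + 96, 4, rva) || !rd(img, dirs + 100, 4, size)) return bad;
    const IatDir ok = {true, rva, size};
    return ok;
}

// Constructed sample: headers only, no sections (not a real binary).
std::vector<uint8_t> make_sample(uint16_t magic, uint32_t rva, uint32_t size) {
    std::vector<uint8_t> b(0x200, 0);
    auto put = [&b](size_t off, uint32_t v, int n) {
        for (int i = 0; i < n; ++i) b[off + i] = uint8_t(v >> (8 * i));
    };
    put(0, 0x5A4D, 2); put(0x3C, 0x80, 4); put(0x80, 0x4550, 4);
    const size_t opt = 0x80 + 24, dirs = opt + (magic == 0x20B ? 112 : 96);
    put(opt, magic, 2); put(dirs - 4, 16, 4);
    put(dirs + 96, rva, 4); put(dirs + 100, size, 4);
    return b;
}

int main() {
    IatDir d = read_iat_directory(make_sample(0x20B, 0x3000, 0x1C8));
    std::printf("parsed=%d rva=0x%X size=0x%X\n", d.parsed, unsigned(d.rva), unsigned(d.size));
    return d.parsed ? 0 : 1;
}
```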
Kavvman Master Cheater Reputation: 2
Joined: 17 Apr 2004 Posts: 316
Posted: Mon Nov 28, 2016 6:27 am Post subject:
Yeah, you need to input the correct address for it to find the import. But it is not that simple with every protector; some even wrap/scramble the API calls so they aren't that simple to recreate. You need to do that manually or use ollyscripts to automate.
It's funny you blame the tool.
...
H4x0rBattie Advanced Cheater Reputation: 0
Joined: 10 Nov 2016 Posts: 58
Posted: Sat Jan 14, 2017 11:36 am Post subject:
atom0s wrote: | Autosearch is not 100% guaranteed to work on a target. If the target is packed or protected in some manner it will more than likely fail. Scylla and ImpRECT are both well-known tools in the RE community for rebuilding IATs of dumped files. It's definitely not broken or outdated. |
Thanks for the info. Its source helped me to understand IAT and actually develop an autosearch feature that works even with protected games.
My code is not yet fully finished but after studying IAT for several days, I figured out a way to find the correct IAT. At least for Frostbite games.
atom0s wrote: | Autosearch is not 100% guaranteed to work on a target. If the target is packed or protected in some manner it will more than likely fail. Scylla and ImpRECT are both well-known tools in the RE community for rebuilding IATs of dumped files. It's definitely not broken or outdated. |
It's a tricky job to write such a tool but I have one by now. I only use Scylla to fix the dump.
There is nothing wrong with its import rebuild feature. If your tool cannot detect the correct IAT due to protection, the import rebuild feature is as good as useless. Imagine someone using it who had no idea, like me. Now I do have an idea.
You need to remember that when someone uses Scylla for the first time, they probably have no idea, just as I had no idea. After I studied the code for several days I figured out what is going on there.
C++ is not my primary coding language. That's why it takes a long time for me to figure things out ...
ViZZion wrote: | Yeah, you need to input the correct address for it to find the import. But it is not that simple with every protector; some even wrap/scramble the API calls so they aren't that simple to recreate. You need to do that manually or use ollyscripts to automate.
It's funny you blame the tool. |
What's funny in that? I just let you know that it failed to detect the correct IAT. Isn't your virus scanner also out of date if it does not detect the latest trojan or similar?
I don't consider it as "blaming". I just told you the fact that it failed for the game I work with.
Anyway I have a tool by now that detects a protected IAT. It's my own work, thanks to the Scylla source code and other sources I found on the internet.
From what I saw in the Scylla sources, the author of Scylla actually tried to resolve the tricks they do with IAT obfuscation.
I think he just missed the most obvious way to do it, which I figured out after studying IAT.
I may release my tool when it's ready to be released. Game devs should figure out that the tricks they do with IAT only fool regular users.
Anyone determined can figure out their tricks. A bit of manual work is not a big deal.
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8517 Location: 127.0.0.1