Does anyone have a working C++ or C# code that can read IAT?

 
H4x0rBattie
Advanced Cheater
Reputation: 0

Joined: 10 Nov 2016
Posts: 58

Posted: Sun Nov 27, 2016 5:40 am

Hi. As the subject says, I need to get the IAT and its size. It would save me time if anyone can provide a source; otherwise I must code it myself.

I am working on a big project so excuse me if you think I am lazy :)

atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8516
Location: 127.0.0.1

Posted: Sun Nov 27, 2016 1:42 pm

Take a look at Scylla, it is an import reconstruction tool that is open source:
https://forum.tuts4you.com/topic/27191-scylla-imports-reconstruction-source/

_________________
- Retired.
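
For reference, the IAT location and size that a PE image's own headers declare can be read as below. This is an added example, not code from this thread or from Scylla; `IatInfo`, `declared_iat` and `make_sample` are names made up here, and the sample buffer is constructed. It reads `DataDirectory[12]` (`IMAGE_DIRECTORY_ENTRY_IAT`) with bounds checks and reports when the headers declare no IAT, which is when a tool has to search for it instead.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

struct IatInfo {
    uint32_t rva, size, ptr_size;  // DataDirectory[12] fields; pointer width 4 or 8
    uint32_t slots() const { return size / ptr_size; }
};

// Bounds-checked read; assumes a little-endian host, like the PE format itself.
template <typename T>
static bool rd(const std::vector<uint8_t>& b, size_t off, T& out) {
    if (off > b.size() || b.size() - off < sizeof(T)) return false;
    std::memcpy(&out, b.data() + off, sizeof(T));
    return true;
}

// True when the headers declare an IAT; false when the image is malformed or
// declares none, which is the case where a tool has to search for it instead.
bool declared_iat(const std::vector<uint8_t>& img, IatInfo& out) {
    uint16_t mz = 0, magic = 0;
    uint32_t lfanew = 0, sig = 0, count = 0;
    if (!rd(img, 0, mz) || mz != 0x5A4D) return false;             // "MZ"
    if (!rd(img, 0x3C, lfanew) || !rd(img, lfanew, sig) || sig != 0x4550) return false;
    const size_t opt = size_t(lfanew) + 4 + 20;  // past "PE\0\0" and IMAGE_FILE_HEADER
    if (!rd(img, opt, magic) || (magic != 0x10B && magic != 0x20B)) return false;
    const bool pe64 = (magic == 0x20B);
    const size_t dirs = opt + (pe64 ? 112 : 96);  // start of DataDirectory[]
    if (!rd(img, dirs - 4, count) || count <= 12) return false;    // NumberOfRvaAndSizes
    out.ptr_size = pe64 ? 8 : 4;
    if (!rd(img, dirs + 96, out.rva) || !rd(img, dirs + 100, out.size)) return false;
    return out.rva != 0 && out.size != 0;
}

// Constructed sample: a header-only PE32+ buffer with the given IAT directory entry.
std::vector<uint8_t> make_sample(uint32_t iat_rva, uint32_t iat_size) {
    std::vector<uint8_t> b(0x200, 0);
    auto put = [&](size_t off, uint32_t v, size_t n) { std::memcpy(&b[off], &v, n); };
    put(0, 0x5A4D, 2); put(0x3C, 0x80, 4); put(0x80, 0x4550, 4);
    const size_t opt = 0x80 + 24;
    put(opt, 0x20B, 2); put(opt + 108, 16, 4);  // PE32+ magic, NumberOfRvaAndSizes
    put(opt + 112 + 96, iat_rva, 4); put(opt + 112 + 100, iat_size, 4);
    return b;
}

int main() {
    IatInfo i{};
    return declared_iat(make_sample(0x2000, 0x180), i) && i.slots() == 48 ? 0 : 1;
}
```

The RVA is relative to the image base, so it applies directly to a mapped module; for a file on disk it still has to be translated through the section table.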
H4x0rBattie
Advanced Cheater
Reputation: 0

Joined: 10 Nov 2016
Posts: 58

Posted: Sun Nov 27, 2016 10:29 pm

atom0s wrote:
Take a look at Scylla, it is an import reconstruction tool that is open source:
https://forum.tuts4you.com/topic/27191-scylla-imports-reconstruction-source/


IAT autosearch does not seem to produce correct results in Scylla so the code must be outdated.

Well I will figure it out on my own. Thanks anyway.

atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8516
Location: 127.0.0.1

Posted: Mon Nov 28, 2016 12:43 am

Autosearch is not 100% guaranteed to work on a target. If the target is packed or protected in some manner it will more than likely fail. Scylla and ImpREC are both well-known tools in the RE community for rebuilding IATs of dumped files. It's definitely not broken or outdated.
_________________
- Retired.
Kavvman
Master Cheater
Reputation: 2

Joined: 17 Apr 2004
Posts: 316

Posted: Mon Nov 28, 2016 6:27 am

Yeah, you need to input the correct address for it to find the import. But it is not that simple with every protector; some even wrap/scramble the API calls so they aren't that simple to recreate. You need to do that manually or use ollyscripts to automate.

It's funny you blame the tool

_________________
...
H4x0rBattie
Advanced Cheater
Reputation: 0

Joined: 10 Nov 2016
Posts: 58

Posted: Sat Jan 14, 2017 11:36 am

atom0s wrote:
Autosearch is not 100% guaranteed to work on a target. If the target is packed or protected in some manner it will more than likely fail. Scylla and ImpREC are both well-known tools in the RE community for rebuilding IATs of dumped files. It's definitely not broken or outdated.


Thanks for the info. Its source helped me to understand the IAT and actually develop an autosearch feature that works even with protected games.

My code is not yet fully finished but after studying IAT for several days, I figured a way to find the correct IAT. At least for Frostbite games.

atom0s wrote:
Autosearch is not 100% guaranteed to work on a target. If the target is packed or protected in some manner it will more than likely fail. Scylla and ImpREC are both well-known tools in the RE community for rebuilding IATs of dumped files. It's definitely not broken or outdated.


It's a tricky job to write such a tool but I have one by now. I only use Scylla to fix the dump.

There is nothing wrong with its import rebuild feature. If your tool cannot detect the correct IAT due to protection, the import rebuild feature is as good as useless. Imagine someone using it who had no idea, like me. Now I do have an idea.

You need to remember that when someone uses Scylla for the first time, they probably have no idea, just as I had no idea. After I studied the code for several days I figured out what was going on there.

C++ is not my primary coding language. That's why it takes a long time for me to figure things out ...

ViZZion wrote:
Yeah, you need to input the correct address for it to find the import. But it is not that simple with every protector, some even wrap/scramble the API calls so they aren't that simple to recreate. You need to do that manually or use ollyscripts to automate.

It's funny you blame the tool


What's funny in that? I just let you know that it failed to detect the correct IAT. Is not your virus-scanner also out of date if it does not detect the latest trojan or similar?

I don't consider it as "blaming". I just told you the fact that it failed for the game I work with.

Anyway, I have a tool by now that detects a protected IAT. It's my own work, thanks to the Scylla source code and other sources I found on the internet.

From what I saw in the Scylla sources, the author of Scylla actually tried to resolve the tricks they do with IAT obfuscation.

I think he just missed the most obvious way to do it ;) Which I figured out after studying the IAT.

I may release my tool when it's ready to be released. Game devs should figure out that the tricks they do with the IAT only fool regular users.

Anyone determined can figure out their tricks. A bit of manual work is not a big deal.

atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8516
Location: 127.0.0.1

Posted: Sat Jan 14, 2017 2:32 pm

H4x0rBattie wrote:
From what I saw in the Scylla sources, the author of Scylla actually tried to resolve the tricks they do with IAT obfuscation.

I think he just missed the most obvious way to do it ;) Which I figured out after studying the IAT.

I may release my tool when it's ready to be released. Game devs should figure out that the tricks they do with the IAT only fool regular users.

Anyone determined can figure out their tricks. A bit of manual work is not a big deal.


Most tools do not, or at least try not to, hard-code fixes for specific protections, as oftentimes it can cause more harm than good. They usually leave this open to plugin developers to work on and fix externally from the main source code. There are a lot of different packers / protectors in the world, most of which do something to the IAT; coding fixes for every single one would be a complete pain in the ass for a project like Scylla to do internally.

Glad to see you kept with it and got things working like you needed instead of just giving up! :D Good luck with the rest of your tool.

_________________
- Retired.