The Owl
January 26th, 2001, 05:30
Quote:
I've manually unpacked a program packed with aspack,
when i run it under win 98 it works fine but when i run it in win2k i'm getting this error "the applocation failed to initialize properly (0xc0000005).click on ok to terminate the application.
|
the problem that plagues pretty much all imports rebuilders i've seen so far is that
certain system DLLs in both 9x and NT have exported APIs that have the same
RVA/VA. the problem with this is that *after* the IAT slots have been filled in by
the OS PE image loader (or PE wrapper, whoever happens to resolve the imports),
the one-to-one mapping between the imported API names (as found in the original
PE image) and the IAT slot contents is *gone* for good. any attempt to restore
API names from IAT slots will necessarily fail, what most schemes do is that they
simply resolve a given IAT slot value to the first API name (that resolves to the
given address) they find in a given DLL's export table - obviously it won't be the
correct guess all the time.
there are two ways to do this properly.
1. rebuild imports *before* this one-to-one mapping is destroyed, ie. before the
OS loader or the PE wrapper has performed the imports resolution. this requires
reverse engineering (of the various wrappers) and is not a generic method.
2. 'cure' the problem right at its root: make the colliding API addresses distinct by
changing the export tables of the DLLs in question and then use the existing tools
to reconstruct the imports from the IAT slots (this is the method icedump
implements since 6.021, although it does not work 100% yet - some win95
versions and also the tracer doesn't like it for some reason, the 6.022 release
will hopefully solve this problem).
