Problems unpacking Neolite 2.0 - Corrupt IAT Table


Postby Andrew » 07-02-2009 07:59 AM

I'm attempting to extract a Neolite 2.0 executable. I've successfully used this tutorial to unpack the EXE, which produces an unpacked exe that crashes on startup with error 0x0000005. I've also used GUnPacker to produce the same result. This tutorial from Tuts4You doesn't go into invalid IATs, and appeared to be the closest tutorial on Tuts4You to what I'm trying to accomplish.

When looking at ImpREC there are 17 invalid IAT Fthunks (73 unresolved pointers). When I dump the tree, here are the first few lines of the Fthunks:
OEP: 00081240 IATRVA: 00000000 IATSize: 00001000

FThunk: 00000000 NbFunc: 00000005
0 00000000 ? 0000 00905A4D
0 00000004 ? 0000 00000003
0 00000008 ? 0000 00000004
0 0000000C ? 0000 0000FFFF
0 00000010 ? 0000 000000B8

FThunk: 00000018 NbFunc: 00000001
0 00000018 ? 0000 00000040

FThunk: 0000003C NbFunc: 00000010
0 0000003C ? 0000 00000100
0 00000040 ? 0000 0EBA1F0E
0 00000044 ? 0000 CD09B400
0 00000048 ? 0000 4C01B821
0 0000004C ? 0000 685421CD
0 00000050 ? 0000 70207369
0 00000054 ? 0000 72676F72
0 00000058 ? 0000 63206D61
0 0000005C ? 0000 6F6E6E61
0 00000060 ? 0000 65622074
0 00000064 ? 0000 6E757220
0 00000068 ? 0000 206E6920
0 0000006C ? 0000 20534F44
0 00000070 ? 0000 65646F6D
0 00000074 ? 0000 0A0D0D2E
0 00000078 ? 0000 00000024


From what I've come to understand, having an RVA of 0 means that the IAT starts at 0, and is of 0 length. The examples in this tutorial show that the last string on each line is the process name in ASCII; however, in this dump it's all hex.

I'm really lost on what to do next, I've read numerous tutorials on this, but I can't find anything that I can follow. Could someone review where I'm at and tell me whether this unpacking attempt is better off abandoned?
Andrew
Junior Member
 
Posts: 1
Joined: 06-29-2009 04:43 AM

Re: Problems unpacking Neolite 2.0 - Corrupt IAT Table

Postby kao » 07-02-2009 12:18 PM

BiW tutorial wrote: open ImpRec and select IAT autosearch and the Get imports.

You obviously forgot to press "IAT autosearch" or it failed to find anything meaningful at that OEP (check the Log window).
In any case - learn how to use ImpRec and your problem should go away automatically.. :)
-- I'm not here anymore. See you on other forums. --
kao
Senior Member
 
Posts: 723
Joined: 12-02-2003 11:39 PM
Location: Away
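
An added example, not written by any poster in this thread: decoding the pointer values from the tree dump in the first post as little-endian bytes shows why the reply above says nothing meaningful was found. With IATRVA 00000000, the "thunks" are the image's own MZ header and DOS stub, not import pointers. The function names are hypothetical, and the entry format `0 <RVA> ? 0000 <value>` is assumed from the lines shown on this page.

```python
import re
import struct

# First lines of the ImpREC tree dump, copied from the question above.
DUMP = """\
OEP: 00081240 IATRVA: 00000000 IATSize: 00001000
FThunk: 00000000 NbFunc: 00000005
0 00000000 ? 0000 00905A4D
0 00000004 ? 0000 00000003
0 00000008 ? 0000 00000004
0 0000000C ? 0000 0000FFFF
0 00000010 ? 0000 000000B8
FThunk: 00000018 NbFunc: 00000001
0 00000018 ? 0000 00000040
FThunk: 0000003C NbFunc: 00000010
0 0000003C ? 0000 00000100
0 00000040 ? 0000 0EBA1F0E
0 00000044 ? 0000 CD09B400
0 00000048 ? 0000 4C01B821
0 0000004C ? 0000 685421CD
0 00000050 ? 0000 70207369
0 00000054 ? 0000 72676F72
0 00000058 ? 0000 63206D61
0 0000005C ? 0000 6F6E6E61
0 00000060 ? 0000 65622074
0 00000064 ? 0000 6E757220
0 00000068 ? 0000 206E6920
0 0000006C ? 0000 20534F44
0 00000070 ? 0000 65646F6D
0 00000074 ? 0000 0A0D0D2E
0 00000078 ? 0000 00000024
"""

ENTRY = re.compile(r"^0\s+([0-9A-F]{8})\s+\?\s+0000\s+([0-9A-F]{8})$")  # unresolved slot

def slots(dump):
    """Map each unresolved slot's RVA to the 4 bytes stored there (little-endian)."""
    hits = (ENTRY.match(line.strip()) for line in dump.splitlines())
    return {int(m[1], 16): struct.pack("<I", int(m[2], 16)) for m in hits if m}

def diagnose(dump):
    """Check whether the range ImpREC treated as the IAT is the PE header at RVA 0."""
    mem = slots(dump)
    stub = b"".join(mem.get(rva, b"\0" * 4) for rva in range(0x40, max(mem, default=0) + 4, 4))
    return {
        "mz_signature": mem.get(0, b"")[:2] == b"MZ",              # IMAGE_DOS_HEADER.e_magic
        "e_lfanew": int.from_bytes(mem.get(0x3C, b""), "little"),  # offset of the PE header
        "stub_text": "".join(chr(b) for b in stub if 32 <= b < 127),
    }
```

For this dump, `diagnose(DUMP)` reports the MZ signature at RVA 0, an `e_lfanew` of 0x100, and stub text containing "This program cannot be run in DOS mode.", so the 0x1000-byte range being scanned is the header page rather than an import table.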

Re: Problems unpacking Neolite 2.0 - Corrupt IAT Table

Postby H_T_P » 01-29-2010 06:51 PM

Can I see the packed executable you are talking about? I am sure the solution is pretty easy since Neolite is easy to unpack.
H_T_P
Junior Member
 
Posts: 2
Joined: 01-29-2010 06:47 PM

Re: Problems unpacking Neolite 2.0 - Corrupt IAT Table

Postby Zero » 02-08-2010 01:37 PM

no upload or link of any target here at this board please!
The dark side of the force is the pathway to many abilities, some considered to be unnatural
Is it possible to learn this power?
Not from a Jedi...
Zero
Admin
 
Posts: 4207
Joined: 02-28-2002 05:25 PM
Location: The Matrix

