Already about the IAT... Iczelion says this in tut6 about the PE header:

The DWORD IMAGE_THUNK_DATA is the RVA which points to the IMAGE_IMPORT_BY_NAME structure.
This is true only if functions are exported by name.

But in the case where functions are exported by ordinal, the DWORD IMAGE_THUNK_DATA isn't an RVA: its MSB is set to 1 (to indicate import by ORDINAL) and its low WORD is its ORDINAL number (the Hint parameter).

- First:
With W32Dasm I have:

Import Module 003: COMCTL32.dll
Addr:80000011 hint(0011) Name: InitCommonControls
Addr:80000006 hint(0006) Name: CreateStatusWindowA

But in reality, with a small piece of code, I get for the two functions:


What is important, the bit or the word? Can I destroy the high bit of the word, or is it essential?

My objective is that I would like to map the original IAT into another section (idata2) where I could append other functions and even DLL names to make an interesting reverse tool.
So knowing whether I must put 0011 or 5011 is important.

- Second:

In the case of export by name, I can find the name... OK.
But by ORDINAL? Where can I find it?
Posted on 2002-01-20 18:32:15 by Morgatte
For import by ordinal, you could theoretically use bit16 to bit30 I guess.
But I wouldn't do that, it might break compatibility. I think you need
all of bit0-15 for the ordinal though. Best not to mess too much around,
and definitely never touch stuff marked as "reserved". This is especially
important wrt reserved bits in IA32 control registers, but that's
a completely different story.

It sounds to me as if you're perhaps confusing the hint of an IMAGE_IMPORT_BY_NAME
with the ordinal value when BIT31 is set? The "hint" on I_B_N is just that -
a hint. If your linker sets it, it's set to the ordinal of the function on
*your* system. On systems with the same DLL version, it means the loader can
skip searching through the whole export table. But it's only a hint - the name
is still available so if the hint didn't match, you can search the whole export table.

As for ordinals... sometimes functions are only exported by ordinal, and
then you can't get a name. Sometimes normal functions (with a name available)
are *imported* by ordinal, and then it is possible to look up the name (assuming
of course the ordinal number is the same on your DLL version as the version the
app was linked against). You do this by searching the export table of the DLL
until you find a function that has the ordinal you're looking for.
Posted on 2002-01-20 18:50:20 by f0dder
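As an added example (not code from this thread or from Iczelion's tutorial), here is how an analyst decodes 32-bit IMAGE_THUNK_DATA entries the way f0dder describes: bit 31 selects import by ordinal with the ordinal in the low WORD, otherwise the DWORD is the RVA of an IMAGE_IMPORT_BY_NAME (WORD hint plus name), and a name for an ordinal import is recovered by walking the DLL's export directory. The image is a constructed flat buffer where RVA equals offset, standing in for a loaded COMCTL32.dll with the two ordinals from the W32Dasm listing above; the export layout and which names sit at which ordinals are my assumptions.

```python
import struct
IMAGE_ORDINAL_FLAG32 = 0x80000000  # bit 31 of a 32-bit IMAGE_THUNK_DATA
SAMPLE_THUNKS = [0x00000200, 0x80000006, 0x80000007]  # constructed import lookup table

def classify_thunk(thunk):
    """One import lookup-table entry: import by ordinal, or RVA of an IMAGE_IMPORT_BY_NAME."""
    if thunk & IMAGE_ORDINAL_FLAG32:
        return ("ordinal", thunk & 0xFFFF)  # low WORD carries the ordinal; bits 16-30 are unused
    return ("name", thunk)                  # bit 31 clear: the whole DWORD is a plain RVA

def cstr(image, rva):
    return bytes(image[rva:image.index(b"\x00", rva)]).decode("ascii")

def read_import_by_name(image, rva):
    """IMAGE_IMPORT_BY_NAME: WORD Hint followed by a NUL-terminated function name."""
    hint, = struct.unpack_from("<H", image, rva)
    return hint, cstr(image, rva + 2)

def resolve_ordinal(image, export_rva, ordinal):
    """Search the export directory's name/ordinal arrays; None if exported by ordinal only."""
    f = struct.unpack_from("<IIHHIIIIIII", image, export_rva)  # IMAGE_EXPORT_DIRECTORY
    base, num_names, names_rva, name_ords_rva = f[5], f[7], f[9], f[10]
    index = ordinal - base  # AddressOfNameOrdinals stores indexes without the Base bias
    for i in range(num_names):
        if struct.unpack_from("<H", image, name_ords_rva + 2 * i)[0] == index:
            return cstr(image, struct.unpack_from("<I", image, names_rva + 4 * i)[0])
    return None

def build_sample_image():
    """Constructed flat image (RVA == offset), a stand-in for a loaded COMCTL32.dll."""
    img = bytearray(0x400)
    img[0x160:0x174] = b"CreateStatusWindowA\0"  # assumed exported as ordinal 6 (index 5)
    img[0x180:0x193] = b"InitCommonControls\0"   # assumed exported as ordinal 17 (index 16)
    img[0x140:0x148] = struct.pack("<II", 0x160, 0x180)  # AddressOfNames
    img[0x150:0x154] = struct.pack("<HH", 5, 16)         # AddressOfNameOrdinals
    img[0x100:0x128] = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, 20, 2, 0, 0x140, 0x150)
    img[0x200:0x215] = struct.pack("<H", 0x0011) + b"InitCommonControls\0"  # IMAGE_IMPORT_BY_NAME
    return img

def describe_imports(image, thunks, export_rva=0x100):
    out = []
    for t in thunks:
        kind, value = classify_thunk(t)
        if kind == "name":
            hint, name = read_import_by_name(image, value)
            out.append(f"by name: {name} (hint {hint:#06x})")
        else:
            name = resolve_ordinal(image, export_rva, value)
            out.append(f"by ordinal {value}: {name or 'no exported name'}")
    return out
```

The third thunk shows the case f0dder mentions where a function is exported by ordinal only, so no name can be recovered from the export table.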

Just exercise a little caution here, this forum will not tolerate any cracking or reversing based code or information.

My objective is that I would like to map the original IAT into another section (idata2) where I could append other functions and even DLL names to make an interesting reverse tool.

If this is the direction you are heading, please keep any posts of this type out of this forum as they will be removed if they appear.


Posted on 2002-01-20 22:40:06 by hutch--
Yes, I understand your point of view about cracking, and even about reversing (if one begins, others could do more).

But I don't consider Reverse=Cracking.
Reversing is only to improve some apps, like adding a new function to them, such as printing. (It's a game. One app per month for a challenge. In fact, even afterwards we don't use the app, we don't make a patch (really never), we only explain the behaviour between us, for learning.)

But OK, I understand.
Posted on 2002-01-21 03:58:26 by Morgatte