Magicmida icon indicating copy to clipboard operation
Magicmida copied to clipboard
verified publisher icon Hendi48

OriginalFirstThunk not created

Open leecher1337 opened this issue 8 months ago • 3 comments

MagicMida doesn't generate an OriginalFirstThunk entry when reconstructing the IAT. This leads to a problem when starting some dumped executables. Even though it is valid to leave it NULL, as soon as the loader tries to resolve an already resolved function in the IAT, it crashes with a message that the original procedure entry point cannot be found and points to a weird name, as it interprets the IMAGE_THUNK_DATA as if it would be a pointer to AddressOfData whereas it is already resolved as Function leading to a misinterpretation of the thunk data. Therefore it is advisable to create such an entry that must not point to FirstThunk data but to a copy of the table.

As I wrote my last Pascal-Program over 25 years ago in Borland Turbo Pascal 7, I doubt that I would be able to do a pull request with a fix, sorry.

leecher1337 avatar May 12 '25 21:05 leecher1337