Hi All,
Tsehp has requested a public discourse on the results of beta testing of his IAT Resolver, so here are my preliminary, albeit verbose, findings. The Good, the Bad and the Ugly.
The IAT Resolver, which sports the interesting filename of revirgin.exe, comes with several files, including an Asprotected 1.1 notepad, a raw Procdump dumped version with the sections realigned, 2 text files listing the imports detected after the 1st pass at resolving (i.e. regular unencrypted addresses), and after the 2nd (attempt at resolving redirected addresses), and finally the Import Table and Import Allocation Table generated by the Resolver.
Part 1 - Win98SE
I first tried this on a Win98SE system. After loading the Asprotected notepad and using the IAT Start RVA and Length provided (IAT Start, 62e0; IAT Length, 238h) I did a first pass using the IAT Resolver. This very quickly showed the already resolved unencrypted imports for ADVAPI32.dll and GDI32.dll.
Then I chose 'Resolve Again' and within seconds the Imports for KERNEL32.dll and USER32.dll which had previously indicated 'redirected' were resolved. So far, so good ;-)
However, 2 dlls were never resolved, nor did they ever even indicate they were redirected, SHELL32.dll and COMDLG32.dll. If I tried to do a Trace, which is a further attempt to resolve unresolved imports as I understand it, on one or more of the problem imports, the blue progress bar would get to about 90% and then the program would lock up. I could CTRL-ALT-DEL and start again OK.
Doing a hex dump from the IAT in memory at 4062E0 showed that there was nothing "wrong" with the problem encrypted addresses, they just don't get resolved, aren't recognized as 'redirected', and can't be traced.
As an example, here is a portion of the resolved Import text file generated after the 2nd attempt at resolving showing the blank entries that *should* have been resolved for SHELL32.dll, as well as Tsehp's results he included as one of the files:
My Results:
64 000063E8 BFF76DD7 01F1 KERNEL32.dll GlobalLock
65 000063F0 006A156C 0000 '?????? ??????' -dumb emoticons!
66 000063F4 006A1588 0000 '?????? ??????'
67 000063F8 006A15A4 0000 '?????? ??????'
68 000063FC 006A15C0 0000 '?????? ??????'
69 00006400 006A15DC 0000 '?????? ??????'
70 00006404 006A15F8 0000 '?????? ??????'
71 0000640C BFF55591 0285 USER32.dll wsprintfA
Tsehp's Results:
64 000063E8 BFF76DDB 01F1 KERNEL32.dll GlobalLock
65 000063F0 7FD47579 0142 SHELL32.dll ShellExecuteA
66 000063F4 7FD034A7 00CD SHELL32.dll DragAcceptFiles
67 000063F8 7FD124F4 0140 SHELL32.dll ShellAboutA
68 000063FC 7FCE6CA7 00AF SHELL32.dll
69 00006400 7FD012E6 00CF SHELL32.dll DragQueryFile
70 00006404 7FD44B5D 00CE SHELL32.dll DragFinish
71 0000640C BFF55585 0284 USER32.dll wsprintfA
So I Asprotected my own copy of Win98SE Notepad using Asprotect v1.01 (file date 10/14/00) and got the exact same results. I'm not 100% sure if that version is *actually* right, you know Alexey, it's just what the version properties said.
Then I tried it with Asprotect v1.0 (file date 6/13/00) and again got the same problems with SHELL32.dll and COMDLG32.dll, but also with ADVAPI32.dll (never indicated 'redirected', locked up on Tracing).
...continued...
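An added example, not part of the original post and not the Resolver's own code: a short Python script that parses the "My Results" lines quoted above, splits them into per-DLL thunk runs, and reports the run that stayed unresolved. It assumes the columns are index, IAT slot RVA, pointer value, hint and name, and that a skipped 4-byte slot in the listing is the zero terminator between two DLLs' thunk arrays; the function names are hypothetical.

```python
import re

IAT_RVA, IAT_LEN = 0x62E0, 0x238   # IAT start and length quoted in the post

# Lines copied from the post's "My Results" listing (side remark on line 65 dropped).
LISTING = """\
64 000063E8 BFF76DD7 01F1 KERNEL32.dll GlobalLock
65 000063F0 006A156C 0000 '?????? ??????'
66 000063F4 006A1588 0000 '?????? ??????'
67 000063F8 006A15A4 0000 '?????? ??????'
68 000063FC 006A15C0 0000 '?????? ??????'
69 00006400 006A15DC 0000 '?????? ??????'
70 00006404 006A15F8 0000 '?????? ??????'
71 0000640C BFF55591 0285 USER32.dll wsprintfA
"""

# Assumed column layout: index, slot RVA, pointer value, hint, then module and name.
LINE = re.compile(r"^(\d+)\s+([0-9A-F]{8})\s+([0-9A-F]{8})\s+([0-9A-F]{4})\s*(.*)$")

def parse(listing):
    """Return one dict per listing line; name is None when no module was resolved."""
    rows = []
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        if m:
            idx, rva, ptr, _hint, rest = m.groups()
            name = rest if ".dll" in rest.lower() else None
            rows.append({"idx": int(idx), "rva": int(rva, 16),
                         "ptr": int(ptr, 16), "name": name})
    return rows

def thunk_groups(rows):
    """Split rows into runs of adjacent 4-byte slots (assumed: a gap is a null terminator)."""
    groups = [[rows[0]]]
    for prev, cur in zip(rows, rows[1:]):
        if cur["rva"] - prev["rva"] == 4:
            groups[-1].append(cur)
        else:
            groups.append([cur])
    return groups

def unresolved_report(rows):
    """For each run containing unresolved slots, report where it starts and how its pointers are spaced."""
    out = []
    for group in thunk_groups(rows):
        bad = [r for r in group if r["name"] is None]
        if bad:
            strides = sorted({b["ptr"] - a["ptr"] for a, b in zip(bad, bad[1:])})
            in_iat = all(IAT_RVA <= r["rva"] < IAT_RVA + IAT_LEN for r in bad)
            out.append({"first_rva": bad[0]["rva"], "count": len(bad),
                        "strides": strides, "in_iat": in_iat})
    return out

if __name__ == "__main__":
    print(unresolved_report(parse(LISTING)))
```

On the quoted lines this reports a single run of six unresolved slots starting at RVA 63F0, inside the stated IAT range, whose pointer values are evenly spaced 1Ch apart.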