
Crypkey 7.1 DLL Unpack


tazBRC
March 4th, 2010, 05:48
I'm unpacking a DLL protected by Crypkey packer and what I did is the following:

1) Dumped the entire DLL, with a .text section full of int 3 (CC).
2) Found the nano table in the ck*.tmp process and created an OK .text section.
3) Merged this OK section into the dumped file.
4) Imported this .text section into the currently running process to restore the IAT.
5) Used ImpREC to restore the import table.

But here comes my problem. The import table is not redirecting to the real function address entry, for example

Code:

10017E37 |. 8B1D 2CF20210 MOV EBX,DWORD PTR DS:[<&kernel32.GetProcessHeap>]
10017E3D |. BF 94000000 MOV EDI,94
10017E42 |. 57 PUSH EDI
10017E43 |. 6A 00 PUSH 0
10017E45 |. FFD3 CALL EBX ; [GetProcessHeap


The EBX value is: 00058A68
The real GetProcessHeap Address is: 7C80AC61 in kernel32.dll

Actually, in the import table, it's written 00058A68 for this function; when I try to manually write the real address into the DLL, I get an invalid DLL file.

Anybody know how can I solve this?

Thanks in advance

disavowed
March 4th, 2010, 10:21
That looks normal. 00058A68 is the GetProcessHeap entry address in the IAT. 7C80AC61 is the address pointed to by the DWORD at 00058A68.

tazBRC
March 4th, 2010, 10:29
But it calls:
CALL EBX=CALL 00058A68
I get an error on this.

Something is missing to link the 00058A68 to 7C80AC61.

tazBRC
March 4th, 2010, 16:28
Here is the ImpREC result. The thunk RVA and thunk offset must not be the same.

http://i49.tinypic.com/2rh0175.png

See the attached files:
LMS.DLL - original file
teste.dll - dumped file with reconstructed .text section
teste.dll_ - dumped file with import table reconstructed

I attached to this post the detailed steps that I performed.

Help me to solve this issue.

Thx
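
Two things in this thread are easy to mix up: the address of an IAT slot versus the DWORD stored in it (disavowed's reply), and the thunk RVA versus the thunk file offset (the ImpREC screenshot). The following Python script is an added example for this thread, not code from any poster or from ImpREC; it builds a constructed minimal PE32 DLL in memory (one .rdata section, one import, kernel32.dll!GetProcessHeap, image base 0x10000000 chosen to match the thread), then walks the import directory the way the Windows loader does and reports, for each IAT slot, its RVA, its virtual address, its file offset, the value stored there, and what that value looks like. The classification rules (hint/name RVA, pointer into the module, absolute address with or without an INT) are my own heuristics; the layout constants of the sample file are arbitrary but self-consistent.

```python
import struct

IMAGE_BASE = 0x10000000            # constructed: same base the thread's DLL shows
SECTION_RVA, SECTION_RAW = 0x2000, 0x200


def build_sample_dll(iat_value=None, with_int=True):
    """Constructed minimal PE32 with one .rdata section importing
    kernel32.dll!GetProcessHeap. iat_value overrides the IAT slot (simulating a
    dump taken after something wrote a pointer into it); with_int=False drops
    the INT (OriginalFirstThunk = 0), as some rebuilt import tables do."""
    hintname_rva, dllname_rva = SECTION_RVA + 0x50, SECTION_RVA + 0x70
    int_rva, iat_rva = SECTION_RVA + 0x30, SECTION_RVA + 0x40
    body = bytearray(0x100)
    # IMAGE_IMPORT_DESCRIPTOR at 0x00; the null terminator descriptor at 0x14 stays zero
    struct.pack_into("<IIIII", body, 0x00, int_rva if with_int else 0, 0, 0, dllname_rva, iat_rva)
    struct.pack_into("<II", body, 0x30, hintname_rva, 0)                                   # INT
    struct.pack_into("<II", body, 0x40, hintname_rva if iat_value is None else iat_value, 0)  # IAT
    body[0x50:0x61] = struct.pack("<H", 0) + b"GetProcessHeap\0"                           # hint/name
    body[0x70:0x7D] = b"kernel32.dll\0"
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 28, IMAGE_BASE)
    struct.pack_into("<I", opt, 56, SECTION_RVA + 0x1000)        # SizeOfImage
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, SECTION_RVA, 40)        # import directory (index 1)
    sec = struct.pack("<8sIIIIIIHHI", b".rdata", len(body), SECTION_RVA,
                      len(body), SECTION_RAW, 0, 0, 0, 0, 0x40000040)
    hdr = dos + b"PE\0\0" + coff + opt + sec
    return bytes(hdr) + bytes(SECTION_RAW - len(hdr)) + bytes(body)


def parse_headers(data):
    """Return (image_base, size_of_image, import_rva, sections); PE32 only."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    import_rva = struct.unpack_from("<I", data, opt + 96 + 8)[0]
    sections = []
    for i in range(nsec):
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, max(vsize, rawsize), rawptr))
    return image_base, size_of_image, import_rva, sections


def rva_to_offset(sections, rva):
    """Thunk RVA -> thunk file offset via the section table; the two differ
    whenever a section's VirtualAddress != PointerToRawData."""
    for va, size, rawptr in sections:
        if va <= rva < va + size:
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} not backed by any section")


def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def classify_slot(stored, image_base, size_of_image, has_int):
    """Heuristic description of the DWORD found in an IAT slot."""
    if stored < size_of_image:
        return "hint/name RVA (unresolved on-disk form)"
    if image_base <= stored < image_base + size_of_image:
        return "pointer into this module (stub/trampoline, not an API)"
    if has_int:
        return "absolute address; loader will overwrite it from the INT"
    return "absolute address and no INT: loader reads it as a name RVA -> load fails"


def walk_imports(data):
    """Walk the import directory like the loader: INT gives the names (or the
    IAT itself when OriginalFirstThunk is 0), FirstThunk gives the slots."""
    image_base, size_of_image, import_rva, sections = parse_headers(data)
    out = []
    desc_off = rva_to_offset(sections, import_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc_off)
        if not (oft or name_rva or ft):
            break
        dll = read_cstr(data, rva_to_offset(sections, name_rva))
        lookup_base = rva_to_offset(sections, oft or ft)
        i = 0
        while True:
            lookup = struct.unpack_from("<I", data, lookup_base + 4 * i)[0]
            if lookup == 0:
                break
            slot_rva = ft + 4 * i
            stored = struct.unpack_from("<I", data, rva_to_offset(sections, slot_rva))[0]
            try:
                sym = (f"#{lookup & 0xFFFF}" if lookup & 0x80000000
                       else read_cstr(data, rva_to_offset(sections, lookup) + 2))
            except ValueError:            # no INT and an absolute address in the IAT
                sym = "<unresolvable name RVA>"
            out.append({"dll": dll, "symbol": sym, "slot_rva": slot_rva,
                        "slot_va": image_base + slot_rva,
                        "slot_offset": rva_to_offset(sections, slot_rva), "stored": stored,
                        "kind": classify_slot(stored, image_base, size_of_image, bool(oft))})
            i += 1
        desc_off += 20
    return out


if __name__ == "__main__":
    for variant in (build_sample_dll(), build_sample_dll(0x7C80AC61), build_sample_dll(0x7C80AC61, with_int=False)):
        for e in walk_imports(variant):
            print(f"{e['dll']}!{e['symbol']}: slot RVA {e['slot_rva']:#x} VA {e['slot_va']:#x} "
                  f"offset {e['slot_offset']:#x} stored {e['stored']:#010x} -> {e['kind']}")
```

Run it against a real DLL by replacing the constructed bytes with `open(path, "rb").read()`. The MOV in the first post loads the DWORD stored in a slot, and CALL EBX jumps to that DWORD, so what matters at run time is the value in the slot, not the slot's own address; on disk, the third variant shows why simply writing a resolved address into a slot whose descriptor has no INT produces a file the loader rejects.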

SiGiNT
March 6th, 2010, 21:24
With a plethora of tools to generate valid CrypKey licenses why bother with unpacking anything - unless you are educating yourself - just running the protected proggie and usually the keys are plainly displayed out in the open, it does take a little cognition on your part but you'll "get it".

SiGiNT

tazBRC
March 7th, 2010, 10:00
Yes, but this is not the point.
I already generated valid site code for the app, but as you said, I want to unpack this app.

The DLL performs GetProcAddress for all functions and restores the IAT; maybe I must implement this code at the DLL entry point.