WW32packed program and Revirgin
LaptoniC
April 22nd, 2001, 06:50
I am trying to unpack a wwpack32'ed program named OptiPerl v3.0 (http://www.xarka.com/optiperl). I have unpacked it with trw2k. The program runs but the import table is corrupted. When I disassemble, no import function is represented. (I have changed the characteristic to code for w32dasm.) I have run Revirgin and it said the import table is corrupted, so I tried Revirgin 1.01 and found that the IAT starts at 1A3208 and ends at 1A3BC0. So I changed IAT start RVA to 1A3208 and length to 9B8. I hit the IAT resolver button. Then I put 1A3208 in the IAT RVA box and hit IAT generator. I used IT Section includer by SV and made a new exe with the dumped exe and it.bin. The exe runs again, but when I hit import functions in w32dasm only the name of the dll is shown, no function name is seen.
Any help will be appreciated.
SV
April 22nd, 2001, 13:23
Hi
To have the right function names in W32dasm, you need to have only one .idata section (the included one).
Perhaps you have another one?
Regards SV
LaptoniC
April 22nd, 2001, 16:38
I have one .idata which is from the original exe, but if I delete it the exe crashes. I guess I should change the characteristics of the other section below this. Could you look at this program?
Kayaker
April 23rd, 2001, 01:00
Hi,
I've been playing with this proggy myself for the past few days. I had just done an Icedump /PEDUMP on it, it ran OK and the Imports names were fine in PEditor. I didn't really notice the fact that W32Dasm couldn't resolve the Imports until your post. So I started comparing dumping methods a bit.
If you do a RAW dump with Icedump's /DUMP, or use the TRW Pedump, the program runs fine, but the IMAGE_THUNK_DATA array that the 1st Thunks point to contains the direct API addresses (i.e. BFF76DA8), instead of RVAs which are pointers to the ASCII names of the Imports (i.e. GetProcAddress). So you don't see the Imports listed even in PEditor, just the addresses. Not a big deal until you start looking at the disassembly.
If you use Icedump's /PEDUMP it rebuilds and appends an .idata section, but as SV mentions, there are now 2 copies of .idata. If you rename (not delete) the original .idata then W32Dasm picks up the Import module (dll) names, but not the correct individual API names. Instead of the API functions, something is pointing W32Dasm to some other area of the file and what it picks up is garbage. You can search and find where this garbage is coming from in the file, but I can't figure out why it's pointing to where it is. The PE Header pointer to the IT is correct. The "garbage" is actually coming from within the .text section.
You must be getting the same kind of thing with a Revirgin paste on top of your TRW dump. This is really curious. I've tried playing with the BSS, Reloc and TLS sections a bit (couldn't think of what else to do) but can't figure out why W32Dasm is screwing up this way. Usually if the PE Header IT pointer and the IAT are correct, it can resolve the Imports.
In any case, back to basics. The best way I found to dump and rebuild it completely is with a RAW Icedump '/DUMP ImageBase ImageSize Filename', use PEditor's Dumpfixer option to realign the file, fix the OEP, and paste a fresh Revirgin IT on the end of it. With this method W32Dasm recognizes all the Imports.
Kayaker
tsehp
April 23rd, 2001, 03:59
Quote:
LaptoniC (04-21-2001 20:50):
I am trying to unpack a wwpack32'ed program named OptiPerl v3.0 (http://www.xarka.com/optiperl). I have unpacked it with trw2k. The program runs but the import table is corrupted. When I disassemble, no import function is represented. (I have changed the characteristic to code for w32dasm.) I have run Revirgin and it said the import table is corrupted, so I tried Revirgin 1.01 and found that the IAT starts at 1A3208 and ends at 1A3BC0. So I changed IAT start RVA to 1A3208 and length to 9B8. I hit the IAT resolver button. Then I put 1A3208 in the IAT RVA box and hit IAT generator. I used IT Section includer by SV and made a new exe with the dumped exe and it.bin. The exe runs again, but when I hit import functions in w32dasm only the name of the dll is shown, no function name is seen.
Any help will be appreciated.
he he, I think I've seen the error:
you told about "Then I put 1A3208 to IAT RVA box"
what is this IAT RVA box? I only made an IT RVA box, and this IT RVA box must usually correspond to the beginning of your future (.idata) section. Just look again at the wordpad examples, you'll see the added section in the fixed wordpad.
regards,
+Tsehp