IAT help please


LaptoniC
December 27th, 2001, 18:18
I am a little bit confused about the IAT. I am working on one program whose kernel32.dll import is encrypted. However, I see kernel32.dll, its name and stuff, in the IAT, but there is no kernel32.dll entry in the import table, not even an invalid one. I know how to decrypt them; decrypting is not the problem, but I want to learn whether I can fix this import table without attaching mine. I want to learn whether the IAT is destroyed or not. Thanks.

CoDe_InSiDe
December 28th, 2001, 03:12
Hi LaptoniC,

Yes, the Import Table only consists of the User32.dll Entry.

BUT... the Import Table starts at 00007548 (Virtual/Raw Offset doesn't matter in this case). Look a little further down at Offset 00007574.
You'll see these 4 Dwords there:

7B8AFFFF = NOT this value and you'll get the RVA to the ILT for Kernel32.
FF8FFFFF = NOT this value and you'll get the RVA to the IAT for Kernel32.
04790000 = RVA to the name "Kernel32.dll"
FFFFFFFF = NOT this value and you'll get 00000000 hehe

See?
Now you can easily rebuild the Import Table, but I don't know if it's every time the same amount of Bytes behind the Import Table...?
Hmmm, ah well.... just Decrypt the API Names and make a new "Kernel32.dll" Entry behind the "User32.dll" Entry with these 4 Dwords (actually 3 Dwords, since the last one is 00000000).

Hope this helps a bit.

Cya...

CoDe_InSiDe

LaptoniC
December 28th, 2001, 18:22
Hi, thanks for your response. I know how to decrypt the names of the functions; here is the decrypt function:

decryptimport proc near ; CODE XREF: sub_40D488+Bp
CODE:00402A70 imul edx, ds:Key, 8088405h ; edx = Key * 8088405h (low 32 bits)
CODE:00402A7A inc edx ; edx = Key * 8088405h + 1
CODE:00402A7B mov ds:Key, edx ; store the new Key (LCG state)
CODE:00402A81 mul edx ; edx:eax = eax * Key (eax is the caller's input)
CODE:00402A83 mov eax, edx ; return the high dword of the product
CODE:00402A85 retn
CODE:00402A85 decryptimport endp

At first, Key is the RVA of the Kernel32.dll name. What I want to learn is whether it is possible to make a valid import by taking the NOT of the dwords you mentioned. Do the kernel32.dll imports lie in the Import Table, or should I make a new one? I am a little bit confused about it, and I saw today that I unpack without understanding some basic things.
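A Python port of the disassembled routine above, added here as an example (it is not code from the thread or from CD-Cops). It reproduces exactly what the eight instructions do: advance the 32-bit state with the multiplier 8088405h and increment 1 (the linear congruential generator Borland's Delphi uses for Random), then return the high dword of the 32x32 unsigned multiply of the caller's eax by the new Key, which is always in the range 0..eax-1. How the outputs are applied to the encrypted name bytes is not shown on the page, so this only models the generator; the starting key 0x7904 is the Kernel32.dll name RVA taken from the dword 04790000 quoted earlier in the thread.

```python
MASK32 = 0xFFFFFFFF

def decryptimport(eax, key):
    """Port of decryptimport: returns (result in eax, new Key).

    imul edx, ds:Key, 8088405h ; inc edx ; mov ds:Key, edx
    mul edx                    ; edx:eax = eax * Key (unsigned 32x32 -> 64)
    mov eax, edx               ; result is the high dword
    """
    key = (key * 0x8088405 + 1) & MASK32   # low 32 bits, same as imul's result
    product = (eax & MASK32) * key         # 64-bit product, as in mul edx
    return product >> 32, key              # high dword (edx) and updated Key


def stream(key, count, eax=0x100):
    """Call the routine `count` times with a fixed eax (0x100 gives one byte
    per call) and return the sequence of results. Using 0x100 is an assumption
    made for illustration; the thread does not say what eax the caller passes."""
    out = []
    for _ in range(count):
        value, key = decryptimport(eax, key)
        out.append(value)
    return out


# Starting key assumed from the thread: the RVA of "Kernel32.dll" (dword 04790000).
START_KEY = 0x7904

if __name__ == "__main__":
    first, new_key = decryptimport(0x100, START_KEY)
    print(f"first result {first:#x}, key after one step {new_key:#010x}")
    print("first 8 outputs:", [f"{v:#04x}" for v in stream(START_KEY, 8)])
```

The important detail for anyone porting this by hand is the `mul edx` semantics: it multiplies eax by edx into the 64-bit pair edx:eax, and the routine returns edx, so the result is bounded by the caller's eax, not by 2^32.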

CoDe_InSiDe
December 29th, 2001, 03:15
Hi LaptoniC,

Of course it's possible to make a valid Import for Kernel32, because you've got the 3 important NOT Dwords:

The ILT (Import Lookup Table)
The IAT (Import Address Table)
And the RVA to the name; that's all you need.

The IAT and ILT are also present so you don't have to create those.
The only thing you need to do is to Decrypt those API Names and make a new Kernel32.dll Entry behind the existing User32.dll Entry.
So the Kernel32.dll Entry looks like this:

84750000 00000000 00000000 04790000 00700000

Place it behind the User32.dll Entry and Decrypt the API names; then it should work.

Cya...

CoDe_InSiDe

P.S. I'd like to know if those NOT Dwords are at the same place behind the Import Table in other Protected and/or dumped files?
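The rebuild described in CoDe_InSiDe's two replies (the four dwords behind the terminator, and the resulting five-dword Kernel32.dll entry), worked through in Python as an added example; this is not code from the thread. It builds a constructed import directory with one User32.dll descriptor (its RVAs are made-up values), the all-zero terminator, and then the four dwords exactly as quoted from offset 7574h, recovers the hidden IMAGE_IMPORT_DESCRIPTOR by bitwise-NOT of the first, second and fourth dwords, and appends it in front of the terminator. The check that the fourth dword NOTs to zero is the sanity test his P.S. asks for: if another file puts something else there, the layout is different and the script refuses to guess.

```python
import struct

# IMAGE_IMPORT_DESCRIPTOR is five little-endian dwords:
# OriginalFirstThunk (ILT RVA), TimeDateStamp, ForwarderChain, Name (RVA), FirstThunk (IAT RVA)
DESCRIPTOR = struct.Struct("<5I")
FIELDS = ("OriginalFirstThunk", "TimeDateStamp", "ForwarderChain", "Name", "FirstThunk")

# Constructed User32.dll descriptor; these RVAs are assumptions, not values from the thread.
USER32_DESCRIPTOR = DESCRIPTOR.pack(0x7560, 0, 0, 0x7600, 0x7050)

# The four dwords quoted from offset 7574h, as the byte sequences listed in the thread.
TRAILING_DWORDS = bytes.fromhex("7B8AFFFF" "FF8FFFFF" "04790000" "FFFFFFFF")

# Constructed import directory: real descriptor, all-zero terminator, hidden dwords behind it.
IMPORT_DIR = USER32_DESCRIPTOR + bytes(DESCRIPTOR.size) + TRAILING_DWORDS


def parse_descriptors(blob):
    """Walk IMAGE_IMPORT_DESCRIPTOR entries until the all-zero terminator.
    Returns the entries and the offset of the terminator."""
    entries, off = [], 0
    while off + DESCRIPTOR.size <= len(blob):
        desc = DESCRIPTOR.unpack_from(blob, off)
        if not any(desc):
            break
        entries.append(dict(zip(FIELDS, desc)))
        off += DESCRIPTOR.size
    return entries, off


def recover_hidden_descriptor(blob, off):
    """Rebuild a descriptor from the 4 dwords at `off`.

    Dwords 1, 2 and 4 are stored NOT'ed (ILT RVA, IAT RVA, and a zero);
    dword 3 is the plain Name RVA. TimeDateStamp and ForwarderChain are
    zero, which is exactly what NOT FFFFFFFF yields for the last dword.
    """
    not_ilt, not_iat, name, not_zero = struct.unpack_from("<4I", blob, off)
    ilt = ~not_ilt & 0xFFFFFFFF
    iat = ~not_iat & 0xFFFFFFFF
    check = ~not_zero & 0xFFFFFFFF
    if check != 0:
        raise ValueError("fourth dword does not NOT to zero; this file's layout differs")
    return dict(zip(FIELDS, (ilt, 0, 0, name, iat)))


def append_descriptor(blob, term_off, desc):
    """Insert a packed descriptor in front of the terminator, keeping the
    terminator (and whatever follows it) intact."""
    packed = DESCRIPTOR.pack(*(desc[f] for f in FIELDS))
    return blob[:term_off] + packed + blob[term_off:]


def rebuild(blob=IMPORT_DIR):
    """Return (recovered Kernel32 descriptor, fixed import directory, entry count)."""
    entries, term_off = parse_descriptors(blob)
    hidden = recover_hidden_descriptor(blob, term_off + DESCRIPTOR.size)
    fixed = append_descriptor(blob, term_off, hidden)
    return hidden, fixed, len(parse_descriptors(fixed)[0])


if __name__ == "__main__":
    hidden, fixed, count = rebuild()
    for name in FIELDS:
        print(f"{name:19} {hidden[name]:#010x}")
    print("entries after rebuild:", count)
    print("new entry bytes:", fixed[DESCRIPTOR.size:2 * DESCRIPTOR.size].hex())
```

Run on the constructed directory, the recovered entry packs to 84750000 00000000 00000000 04790000 00700000, the same five dwords CoDe_InSiDe gives; the ILT and IAT those RVAs point to are left untouched, because, as the thread says, they are already present and only the descriptor is missing.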

LaptoniC
December 29th, 2001, 09:52
In the zip file I pasted the API names; could you show me how it can be possible?

I guess it is the same for all protected exes. I am dealing with CD-Cops again. I did a generic unpacker which works up to and including v2.04. However, sometimes CD-Cops encrypts the kernel32.dll imports and patches the exe at runtime to fill in the real import names, by decrypting the name of the function and then calling GetProcAddress. So after decryption the decrypted exe doesn't work because of the missing Kernel32.dll imports.

CoDe_InSiDe
December 30th, 2001, 07:42
Hi LaptoniC,

I rebuilt the Kernel API names according to the Text file you included in the .zip.
But I miss one API; dunno which one it is.
But also no RVA in the ILT/IAT points to that "missing" API, so uhm, who cares...
I've attached the Rebuilt File and the file works, but I get a Message Box:

"Info"
"Could not find parent"

But I don't run a Window with a name like "Akademedia" hehe
So check the file to see how I did it.
Hope this helps.

Cya...

CoDe_InSiDe

LaptoniC
December 30th, 2001, 07:52
Thanks for your help. This file will really help me.