hi all

today i Pack the notepad.exe use aspack,then unpack it by manual.
after find the OEIP and dump out the full process ,i can run it success and donot need
repair the import table.but after use wdasm32 to dasm the dumped file i cant see any API function why?


mITRIx

Hi mitrix

the missing imports are there ! However only as a memory index in the jmp table. This means it will ONLY run on your PC due to the various dll's being loaded/relocated to different memory locations on ppl's pcs

For example in SI type 'exp GetModuleHandleA'

for my Windows 2000 SP3 it says '1B:77E83F26' for you it will be different...................

You need to use an iat convertor tool like LordPE. If you look at the IAT with such a tool you will see the memory location instead of API.

So, Rebuild PE with ' Rebuild Import Table ' option selected and your IAT is converted back to named API calls.......You could also use more advanced IAT tracers like RV/Imprec. I think later aspack2.11/2.12 hide the IAT a little

hope that helps.

Spl/\j