Hi:

Can somebody just point me some good tuts on how to manually locate the start and end of IAT entries? I do use RV regularly and everything is fine but just curious to know how to find IAT entries manually.

BTW, I've tried searching the board and couldn't find anything useful.

Would be grateful for some tips,

Signed,
-- FoxThree

rv does this :

find the first call to an api , if yes fetches the pointer , then look at the pointer's table. that's the iat entries.

Ther are many ways....

1. Run the real program and set a breakpoint on some API that you know it will break... F12 to locate the call and then follow the call the jump table...

2. Open the hex dump and search for some common API address n reversed order... you will find the IAT..

3. Open the search dump with Hex Work Shop, search for "FF 25" and when you see lots of founds that are 6 bytes apart.. that is the jump table...

4. disassemble the dump file with W32dasm and keep pressing PageDown until you see a straight column aligned to the left whizzing by your eyes... that is probably teh jump table :>>>

Hope that helps...

Hi binh81:

Thanks a lot for your post. I'm gonna archive this one ;-)

Signed,
-- FoxThree