
Using original .idata instead of creating new section


doctorow
August 22nd, 2003, 08:57
Hello,

I have successfully unpacked a svkp protected application, including working imports etc. I used ImpRec 1.6 Final to do the import job.

Now, when I select to add the import infos to a new section, the unpacked target runs fine.

On the other hand, when I select to add the import infos to the existing .idata section of my unpacked target file (I made sure that .idata is big enough (physical+virtual) to hold the data), the file cannot be started in Windows (0xc00000005).

I also made sure that characteristics of .idata is set to e0000020.

Any suggestions what I am doing wrong here?

Appreciate your help.

nikolatesla20
August 22nd, 2003, 09:53
Even though you told ImpREC to add the data into an already existing section, did you check to make sure it changes the Import Table RVA in the header to the right value?

Also, a good way to check things out is to use LordPE or PEditor (my preference) to look at the import table. Does it look ok? Or are there screwy characters - which would mean some offsets got messed up. Another thing, you DO NOT want to insert the import table where the FIRST THUNKS are going to be, because it will get all hosed up by trying to overwrite itself. In short, it's very risky to insert the table ImpREC builds for you into the original .idata section because you might not be sure where the first thunks are. These are the DWORDs that get overwritten by the Windows loader with addresses. If you accidentally insert the IAT table in the same area, you'll corrupt your own table. You would have to look at it more deeply, to make sure where the first thunks begin and end, so you can insert the new IAT somewhere where it won't screw them up. Not sure if this is what's happening to you, but it's an idea to check for.

A good thing to do is to open it up in LordPE or PEditor like I said, or even Visual C++'s Dependency Walker, to make sure the table works statically (that other programs see it as valid).

-niko
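The overlap niko describes (rebuilt descriptors, OriginalFirstThunk arrays or DLL names landing on the FirstThunk DWORDs that the loader overwrites) can be checked mechanically. The following is an added example, not code from the thread or from ImpREC: it parses a PE32 import directory out of a flat buffer indexed by RVA (a simplification standing in for one mapped section) and reports which written ranges collide with a FirstThunk array. `build_image` constructs a tiny single-import table for demonstration; it is not a real PE file.

```python
import struct

# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
DESC = struct.Struct("<IIIII")

def thunk_range(image, rva):
    """Byte range of a NULL-terminated 32-bit thunk array starting at rva."""
    end = rva
    while struct.unpack_from("<I", image, end)[0] != 0:
        end += 4
    return (rva, end + 4)

def cstr_range(image, rva):
    """Byte range of a NUL-terminated string at rva, terminator included."""
    return (rva, image.index(b"\0", rva) + 1)

def iat_overlaps(image, import_rva):
    """Pairs (written, iat) where data a rebuilder writes (descriptor array,
    OriginalFirstThunk arrays, DLL names) overlaps a FirstThunk array, i.e. the
    DWORDs the Windows loader overwrites with resolved addresses.
    Hint/name entries are not range-checked here (kept short on purpose)."""
    descs, off = [], import_rva
    while any(DESC.unpack_from(image, off)):      # all-zero descriptor ends the array
        descs.append(DESC.unpack_from(image, off))
        off += DESC.size
    written, iat = [(import_rva, off + DESC.size)], []
    for oft, _ts, _fwd, name, ft in descs:
        iat.append(thunk_range(image, ft))
        written.append(cstr_range(image, name))
        if oft:
            written.append(thunk_range(image, oft))
    return [(w, i) for w in written for i in iat if w[0] < i[1] and i[0] < w[1]]

def build_image(desc_rva, ft_rva, oft_rva=0x300, name_rva=0x340):
    """Constructed flat buffer indexed by RVA (one section mapped at RVA 0) with a
    single-DLL, single-function import table. Not a real PE file."""
    img, hint_name = bytearray(0x400), 0x360
    img[hint_name:hint_name + 14] = b"\0\0ExitProcess\0"   # IMAGE_IMPORT_BY_NAME
    thunks = struct.pack("<II", hint_name, 0)              # one import + terminator
    img[ft_rva:ft_rva + 8] = thunks        # FirstThunk array: patched by the loader
    img[oft_rva:oft_rva + 8] = thunks      # OriginalFirstThunk array: left intact
    img[name_rva:name_rva + 13] = b"KERNEL32.dll\0"
    # descriptor written last, as a rebuilder would; the zero padding is the terminator
    img[desc_rva:desc_rva + DESC.size] = DESC.pack(oft_rva, 0, 0, name_rva, ft_rva)
    return bytes(img)

if __name__ == "__main__":
    print(iat_overlaps(build_image(0x200, 0x100), 0x200))  # [] : separate areas
    print(iat_overlaps(build_image(0xF8, 0x100), 0xF8))    # descriptor sits on the IAT
```

In the second case the descriptor written at 0xF8 runs over the FirstThunk array at 0x100, which is exactly the self-overwrite the post warns about; on a real file you would feed it the mapped section bytes and the Import Table RVA from the data directory.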