i did some search and found some Thread about imprec. but those didn't answer my cuestion...

which settings are the best to recover/rebuilt a dumped program/IAT ?

which settings makes/Rebuild IAT for Will ALL

these cuestions came due i couldn't make a program work in both OS .. rebuilded IAT with Imprec from winXP but then dosen't run in Win9x

i see some Unpackers like Aspr. Stripper rebuild good IAT and runs on WinALL

i have to do this manually or still i can do it modifing some settings on Imprec.? how to do this??

Excuse my lame cuestions! i think i'm hungry for knowledge

Regards

a common thing is that when you dump under winxp imprec will resolve Kernel32!SetErrorMode as Kernel32!RestoreLastError which is an alias under winxp. Switch RestoreLastError to SetErrorMode and check if it will work.

Are you sure you don't mean SetLastError(). That's what gets switched..

Hi nt20

Yes you are right there, also sometimes some of the advapi32.dll references are different

/hobferret

no answers? i see some other API like Oleaut , and other ... might be different and comes the problems for one OS or another with IAT.

what to do?

there have been for about 3 cuestions i have asked on this board ..and none of them have been answered .... people on these days don't like to share knowledge ? . i can't believe noone knows about this.. so i should say it like that

I've never noticed any Oleaut problems myself..

How I use ImpREC:

"Rebuild All" is a tricky thing to try doing, it's almost never successful. Sometimes if you suspect an API you should trace the IAT entry manually (step thru it with debugger) to see where it really goes. You should always insert the IAT using "Add new section".

The "OEP" entry in ImpREC stinks. If you don't put a valid entry in this field, then you paste on the new IAT table, ImpREC will overwrite the OEP of the file with the junk one you entered. So before you paste in the new IAT section, make sure you have the OEP entered and correct ! The OEP value you need to enter is only the offset, not the whole VA. In other words, if the ImageBase is 0x00400000 (typical) and OEP is 0x00401000, you only need to enter 1000 in the OEP box. If you don't it will be screwed when you paste on the new IAT.


-nt20

and OEP is 0x00401000, you only need to enter 1000 in the OEP box.

this has been discussed long time ago.... do a search in the forum....

esther i now you're insame from long time ago but that was not my cuestion ..please read up...

nikolatesla are these options OK ?? check the screenshot

i'm using win9x/XP with all Updates

sometimes i get errors like

Error Starting Program....

the XXXX.exe files is linked to missing export xxxx.dll : .......

that's what i mean...

reinstall imprec again coz the default set iz the right set .

yes, I agree, I never use any of those advanced options, I just use the default settings.

-nt20

Hi cRK !
I was have same problem. After some test, I find the way to workaround. Do not check "Import All by Ordinal". The export ordinals in system DLLs of all OS (Win9x, WinNT...) not same. For example: Export function with ordinal 112 in Kernel32.dll in 9x is difference with export function 112 in Win2K. Uncheck it to import by name.
TQN

thanks for all replies . since now i'll try it with default settings.

Best Regards