Hello everyone!

I'm a bit stuck unpacking this AsProtected dll... The OEP I get is A67E30 and it really looks like the real OEP. However the dll gives me the following data in LordPE:

SizeOfCode: 0x00177000
SizeOfInitializedData: 0x00142400
SizeOfUninitializedData: 0x00000000
AddressOfEntryPoint: 0x00397001
BaseOfCode: 0x00001000
BaseOfData: 0x00178000
ImageBase: 0x00400000
SectionAlignment: 0x00001000
FileAlignment: 0x00000200
SizeOfImage: 0x003AC000
SizeOfHeaders: 0x00000400

So I really dont know how to convert the OEP I've got to fit into ImpRec... In what format does it want the OEP?

By the way, how does ImpRec find the import table given the OEP??

Hope my question is not too stupid... Excuse me if it is!

I think on library (DLL) you should forget the image base stored in header as its only preferred value not realized. The library is just loaded at address where fere space enuf. The real image base for your library should be gotten from debugger or another process viewer in runtime. Your OEP value for imprec is then yout real OEP VA minus your real library base.

how imprec finds that table? it scans certain chunk of code starting at this OEP address looking for indirect jumps or callz. addressess referred by 'em are potentian IT entries. but it's my assumption only.

Hi all

Try using revirgin, that usually gives you the data right off

You could then transfer that to imprec

/hobferret