View Full Version : how does ImpRec work?


0rp
July 6th, 2004, 17:58
how does ImpRec find the IAT section?

if i enter an OEP, does ImpRec search for "call ds:[407030]" like calls (0xFF15) and assume that the IAT section could be 7XXX ?

and if so, how does this search work? does ImpRec follow jumps and calls to find more searchable code ?

JMI
July 6th, 2004, 18:46
A first question. Have you searched for and read anything about how Imprec works, either here or on the net, before asking your question?

Are you aware that the source code of ImpRec is available for your review?

It seems a little searching is in order and certainly some reading of the FAQ in the BIG RED LETTERS.

Regards,

0rp
July 6th, 2004, 18:56
i'm sorry

JMI
July 6th, 2004, 19:23
And maybe I was a wee bit too hasty about the source code being available. There are certainly several places which "say" the source code is available, but that seems to be for some of the plug-ins. Not sure now if the source for ImpRec, itself, was ever available, but further searching should find the answer. However, there is a great deal about ImpRec on the net and on these forums you should review, and if you also review threads here on manual import rebuilding and study the PE header, you will come to find out where the IAT is supposed to be located.

Regards,

disavowed
July 6th, 2004, 20:06
Quote:
[Originally Posted by JMI]And maybe I was a wee bit too hasty about the source code being available... further searching should find the answer.

JMI, please read the FAQ in BIG RED LETTERS and try SEARCHING before posting on this message board!

dELTA
July 6th, 2004, 20:09

JMI
July 6th, 2004, 20:29
Oh what a cruel world.

In fact, it was because I was actually searching for the "source" which was alleged to be there, that I discovered the representation did not seem to be completely correct.

I am not a programmer and I took their word that "the source" was included. Then, to make sure, I looked inside several versions of ImpRec I have on my HD and discovered the "source" seemed to be for plugins only. I then searched and, after several fruitless paths, concluded that the claims I had read appeared to simply be an overstatement. Having made that discovery, by further searching, I duly reported the results to the waiting world, knowing full well the abuse which would be heaped on this poor hapless soul, who was only trying, with his last ounce of strength, to do one last good deed before he perished from exhaustion.

Oh cruel fate. Oh the shame of it all. I guess I'll have to go kill myself now. No wait, there are plenty of people waiting in line for the privilege of killing me. Well at least I won't have to use the energy to kill myself.

Good bye.

Regards,

Woodmann
July 6th, 2004, 21:35
Ahhhhhhhhhhhhh.....

'tis not nice to see the preacher not practice what he hath preached.


No excuses accepted

Ta Ta, Woodmann

0rp
July 7th, 2004, 03:46
no, you're right

the ImpRec light dll source is freely available
and it seems that it does contain enough interesting stuff

http://wave.prohosting.com/mackt/projects/imprec/ImpREC_lite_v11.zip

JMI
July 7th, 2004, 04:28
Well that at least clarifies somewhat the issue of the "full source" code. One can be easily misled by entries in google, such as:

Protools - Utilities
... Import REConstructor 1.6 (289K). ... fixes section entries in header (size & offset)
and is also able to rebuild the import table if ... Full source code included. ...

which was one of the links I saw with the quick check, before my first post. I then got to thinking that I had downloaded a copy of v1.6 from there and did not recall seeing source code there. But I did recall reading, somewhere, that source code was available for ImpRec and Orp has now cleared up that it was for the "lite" version. I feel so vindicated that, perhaps, I won't kill myself after all. And of course, now I'll have to resist any extraneous attempt to accomplish that task.

Regards,