using imprec problem
mila
January 10th, 2006, 12:34
Hi!
Is it possible to rebuild imports without adding a new section with ImpREC?
I saw this button can be unchecked, but it always produces a bad exe, and it takes a lot of time to do it by hand.
BR
Admiral
January 10th, 2006, 16:33
Of course. As long as you can find a clean spot in the image to put the new import table your dump should be as good as new.
ImpREC tells you the size of the IT it's going to write (next to that checkbox) so everything should work fine as long as you can find the RVA to a data cave that's big enough (and obviously doesn't contain any data that is needed by the application). Ideally, you would use the original address of the IT (prior to packing).
If the table produced by ImpREC is smaller than the one your packer uses, you can just plant your new IT on top of the existing one (belonging to the packer). Otherwise you'll need to think a bit harder. If you really can't find a good spot, use a decent PE editor to add a sufficiently large block onto the end of the data section of your disk (and virtual) image and put it there.
Regards
Admiral
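To make the cave hunt in the post above concrete, here is a small Python helper added here (it is not from the thread and not ImpREC's code). It walks the section table of a dumped 32-bit image and lists zero-filled runs at least as large as the table size ImpREC reports, only counting bytes that are both on disk and mapped at run time, so raw padding beyond VirtualSize is never offered as a cave. The demo image, its section names and the 0x200-byte hole in .data are constructed inline for the example; in practice you would pass the dumped file's contents.

```python
"""Locate a zero-filled cave in a dumped 32-bit PE large enough for the new
import table.  Added example, not ImpREC's code."""
import re
import struct


def parse_sections(image):
    """Return [(name, rva, vsize, raw_ptr, raw_size, characteristics)]
    read from the PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", image, pe + 6)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]  # SizeOfOptionalHeader
    first = pe + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsect):
        off = first + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, rva, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        sections.append((name, rva, vsize, raw_ptr, raw_size, chars))
    return sections


def find_caves(image, needed, align=4):
    """List (section, rva, length) for every zero run of >= `needed` bytes,
    with the start rounded up to `align` so dword fields stay aligned."""
    caves = []
    for name, rva, vsize, raw_ptr, raw_size, _chars in parse_sections(image):
        mapped = min(vsize, raw_size) if vsize else raw_size  # on disk AND mapped
        data = image[raw_ptr:raw_ptr + mapped]
        for m in re.finditer(rb"\x00{%d,}" % needed, data):
            start = (m.start() + align - 1) // align * align
            if m.end() - start >= needed:
                caves.append((name, rva + start, m.end() - start))
    return caves


def build_demo_image():
    """Constructed PE-shaped dump (headers plus three sections; not a runnable
    program).  .data carries a 0x200-byte hole at RVA 0x2100."""
    sections = [  # (name, rva, vsize, characteristics, raw bytes)
        (b".text", 0x1000, 0x200, 0x60000020, b"\x90" * 0x200),
        (b".data", 0x2000, 0x400, 0xC0000040,
         b"A" * 0x100 + b"\x00" * 0x200 + b"B" * 0x100),
        (b".rsrc", 0x3000, 0x200, 0x40000040, b"C" * 0x200),
    ]
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                 # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x44, 0x14C, len(sections))  # i386, NumberOfSections
    struct.pack_into("<H", hdr, 0x54, 0xE0)                 # SizeOfOptionalHeader
    struct.pack_into("<H", hdr, 0x58, 0x10B)                # PE32 magic
    first, raw_ptr, body = 0x40 + 24 + 0xE0, 0x200, bytearray()
    for i, (name, rva, vsize, chars, data) in enumerate(sections):
        off = first + 40 * i
        hdr[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", hdr, off + 8, vsize, rva, len(data), raw_ptr)
        struct.pack_into("<I", hdr, off + 36, chars)
        raw_ptr += len(data)
        body += data
    return bytes(hdr) + bytes(body)


if __name__ == "__main__":
    for sec, rva, length in find_caves(build_demo_image(), 0x100):
        print("%-6s cave at RVA 0x%05X, 0x%X bytes" % (sec, rva, length))
```

Feed the length ImpREC shows next to the "Add new section" checkbox as `needed`; the RVA it prints is what goes into ImpREC's RVA field. A zero run is only a proxy for "unused", so check the candidate in a debugger before writing over it.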
mila
January 10th, 2006, 20:36
@Admiral
Ah, thank you. I solved the problem by cleaning (filling with 0x00s) the import section of the dumped image before using ImpREC. The problem was not the size: adding a section to an exe will create a big problem with PE editors such as PE Explorer from Heaventools, ResHacker, etc. When you modify something, in my case translating the resource section, and you save the target, it will not work.
PE Explorer gives a warning message (Warning! Import section follows the Resource section) with exes that have a new import section, but now my problem is solved, so thank you again Mr Admiral.
Another question: does this button (IAT AutoSearch) really work?
Admiral
January 10th, 2006, 23:28
In many applications 'IAT Autosearch' is useful and effective, but it's quite easy to contrive your code so that it won't work.
As long as you provide the correct OEP (or the entry point of any of a variety of major functions), this button will make a gallant effort at finding the address of the IAT. The algorithm is fairly simple:
From your supplied OEP, ImpREC searches for the bytes 'FF 15'. This corresponds to a 'JMP DWORD PTR'. The following dword will be a pointer to some function that is called absolutely. The vast majority of the time this will point to an API function from kernel32.dll (often something like GetStartupInfoA, GetVersionExA or GetCommandLineA), and the pointer will reside in the IAT. If a match is found, ImpREC will proceed to check the dwords (both forwards and backwards) from this one to see if they all lie within a convincing range for a set of DLLs, and will determine what it believes to be the start and end of the table. Depending on its confidence, ImpREC will either continue confidently or report that it wasn't too sure. Often it's wrong (over-confident or under-confident), but it's usually worth a try.
Either way, the process that goes on is very basic and can be performed much more accurately by the human eye. If you're happy with your target (and you have the OEP at hand), by all means use this feature. Otherwise, it doesn't take a second to locate the IAT yourself.
Regards
Admiral
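Here is a small Python model of the autosearch heuristic described in the post above. It is an example added here, not ImpREC's code or anything posted in the thread. It scans forward from the OEP for the opcode bytes FF 15 (call dword ptr [imm32]) and also accepts FF 25 (jmp dword ptr [imm32], the form used for import thunks), takes the imm32 as the absolute address of an IAT slot, checks that the slot holds a pointer into a known module, and then grows the table in both directions over further module pointers, allowing a single zero dword as the separator between one DLL's entries and the next. The module address ranges, image base, and the dump with its decoy indirect call are all constructed for the demo; on a real target you would take the ranges from the debugger's module list.

```python
"""Toy re-implementation of an 'IAT AutoSearch'-style heuristic over a raw
process dump (bytes indexed by RVA) of a 32-bit image.  Added example."""
import struct

# Assumed module ranges (constructed for the demo; read them from the
# debugger's module list when working on a real process).
DLL_RANGES = {
    "kernel32.dll": (0x7C800000, 0x7C8F6000),
    "user32.dll":   (0x7E410000, 0x7E4A1000),
}


def which_dll(value, ranges=DLL_RANGES):
    """Name of the module whose address range contains value, else None."""
    if value is None:
        return None
    for name, (lo, hi) in ranges.items():
        if lo <= value < hi:
            return name
    return None


def read_dword(dump, rva):
    """Little-endian dword at rva, or None when out of the dump."""
    if rva < 0 or rva + 4 > len(dump):
        return None
    return struct.unpack_from("<I", dump, rva)[0]


def iat_autosearch(dump, image_base, oep_rva, ranges=DLL_RANGES, max_scan=0x1000):
    """Return {'iat_rva', 'size', 'entries', 'dlls', 'confident'} or None.
    size excludes the zero dword that terminates the last DLL's entries."""
    code = dump[oep_rva:oep_rva + max_scan]
    for i in range(len(code) - 5):
        if code[i] != 0xFF or code[i + 1] not in (0x15, 0x25):
            continue                      # not call/jmp dword ptr [imm32]
        slot_rva = struct.unpack_from("<I", code, i + 2)[0] - image_base
        if which_dll(read_dword(dump, slot_rva), ranges) is None:
            continue                      # indirect call, but not through an import
        start = slot_rva                  # grow backwards over module pointers
        while True:
            if which_dll(read_dword(dump, start - 4), ranges):
                start -= 4
            elif read_dword(dump, start - 4) == 0 and \
                    which_dll(read_dword(dump, start - 8), ranges):
                start -= 8                # single zero separating two DLLs
            else:
                break
        end = slot_rva + 4                # grow forwards the same way
        while True:
            if which_dll(read_dword(dump, end), ranges):
                end += 4
            elif read_dword(dump, end) == 0 and \
                    which_dll(read_dword(dump, end + 4), ranges):
                end += 8
            else:
                break
        entries = [read_dword(dump, r) for r in range(start, end, 4)]
        n = sum(1 for e in entries if e)
        return {"iat_rva": start, "size": end - start, "entries": n,
                "dlls": sorted({which_dll(e, ranges) for e in entries if e}),
                "confident": n >= 4}      # arbitrary threshold for the demo
    return None


def build_demo_dump(image_base=0x400000):
    """Constructed 0x3000-byte dump: code at RVA 0x1000, IAT at RVA 0x2000."""
    d = bytearray(0x3000)
    code = bytes.fromhex("558bec")                                  # push ebp; mov ebp, esp
    code += b"\xff\x15" + struct.pack("<I", image_base + 0x2024)    # decoy: call [non-import]
    code += b"\xff\x15" + struct.pack("<I", image_base + 0x2008)    # call [kernel32 slot]
    code += b"\xff\x15" + struct.pack("<I", image_base + 0x2014)    # call [user32 slot]
    code += b"\xc3"                                                 # ret
    d[0x1000:0x1000 + len(code)] = code
    iat = [0x7C801D7B, 0x7C812A6E, 0x7C8017E9, 0x7C80ADA0, 0,       # kernel32, separator
           0x7E418A63, 0x7E4242A0, 0, 0, 0x41414141]                # user32, end, junk
    struct.pack_into("<%dI" % len(iat), d, 0x2000, *iat)
    struct.pack_into("<I", d, 0x1FF8, 0x12345678)                   # junk before the table
    return bytes(d)


if __name__ == "__main__":
    print(iat_autosearch(build_demo_dump(), 0x400000, 0x1000))
```

The decoy call shows why the heuristic is easy to defeat: any FF 15 whose target slot does not hold a module pointer is skipped, and a packer that routes imports through its own stubs (or places non-pointer data inside the table) makes the walk stop early or miss the table entirely, which is exactly when you locate the IAT by hand instead.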
mila
January 11th, 2006, 12:56
Thank you very much for this useful info.
BR