I found that haggar's tutorial on UPX unpacking is the easiest (same kind of target also, although mine is version 7.xx). The dump seems ok, but the getting Import table using ImpREC always produced last import with valid value NO.

http://img45.imageshack.us/img45/7234/0010oq.jpg

If I used Trace Level1 (diasm) on the no valid functions, it change into kernel32.dll. I don't have any idea what it is, but the dump file didn't work so I think it's not kernel32.dll.
Thank you for any suggestions.

Umm... Look at the IAT yourself and work out if that last 'thunk' is dodgy or not. It's pretty standard to enter 'safe' values into ImpRec that cover the IAT but possibly include nonsense entries. Unless you suspect something funny is going on, it's standard procedure to delete the final invalid thunk or two before fixing your dump (particularly if it's quite small, say three or four DWORDs).

Regards
Admiral

What I do with ImpRec is just right-click and select Get API Calls, then it'll find all the imports along with some invalid ones. I just delete the invalid thunks and proceed to restore the IAT.

That method should work on a simple packer such as UPX, since I've used it with success on a much more difficult Armadillo before.

Thanks a lot for the reply, look like it's bogus import at the end. The dump worked OK. Moving on the other DLL in the pack