
request import reconstruction tut


Teerayoot
July 7th, 2003, 21:38
I need a tut that teaches me how to use import reconstruction (ImpREC 1.4...) to rebuild some packed/crypted progs.

It's not working for me every time when I rebuild with it.

Ricardo Narvaja
July 9th, 2003, 00:15
Well, I have 100 tuts, 30 or 35 of them cases with rebuilding the table; the only thing is that they are in Spanish, hehe. But the point is that Import REConstructor is an aid tool: if you use it well you reconstruct the table, if not, you get bad results.
Import REConstructor has some automatic features (IAT AutoSearch, plugins); the new packers fool these automatic features, so the manual search for the OEP, IAT start and IAT length, and putting in the correct values, is a delicate question if you have no experience with some packers, and if you put in bad values, bye bye baby.
From another point of view, many packers detour the values of the entries in the IAT to their own routines, complicating the work. Some packers have magic jumps (Armadillo for example, tElock and PELock too): you can find this magic jump and the table is 100% ready for ImpREC. But in other cases (ASProtect for example) there is a magic call you can NOP and 90 per cent of the entries are repaired, but not all entries are resolved: 6 to 10 entries are substituted by its own routines. ImpREC has a plugin for ASProtect to fix these bad entries, but it is for version 1.2 of ASPr; for 1.3, using the plugin, 1 or 2 entries you may have to fix manually (there is a plugin for 1.3 on a page, but it is not compiled, and whether it works or not I don't know).

Sorry for my bad English
Ricardo

Teerayoot
July 9th, 2003, 01:33
Hmm, after reading your essay for a while, using OllyDump to find the OEP and filling the OEP into ImpREC, I got some working progs; I'm pleased and enjoying it. But I still have some problems with DilloDumper. I followed the DilloDumper tut on dumping an Armadillo-crypted prog, rebuilt with ImpREC, filled in the OEP, selected IAT AutoSearch, Get Imports, deleted all thunks and the other things, and finally selected Fix Dump and picked DilloDumper's dump. When I run the dumped_ program it says something about an error writing to a memory address and dies, and another prog (GR 5.1F) shows its splash for a moment and dies. I don't know which way to go on. I'm really a new beginner in unpacking stuff. Spanish tut, he he, I can't read it at all; Ricardo, if possible please translate it into English (or Thai), I think it would be useful for many users that have the same problem as me.

Anonymous
July 9th, 2003, 05:15
If you're using DilloDumper, do NOT use the IAT AutoSearch option - it'll give you the wrong import table! You must use the exact values that DilloDumper gives you.

Ricardo Narvaja
July 9th, 2003, 06:49
IAT AutoSearch does not guarantee correct values in the new packers; on the other hand, DilloDumper does not repair nanomites, so you must repair the nanomites manually.
My tuts on Armadillo in OllyDbg are in English, and teach you how to dump, how to repair the IAT and how to repair the nanomites, all manually. If you dump with DilloDumper you can use my tute on the IAT and nanomites only, and not the one on dumping.

Ricardo

Teerayoot
July 9th, 2003, 21:53
Hmm, I got it working now (crypted Armadillo) after trying this and that for a while, but some progs do not have any import list names at all; they just show as invalid names. I changed the IAT size to 20000; it takes a while to get the list, but it's still invalid. I am confused now, many questions come to me: I want to know whether all progs use 400000 as the image base, or else how to find the image base if it is not 400000, and "pick section" in ImpREC, what's that? I really need a tut!!!!

Ricardo Narvaja
July 10th, 2003, 01:45
Well, if it is Armadillo, the first thing to know is that in both versions there is a magic jump, which you can find in my tuts and in the Crusader tuts. To resolve the IAT of Arma you always find the magic jump first and NOP this conditional jump, and the program runs perfectly, with the difference that the entries of the IAT are redirected to the original APIs. With this, you can use ImpREC perfectly and the tool reconstructs the table well; if not, you cannot reconstruct the table well. What is the problem with the magic jump? In Armadillo without CopyMem2 it is easy to find and NOP, but in Armadillos with CopyMem2 it is a little difficult, because of the two processes with the same name (CopyMem2), one debugging the other (father-son processes). Well, if you can work with this, in the son process is the correct conditional jump to rebuild the table perfectly. I have tuts in English for both cases for OllyDbg.

If you look at the IAT entries, the values you find are for example
(on my machine)

XXXXXXX 34 7f 17 01

well, this is 01177f34

and which API is pointed to by that?

Go to View > Memory in Olly when the program is stopped at the OEP and look in the blocks whether there is a DLL at this position (if it is a valid entry, the value 1177f34 should point into a DLL), but there is nothing in that block: it exists but is blank.
If you go to this position you find a routine created by Arma, and when you dump the executable this routine is not dumped, so when you run the dump there is an exception when it tries to reach this point.

There are two ways to repair this. The first is to trace this entry at 1177f34 in the original and see which real API is finally reached, and in Import REConstructor put the name of this API into the entry, and do the same work for the other bad entries one by one (not recommendable; my doctor says it is bad for my health), hehe.

The other way is to find the point where Armadillo, while unpacking the target, puts the value 1177f34 into this entry; when you reach that point there is a conditional jump in this zone (the magic jump). If you NOP it, the table is filled with direct API values (77xxxxxx on my machine). When you obtain this you can repair the dump, and Import REConstructor says YES (correct) for all the entries; press Fix Dump, it corrects the dump and this works perfectly.
Sorry for the long explanation, but I don't see at what point you are working: whether you have bad entries, or you have all entries right and the error is in the values of the start or the size of the table.

Ricardo Narvaja

--Zine--
July 10th, 2003, 05:22
The best way to find the IAT is to provide the unpacked program with a fake one so it'll run, and then when it crashes, analyse the crash address in OllyDbg and you'll most likely find that it's smack in the middle of the IAT; just search backwards for the start of the real IAT, then load ImpREC and resolve.
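The two manual checks described in this thread, reading a little-endian IAT entry and asking whether it points into a loaded DLL or into a packer routine (Ricardo's post above), and walking outward from a crash address to find the start and size of the real table (the post just above), can be scripted against a raw memory capture. The script below is an added example, not code from the thread, from ImpREC or from OllyDbg. The module address ranges, the memory layout of the dumped target, and the crash address are all constructed for the demonstration; a real session would take the ranges from View > Memory and the bytes from the debugger or the dump file.

```python
import struct

# Constructed example: address ranges of loaded DLLs as OllyDbg's View > Memory
# might show them. These ranges are assumptions for the demo, not a real layout.
MODULES = {
    "kernel32.dll": (0x77E40000, 0x77F40000),
    "user32.dll":   (0x77D10000, 0x77D9F000),
}

IMAGE_BASE = 0x00400000   # the usual PE image base; not every target uses it
SAMPLE_BASE = 0x00401000  # VA of the first byte of the constructed memory below


def module_of(value, modules=MODULES):
    """Name of the module whose range contains value, else None (e.g. a packer routine)."""
    for name, (lo, hi) in modules.items():
        if lo <= value < hi:
            return name
    return None


def read_dword(mem, base, va):
    """Little-endian dword at va, or None when va is outside the captured memory."""
    off = va - base
    if off < 0 or off + 4 > len(mem):
        return None
    return struct.unpack_from("<I", mem, off)[0]


def is_api_ptr(value, modules=MODULES):
    return value is not None and module_of(value, modules) is not None


def classify_entry(value, modules=MODULES):
    """'api' (direct pointer into a DLL), 'terminator' (zero ending a DLL block),
    or 'redirected' (non-zero value outside every module: a packer thunk)."""
    if value == 0:
        return "terminator"
    if is_api_ptr(value, modules):
        return "api"
    return "redirected"


def looks_like_slot(mem, base, va, modules=MODULES):
    """Heuristic: does the dword at va belong to an IAT? Real API pointers always
    count; a zero counts only if it sits next to an API pointer (block terminator);
    any other value counts only when sandwiched between two slots, which is how a
    few redirected entries sit inside a mostly good table."""
    v = read_dword(mem, base, va)
    if v is None:
        return False
    if is_api_ptr(v, modules):
        return True
    prev = read_dword(mem, base, va - 4)
    nxt = read_dword(mem, base, va + 4)
    if v == 0:
        return is_api_ptr(prev, modules) or is_api_ptr(nxt, modules)
    return (is_api_ptr(prev, modules) or prev == 0) and (is_api_ptr(nxt, modules) or nxt == 0)


def find_iat_bounds(mem, base, probe_va, modules=MODULES):
    """Expand outwards from an address known to be inside the table (the crash
    address) to the first and last slot. Returns (start_va, size) or None."""
    probe = probe_va & ~3           # a crash in the middle of an entry: align down
    if not looks_like_slot(mem, base, probe, modules):
        return None
    start = probe
    while looks_like_slot(mem, base, start - 4, modules):
        start -= 4
    end = probe + 4
    while looks_like_slot(mem, base, end, modules):
        end += 4
    return start, end - start


def walk_iat(mem, base, start_va, size, modules=MODULES):
    """(va, raw bytes as seen in the hex dump, value, kind, module) for every slot."""
    entries = []
    for va in range(start_va, start_va + size, 4):
        v = read_dword(mem, base, va)
        entries.append((va, struct.pack("<I", v).hex(" "), v,
                        classify_entry(v, modules), module_of(v, modules)))
    return entries


def imprec_values(start_va, size, image_base=IMAGE_BASE):
    """ImpREC takes the IAT start as an RVA (VA minus image base) plus the size."""
    return start_va - image_base, size


def build_sample_memory():
    """Constructed 64-byte slice of the dumped target around its IAT (invented layout)."""
    words = [
        0x90909090, 0x90909090, 0x90909090, 0x90909090,  # 0x401000: code/junk before the table
        0x77E5A123,  # 0x401010: kernel32 API, direct value
        0x01177F34,  # 0x401014: Armadillo-style redirect into its own routine (value from the post)
        0x77E61234,  # 0x401018: kernel32 API
        0x00000000,  # 0x40101C: end of the kernel32 block
        0x77D23456,  # 0x401020: user32 API
        0x77D45678,  # 0x401024: user32 API
        0x00000000,  # 0x401028: end of the table
        0x00000000, 0x00000000, 0xCCCCCCCC, 0xCCCCCCCC,  # padding after the table
    ]
    return struct.pack("<%dI" % len(words), *words)


if __name__ == "__main__":
    mem = build_sample_memory()
    crash_va = 0x00401019   # constructed: where the fake-IAT run blew up
    start, size = find_iat_bounds(mem, SAMPLE_BASE, crash_va)
    rva, _ = imprec_values(start, size)
    print("IAT start VA %08X (ImpREC RVA %08X), size %X" % (start, rva, size))
    for va, raw, v, kind, mod in walk_iat(mem, SAMPLE_BASE, start, size):
        print("%08X  %s  -> %08X  %-10s %s" % (va, raw, v, kind, mod or ""))
```

The entries reported as `redirected` are exactly the ones the thread talks about: values that live in no module block, which must be traced to the real API one by one or made to disappear by NOPing the magic jump and dumping again. The bounds search is a heuristic: a stray zero dword immediately before the table will be absorbed into it, so confirm the start and size in the debugger before typing them into ImpREC.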