Is there a way to tell exactly where the import address table begins and what size it is or exactly where it ends?

Thanks for any help!

Yes looking with the eyes hehe, this is the better method and never fail.

Ricardo

ImportREC could help

import rec is old, and the new packers fool easily.

Ricardo

Import Rec sometimes needs a little help, that's why I posted a question about how to isolate it in olly.

lokk the jmps or call to apis

JMP [xxxxx]

generally anre indirect jumps

XXXXXX will be oart of the iat

look this adress in the dump

and up to the start (continue while you look iat adresses or redirections to packer section)

when there are no more is the start the same with the final

if you have doubts put the first section in the listing and in a entry of the iat in the dump right click FIND REFERENCES and is you have a reference to an api is a part of iat, if not is not part of iat or junk value.

Thanks Ricardo. I resolved it this way with the help of hosiminh.

In code window (after OEP is found) search FF 25, select the result, right click -> follow in dump -> memory address. Then right click in dump window -> Long -> Address. Now it's clear in the dump window where it starts and where it ends.

there are many methods, all are better than use automatic IMP REC feature.

Ricardo

all are better than use automatic IMP REC feature.
I agree with that! Generally speaking tools are nice but they come at the cost of in depth knowledge.