Merging Imports with Exports?
5aLIVE
July 31st, 2006, 03:11
I have a DLL file I wish to unpack, I have a working unpacked file "found in the wild" which I am using for comparison.
I dumped a DLL at OEP using LordPE and correctly restored the imports with ImpREC. I then wiped the packer's section header to leave the usual sections:
.text, .rdata, .data, .reloc, .rsrc.
Of course the restored imports are in the .mackt section; what I'd like to know is how do I merge/join the .mackt section with the .rdata section?
I haven't seen any mention of this in any of the RCE forums or tutorials.
Thanks,
5aLIVe.
Admiral
July 31st, 2006, 07:52
You'll need to move the IT, INT and all associated structures into the .rdata section (expanding it if necessary) and adjust the PE header accordingly. Provided the table was in the .rdata section prior to packing; your unpacking process hasn't rebuilt the PE; no new imports have been added and imports by ordinal have stayed that way, then there should be enough free space in .rdata to avoid a messy situation.
Otherwise, you'll need to resize the .rdata section and modify all the following sections to cope with the new offset. This is generally a pain, so you'll want to get a PE editor to do it for you.
IIRC, LordPE Deluxe is capable of rebuilding a PE and consolidating imports/exports. If I'm wrong, there should be some tool out there that can help you.
Regards
Admiral
Pyrae
July 31st, 2006, 18:07
Expanding the .rdata section for this purpose is generally not a good idea as that would require fixing (or even creating in case of most exes) all relocations for references to any data following the resized section.
This approach would give you an even less deterministic and close-to-the-original result (which isn't quite what you are looking for, I sense).
So if the (then obsolete) original import structures plus zero padding at the end of .rdata don't provide enough space for your fully regenerated import data, appending it to the last section (and adjusting the PE/section header accordingly!) would be a better choice if adding a new section is not an option.
Btw, if you're aiming to rebuild your target as close to the original exe/dll (before it has been packed/protected/infected/whatever...), then instead of resolving single IAT entries purely by their virtual address (like ImpRec does), decrypting/intercepting the appropriate internal structures of the infector and finding a way to relate their data to the original import structures might be a good idea.
regards
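Pyrae's first check above (is there enough zero padding at the end of .rdata for the regenerated import data?) as an added worked example. This is my own Python, not a tool from the thread; the section table entry, section bytes and import list used with it are constructed test data. It sizes the structures ImpREC regenerates (descriptor array, INT, hint/name entries, DLL name strings) and compares them with the unused tail of the section's raw data.

```python
import struct

IMAGE_IMPORT_DESCRIPTOR_SIZE = 20   # sizeof(IMAGE_IMPORT_DESCRIPTOR)
SECTION_HEADER = "<8sIIIIIIHHI"     # IMAGE_SECTION_HEADER layout, 40 bytes

def parse_section_header(entry):
    """Unpack one IMAGE_SECTION_HEADER taken from the PE section table."""
    (name, vsize, va, rawsize, rawptr, _relocs, _lines, _nrelocs, _nlines,
     flags) = struct.unpack(SECTION_HEADER, entry)
    return {"name": name.rstrip(b"\0").decode(), "VirtualSize": vsize,
            "VirtualAddress": va, "SizeOfRawData": rawsize,
            "PointerToRawData": rawptr, "Characteristics": flags}

def rebuilt_import_size(imports, ptr_size=4):
    """Bytes the regenerated import data needs: descriptor array, one INT per
    DLL, hint/name entries and DLL name strings. The IAT itself is not
    counted, since it stays where the unpacked code already references it.
    `imports` maps DLL name -> list of function names or ordinals (int)."""
    size = IMAGE_IMPORT_DESCRIPTOR_SIZE * (len(imports) + 1)  # + null terminator
    for dll, funcs in imports.items():
        size += ptr_size * (len(funcs) + 1)                  # INT incl. null entry
        size += len(dll) + 1                                 # DLL name + NUL
        for func in funcs:
            if isinstance(func, int):
                continue                                     # by ordinal: no name entry
            entry = 2 + len(func) + 1                        # hint + name + NUL
            size += entry + (entry & 1)                      # IMAGE_IMPORT_BY_NAME is WORD aligned
    return size

def section_tail_space(raw, keep=4):
    """Zero bytes after the last non-zero byte of the raw section data, i.e.
    padding reusable without growing the section. The trailing NUL of the
    last real structure looks like padding too, so `keep` bytes are left
    untouched. Obsolete import structures must be zeroed by the caller first."""
    trailing = len(raw) - len(raw.rstrip(b"\0"))
    return max(0, trailing - keep)

def fits_in_section(raw, imports, ptr_size=4):
    """Decide whether the rebuilt import data fits into the section tail.
    Returns (fits, bytes needed, bytes free). On a fit only VirtualSize (if
    the tail lies past it) and the import data directory need updating;
    otherwise the section has to grow, which is the case the thread warns about."""
    need = rebuilt_import_size(imports, ptr_size)
    free = section_tail_space(raw)
    return need <= free, need, free
```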
5aLIVE
August 2nd, 2006, 03:01
Thank you for your replies, gents. I feel I've learned something here, although it's become clear that I need to read more on the portable executable specification and experiment with the tools to further my understanding if I am to become a better reverser.
Yippee! My 100th post, not much substance though; at least there is appreciative content.
5aLIVE
JMI
August 2nd, 2006, 12:25
Hum. Something about this post has a very familiar ring to it. Maybe you posted the same thing "somewhere else."

But, nevertheless, congrats on reaching the 100 post milestone.
Regards,