天草 论坛 逆向工程常用工具

=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~= ~ Import REConstructor v1.6 FINAL by MackT/uCF2000 in 2001-2003 ~ = = ~ - *for Windows 9x, ME, NT, 2K and XP* - ~ =~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~= Disclaimer: ----------- This program may crash, or in a worse case it may even reboot your computer, so please use it with caution. (Do not run it 3 hours into an unsaved coding session for example) I am *NOT* responsible for any damage caused by the use of it. Purpose: -------- This tool is designed to rebuild imports for protected/packed Win32 executables. It reconstructs a new Image Import Descriptor (IID), Import Array Table (IAT) and all ASCII module and function names. It can also inject into your output executable, a loader which is able to fill the IAT with real pointers to API or a ripped code from the protector/packer (very useful against emulated API in a thunk). Sorry but this tool is not designed for newbies, you should be familiar a bit with manual unpacking first (some tutorials are easy to find on internet). Features: --------- - Imports - An original tree view - 2 different methods to find original imports (by IAT and/or API calls) - A *FULL* complete rebuilder (including a new fresh IAT) - Loader - An analyzer and ripper of redirected API code - An injected loader code to support mix of imports + ripped code in a thunk - A heuristic relocator - Tracers - 3 default tracers (disasm, hook & ring3) to find APIs in redirected code - A plugin interface to develop your own tracers - Misc - Support ALL 32bits Windows (9x, ME, NT, 2k and XP) - An export renormalizer for Win9x/ME (ala Icedump) - A built-in coloured disasm/hex-viewer to analyze the redirected code - A built-in dumper - Support almost all known antidump tricks What does it need? ------------------ - A full dump of the target (RAW and VIRTUAL infos of sections DO NOT NEED to be equal) - A running process of your target - You have to find the Original Entry Point (OEP) manually (or with /tracex command of Icedump) for using the 'IAT AutoSearch' command How does it work? ----------------- 1 - Select the target in the "Attach to an Active Process" combobox. (Its Entry Point (EP) will be automatically put in the OEP editbox) * If the target is a dll, choose the process which uses it and click on "Pick DLL" to select it. * IF AND ONLY IF you have suspended your target at OEP (with a "jmp eip" at OEP for example), you can dump it with the "Full Dump" button on the dialogbox of the "Select Code Section(s)" command (right click on the tree). NOTE: ----- The "Full Dump" button does not take care of the selected sections near it so you do not need to select all sections. 2 - If you have the OEP: - Enter it (IN Relative Virtual Address (RVA)) in the appropriate editbox and press "IAT AutoSearch" button to get a possible rva address and size values which can contain the original IAT Else: - Enter the RVA and size of IAT 3 - Press "Get Imports" button if the "IAT AutoSearch" has found something. For Borland targets (for example), you will notice you will not have the complete IAT. It is because these targets do not have a contigous IAT. For this case, enter the RVA and Size of the whole section which contains that IAT (that information is ALWAYS written in the messagebox and the Log window just after clicking on "Get Imports"). NOTE: ----- The IAT could be completely (or partially) removed by the packer/protector so the "IAT AutoSearch" will fail. In this case, use the "Get API Call" command (right click on the tree). It will add to your imports, all pointers <XXX> of all <CALL [XXX]> and <JMP [XXX]> directly in the code. Do not forget to precise all sections which contain or are supposed to contain code (usually it is only the first section so you have nothing to do because it is the default configuration). To precise these sections, right click on the tree for a "Select Code Section(s)". This method is based on heuristics so you might have to analyze and remove by hand all invalid slots. 4 - Use the "Show Invalid" button to see all unresolved slots. You will need to trace into them to find the real API. Always try the Tracer Level1 first because it does not execute any code of the target. The Tracer Level2 is to be used in the last resort because it is the less stable one (it uses a global hook). * If you need to retrace into an already traced slot, you have to invalidate it (right click on it and use "Invalidate function(s)" command. * Use "Cut thunk(s)" to remove individually each function * Use "Delete thunk(s)" to remove individually each module * Double click on a slot to edit it manually if you know the real API 5 - Use the "Show Suspect" button to check 'supposed' wrong traced slot. This is possible because of the Tracer Level1 for example. * A suspect slot is an alone valid function in a thunk or an API which already exists in the same thunk (ie several same apis in the same module) * A suspect slot is not necessary invalid. It only needs a quick analyze of your part. 6 - After playing with all tracers, if you still have some unresolved slots, you can try to use the "Loader". This feature will allow you to rip the redirected code to be used directly in your dump. To use the loader, select your invalid slots and right click on the tree for a "*Switch Loader*". A tag "*LOADER*" will appear near the module which contains your slots. If you want to disable it, just "*Switch Loader*" again. You are allowed to have invalid functions in all modules which have a tag "*LOADER*". * The loader is to be used only for rebuilding executable (not dll) * The loader analyzer is based on "Max Recursion" and "Buffer Size" options to find all needed regions from the invalid slots 7 - If you do not want to add a new section and know where you can put the new rebuilt import (in the last section for example), uncheck "Add new section" and enter the wanted RVA. (the easiest way is to add a new section though (by default)) * If the "Loader" is enabled, a new section will be added necessary 8 - Press "Fix Dump" to fix your DUMPED file. You do not need to make a backup. If your filename is "Dump.exe", it will create "Dump_.exe". Moreover the EP of your dump will be fixed to the value you have entered if you turned "Fix EP to OEP" on, in Options. * If you have some modules with a tag "*LOADER*" and some unresolved functions in them, a dialogbox will appear and allow you to customize the rip processing. You will see all regions which will be ripped of the target. You can add, remove and modify them if needed (for advanced users only). You will also have these options: * "Auto reloc" : Normal mode for relocations. It will reloc only the ripped region by tracing instruction per instruction (with the disasm engine) * "Hardcore reloc" : Hardcore mode for relocations. It will reloc the whole region in addition to the "Auto reloc" * "Rebuild Imports" : All imports in the regions will be rebuilt. It means ImportREC will stick to the current imports, the imports needed by the ripped code. 9 - Pheee