=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=
~ Import REConstructor v1.6 FINAL by MackT/uCF2000 in 2001-2003 ~
~ - *for Windows 9x, ME, NT, 2K and XP* - ~
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=
Disclaimer:
-----------
This program may crash, or in the worst case it may even reboot your computer, so please use
it with caution. (Do not run it 3 hours into an unsaved coding session, for example.)
I am *NOT* responsible for any damage caused by the use of it.
Purpose:
--------
This tool is designed to rebuild the imports of protected/packed Win32 executables. It
reconstructs a new Image Import Descriptor (IID), Import Address Table (IAT) and all ASCII
module and function names. It can also inject into your output executable a loader which
fills the IAT with real API pointers or with code ripped from the protector/packer
(very useful against API emulated in a thunk).
Sorry, but this tool is not designed for newbies: you should be a bit familiar with manual
unpacking first (tutorials are easy to find on the internet).
Features:
---------
- Imports
  - An original tree view
  - 2 different methods to find the original imports (by IAT and/or by API calls)
  - A *FULL* rebuilder (including a fresh new IAT)
- Loader
  - An analyzer and ripper of redirected API code
  - An injected loader code that supports a mix of imports and ripped code in a thunk
  - A heuristic relocator
- Tracers
  - 3 default tracers (disasm, hook & ring3) to find APIs in redirected code
  - A plugin interface to develop your own tracers
- Misc
  - Supports ALL 32-bit Windows versions (9x, ME, NT, 2k and XP)
  - An export renormalizer for Win9x/ME (a la Icedump)
  - A built-in coloured disasm/hex-viewer to analyze the redirected code
  - A built-in dumper
  - Supports almost all known antidump tricks
What does it need?
------------------
- A full dump of the target (the RAW and VIRTUAL section information DO NOT NEED to be equal)
- A running process of your target
- You have to find the Original Entry Point (OEP) manually (or with the /tracex command of
  Icedump) to use the 'IAT AutoSearch' command
How does it work?
-----------------
1 - Select the target in the "Attach to an Active Process" combobox.
    (Its Entry Point (EP) will automatically be put in the OEP editbox.)
    * If the target is a DLL, choose the process which uses it and click on "Pick DLL"
      to select it.
    * IF AND ONLY IF you have suspended your target at the OEP (with a "jmp eip" at the OEP,
      for example), you can dump it with the "Full Dump" button in the dialogbox of the
      "Select Code Section(s)" command (right click on the tree).
    NOTE:
    -----
    The "Full Dump" button ignores the section selection next to it, so you
    do not need to select all sections.
2 - If you have the OEP:
    - Enter it (as a Relative Virtual Address (RVA)) in the appropriate editbox and
      press the "IAT AutoSearch" button to get candidate RVA and size values for
      the region which may contain the original IAT.
    Else:
    - Enter the RVA and size of the IAT.
3 - Press the "Get Imports" button if "IAT AutoSearch" has found something. For Borland
    targets (for example), you will notice that you do not get the complete IAT. This is
    because these targets do not have a contiguous IAT. In that case, enter the RVA and
    Size of the whole section which contains the IAT (that information is ALWAYS written
    in the messagebox and in the Log window just after clicking on "Get Imports").
    NOTE:
    -----
    The IAT could be completely (or partially) removed by the packer/protector, so
    "IAT AutoSearch" will fail. In this case, use the "Get API Call" command (right click
    on the tree). It adds to your imports all pointers <XXX> of all <CALL [XXX]> and
    <JMP [XXX]> found directly in the code. Do not forget to specify all sections which
    contain, or are supposed to contain, code (usually it is only the first section, so you
    have nothing to do because that is the default configuration). To specify these sections,
    right click on the tree and use "Select Code Section(s)". This method is based on
    heuristics, so you might have to analyze and remove by hand all invalid slots.
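The heuristic behind "Get API Call" can be illustrated in a few lines of Python (an added example, not ImportREC's code): it scans a code section for the FF 15 (CALL [mem32]) and FF 25 (JMP [mem32]) encodings, collects the <XXX> pointers, discards operands that cannot be IAT slots, and reports the RVA range they span. The image base, code RVA, image size and the code bytes are constructed sample values, and the scan is a byte-pattern match rather than a full disassembly, which is exactly why the slots it finds still need the manual review the note above asks for.

```python
import struct

IMAGE_BASE = 0x00400000   # assumed ImageBase of the dumped target
CODE_RVA = 0x1000         # assumed RVA of the code section being scanned
IMAGE_SIZE = 0x6000       # assumed SizeOfImage

# Constructed code bytes: two CALL [XXX] and one JMP [XXX] through IAT slots, plus
# a MOV whose immediate contains the bytes FF 15 (a false-positive trap).
SAMPLE_CODE = bytes.fromhex(
    "55 8b ec"              # push ebp / mov ebp, esp
    "ff 15 10 20 40 00"     # call dword ptr [0x402010]
    "ff 15 14 20 40 00"     # call dword ptr [0x402014]
    "b8 ff 15 00 00"        # mov eax, 0x15ff
    "ff 25 18 20 40 00"     # jmp dword ptr [0x402018]
    "c3"                    # ret
)

def scan_api_calls(code, code_rva, image_base=IMAGE_BASE, image_size=IMAGE_SIZE):
    """Collect the <XXX> operands of CALL [XXX] (FF 15) and JMP [XXX] (FF 25).

    Returns (slots, span): slots maps each candidate IAT slot RVA to the RVAs of
    the instructions that reference it; span is (first_slot_rva, size) covering
    all slots, or None. Operands outside the image or not 4-byte aligned are
    dropped as obvious false positives. This is a byte-pattern scan, not a real
    disassembly, so it can still match data; surviving slots need a manual check.
    """
    slots = {}
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] in (0x15, 0x25):
            target_rva = struct.unpack_from("<I", code, i + 2)[0] - image_base
            if 0 <= target_rva < image_size and target_rva % 4 == 0:
                slots.setdefault(target_rva, []).append(code_rva + i)
                i += 6
                continue
        i += 1
    if not slots:
        return slots, None
    lo, hi = min(slots), max(slots)
    return slots, (lo, hi - lo + 4)

if __name__ == "__main__":
    found, span = scan_api_calls(SAMPLE_CODE, CODE_RVA)
    for slot_rva, refs in sorted(found.items()):
        print(f"IAT slot RVA {slot_rva:08X} <- {', '.join(hex(r) for r in refs)}")
    print("candidate IAT: RVA %08X, size %d" % span)
```

The reported span is what you would type into the RVA and Size editboxes; a slot that is referenced from only one place, or whose operand sits in the middle of an immediate, is the kind of entry the text tells you to inspect and remove by hand.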
4 - Use the "Show Invalid" button to see all unresolved slots. You will need to trace into
    them to find the real API. Always try Tracer Level1 first because it does not
    execute any code of the target. Tracer Level2 is to be used as a last resort
    because it is the least stable one (it uses a global hook).
    * If you need to retrace an already traced slot, you have to invalidate it first (right
      click on it and use the "Invalidate function(s)" command).
    * Use "Cut thunk(s)" to remove functions individually
    * Use "Delete thunk(s)" to remove modules individually
    * Double click on a slot to edit it manually if you know the real API
5 - Use the "Show Suspect" button to check slots which are 'supposed' to have been traced
    wrongly. This can happen with Tracer Level1, for example.
    * A suspect slot is a lone valid function in a thunk, or an API which already exists
      in the same thunk (i.e. several identical APIs in the same module)
    * A suspect slot is not necessarily invalid. It only needs a quick analysis on your part.
6 - After playing with all tracers, if you still have some unresolved slots, you can
    try to use the "Loader". This feature allows you to rip the redirected code so it can
    be used directly in your dump. To use the loader, select your invalid slots and right
    click on the tree for "*Switch Loader*". A "*LOADER*" tag will appear next to the
    module which contains your slots. If you want to disable it, just "*Switch Loader*"
    again. You are allowed to have invalid functions in all modules which carry the
    "*LOADER*" tag.
    * The loader is to be used only for rebuilding executables (not DLLs)
    * The loader analyzer relies on the "Max Recursion" and "Buffer Size" options to find
      all regions needed by the invalid slots
7 - If you do not want to add a new section and know where you can put the newly rebuilt
    imports (in the last section, for example), uncheck "Add new section" and enter the
    wanted RVA. (The easiest way is still to add a new section, which is the default.)
    * If the "Loader" is enabled, a new section will necessarily be added
8 - Press "Fix Dump" to fix your DUMPED file. You do not need to make a backup: if your
    filename is "Dump.exe", it will create "Dump_.exe". Moreover, the EP of your dump will
    be fixed to the value you have entered if you turned "Fix EP to OEP" on in Options.
    * If you have some modules with the "*LOADER*" tag and some unresolved functions in
      them, a dialogbox will appear and allow you to customize the rip processing.
      You will see all regions of the target which will be ripped. You can add, remove
      and modify them if needed (for advanced users only).
      You will also have these options:
      * "Auto reloc"      : Normal mode for relocations. It relocates only the ripped
                            region, by tracing instruction per instruction (with the disasm
                            engine).
      * "Hardcore reloc"  : Hardcore mode for relocations. It relocates the whole region,
                            in addition to what "Auto reloc" does.
      * "Rebuild Imports" : All imports in the regions will be rebuilt. It means ImportREC
                            will add to the current imports the imports needed by the
                            ripped code.
9 - Pheee