=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=
~ Import REConstructor v1.6 FINAL by MackT/uCF2000 in 2001-2003 ~
= =
~ - *for Windows 9x, ME, NT, 2K and XP* - ~
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=
Disclaimer:
-----------
This program may crash, or in a worse case it may even reboot your computer, so please use
it with caution. (Do not run it 3 hours into an unsaved coding session for example)
I am *NOT* responsible for any damage caused by the use of it.
Purpose:
--------
This tool is designed to rebuild imports for protected/packed Win32 executables. It
reconstructs a new Image Import Descriptor (IID) array, a new Import Address Table (IAT) and
all ASCII module and function names. It can also inject into your output executable a
loader which fills the IAT at run time, either with real pointers to the APIs or with code
ripped from the protector/packer (very useful against API emulated in a thunk).
Sorry, but this tool is not designed for newbies: you should be a bit familiar with manual
unpacking first (some tutorials are easy to find on the internet).
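To make the layout of a rebuilt import directory concrete, here is an added Python example
(not ImportREC's own code) that produces the three things described above, a new IID array,
a new IAT and the hint/name strings, from a map of resolved slots, and then walks the result
back the way the Windows loader would. The RVAs (0xA000 for the added section, 0x3000 for the
IAT) and the module/function list are constructed for the example only.

```python
"""Rebuild a minimal Win32 import directory from resolved IAT slots.

Added illustration, not ImportREC's code.  Layout written at NEW_RVA:
    [IID array + null IID][ILT per module][IMAGE_IMPORT_BY_NAME entries + DLL names]
and a matching IAT (FirstThunk targets) at IAT_RVA, so that existing CALL [IAT]
instructions in the dump keep working.  All RVAs below are assumptions.
"""
import struct

IID_FMT = "<IIIII"                 # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk,
IID_SIZE = struct.calcsize(IID_FMT)  # TimeDateStamp, ForwarderChain, Name, FirstThunk
PTR = 4                            # 32-bit thunk width

# Constructed input, in the order the slots appear in the IAT (thunk order).
MODULES = [
    ("KERNEL32.dll", ["GetProcAddress", "LoadLibraryA", "ExitProcess"]),
    ("USER32.dll", ["MessageBoxA"]),
]
NEW_RVA = 0xA000   # assumed RVA of the section added for the rebuilt imports
IAT_RVA = 0x3000   # assumed RVA of the IAT the code already references


def build_import_directory(modules, new_rva, iat_rva):
    """Return (new_section_bytes, iat_bytes, import_dir_rva, import_dir_size)."""
    ilt_off = IID_SIZE * (len(modules) + 1)                     # IIDs + null terminator
    names_off = ilt_off + sum((len(f) + 1) * PTR for _, f in modules)  # ILTs are 0-terminated
    names, name_rvas, dll_rvas = bytearray(), {}, {}
    for dll, funcs in modules:
        for func in funcs:
            name_rvas[(dll, func)] = new_rva + names_off + len(names)
            names += struct.pack("<H", 0) + func.encode("ascii") + b"\0"  # hint 0 + name
            if len(names) & 1:                                             # WORD align
                names += b"\0"
        dll_rvas[dll] = new_rva + names_off + len(names)
        names += dll.encode("ascii") + b"\0"
        if len(names) & 1:
            names += b"\0"
    iids, ilts, iat = bytearray(), bytearray(), bytearray()
    for dll, funcs in modules:
        iids += struct.pack(IID_FMT, new_rva + ilt_off + len(ilts), 0, 0,
                            dll_rvas[dll], iat_rva + len(iat))
        thunks = b"".join(struct.pack("<I", name_rvas[(dll, f)]) for f in funcs) + b"\0" * PTR
        ilts += thunks
        iat += thunks   # on disk the IAT mirrors the ILT; the OS loader overwrites it
    iids += b"\0" * IID_SIZE
    return bytes(iids + ilts + names), bytes(iat), new_rva, len(iids)


def parse_import_directory(section, new_rva, iat_bytes, iat_rva):
    """Walk the IIDs like a loader and return {dll: [api, ...]}; raise if the
    on-disk IAT slots disagree with the ILT."""
    def cstr(rva):
        off = rva - new_rva
        return section[off:section.index(b"\0", off)].decode("ascii")

    out = {}
    for i in range(0, len(section), IID_SIZE):
        oft, _, _, name, ft = struct.unpack(IID_FMT, section[i:i + IID_SIZE])
        if oft == 0 and name == 0 and ft == 0:
            break
        funcs, k = [], 0
        while True:
            ilt_entry = struct.unpack_from("<I", section, oft - new_rva + k)[0]
            if ilt_entry == 0:
                break
            iat_entry = struct.unpack_from("<I", iat_bytes, ft - iat_rva + k)[0]
            if iat_entry != ilt_entry:
                raise ValueError("IAT slot does not match ILT entry")
            funcs.append(cstr(ilt_entry + 2))   # skip the 2-byte hint
            k += PTR
        out[cstr(name)] = funcs
    return out


if __name__ == "__main__":
    sec, iat, rva, size = build_import_directory(MODULES, NEW_RVA, IAT_RVA)
    print(f"import directory at RVA {rva:#x}, size {size}; IAT bytes {len(iat)}")
    print(parse_import_directory(sec, NEW_RVA, iat, IAT_RVA))
```

The data-directory entry for imports would point at `NEW_RVA` with `size` as its size; the
section bytes go into the added section and the IAT bytes overwrite the original IAT region.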
Features:
---------
- Imports
    - An original tree view
    - 2 different methods to find the original imports (by IAT and/or by API calls)
    - A *FULL* rebuilder (including a new, fresh IAT)
- Loader
    - An analyzer and ripper of redirected API code
    - An injected loader code to support a mix of imports + ripped code in a thunk
    - A heuristic relocator
- Tracers
    - 3 default tracers (disasm, hook & ring3) to find APIs in redirected code
    - A plugin interface to develop your own tracers
- Misc
    - Support for ALL 32-bit Windows versions (9x, ME, NT, 2K and XP)
    - An export renormalizer for Win9x/ME (a la Icedump)
    - A built-in coloured disasm/hex viewer to analyze the redirected code
    - A built-in dumper
    - Support for almost all known anti-dump tricks
What does it need?
------------------
- A full dump of the target (the RAW and VIRTUAL sizes/offsets of the sections DO NOT NEED
  to be equal)
- A running process of your target
- The Original Entry Point (OEP), which you have to find manually (or with the /tracex
  command of Icedump), if you want to use the 'IAT AutoSearch' command
How does it work?
-----------------
1 - Select the target in the "Attach to an Active Process" combobox.
(Its Entry Point (EP) will be automatically put in the OEP editbox)
* If the target is a dll, choose the process which uses it and click on "Pick DLL"
to select it.
* IF AND ONLY IF you have suspended your target at OEP (with a "jmp eip" at OEP for
example), you can dump it with the "Full Dump" button on the dialogbox of the
"Select Code Section(s)" command (right click on the tree).
NOTE:
-----
The "Full Dump" button ignores the section selection next to it, so you do not need
to select all sections.
2 - If you have the OEP:
    - Enter it (as a Relative Virtual Address (RVA)) in the appropriate editbox and
      press the "IAT AutoSearch" button to get candidate RVA and size values for the
      region that may contain the original IAT
    Else:
    - Enter the RVA and size of the IAT yourself
3 - Press the "Get Imports" button if "IAT AutoSearch" has found something. For Borland
    targets (for example), you will notice that you do not get the complete IAT. This is
    because these targets do not have a contiguous IAT. In this case, enter the RVA and
    size of the whole section which contains the IAT (that information is ALWAYS written
    in the messagebox and in the Log window just after clicking on "Get Imports").
NOTE:
-----
The IAT could be completely (or partially) removed by the packer/protector, in which case
"IAT AutoSearch" will fail. In this case, use the "Get API Call" command (right click
on the tree). It adds to your imports all the pointers <XXX> of every <CALL [XXX]> and
<JMP [XXX]> found directly in the code. Do not forget to specify all sections which contain
(or are supposed to contain) code (usually it is only the first section, so you have
nothing to do because that is the default configuration). To specify these sections,
right click on the tree for "Select Code Section(s)". This method is based on
heuristics, so you might have to analyze and remove the invalid slots by hand.
4 - Use the "Show Invalid" button to see all unresolved slots. You will need to trace into
    them to find the real API. Always try Tracer Level1 first because it does not
    execute any code of the target. Tracer Level2 is to be used only as a last resort
    because it is the least stable one (it uses a global hook).
    * If you need to retrace an already traced slot, you have to invalidate it first (right
      click on it and use the "Invalidate function(s)" command).
    * Use "Cut thunk(s)" to remove functions individually
    * Use "Delete thunk(s)" to remove modules individually
    * Double click on a slot to edit it manually if you know the real API
5 - Use the "Show Suspect" button to check slots that are 'supposedly' traced wrong. Such
    slots can occur with Tracer Level1, for example.
    * A suspect slot is a lone valid function in a thunk, or an API which already exists
      in the same thunk (i.e. the same API several times in the same module)
    * A suspect slot is not necessarily invalid. It only needs a quick check on your part.
6 - After playing with all tracers, if you still have some unresolved slots, you can
try to use the "Loader". This feature will allow you to rip the redirected code to
be used directly in your dump. To use the loader, select your invalid slots and right
click on the tree for a "*Switch Loader*". A tag "*LOADER*" will appear near the
module which contains your slots. If you want to disable it, just "*Switch Loader*"
again. You are allowed to have invalid functions in all modules which have a tag
"*LOADER*".
    * The loader is to be used only for rebuilding executables (not dlls)
    * The loader analyzer uses the "Max Recursion" and "Buffer Size" options to find
      all the regions needed by the invalid slots
7 - If you do not want to add a new section and know where you can put the new rebuilt
    imports (in the last section, for example), uncheck "Add new section" and enter the
    wanted RVA. (The easiest way is to add a new section, though, which is the default.)
    * If the "Loader" is enabled, a new section will necessarily be added
8 - Press "Fix Dump" to fix your DUMPED file. You do not need to make a backup: if your
    filename is "Dump.exe", it will create "Dump_.exe". Moreover, the EP of your dump will
    be set to the value you have entered if you turned "Fix EP to OEP" on in Options.
    * If you have some modules with a "*LOADER*" tag and some unresolved functions in
      them, a dialogbox will appear and allow you to customize the rip processing.
      You will see all regions of the target which will be ripped. You can add, remove
      and modify them if needed (for advanced users only).
      You will also have these options:
      * "Auto reloc"      : Normal mode for relocations. It relocates only the ripped
                            region, by tracing instruction per instruction (with the
                            disasm engine)
      * "Hardcore reloc"  : Hardcore mode for relocations. It relocates the whole region,
                            in addition to the "Auto reloc"
      * "Rebuild Imports" : All imports in the ripped regions will be rebuilt. That is,
                            ImportREC will append the imports needed by the ripped code
                            to the current imports.
9 - Pheee
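The heuristics behind steps 3 to 5 are easy to reproduce, which helps when deciding which
slots to trust. The following added Python example (not ImportREC's code) does a linear byte
scan for CALL [XXX] (FF 15) and JMP [XXX] (FF 25) as "Get API Call" does, keeps only
pointers that land inside the image, groups the slots into candidate IAT ranges (a
non-contiguous table, as in the Borland case, shows up as several ranges), and applies the
two "Show Suspect" rules to a resolved slot map. The image base, SizeOfImage, the code bytes
and the resolved names are constructed for the example.

```python
"""Reproduce the 'Get API Call' scan and the 'Show Suspect' rules.

Added illustration, not ImportREC's code.  IMAGE_BASE and SIZE_OF_IMAGE are
assumed values; CODE is a hand-assembled 32-bit snippet built for this example.
"""
import struct

IMAGE_BASE = 0x00400000      # assumed ImageBase of the dumped target
SIZE_OF_IMAGE = 0x00010000   # assumed SizeOfImage; pointers outside it are noise
PTR = 4

# Constructed code section (not a real target):
#   push ebp / mov ebp,esp / call [0x403010] / call [0x403014] / push 0 /
#   call [0x403010] (same slot again) / jmp [0x403020] /
#   mov eax,0x301015FF (immediate happens to contain FF 15) / pop ebp / ret
CODE = bytes.fromhex(
    "55 8BEC"
    "FF15 10304000"
    "FF15 14304000"
    "6A00"
    "FF15 10304000"
    "FF25 20304000"
    "B8 FF151030"
    "5D C3"
)


def get_api_calls(code, image_base=IMAGE_BASE, size_of_image=SIZE_OF_IMAGE):
    """Collect <XXX> from every CALL [XXX] / JMP [XXX] found by a byte scan and
    return the unique slot RVAs, sorted.  Pointers that are not 4-byte aligned
    or that fall outside the image are dropped; the mov eax,imm32 above is such a
    false positive.  Anything left still deserves a manual look."""
    slots = set()
    for i in range(len(code) - 5):
        if code[i] == 0xFF and code[i + 1] in (0x15, 0x25):
            rva = struct.unpack_from("<I", code, i + 2)[0] - image_base
            if 0 <= rva < size_of_image and rva % PTR == 0:
                slots.add(rva)
    return sorted(slots)


def iat_ranges(slots, max_gap=PTR):
    """Group slot RVAs into candidate IAT regions as (rva, size).  Modules in an
    IAT are separated by one zero DWORD, so a one-slot gap is still the same
    table; a larger gap starts a new candidate."""
    ranges = []
    for rva in slots:
        if ranges and rva - (ranges[-1][0] + ranges[-1][1]) <= max_gap:
            ranges[-1][1] = rva + PTR - ranges[-1][0]
        else:
            ranges.append([rva, PTR])
    return [tuple(r) for r in ranges]


def suspect_slots(resolved):
    """Apply the 'Show Suspect' rules to resolved slots {rva: (dll, api)}: flag a
    thunk holding a single valid function, and any API that appears more than
    once in the same module's thunk."""
    by_dll = {}
    for rva, (dll, api) in resolved.items():
        by_dll.setdefault(dll, []).append((rva, api))
    suspects = []
    for entries in by_dll.values():
        if len(entries) == 1:
            suspects.append((entries[0][0], "lone function in thunk"))
        seen = set()
        for rva, api in entries:
            if api in seen:
                suspects.append((rva, "duplicate API in module"))
            seen.add(api)
    return sorted(suspects)


# Constructed result of tracing the three slots found above.
RESOLVED = {
    0x3010: ("KERNEL32.dll", "GetProcAddress"),
    0x3014: ("KERNEL32.dll", "GetProcAddress"),   # same API twice: suspect
    0x3020: ("USER32.dll", "MessageBoxA"),        # alone in its thunk: suspect
}

if __name__ == "__main__":
    slots = get_api_calls(CODE)
    print("slots:", [hex(s) for s in slots])
    print("candidate IAT ranges:", [(hex(r), s) for r, s in iat_ranges(slots)])
    print("suspects:", [(hex(r), why) for r, why in suspect_slots(RESOLVED)])
```

When `iat_ranges` returns more than one range, the RVA/size to enter is the span from the
first range's start to the end of the last one (or the whole section, as the README says for
Borland targets).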