ImportREC 1.7汉化版
所属分类:其他
开发工具:WINDOWS
文件大小:827KB
下载次数:5
上传日期:2019-07-21 18:19:09
上 传 者:
perpear
说明: Import REConstructor可以从杂乱的IAT中重建一个新的Import表(例如加壳软件等),它可以重建Import表的描述符、IAT和所有的ASCII函数名。
用它配合手动脱壳,可以脱UPX、CDilla1、PECompact、PKLite32、Shrinker、ASPack, ASProtect等壳。
(Import REConstructor can rebuild a new Import table (such as shell software) from a cluttered IAT. It can rebuild the descriptor, IAT and all ASCII function names of the Import table.
With it, UPX, CDilla 1, PECompact, PKLite32, Shrinker, ASPack, ASProtect and other shells can be removed.)
文件列表:
ImportREC 1.7汉化版\Documentation\Loader.txt (3340, 2002-04-17)
ImportREC 1.7汉化版\Documentation\News.txt (914, 2003-07-25)
ImportREC 1.7汉化版\Documentation\Tips.txt (4237, 2002-04-25)
ImportREC 1.7汉化版\History.txt (16686, 2008-02-22)
ImportREC 1.7汉化版\ImportREC.exe (1311744, 2019-06-24)
ImportREC 1.7汉化版\ImpREC.ini (422, 2013-07-20)
ImportREC 1.7汉化版\Plugin\ACProtect #1.dll (3072, 2004-06-13)
ImportREC 1.7汉化版\Plugin\ACProtect #2.dll (14848, 2004-05-19)
ImportREC 1.7汉化版\Plugin\ACProtect #3.dll (1556, 2007-01-18)
ImportREC 1.7汉化版\Plugin\Alex Protector.dll (1556, 2007-01-18)
ImportREC 1.7汉化版\Plugin\Armadillo 2.6.dll (4096, 2002-11-08)
ImportREC 1.7汉化版\Plugin\ASProtect 1.22.dll (6144, 2002-09-17)
ImportREC 1.7汉化版\Plugin\ASProtect 1.23 rc4.dll (2560, 2003-11-21)
ImportREC 1.7汉化版\Plugin\ASProtect 1.2x Emul API #1.dll (6144, 2007-03-11)
ImportREC 1.7汉化版\Plugin\ASProtect 1.2x Emul API #2.dll (10240, 2007-03-11)
ImportREC 1.7汉化版\Plugin\ASProtect 1.2x.dll (18432, 2002-10-09)
ImportREC 1.7汉化版\Plugin\ASProtect 1.3.dll (7168, 2003-01-06)
ImportREC 1.7汉化版\Plugin\ASProtect 2.xx.dll (17920, 2003-08-23)
ImportREC 1.7汉化版\Plugin\CoolCrypt.dll (2560, 2006-03-28)
ImportREC 1.7汉化版\Plugin\Cryptocrack's PE Protector.dll (1556, 2007-01-18)
ImportREC 1.7汉化版\Plugin\Excalibur.dll (3106, 2007-04-06)
ImportREC 1.7汉化版\Plugin\ExeCryptor.dll (8192, 2006-01-01)
ImportREC 1.7汉化版\Plugin\EXEStealth275.dll (2560, 2006-02-13)
ImportREC 1.7汉化版\Plugin\Expressor 1.5.x.dll (2560, 2007-03-13)
ImportREC 1.7汉化版\Plugin\ExtOverlay.dll (10752, 2005-09-23)
ImportREC 1.7汉化版\Plugin\GoatsPEMutilator16.dll (2560, 1985-01-01)
ImportREC 1.7汉化版\Plugin\HowTo.txt (443, 2006-05-29)
ImportREC 1.7汉化版\Plugin\Krypton 0.4 - 0.5 #1.dll (28672, 2003-01-01)
ImportREC 1.7汉化版\Plugin\Krypton 0.4 - 0.5 #2.dll (10752, 2007-03-11)
ImportREC 1.7汉化版\Plugin\Krypton 0.5.dll (1556, 2004-05-03)
ImportREC 1.7汉化版\Plugin\Morphine.dll (2560, 2006-11-17)
ImportREC 1.7汉化版\Plugin\NTKrnl Protector 0.1.x.dll (3072, 2007-01-20)
ImportREC 1.7汉化版\Plugin\Null.dll (28672, 2002-04-22)
ImportREC 1.7汉化版\Plugin\Obsidium #1.dll (4096, 2007-03-11)
ImportREC 1.7汉化版\Plugin\Obsidium #2.dll (4096, 2003-06-06)
ImportREC 1.7汉化版\Plugin\Obsidium #3.dll (4096, 2007-03-11)
ImportREC 1.7汉化版\Plugin\Obsidium 1.3.dll (3584, 2006-07-25)
ImportREC 1.7汉化版\Plugin\Obsidium 1.3.dll.txt (551, 2007-04-15)
ImportREC 1.7汉化版\Plugin\PE123.dll (2084, 2007-01-18)
... ...
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=
~ Import REConstructor v1.6 FINAL by MackT/uCF2000 in 2001-2003 ~
= =
~ - *for Windows 9x, ME, NT, 2K and XP* - ~
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=
Disclaimer:
-----------
This program may crash, or in a worse case it may even reboot your computer, so please use
it with caution. (Do not run it 3 hours into an unsaved coding session for example)
I am *NOT* responsible for any damage caused by the use of it.
Purpose:
--------
This tool is designed to rebuild imports for protected/packed Win32 executables. It
reconstructs a new Image Import Descriptor (IID), Import Array Table (IAT) and all ASCII
module and function names. It can also inject into your output executable, a loader which
is able to fill the IAT with real pointers to API or a ripped code from the protector/packer
(very useful against emulated API in a thunk).
Sorry but this tool is not designed for newbies, you should be familiar a bit with manual
unpacking first (some tutorials are easy to find on internet).
Features:
---------
- Imports
- An original tree view
- 2 different methods to find original imports (by IAT and/or API calls)
- A *FULL* complete rebuilder (including a new fresh IAT)
- Loader
- An analyzer and ripper of redirected API code
- An injected loader code to support mix of imports + ripped code in a thunk
- A heuristic relocator
- Tracers
- 3 default tracers (disasm, hook & ring3) to find APIs in redirected code
- A plugin interface to develop your own tracers
- Misc
- Support ALL 32bits Windows (9x, ME, NT, 2k and XP)
- An export renormalizer for Win9x/ME (ala Icedump)
- A built-in coloured disasm/hex-viewer to analyze the redirected code
- A built-in dumper
- Support almost all known antidump tricks
What does it need?
------------------
- A full dump of the target (RAW and VIRTUAL infos of sections DO NOT NEED to be equal)
- A running process of your target
- You have to find the Original Entry Point (OEP) manually (or with /tracex command of
Icedump) for using the 'IAT AutoSearch' command
How does it work?
-----------------
1 - Select the target in the "Attach to an Active Process" combobox.
(Its Entry Point (EP) will be automatically put in the OEP editbox)
* If the target is a dll, choose the process which uses it and click on "Pick DLL"
to select it.
* IF AND ONLY IF you have suspended your target at OEP (with a "jmp eip" at OEP for
example), you can dump it with the "Full Dump" button on the dialogbox of the
"Select Code Section(s)" command (right click on the tree).
NOTE:
-----
The "Full Dump" button does not take care of the selected sections near it so you
do not need to select all sections.
2 - If you have the OEP:
- Enter it (IN Relative Virtual Address (RVA)) in the appropriate editbox and
press "IAT AutoSearch" button to get a possible rva address and size values
which can contain the original IAT
Else:
- Enter the RVA and size of IAT
3 - Press "Get Imports" button if the "IAT AutoSearch" has found something. For Borland
targets (for example), you will notice you will not have the complete IAT. It is
because these targets do not have a contigous IAT. For this case, enter the RVA and
Size of the whole section which contains that IAT (that information is ALWAYS written
in the messagebox and the Log window just after clicking on "Get Imports").
NOTE:
-----
The IAT could be completely (or partially) removed by the packer/protector so the
"IAT AutoSearch" will fail. In this case, use the "Get API Call" command (right click
on the tree). It will add to your imports, all pointers of all and
directly in the code. Do not forget to precise all sections which contain
or are supposed to contain code (usually it is only the first section so you have
nothing to do because it is the default configuration). To precise these sections,
right click on the tree for a "Select Code Section(s)". This method is based on
heuristics so you might have to analyze and remove by hand all invalid slots.
4 - Use the "Show Invalid" button to see all unresolved slots. You will need to trace into
them to find the real API. Always try the Tracer Level1 first because it does not
execute any code of the target. The Tracer Level2 is to be used in the last resort
because it is the less stable one (it uses a global hook).
* If you need to retrace into an already traced slot, you have to invalidate it (right
click on it and use "Invalidate function(s)" command.
* Use "Cut thunk(s)" to remove individually each function
* Use "Delete thunk(s)" to remove individually each module
* Double click on a slot to edit it manually if you know the real API
5 - Use the "Show Suspect" button to check 'supposed' wrong traced slot. This is possible
because of the Tracer Level1 for example.
* A suspect slot is an alone valid function in a thunk or an API which already exists
in the same thunk (ie several same apis in the same module)
* A suspect slot is not necessary invalid. It only needs a quick analyze of your part.
6 - After playing with all tracers, if you still have some unresolved slots, you can
try to use the "Loader". This feature will allow you to rip the redirected code to
be used directly in your dump. To use the loader, select your invalid slots and right
click on the tree for a "*Switch Loader*". A tag "*LOADER*" will appear near the
module which contains your slots. If you want to disable it, just "*Switch Loader*"
again. You are allowed to have invalid functions in all modules which have a tag
"*LOADER*".
* The loader is to be used only for rebuilding executable (not dll)
* The loader analyzer is based on "Max Recursion" and "Buffer Size" options to find
all needed regions from the invalid slots
7 - If you do not want to add a new section and know where you can put the new rebuilt
import (in the last section for example), uncheck "Add new section" and enter the
wanted RVA. (the easiest way is to add a new section though (by default))
* If the "Loader" is enabled, a new section will be added necessary
8 - Press "Fix Dump" to fix your DUMPED file. You do not need to make a backup. If your
filename is "Dump.exe", it will create "Dump_.exe". Moreover the EP of your dump will
be fixed to the value you have entered if you turned "Fix EP to OEP" on, in Options.
* If you have some modules with a tag "*LOADER*" and some unresolved functions in
them, a dialogbox will appear and allow you to customize the rip processing.
You will see all regions which will be ripped of the target. You can add, remove
and modify them if needed (for advanced users only).
You will also have these options:
* "Auto reloc" : Normal mode for relocations. It will reloc only the ripped
region by tracing instruction per instruction (with the disasm
engine)
* "Hardcore reloc" : Hardcore mode for relocations. It will reloc the whole region
in addition to the "Auto reloc"
* "Rebuild Imports" : All imports in the regions will be rebuilt. It means ImportREC
will stick to the current imports, the imports needed by the
ripped code.
9 - Pheeeww, your fixed dump should work...
Options:
--------
- "Import all by ordinal" : It needs less size than the usual import (by name and ordinal)
but it will not be portable. Use it ** IF AND ONLY IF ** you want to rebuild the exe
ONLY for your system and want a smaller file.
- The "Max Recursion" is the number of conditionnal jumps or calls it's allowed to follow
when the tracer level1 is in action. More this number is big and more you have to wait,
use it CAREFULLY. (But you can stop its progression by pressing "CONTROL+F12")
- The "Buffer Size" is the size of the allocated memory block for tracing for EACH
recursion. (still for the tracer level1)
- "Fix EP to OEP" : Turn on this option if you want to set the EP of your dump file to
the OEP you have given in ImportREC.
- "Time Out" : Time out for stopping tracers level2 and 3 in their progression. The value
is in 50 milliseconds and in decimal.
- "Enable Debug Privilege (NT/2K/XP)" : Enable this if your target is not listed in the
process combobox selector. You will need to restart ImportREC to activate it.
- "Fix Damaged PDB (Win9X/ME Only)" : Enable this if the target has hacked its PDB (ugly)
against process opening. You will need to restart ImportREC to activate it.
- "Use PE Header From Disk" : Use the PE Header of the disk rather than the dump.
- "Renormalize Exports (W9X/ME)" : Use this to get a better portable executable. You must
run ImportREC at least once before running your target with this option enabled. You will
need to restart ImportREC to activate it.
- "Exact Call" : Enable this option to rebuild schemes that use a unique pointer for
several (or all) API redirections.
* Q: What is an "Exact Call"?
A: An "Exact Call" is a reference in the code of a call to an API. Usually a call to an
API is done throuh the IAT but some packers/protectors can modify directly the code
to redirect to a unique pointer (this is also called "mangled scheme"). To fix an
"Exact Call", ImportREC will need to fix the code to redirect it back to the IAT.
- "Skip Main Slot" : Enable this if you want to trace only on all "Exact Call"s letting
the main slot remained.
- "TL3 Dumb Mode" : It has the behaviour of the Tracer Level1 but it will execute each
instruction. Almost done for wrapped api which copies the start of
the API and jump "later".
- "TL3 Log" : Enable this to log all EIP traced by the Tracer Level3. The max
logged EIP can be set in the editbox near the checkbox. This will
help you to debug where the tracer failed/stopped.
- "Rebuild
Original FT" : Enable this to also rebuild the original first thunks.
This could help your disassembler to recognize imports, better.
- "Create New IAT" : Enable this to create a new IAT.
* This feature is needed when an "Exact Call" has no entry in the current IAT. You will
be notified anyway if you did not enable it and try to fix your dump.
* Do not forget to precise all sections which contains the code to be modified by this
function, by right clicking on the tree for a "Select Code Section(s)"
- "Mode Cloak" : Mainly for Anti-Imprec methods, it could be used to all technics
which tries to prevent ReadProcessMemory from another process.
This option will change the name of the window and the API
RPM will not be used anymore.
* The "Full Dump" button will benefit of this option.
* You can rename if the target tries to search ImportREC by process
listing.
Commands:
---------
- "IAT AutoSearch" : Give it an OEP and it will try to find the IAT RVA and its size
for you.
* Do not forget to read the text written on the MessageBox, erm...
- "Get Imports" : Build the IAT described by a RVA and a size into a tree.
- "Show Invalid" : Select all pointers in the IAT which are still invalid
(redirected)
- "Show Suspect" : Select all valid functions which need a manual check of your
part. It will select all same functions in the same thunk and
all thunk which has only one function.
- "Auto Trace" : An automatic tracer which will use the tracer level1 on all
invalid pointers. It will apply the tracer level3 on suspect
entries. Do not expect so much on it because it will never be
able to replace some manual actions of your part. It is here
for showing how to rebuild "Notepad_asp.exe".
- "Clear Imports" : Clear all current imports
- "Clear Log" : Clear the log window
- "Load Tree" : Load a tree. (You still can load old ".rec" files)
- "Save Tree" : Save your current tree in a file. (text format)
- "Fix Dump" : Add your current imports into a dumped file of your target
- "Invalidate function(s)": Invalidate a valid function. Use it if you know the current
API is not valid and want to retrace it.
- "Cut thunk(s)" : Remove all selected functions
- "Delete thunk(s)" : Remove the modules of all selected functions which they belond
to.
- "Get API Calls" : This feature will get all call[] and jmp[] from the target to
your imports. Its first purpose is to find internal calls to
the protector which does not belong to the IAT. After getting
them, switch them to the loader which will rip the code of the
protector to your dump file.
- "Load PE Header" : To force ImportREC to use a specific PE Header. It will be
useful in a particular case.
Note: This command WILL NOT PASTE the PE Header to your
dump.
- "Select Code Section(s)": To use for "Get API Calls", "Create New IAT" and "Exact Call".
It will precise to them which sections contains code (for
redirect all calls to the new IAT or to get all calls).
- "Show Exact Call Window": Show a window to see all the current "Exact Call"s found. You
can remove them if needed (right click on the window).
- "Switch *Loader*" : This command allows you to fix your dump even if you still have
some invalid functions (unresolved or different modulenames in
the same thunk). It will switch the modules of all selected
functions which they belond to, into the loader. It means the
IAT of these modules will be resolved by the loader of ImportREC
and not by Windows.
- "Get Imports Filter" : This command will set the range of the "valid" addresses to
take care about. All the rest will be removed.
- "Disassemble / HexView" : This new feature will allow you to directly disasm/hexview the
redirected code. Use right click to see possible functions
on the disassembled code (address, imports...)
Limitations
-----------
- The "IAT AutoSearch" will not work if the IAT is not contigous (ie: cutted in different
parts of the exe for each thunks) so you will have to put each RVA and SIZE manually or
use "Get API Calls" command
- The loader cannot actually reloc datas
- The loader does not manage 'Exact Calls' and relative (R) imports
- The loader code cannot be injected in dll (because the current code cannot be reloc'ed)
- Tracers are always to be improved but you can code yours!
Personal greetings:
-------------------
Ab4ds, Analyst, Athol, Band, Christoph/UG, Cluesurf, Cronos, Daemon, Duelist, EOD, EliCZ,
Eternal Bliss, Fodder, FLWright, Gamumba, GanJaMaN, G-RoM, Grugq, Hackwizz, Hasher,
Ivanopulo, __Ice, JB007, [k], Kahel, LaBBa, LightDruid, LordByte, LutinNoir, mac, MAK,
Minothaur, Muffin, Necrotoad, NchantA, NeoXQuick, Night, Nihil, NikDH, Nitrus, NoodleSpa,
Noos, Nukem, Ousir, Pain, Pal, Pedro, Predator, Quantico, R2-C2, Reeb, SAC, ScareByte,
Seifer, shandi, Snacker, Snaker, Spath, StatMan, Syntax, TaMaMBoLo, tE!, The Owl, tHeRaiN,
Thigo, Thrawn, +Tired, Titi, TomCraft, Toonie, ToyBomB, Unf4rgiv3n, Unknown One, VAG,
WarezPop, X-Lock, Yoda, Zack, ZigD and all i forgot!!!
近期下载者:
相关文件:
收藏者: