Purpose: Stamp Import Table Manually.
Tools:
Softice: 3.00 or above
Procdump v 1.40
Softdump from Master Cracker Quine
Dumppe by Turvey
Hex editor of your choice.
Target: Sruler.exe size 51,712 (bytes)
http://www.woodmann.com/fravia/frarul1.htm

Packer: PEPACK v.099 size 14,848 (bytes)
http://www.suddendischarge.com (site down)

History: No History + A little knowledge about PE file structure is necessary.
+ It would not have been possible without "procdump" which did 95% of the work.
It's a great tool.
For learning purpose we will pack the target file "sruler.exe" with pepack.exe
So give the command. Make a backup of file sruler.exe just in case if we make
any error.
Pepack Sruler.exe
New sruler.exe file is 28,160 decimal bytes.
Now run Procdump. From Main menu selection click "Option".
Inside the option on bottom left click "Rebuild new import table" then
press OK!!
Click Unpack from the Main menu we have to select PEPACK Press OK.
Select the file "sruler.exe" then press open. Procdump will display a
message "Press OK when task is loaded (Check Task Bar)" you have to
press OK, few seconds later you will see a message
"Import Table Can't be Stamped (Not Found)" Press Ok.
Procdump will ask us to give the file name which it has unpacked successfully.
I gave "unpacked.exe" pressed OK the file is created on your hard disk.
Don't try to run it, it wont run. Remember the error "Import table can't be
stamped". So we have to manually stamp it how read below:
We will first use "Dumppe" to see more information about "unpacked.exe" so give
dumppe unpacked.exe > peinfo
I will highlight the most important for this purpose. Inside "peinfo" check
the below item	  
Directory Name      VirtAddr  VirtSize
------------------- --------  --------
Export              00000000  00000000
Import              000115F8  0000003C <<- Will change this later in procdump
Resource            0000C000  00001D40     Just keep a note of it in your brain	
06  .idata  Virtual Address         0000E000
            Virtual Size            00001000
            Raw Data Offset         0000B200  <-start of idata section in file
            Raw Data Size           00000B4C  <-this is the size of idata
            Relocation Offset       00000000
            Relocation Count        0000
            Line Number Offset      00000000
            Line Number Count       0000
            Characteristics         C0000040
                  Initialized Data
                  Readable
                  Writeable
So open the file "unpacked.exe" in your hex editor
Hex unpacked.exe
Go to the offset B200. Mark the position from B200 till BD4C i.e.
(B200 + B4C) & delete everything. What we have got is useless. We will have
to stamp this portion of file with the correct value so that the file can run. 
Open MSDOS prompt & run softdump. I used like this
sdump95 idata.bin B4C
We will get a mapping address: 0x826d8000 <-- This will be different for you.
Make a note of this on paper. Press "Alt tab" & Open another "MS-DOS prompt".
So we have 2 "MS-DOS Prompt".
It's Time to use Softice. Since this file is packed softice was not able to break
from the first instruction, so here is an old techinque. Open the file "sruler.exe"
in your hex editor go to offset 5E06 & replace the value "5D" with "CC" save & exit.
Now go in Softice "Ctrl D" give the command "i3here on" close softice & now
run "sruler.exe" you will break into softice
xxxx:00411000  PUSHAD
xxxx:00411001  CALL    00411006
xxxx:00411006  INT     3
xxxx:00411007  SUB     EBP,06          <---- You will be here
xxxx:0041100A  CMP     BYTE PTR [EBP+000004E0],01
xxxx:00411011  JZ      00411209
In softice say
r eip=411001
press "F8"
You will be at offset 00411006 we have put back the original value i.e.
"5D" so type
a
pop ebp
Now go on ahead in tracing pressing "F10" till you reach here
xxxx:0041107E  CALL    004114BE
xxxx:00411083  OR      EAX,EAX
xxxx:00411085  JZ      0041126B
xxxx:0041108B  MOV     [EBP+00000505],EAX
xxxx:00411091  MOV     ESI,[EBP+000004FD]
xxxx:00411097  ADD     ESI,EBP
xxxx:00411099  LODSD                 <<- Load in EAX virtual address 
xxxx:0041109A  OR      EAX,EAX
xxxx:0041109C  JZ      004110CD
xxxx:0041109E  MOV     EDI,EAX
xxxx:004110A0  ADD     EDI,[EBP+0000052D]
xxxx:004110A6  LODSD                <<- Size of packed data to read
xxxx:004110A7  MOV     ECX,EAX
xxxx:004110A9  LODSD                <<- Check if More to process
xxxx:004110AA  OR      EAX,EAX
xxxx:004110AC  JZ      00411099
xxxx:004110AE  PUSH    ESI
xxxx:004110AF  PUSH    EDI
xxxx:004110B0  MOV     ESI,EDI
xxxx:004110B2  MOV     EDI,[EBP+00000505]
xxxx:004110B8  REPZ MOVSB          <<- Move the data util CX=0
xxxx:004110BA  POP     EDI
xxxx:004110BB  PUSH    EDI
xxxx:004110BC  PUSH    DWORD PTR [EBP+00000505]
xxxx:004110C2  CALL    004112F0   <<- This is the main routine which we will
                                      trace when EAX at offset 411099 is
                                      equal to 0000E000 i.e. EAX=0000E000
xxxx:004110C7  ADD     ESP,08
xxxx:004110CA  POP     ESI
xxxx:004110CB  JMP     00411099   <<- Jump again to unpack remaining sections
I hope everthing is very clear till here. Go on Pressing "F10" in the loop
until we encounter EAX=0000E000 at offset 411099. It is at this moment we will trace
inside the call routine 004112F0.
Call 004112F0 brings us here.
xxxx:004112F0  PUSH    EBP
xxxx:004112F1  MOV     EBP,ESP
xxxx:004112F3  PUSHAD
xxxx:004112F4  PUSH    EBP
xxxx:004112F5  MOV     ESI,[EBP+08]
xxxx:004112F8  MOV     EDI,[EBP+0C]
xxxx:004112FB  CLD
" "  " " " " " "
" "  " " " " " "
xxxx:00411407  MOV     EBP,EAX
xxxx:00411409  PUSH    ESI
xxxx:0041140A  MOV     ESI,EDI
xxxx:0041140C  SUB     ESI,EAX
xxxx:0041140E  REPZ MOVSB
xxxx:00411410  POP     ESI
xxxx:00411411  JMP     00411304
xxxx:00411416  POP     EBP      <<- Press "F6" Place the cursor here Press "F7"
It's difficult for me to understand but was able to pick what i was
searching for. So to reduce your time of pressing "F10" just say
"U 00411416" then press "F6" position your cursor at offset
xxxx:00411416 & press "F7" .
Now just say
m ds:0040e000 lB4C 826d8000
                   ^^^^^^^^^ Memory Mapped address that we got from softdump
Press "g" in softice let it run properly.
Now start quiting everything. Close the "sruler.exe" Press "Alt Tab" will
go in MS-DOS. Press enter "sdump95.exe" will be closed with "idata.bin"
created.
Now copy the data from "idata.bin" into our "unpacked.exe" from
offset "B200", save it and exit. Wait it still won't run. Last final touchup
is still kept pending. Start Procdump again select Pe-Editor & load the
file "unpacked.exe" then select "directory" we have to change the
import directory
Directory Name      VirtAddr  VirtSize
------------------- --------  --------
Import              000115F8  0000003C <<- It's now time to change this.
Import              0000E000  00000B4C <<- Change it as shown.
Exit procdump & run the "unpacked.exe".
Thanks to All Cracker with their powerful tutorial who taught me 99% of what
I know. Well... I've also learned something by myself I must say.
That's it.
ZenLoren 
zenloren@hotmail.com
P.S.: NOTE:
I have also encountered some situation in which procdump is not able to
unpack some files which are packed with "PEPACK" packer. So in that case
you can try to set the flag of OPTL4 in "script.ini" file from 2 to 3 see below
& it does the unpacking properly.
[PEPack]
L1=LOOK 61,FF,E0
L2=BP
L3=STEP
OPTL1=00000000
OPTL2=01000001
OPTL3=01010001
OPTL4=00020000   <<<<--  Try changing this to 00003000 
OPTL5=00000000