
Thread: how does ImpRec work?

  1. #1

    how does ImpRec work?

    how does ImpRec find the IAT section?

    if i enter an OEP, does ImpRec search for "call ds:[407030]"-like calls (0xFF15) and assume that the IAT section could be 7XXX?

    and if so, how does this search work? does ImpRec follow jumps and calls to find more searchable code?

  2. #2
    A first question. Have you searched for and read anything about how ImpRec works, either here or on the net, before asking your question?

    Are you aware that the source code of ImpRec is available for your review?

    It seems a little searching is in order and certainly some reading of the FAQ in the BIG RED LETTERS.

    Regards,
    JMI

  3. #3
    i'm sorry

  4. #4
    And maybe I was a wee bit too hasty about the source code being available. There are certainly several places which "say" the source code is available, but that seems to be for some of the plug-ins. Not sure now if the source for ImpRec, itself, was ever available, but further searching should find the answer. However, there is a great deal about ImpRec on the net and on these forums you should review, and if you also review threads here on manual import rebuilding and study the PE header, you will come to find out where the IAT is supposed to be located.

    Regards,
    JMI

  5. #5
    <script>alert(0)</script> disavowed's Avatar
    Quote Originally Posted by JMI
    And maybe I was a wee bit too hasty about the source code being available... further searching should find the answer.
    JMI, please read the FAQ in BIG RED LETTERS and try SEARCHING before posting on this message board!

  6. #6
    Administrator dELTA's Avatar

  7. #7
    Oh what a cruel world.

    In fact, it was because I was actually searching for the "source" which was alleged to be there, that I discovered the representation did not seem to be completely correct.

    I am not a programmer and I took their word that "the source" was included. Then, to make sure, I looked inside several versions of ImpRec I have on my HD and discovered the "source" seemed to be for plugins only. I then searched and, after several fruitless paths, concluded that the claims I had read appeared to simply be an overstatement. Having made that discovery, by further searching, I duly reported the results to the waiting world, knowing full well the abuse which would be heaped on this poor hapless soul, who was only trying, with his last ounce of strength, to do one last good deed before he perished from exhaustion.

    Oh cruel fate. Oh the shame of it all. I guess I'll have to go kill myself now. No wait, there are plenty of people waiting in line for the privilege of killing me. Well at least I won't have to use the energy to kill myself.

    Good bye.

    Regards,
    JMI

  8. #8
    Ahhhhhhhhhhhhh.....

    'Tis not nice to see the preacher not practice what he hath preached.


    No excuses accepted

    Ta Ta, Woodmann

  9. #9
    no, you're right

    the ImpRec lite dll source is freely available
    and it seems that it does contain enough interesting stuff

    http://wave.prohosting.com/mackt/projects/imprec/ImpREC_lite_v11.zip

  10. #10
    Well that at least clarifies somewhat the issue of the "full source" code. One can be easily misled by entries in google, such as:

    Protools - Utilities
    ... Import REConstructor 1.6 (289K). ... fixes section entries in header (size & offset)
    and is also able to rebuild the import table if ... Full source code included. ...

    which was one of the links I saw with the quick check, before my first post. I then got to thinking that I had downloaded a copy of v1.6 from there and did not recall seeing source code there. But I did recall reading, somewhere, that source code was available for ImpRec, and Orp has now cleared up that it was for the "lite" version. I feel so vindicated that, perhaps, I won't kill myself after all. And of course, now I'll have to resist any extraneous attempt to accomplish that task.

    Regards,
    JMI
