
I am learning some reverse engineering and stumbled upon a problem. I have followed the tutorial that is included inside the unpackMe package, but I sense that there is a problem because I am running Windows 10.

The problem is that the APIs found by ImpRec are being marked as invalid, even though they are in fact listed inside the memory block when looking with OllyDbg.

A screenshot:

Screenshot

It might also have something to do with the AcLayers in between the Kernel32 DLL.

What to do?

Peter Hall
Jozo

1 Answer


Assuming you know which are the correct APIs that should be imported, as this seems to be the case:

Using ImpRec you can manually fix those two invalid import records by right clicking on them and using one of the many more advanced import lookup functionalities. Experiment to figure out which ones are working best for a set of packers.

If that fails, you can always save the tree to disk, edit it manually with the correct information and then load it back.

NirIzr
  • Interesting answer, I know I can manually point to the correct DLL and function, but there are just too many to be bothered. What do you mean by right clicking? When I do so, nothing shows up. – Jozo Apr 28 '17 at 19:08
  • Sorry, it's been a while since I last used ImpRec and I'm doing this from memory. IIRC it has the ability to select tracing options and fine-tune the import resolution process. Perhaps the Auto Trace or Options buttons? Additionally, I can suggest you try the Scylla import reconstructor. It's more advanced (and I may be thinking of it instead of ImpRec). – NirIzr Apr 28 '17 at 19:13
  • 1
    Nvm, ImpRec was acting up. Great answer, there are 3 auto-trace methods when right clicking. Solved my problems in a heart beat, thank you. – Jozo Apr 28 '17 at 19:16
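To make the "invalid" flag in the question concrete, here is a small model of the resolution step an import reconstructor performs, added as an illustration; it is not code from ImpRec, Scylla or anyone in this thread. The tool walks the dumped IAT and tries to map each slot's address to an export of the DLL the import descriptor names. A slot whose address lands inside another module (the asker's AcLayers hypothesis is modelled here as a shim hook) cannot be named directly, which is exactly the kind of entry the trace options or a hand-edited tree are for. All module bases, export RVAs and IAT values are constructed, and the `ShimHook_GetProcAddress` export name is hypothetical.

```python
"""Toy model of the address-resolution step an import reconstructor runs.

Added example for this thread, written for illustration; it is not code
from ImpRec or Scylla. Every module base, size, export RVA and IAT value
below is constructed, not read from a real process.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Module:
    """A loaded module as the reconstructor sees it: image range plus an
    export table keyed by RVA (offset from the image base)."""
    name: str
    base: int
    size: int
    exports: Dict[int, str] = field(default_factory=dict)

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed module map (assumed values). AcLayers.dll stands in for a
# compatibility shim that hooks a kernel32 API; its hook stub lives inside
# the shim and is not an export of kernel32.
MODULES: List[Module] = [
    Module("kernel32.dll", 0x76E00000, 0x000F0000, {
        0x00010A30: "GetProcAddress",
        0x00012F10: "LoadLibraryA",
        0x0001A5C0: "GetModuleHandleA",
    }),
    Module("AcLayers.dll", 0x6F100000, 0x00040000, {
        0x00003210: "ShimHook_GetProcAddress",   # hypothetical name
    }),
]


def resolve(addr: int) -> Tuple[Optional[str], Optional[str]]:
    """Map an absolute address to (module name, export name).

    Returns (None, None) when no module covers the address and
    (module, None) when the address is inside a module but is not an
    exported entry point.
    """
    for mod in MODULES:
        if mod.contains(addr):
            return mod.name, mod.exports.get(addr - mod.base)
    return None, None


def classify_iat(iat: List[int], expected_dll: str = "kernel32.dll") -> List[dict]:
    """Label each IAT slot the way a reconstructor would.

    'valid'      : points at an export of the DLL the import descriptor names
    'redirected' : points into some other module (e.g. a shim layer), so the
                   real API has to be recovered by tracing or fixed by hand
    'invalid'    : points nowhere useful (unmapped, or inside the expected
                   DLL but not at an export)
    """
    rows = []
    for slot, addr in enumerate(iat):
        mod, exp = resolve(addr)
        if mod == expected_dll and exp is not None:
            status = "valid"
        elif mod is not None and mod != expected_dll:
            status = "redirected"
        else:
            status = "invalid"
        rows.append({"slot": slot, "addr": addr, "module": mod,
                     "export": exp, "status": status})
    return rows


def apply_manual_fixes(rows: List[dict], fixes: Dict[int, Tuple[str, str]]) -> List[dict]:
    """Model the 'save the tree, edit it, load it back' step: overwrite the
    module/export of the given slots and mark them valid. Returns a new
    list; the original classification is left untouched."""
    fixed = [dict(r) for r in rows]
    for slot, (dll, name) in fixes.items():
        fixed[slot].update(module=dll, export=name, status="valid")
    return fixed


# Constructed IAT dump: two good kernel32 entries, one shim-redirected
# entry, one pointer into unmapped memory.
SAMPLE_IAT = [0x76E10A30, 0x76E12F10, 0x6F103210, 0x00401000]

if __name__ == "__main__":
    rows = classify_iat(SAMPLE_IAT)
    for r in rows:
        print(f"slot {r['slot']}: {r['addr']:#010x} -> {r['module']}!{r['export']} [{r['status']}]")
    # The analyst has identified slot 2 as GetProcAddress behind the shim.
    for r in apply_manual_fixes(rows, {2: ("kernel32.dll", "GetProcAddress")}):
        print(f"after fix, slot {r['slot']}: {r['status']}")
```

Only the 'valid' rows can be written straight into a rebuilt import directory; the 'redirected' row is the one an auto-trace method or a manual edit has to turn into a DLL!function pair before the dump will run.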