This tool is designed to rebuild imports for protected/packed Win32 executables. It reconstructs a new Image Import Descriptor (IID), Import Array Table (IAT) and all ASCII module and function names. It can also inject into your output executable, a loader which is able to fill the IAT with real pointers to API or a ripped code from the protector/packer (very useful against emulated API in a thunk).
Sorry but this tool is not designed for newbies, you should be familiar a bit with manual unpacking first (some tutorials are easy to find on internet).
Features:
- Imports
- An original tree view
- 2 different methods to find original imports (by IAT and/or API calls)
- A *FULL* complete rebuilder (including a new fresh IAT)
- Loader
- An analyzer and ripper of redirected API code
- An injected loader code to support mix of imports + ripped code in a thunk
- A heuristic relocator
- Tracers
- 3 default tracers (disasm, hook & ring3) to find APIs in redirected code
- A plugin interface to develop your own tracers
- Misc
- Support ALL 32/64bits Windows (9x, ME, NT, 2k, XP and Vista32/64)
- An export renormalizer for Win9x/ME (ala Icedump)
- A built-in coloured disasm/hex-viewer to analyze the redirected code
- A built-in dumper
- Support almost all known antidump tricks |
|
