Quote:
|
Originally Posted by JMI
I think I read some threads on the issue on the Woodmann Forum, but don't have time at the moment to try to find them for you. I'll post something later, if I get the chance.
|
Thanks, JMI. I have already read some threads on Woodmann about this issue, but didn't find anything really helpful. Maybe you saw other threads.
Quote:
|
Originally Posted by volodya
Study more, my friend. The answer is easy - it is called OriginalFirstThunk.
|
There's an option in ImpRec... "Import Original FT".
Does this solve the problem? I never tried it.
Quote:
|
Originally Posted by evaluator
First of all: it is better not to use automated tools, but to try clear manual unpacking;
|
I'm getting closer to it. But all I did for now was to write some functions which resolved imports for me, no ImpRec Disassembly or Tracer fix. So I got only valid imports in ImpRec. I'm at some "semi-manual" unpacker level.
Quote:
|
Originally Posted by evaluator
Unpack on both W9x & NT systems, then compare the RESOLVED imports;
when you see a difference, you need to confirm the exact import name in a debugger;
|
Do you think this is a good method? It seems a bit time-consuming to do this for every packer...