Sorry for replying so late, but my user status allows me only to post one message a day. And thank you to everybody who replied to me.
But I'm afraid either I explained my problem wrongly or you didn't understand what I wanted to know. I'll try to say it more clearly this time.
I am aware of how manual and automatic import rebuilding works in normal cases. As you say, in packed or encrypted programs the IAT is not filled by the operating system but by the loader. Normally you have 3 ways of calling an API:
Code:
; 1. way: call straight through the IAT slot
Call DWORD PTR [IATEntry]

; 2. way: call a thunk that jumps through the IAT slot
Call __imp__IATEntry

__imp__IATEntry:
Jmp DWORD PTR [IATEntry]

; 3. way: load the slot's value into a register, then call the register
Mov Reg32, [IATEntry]
Call Reg32
This is where my problem lies: there is no IAT. It's not that I wouldn't be able to find it, it's just not present. All APIs are called by relative calls and jumps. Even the "3. way" is present in the code, but Reg32 is not loaded from a memory address, it's just "Mov Reg32, Value". It's all hardcoded into the packed code, not replaced by the loader at execution time. I have already got past most of the protection, so that the destination of the relative jumps and calls is a jump to the API. My problem now is that I don't know where or how I should build an import table. Using ImpRec is simply not possible since there is no IAT present.
@tr1stan:
Your idea sounds logical. I will try it as soon as I am back at my PC. Thanks.
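Added worked example (my own code, not from the post above or from any tool mentioned in it). It shows the situation the poster describes, the three call forms with the IAT slot collapsed into a direct rel32 call/jmp or a `mov reg, imm32`, and a rebuild that does what an IAT scanner cannot do here because there is no IAT to scan: find the hard-coded API targets, allocate a fresh IAT plus one `jmp dword ptr [slot]` thunk per API in a spare section, point every direct reference at its thunk, and emit the IMAGE_IMPORT_DESCRIPTOR, INT and hint/name data so a normal loader fills the new IAT at load time. The image base, the section address, the code blob and the API addresses in API_MAP are all constructed for the example; on a real dump API_MAP would come from the export tables of the modules mapped in the process.

```python
import struct
# Constructed example image (not the poster's binary): 32-bit, fixed base, unpacked
# code in .text, and a spare section that we fill with the rebuilt import data.
IMAGE_BASE = 0x00400000
CODE_VA    = IMAGE_BASE + 0x1000   # VA of the unpacked code blob
NEW_SEC_VA = IMAGE_BASE + 0x3000   # hypothetical empty section: IAT, thunks, descriptors

# Hypothetical resolved API addresses: what the loader would normally write into the IAT,
# here baked into the code. For a real dump, build this from the mapped modules' exports.
API_MAP = {
    0x7C801D7B: ("kernel32.dll", "LoadLibraryA"),
    0x7C80AE40: ("kernel32.dll", "GetProcAddress"),
    0x7C81CAA2: ("kernel32.dll", "ExitProcess"),
    0x77D507EA: ("user32.dll",   "MessageBoxA"),
}

def rel32(insn_va, target_va, length=5):
    """Displacement for a 5-byte E8/E9 instruction at insn_va that reaches target_va."""
    return struct.pack("<i", target_va - (insn_va + length))

def build_sample_code():
    """Constructed x86 blob: every API is reached with no IAT involved at all."""
    code = bytearray()
    emit = code.extend
    emit(b"\x6A\x00")                                            # push 0
    emit(b"\xE8" + rel32(CODE_VA + len(code), 0x77D507EA))      # call MessageBoxA   (rel32 into the DLL)
    emit(b"\xB8" + struct.pack("<I", 0x7C80AE40))               # mov eax, GetProcAddress ("3. way", immediate)
    emit(b"\xFF\xD0")                                            # call eax
    emit(b"\xE8" + rel32(CODE_VA + len(code), 0x7C801D7B))      # call LoadLibraryA  (rel32 into the DLL)
    emit(b"\xE8" + rel32(CODE_VA + len(code), CODE_VA + 0x20))  # call local_func    (not an import, must stay)
    emit(b"\xE9" + rel32(CODE_VA + len(code), 0x7C81CAA2))      # jmp  ExitProcess   (rel32 tail jump)
    emit(b"\x90\x90\x90")                                        # padding
    emit(b"\xC3")                                                # local_func: ret
    return bytes(code)

def scan_direct_api_refs(code, code_va, api_map):
    """Linear sweep for E8/E9 rel32 and B8+r imm32 whose target is a known export. Resolving
    against api_map is the false-positive filter: a stray byte almost never decodes to an export."""
    hits, i = [], 0
    while i < len(code):
        op = code[i]
        if op in (0xE8, 0xE9) and i + 5 <= len(code):
            disp = struct.unpack_from("<i", code, i + 1)[0]
            target = (code_va + i + 5 + disp) & 0xFFFFFFFF
            if target in api_map:
                hits.append((i, "rel32", target)); i += 5; continue
        elif 0xB8 <= op <= 0xBF and i + 5 <= len(code):
            imm = struct.unpack_from("<I", code, i + 1)[0]
            if imm in api_map:
                hits.append((i, "imm32", imm)); i += 5; continue
        i += 1
    return hits

def build_import_section(hits, api_map, sec_va):
    """Lay out IAT | thunks | IMAGE_IMPORT_DESCRIPTORs | INT | hint/name strings in a fresh section."""
    by_dll = {}
    for _, _, addr in hits:
        lst = by_dll.setdefault(api_map[addr][0], [])
        if addr not in lst: lst.append(addr)
    n_imp, n_dll = sum(map(len, by_dll.values())), len(by_dll)
    iat_size = 4 * (n_imp + n_dll)                # one null terminator per DLL group
    iat_va, thunk_va = sec_va, sec_va + iat_size
    desc_va = thunk_va + 6 * n_imp                # each thunk is FF 25 <abs32>
    int_va = desc_va + 20 * (n_dll + 1)           # descriptors plus terminator
    names_va = int_va + iat_size
    iat, thunks, descs, ints, names = (bytearray() for _ in range(5))
    thunk_by_api = {}
    for dll, addrs in by_dll.items():
        first_thunk = iat_va + len(iat) - IMAGE_BASE
        orig_first_thunk = int_va + len(ints) - IMAGE_BASE
        for addr in addrs:
            thunk_by_api[addr] = thunk_va + len(thunks)
            thunks += b"\xFF\x25" + struct.pack("<I", iat_va + len(iat))   # jmp dword ptr [slot]
            name = api_map[addr][1]
            hint_name = names_va + len(names) - IMAGE_BASE
            names += struct.pack("<H", 0) + name.encode() + b"\0" * (2 - len(name) % 2)
            iat += struct.pack("<I", hint_name)   # on disk the IAT mirrors the INT; the loader overwrites it
            ints += struct.pack("<I", hint_name)
        iat += b"\0" * 4; ints += b"\0" * 4
        dll_name = names_va + len(names) - IMAGE_BASE
        names += dll.encode() + b"\0" * (2 - len(dll) % 2)
        descs += struct.pack("<IIIII", orig_first_thunk, 0, 0, dll_name, first_thunk)
    descs += b"\0" * 20                           # terminating descriptor
    return bytes(iat + thunks + descs + ints + names), thunk_by_api, desc_va - IMAGE_BASE, len(descs)

def redirect_to_thunks(code, code_va, hits, thunk_by_api):
    """Point each direct reference at its thunk; the 5-byte encodings stay 5 bytes."""
    patched = bytearray(code)
    for off, kind, addr in hits:
        thunk = thunk_by_api[addr]
        patched[off + 1:off + 5] = rel32(code_va + off, thunk) if kind == "rel32" else struct.pack("<I", thunk)
    return bytes(patched)

def rebuild_imports(code, code_va=CODE_VA, sec_va=NEW_SEC_VA, api_map=API_MAP):
    """Returns (hits, patched code, new section bytes, thunk VA per API, import dir RVA, dir size)."""
    hits = scan_direct_api_refs(code, code_va, api_map)
    section, thunk_by_api, dir_rva, dir_size = build_import_section(hits, api_map, sec_va)
    return hits, redirect_to_thunks(code, code_va, hits, thunk_by_api), section, thunk_by_api, dir_rva, dir_size
```

`rebuild_imports(build_sample_code())` turns the direct `call MessageBoxA` at 0x401002 into a `call` to the thunk at 0x403018, which is `jmp dword ptr [0x403000]`, the first slot of the new IAT; the `mov eax, imm32` gets the thunk address as its immediate, so `call eax` still works; the local `call` at 0x401013 is left alone because its target is not an export. What the block deliberately does not do: write the section header (the new section needs read and execute flags) and point OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT] at `dir_rva`/`dir_size`, which is the last step before the dump loads cleanly. Two caveats a practitioner should keep in mind: the linear byte sweep is a convenience for the example, and on real code you would feed the scanner instruction starts from a disassembler or the targets you already traced while stepping the jumps to the APIs; and the thunks use absolute 32-bit addresses, so on an image with base relocations each `FF 25` operand and each patched immediate needs a fixup entry (on x64 the thunk would be RIP-relative instead).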