Merging Imports with Exports?

[5Alive]

Thanks for the replies guys. I did notice the check box for adding a new section but wasn't clear on how to use it. My dumped DLL works with the .mackt section in place. I'd just like to try and have imports and exports in the one section. I had a look at ReVirgin but I didn't care for the user interface.

The unpacked DLL I found has the import table at RVA 64564,size B4 and the export Table at 65BC0, size 4E. Whereas the file I dumped and fixed has the export table at 65ADO and the Import Table at 153D0.

I also see that Vsize of the original .radta section has been increased from FB1E to 10000, which borderss the start RVA of the .data section at 66000.
Presumably this increase is to allocate the needed space for IAT and EAT tables?

What I don't yet understand is why these particular export and import tables RVAs were chosen? Is it common practice copy and paste these tables and then adjust the RVAs accordingly? I thought this process would have been more "automated" if you see what I mean.

I'm probably thinking this is much more difficult than it actually is, and I'm maybe overlooking something simple.

Oh and what do you to find a suitable "cave" for the IAT? I tried dumping the .rdata section (Vsize was increased to 10000) and opened it in Hex Workshop expecting to see sufficient free space towards the end of the file(there wasn't room).

Many thanks,
5aLIVE.

The reason for the bigger size of the dump is simple. If the file is on your HDD, a section can have a physical size of 0x4A00 and a virtual size of 0x9000.

When the section is loaded into memory, the dumper only knows the virtual size and dumps the full 0x9000 bytes. The dumper doesn't know if the 0x4A00 bytes contained compressed data or not, so it cannot use the physical size for dumping.

Of course you can set the physical size to 0x4A00 again after you have verified that only 0x4A00 bytes are really used and the other 0x4600 bytes are unused.