Thanks TechLord.
Looking at the disassembly of your unpacked Ramsaver, I could see that I was totally wrong in saying that there is no IAT redirection.
I have now been able to trace to the point where the decision is made whether to write an API into the IAT or not. At that location, whenever ESI=0xDC or 0x74 the IAT was written, and with ESI=0xE6 it was skipped. So I was able to inject this code
Code:
    009E0000   8A43 3B          MOV AL,BYTE PTR DS:[EBX+0x3B]
    009E0003   81FE E6000000    CMP ESI,0xE6            ; 0xE6 is the case where the IAT write is skipped
    009E0009   75 05            JNZ SHORT 009E0010      ; 0xDC / 0x74: leave ESI alone
    009E000B   BE 74000000      MOV ESI,0x74            ; force the value for which the IAT gets written
    009E0010 ^ E9 A161FEFF      JMP 009C61B6            ; back into the original code
to resolve the IAT.
Now I am trying to figure out how to fix those redirected calls to 01B00000, which are actually calls to the APIs that are redirected to the VM.
I am still reading some tutorials and hoping I can make a breakthrough soon.
However, any suggestion on the procedure for resolving these redirected calls will be very much appreciated.
Thanks,
TempoMat
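One way to spot the symptom TempoMat describes, IAT slots whose values point into a stub region such as 01B00000 instead of into the exporting DLL, when analysing a dumped image. This is an added example, not code from the original post or thread: it walks the PE32 import descriptors of a small image constructed in memory and flags every slot whose value lies outside the expected load range of its DLL. The image layout, the RVAs, the import-directory location and the module ranges are all assumptions built for the demonstration; only the IMAGE_IMPORT_DESCRIPTOR / lookup-table format is the real PE layout.

```python
import struct

# Constructed demonstration image (not a real binary). The image base, the
# import-directory RVA and the module load ranges are all assumptions.
IMAGE_BASE = 0x00400000
IMPORT_DIR_RVA = 0x2000
MODULE_RANGES = {
    "kernel32.dll": (0x75A00000, 0x75B00000),
    "user32.dll":   (0x76000000, 0x76100000),
}


def build_sample_image():
    """Build a small mapped-image buffer holding one PE32 import directory.

    Layout (RVAs chosen for this example):
      0x2000  IMAGE_IMPORT_DESCRIPTOR array (two DLLs + zero terminator)
      0x2100  DLL names and IMAGE_IMPORT_BY_NAME (hint + ASCIIZ) entries
      0x2200  import lookup table for kernel32, 0x2220 for user32
      0x2300  import address table for kernel32, 0x2320 for user32
    One IAT slot (ExitProcess) is deliberately filled with 0x01B00000, an
    address outside every module range, to model a redirected import.
    """
    img = bytearray(0x3000)

    def put(rva, data):
        img[rva:rva + len(data)] = data

    cur = 0x2100
    dll_name_rva = {}
    for dll in ("kernel32.dll", "user32.dll"):
        dll_name_rva[dll] = cur
        put(cur, dll.encode() + b"\0")
        cur += len(dll) + 1
    func_rva = {}
    for func in ("GetProcAddress", "ExitProcess", "MessageBoxA"):
        func_rva[func] = cur
        put(cur, struct.pack("<H", 0) + func.encode() + b"\0")  # hint, then name
        cur += 2 + len(func) + 1

    # Lookup tables: RVAs of the IMAGE_IMPORT_BY_NAME entries, zero-terminated.
    put(0x2200, struct.pack("<III", func_rva["GetProcAddress"], func_rva["ExitProcess"], 0))
    put(0x2220, struct.pack("<II", func_rva["MessageBoxA"], 0))
    # Address tables as they look after loading (absolute addresses), zero-terminated.
    put(0x2300, struct.pack("<III", 0x75A12340, 0x01B00000, 0))
    put(0x2320, struct.pack("<II", 0x76012340, 0))
    # Descriptors: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk.
    put(0x2000, struct.pack("<IIIII", 0x2200, 0, 0, dll_name_rva["kernel32.dll"], 0x2300))
    put(0x2014, struct.pack("<IIIII", 0x2220, 0, 0, dll_name_rva["user32.dll"], 0x2320))
    return img


def read_cstr(img, rva):
    end = img.index(b"\0", rva)
    return img[rva:end].decode("ascii")


def parse_imports(img, import_dir_rva):
    """Walk the import descriptors; return (dll, func, slot_rva, slot_value) tuples."""
    entries = []
    off = import_dir_rva
    while True:
        ilt, _stamp, _fwd, name_rva, iat = struct.unpack_from("<IIIII", img, off)
        if ilt == 0 and name_rva == 0 and iat == 0:
            break  # an all-zero descriptor terminates the array
        dll = read_cstr(img, name_rva).lower()
        i = 0
        while True:
            lookup = struct.unpack_from("<I", img, ilt + 4 * i)[0]
            if lookup == 0:
                break
            value = struct.unpack_from("<I", img, iat + 4 * i)[0]
            if lookup & 0x80000000:          # import by ordinal (PE32 flag bit)
                func = "#%d" % (lookup & 0xFFFF)
            else:                            # skip the 2-byte hint, read the name
                func = read_cstr(img, lookup + 2)
            entries.append((dll, func, iat + 4 * i, value))
            i += 1
        off += 20
    return entries


def find_redirected(entries, module_ranges):
    """Return the slots whose value does not fall inside the exporting DLL's range."""
    flagged = []
    for dll, func, slot_rva, value in entries:
        lo, hi = module_ranges.get(dll, (0, 0))
        if not (lo <= value < hi):
            flagged.append((dll, func, slot_rva, value))
    return flagged


if __name__ == "__main__":
    image = build_sample_image()
    for dll, func, slot, value in find_redirected(parse_imports(image, IMPORT_DIR_RVA), MODULE_RANGES):
        print("IAT slot %08X (%s!%s) -> %08X lies outside %s"
              % (IMAGE_BASE + slot, dll, func, value, dll))
```

On a real dump the module ranges would come from the debugger's module list and the import-directory RVA from the data directory in the optional header; the check itself is the same, and a slot the check flags is exactly one of the "calls redirected to the VM" that still needs a proper resolution.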