02-17-2004, 22:41
FEUERRADER
ImpREC.dll & reversing

I want to use ImpREC.dll in my unpacker, but it works only on WinNT systems. HOWEVER, GUW32 uses THIS ImpREC.dll and successfully rebuilds imports on win9x! It's a paradox!!!
In my unpacker, with ImpREC.dll on win9x, the import looks like:
=============================
KERNEL32.dll 1FlushInstructionCache 1FlushInstructionCache 1FlushInstructionCache KERNEL32.dll 1FlushInstructionCache 1FlushInstructionCache 1FlushInstructionCache 1FlushInstructionCache 1FlushInstructionCache 1FlushInstructionCache 1FlushInstructionCache 1FlushInstructionCache 1FlushInstructionCache 1FlushInstructionCache 1FlushInstructionCache 1FlushInstructionCache 1FlushInstructionCache 1FlushInstructionCache 1FlushInstructionCache 1FlushInstructionCache
=============================
On WinXP my unpacker works fine, but on win9x the import is filled with FlushInstructionCache functions.

The rebuild function looks like:
BOOL RebuildImport(DWORD pid, DWORD oep_rva, DWORD iat_rva, DWORD nb_recursion, LPTSTR dump_filename);

Syntax of my call on MSVC++ 6.0:
RebuildImport(pi.dwProcessId, 0x401000, 0, 5, m_Dumpname);

What is nb_recursion??? I reversed PEiD Generic Unpacker by Snaker and found this number there. It was 5.
What number must be there??

P.S. Sorry for my ugly English.