@hinte:
In the current state I do not yet have an IAT, so there is no way to use ImportREC. I am aware of the emulation problem; so far I have found 18 emulated functions and still need to find out what many of them do.
@OrionOnion:
I'm not trying to unpack Starforce, but the protection uses methods very similar to those you described. There is no external DLL, but the base address of the emulation code is in the protector's PE section. From there the code leads to some manually allocated memory handling all the emulation and the API calls. Currently it looks like only KERNEL32 is emulated, but I haven't identified all calls yet.
@omidgl:
I don't want to seem unthankful or aggressive to you, but I already wrote two times that there is no IAT (i.e. it does not exist anywhere), and I'm writing it now again. I already removed all of the protection's code from the import handling, so there is no need to use API spying, since I know all APIs except some emulated APIs (which can't be found by spying, since they never execute any kernel code). My problem is only how to build the IAT out of nothing, with only relative calls and jumps in the code.