Merging Imports with Exports?

[5Alive]

I have a DLL file I wish to unpack, I have a working unpacked file "found in the wild" which I am using for comparison.

I dumped a DLL at OEP using LordPE and correctly restored the imports with ImpREC. I then wiped the packers section header to leave the the usual sections:

.text, .rdata, .data, .reloc, .rsrc.

Of course the restored imports are in the section .mackt, what I'd like to know is how do I merge/join the .mackt section with the .rdata section?

I haven't seen any mention of this in any of the RCE forums or tutorials.

Thanks,
5aLIVe.

You can't really "join" the .rdata and the .mackt section, since there are other sections between them. It also doesn't have any disadvantage in functionality if you have a .mackt section.

The easiest solution would be to find some free space in the .rdata section, disable "add new section" in ImpREC and recover the imports again, but this time with the address of the free space you found in .rdata.

Or you need to manually move the data from .mackt to the location you want it and adjust all offsets.

[Jay]

iirc with revirgin you can specify the iat address if you don't select auto fix, decide where you want to put it, save it then paste it into your dump.

with imprec he can do the same, untick add new section for iat and then specify addres

[5Alive]

Thanks for the replies guys. I did notice the check box for adding a new section but wasn't clear on how to use it. My dumped DLL works with the .mackt section in place. I'd just like to try and have imports and exports in the one section. I had a look at ReVirgin but I didn't care for the user interface.

The unpacked DLL I found has the import table at RVA 64564,size B4 and the export Table at 65BC0, size 4E. Whereas the file I dumped and fixed has the export table at 65ADO and the Import Table at 153D0.

I also see that Vsize of the original .radta section has been increased from FB1E to 10000, which borderss the start RVA of the .data section at 66000.
Presumably this increase is to allocate the needed space for IAT and EAT tables?

What I don't yet understand is why these particular export and import tables RVAs were chosen? Is it common practice copy and paste these tables and then adjust the RVAs accordingly? I thought this process would have been more "automated" if you see what I mean.

I'm probably thinking this is much more difficult than it actually is, and I'm maybe overlooking something simple.

Oh and what do you to find a suitable "cave" for the IAT? I tried dumping the .rdata section (Vsize was increased to 10000) and opened it in Hex Workshop expecting to see sufficient free space towards the end of the file(there wasn't room).

Many thanks,
5aLIVE.

The reason for the bigger size of the dump is simple. If the file is on your HDD, a section can have a physical size of 0x4A00 and a virtual size of 0x9000.

When the section is loaded into memory, the dumper only knows the virtual size and dumps the full 0x9000 bytes. The dumper doesn't know if the 0x4A00 bytes contained compressed data or not, so it cannot use the physical size for dumping.

Of course you can set the physical size to 0x4A00 again after you have verified that only 0x4A00 bytes are really used and the other 0x4600 bytes are unused.

well to it does someone knows any pe editor or optimizer that can optimize file size, after dump analyze every section, detect empty space filled with zeroes and strip it and just leave raw size as it should be and virtualsize to whole size before, because when we have for example .data? section its size can be 16mb but in compiled exe its 0 due its all allocated but in dump we have 16mb, because no dumper optimizes that

[5Alive]

Thankyou for your replies gents. I've feel I learned something here, although its become clear that I need to read more on the portable executable specification and experiment with the tools to further my understanding if I am to become a better reverser.

5aLIVE