Manually Find the IAT and Rebuild It Using ImportREC

The sample program can be downloaded from this link:

Our commonly used ImportREC shelling is the IAT auto search that comes with the software, but if we want to manually find the address of IAT and dump, what should we do?

First use the ESP law, you can quickly jump to OEP: 00401110.


We right click and select `Find->call between all modules.


Shows the list of functions called, we double-click on one of the functions (note that the double-click here should be the function of the program instead of the system function)


We came to the function call


Right click on follow to enter the function


Then right click on the data window to follow -> memory address


Here, because the display is a hexadecimal value, it is not convenient to view, we can right-click in the data window and select long->address to display the function name.


Note that we have to scroll up to the beginning of the IAT table. We can see that the initial function address is kernel.AddAtomA of 004050D8. We find the last function down, which is the user32.MessageBoxA function. Look at the size of the entire IAT table. At the bottom of the OD there is a display of 'block size: 0x7C, so our entire IAT block size is0x7C`


Open ImportREC, select the program we are debugging, then enter OEP:1110, RVA:50D8, SIZE:7C, and then click Get Input Table.


Here in the input table window, right click and select "Advanced Command -> Select Code Block".


Then a pop-up window will appear, select the full dump, save as dump.exe file


After the dump is complete, select Dump to file, here choose to repair the dump.exe we just dumped, get a dump\_.exe. At this point, the whole shelling is completed.