Look reprinted from the Ice Forum [Title: The Import REConstructor v1.2 beta2 input table --- repair of HiClock Pro v2.2 and S-Spline 2.04] Author: BestFont ------------ -------------------------------------------------- ------------------ [Download Office] 1) Import Reconstructor V1.2 Beta2 http://www.digitalRice.com/kaparo/files/utilities/imprec.zip ( Adding from Protoools) Sedge with Asprotect1.2, the shell 2) Hased 2) Hiclock Pro Version 2.2 Build 126 - ReleaseD on April 9, 2001 http://www.downme.com/download/6815 HiClockPro.zip http: //www.kgsoft.com/ (Official Website) 3) S-SPLINE 2.04 http://202.108.252.24/stcsr/rj/txtx/s-spline 2.04.zip (recreation) http://www.shortcut .nl / s-spline / shortcut_s-splinedemo.zip (official download) ---------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------- [Preface] this article Just briefly describe the repair of the input table, did not involve the crack of the software. The protagonist is IMPREC1.2 Beta2, the target software is HiClockPro V2.2 and SPLINE 2.04. Among them, HiClockPro 2.2 can be completed in one time, and S-SPLINE 2.04 also needs manual repair / fill. This article is done under Win98SE, of course, it is also suitable for reference [Tools] 1) ImpRec1.2beta2 (must be beta2 or its latest version) 2) Softice4.05build334, iCedump6.022 ("= necessary!) 3) PE -EDITOR1.7 4) BW2000 V0.2 (for Win9x Only) Tools: IMPREC's instruction file indicates that it is best to load iCEDUMP in the system when using IMPREC. This created input table is relatively small cross-platform. Before running iCedump, it is of course first to load Softice. Softice iCEDUMP: Use iCEDUMP / tracex command to find the address that may be OEIP. PE-Editor's Dumpfixer can make DUMP's RS = VS, RO = VO BW2000 V0.2 is the OEIP (IMPREC needs this value) if you already know the software OEIP, can be omitted if the software's OEIP is known. -------------------------------------------------- ------------------------------ [Preparation] Load Softice and iCedump. Track the target program (using the / tracex command), get OEIP, and / dump out a shell version.
Use PE-Editor's Dumpfixer to correct the shelling file. == "Note 1: HiClockPro 2.2 must take special steps to take a special step, otherwise the program cannot run. For details, please refer to the following two: 1) http://001.com.cn/forum/toye/14781.html Title: Brief description iCedump / tracex command in the HICLock shell (1 thousand words) Sender: Henryw 2) http://www.001.com.cn/forum/toye/14335.html Title: I don't want to write, I really know how but I don't know. The reasons why I changed. (690 words) Sender: HYING == "Note 2: S-SPLINE must be unregistered, otherwise the shell will not function properly. S-spline cracked can be refer to the following: http://001.com.cn/forum/toye/14799.html Title: V2.04 (9 thousand words) Sender: blowfish attached: This is an IMPRECT 1.2 Beta1 (not Beta2 !!) is used. http://001.com.cn/forum/toye/14358.html (this article refers to this article) Title: Try ... (1011 words) Sender: LJTT [Repair HiClockPro 2.2] --- ------------------ 0. Run HiClockPro 2.2 and IMPRECT 1. Select the HICLock.exe process in the ImpRect drop-down list; 2. Add BF260 in the lower left corner of OEP ( That is, the OEP of this program) 3. Press IAT AutoSearch to automatically detect the IAT position; the dialog box Found Something! = "" Found Address Which May BE in Original Iat.Try 'getimport' "This means that the OEP we entered Role. 4. Press GET IMPORT to analyze the IAT structure to get basic information; 5. Press the Show Invalids button. At the Imported Function Found column, click the right mouse button, select "Trace Level1 (Disasm)" and press the Show Invalis button. If successful, you can see all the DLLs are valid: yes words; 6. (very clear on step 5, this program's input table is fully repaired) 7. Now we have to fix the shell program HiClock. EXE. Select Add New Section to add a section to DUMP (although the file is relatively large, but avoiding many unnecessary trouble) 8. Press FIX DUMP and select the file from you DUMP; 9. IMPRect Generates a new file in the directory where the file is located: HiClock_.exe, this is the repaired file. Tips1: Right-click in the Imported Function Found box to select "Expand All Nodes" and "Collapse All Nodes" to open / close all nodes. Tips2: If you need to re-press the GetImport button because of the error on the operation, it is best to first press the Clearimports and Clear Logs buttons on the right.
Otherwise, the Imported Functions Found bar may appear strange. Before the repair -? Fthunk: 000c317c NBFUNC: 2E (Decimal: 46) Valid: no -rva: 000000 PTR: 00505A4D -RVA: 00000004 PT: 00000002 -RVA: 00000008 PTR: 000f0004 -................. Dll fthunk: 000c317c NBFUNC: 2E (DECIMAL: 46) Valid: yes <=== [see this yes] -rva: 000c317c mod: kernel32.dll ord: 015d name: getCurrentthReadid -rva: 000c3180 mod: kernel32.dll OID: 00d6 name: deletecriticalSECTION -RVA: 000c3184 mod: kernel32.dll ord: 0228 name: LeavecriticalSECTION -... [Fix S-SPLINE 2.04] ---------------------------------------------------------------------------------------------------------------------------------------------------- --- 0. Run S-SPLINE and IMPRECT 1. Select the S-SPLINE.exe process in the ImpRect drop-down list box; 2. Add 7E910 3. Press IAT AutoSearch to automatically detect the IAT location in the lower left corner. Dialog box foud Something! = "" Found Address Which May Be in the Original Iat.Try 'getimport' "This means that the OEP we entered works. 4. Press GET IMPORT to analyze the IAT structure to get basic information; 4.1. Found only one DLL Valid is No 5. Press the show invalids button. At the Imported Function Found column, click the right mouse button, select "Trace Level1 (Disasm)" and press the Show Invalis button. If you succeed, you can see all the DLLs are valid: yes words; 5.1. See a long bunch of function names, we know that there is at least one DLL unpaid. Therefore, right-click "Collapse All Nodes" and found that only one DLL is not completed. You can see an address repair failed from the log column. 6. Press the Show Invalids button to click on the right mouse button in the Imported Function Found box. "TRACE LEVEL2 (HOOK". Press the Show Invalids button. If successful, you can see all the DLLs are valid: yes words; if it is not successful, it can only be handled manually (TRACE Level3 "has not been developed). 6.1. From the log bar, you can see "Tracer Failed In 008927E4" fix failed. We found that the repair failed is RVA: 0009C2AC (here, the input table of this program has not been completed, we must handle these two addresses) 6.2. In the Imported Function Found, find RVA: 0009C2AC, and use the left mouse button Double click on it. Choose kernel32.dll in Module in function: 032c name: WINEXEC Press OK (as for this function name How to get? Take a look below) 6.3 Press the show invalids button, all the words of the Valid: Yes, and enter the table to complete. 7. Now we have to fix the shells of program S-SPLINE.exe.
