After finding the program's OEP, we need to dump the program and rebuild the IAT. IAT stands for Import Address Table; each entry holds the actual address of an imported function, which is what the program calls through at run time.
For example, in the following case we have found the OEP and reached the real entry point of the program, so we dump it: right click and select "Use OllyDump to unpack the debugging process" (you can also dump with LoadPE). A window pops up in which we check that the addresses are correct. The main thing is to make sure the entry point address has been picked up correctly, and then to uncheck "Rebuild Input Table" (the import table rebuild), since we will repair the import table ourselves. Name the dump file; here I named it dump.exe. If we try to run dump.exe, we find that it does not run normally. For some simple packers the dump works straight away, but if you are sure you found the correct OEP and decompiling the dump with IDA gives good results, then your first thought should be that the program's IAT is broken and needs to be rebuilt.
We use ImportREC to fix the import table. In ImportREC, select the running process original.exe (original.exe is the process I am debugging in OD; its EIP is sitting at the OEP, and the process must not be closed after dumping with OllyDump, because ImportREC reads the IAT from its live memory). To repair the import table, ImportREC needs to know the OEP, which is entered in the OEP input box in the middle of the right side of the window.
In OllyDbg we can see that the current entry point of the program is 0049C25C (the image base is also shown in OllyDbg). The OEP field in ImportREC expects an RVA, i.e. the entry point minus the image base, so we fill in 0009C25C and then click "AutoSearch". A prompt box pops up saying that it found what may be the original IAT address.
Now click the "Get Imports" button to rebuild the IAT. The left pane lists the address of each imported function in the IAT and whether it is valid. As the figure shows, ImportREC has found the IAT in memory and detected that every function is valid.
Finally, click "Fix Dump" and open the file we dumped earlier with the OllyDump plugin, i.e. dump.exe. ImportREC restores the import table and writes a new file, dump_.exe, which now runs normally.
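To make the two ImportREC steps above concrete (converting the OEP to an RVA, and "AutoSearch"/"Get Imports" scanning process memory for a block of pointers that resolve to exported functions), here is an added example in Python. It is not ImportREC's code and not part of the original write-up: the image base, the DLL address ranges, the export map and the memory contents are all constructed for the example, and the scan heuristic is a simplified version of what an IAT rebuilder does. Only the entry point 0049C25C and its RVA 0009C25C come from the page.

```python
import struct

PTR = struct.Struct("<I")          # 32-bit little-endian pointer, as in the OllyDbg session

# --- Constructed environment (assumptions, not values from the page) -------------------
IMAGE_BASE = 0x00400000            # assumed image base; the page does not state it
IMAGE_SIZE = 0x000A0000            # assumed size of the mapped image
OEP_VA = 0x0049C25C                # entry point found in OllyDbg (from the page)
REGION_VA = 0x0049D000             # VA at which our fake memory region starts

# Hypothetical loaded-module ranges and export map, standing in for the export tables
# of the real DLLs that a rebuilder walks to resolve pointers back to names.
MODULES = {"kernel32.dll": (0x7C800000, 0x7C900000), "user32.dll": (0x77D40000, 0x77DD0000)}
EXPORTS = {
    0x7C80AE40: ("kernel32.dll", "GetProcAddress"),
    0x7C801D7B: ("kernel32.dll", "LoadLibraryA"),
    0x7C81CAFA: ("kernel32.dll", "ExitProcess"),
    0x77D507EA: ("user32.dll", "MessageBoxA"),
}


def va_to_rva(va, image_base=IMAGE_BASE):
    """ImportREC wants the OEP as an RVA: virtual address minus image base."""
    return va - image_base


def build_memory():
    """Constructed memory image: junk, a stray pointer, the real IAT (two DLL groups
    separated by one zero slot, terminated by two zero slots), then junk again.
    Slot 4 points back into the image itself, like a packer's redirection stub."""
    slots = [0x7C81CAFA, 0xCCCCCCCC,                    # lone pointer then garbage
             0x7C80AE40, 0x7C801D7B, 0x0040123C, 0,     # kernel32 group (one redirected)
             0x77D507EA, 0, 0,                          # user32 group, double-zero end
             0xDEADBEEF]
    return b"".join(PTR.pack(s) for s in slots)


def in_module_or_image(ptr):
    """A slot is a plausible thunk if it points into a loaded DLL or into the image."""
    if IMAGE_BASE <= ptr < IMAGE_BASE + IMAGE_SIZE:
        return True
    return any(lo <= ptr < hi for lo, hi in MODULES.values())


def find_iat(memory, region_va):
    """AutoSearch-style scan: return (va, size) of the longest run of plausible thunks.
    A single zero slot separates DLL groups; two zeros or a garbage value end the run.
    Size counts thunks and separators up to the last thunk."""
    runs, start, end, zeros = [], None, None, 0
    for i in range(len(memory) // PTR.size):
        val = PTR.unpack_from(memory, i * PTR.size)[0]
        if val != 0 and in_module_or_image(val):
            if start is None:
                start = i
            end, zeros = i, 0
            continue
        zeros = zeros + 1 if val == 0 else 2          # garbage terminates immediately
        if start is not None and zeros >= 2:
            runs.append((region_va + start * PTR.size, (end - start + 1) * PTR.size))
            start = None
    if start is not None:                              # run reaching end of region
        runs.append((region_va + start * PTR.size, (end - start + 1) * PTR.size))
    return max(runs, key=lambda r: r[1]) if runs else None


def get_imports(memory, region_va, iat_va, size):
    """Get Imports-style pass: resolve every thunk in the block and flag invalid ones."""
    entries, off = [], iat_va - region_va
    for i in range(size // PTR.size):
        val = PTR.unpack_from(memory, off + i * PTR.size)[0]
        if val == 0:
            continue                                   # separator between DLL groups
        dll, func = EXPORTS.get(val, (None, None))
        entries.append({"rva": va_to_rva(iat_va + i * PTR.size), "ptr": val,
                        "dll": dll, "func": func, "valid": dll is not None})
    return entries


if __name__ == "__main__":
    print("OEP RVA: %08X" % va_to_rva(OEP_VA))
    mem = build_memory()
    iat_va, size = find_iat(mem, REGION_VA)
    print("IAT found at %08X, size %d bytes" % (iat_va, size))
    for e in get_imports(mem, REGION_VA, iat_va, size):
        print("rva:%08X ptr:%08X %-5s %s" % (e["rva"], e["ptr"],
              "valid" if e["valid"] else "INVALID", e["func"] or "?"))
```

The single invalid entry (the pointer that lands inside the image rather than in a DLL) is the kind of row ImportREC shows as not valid; in the write-up above every entry resolved, so no further tracing was needed before "Fix Dump".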