The loader allows you to rip any wrapped code, reinject it in your dump and do relocs/import_rebuilding for trying to get a working code. The reloc job is very hard to implement so do not expect a miracle from it but it will do its best. This feature will fit for packers/protectors which emulate API or remove the whole IAT and redirect all calls to this IAT. This is an irc log about the purpose of the Loader: (Greetings to LaBBa) ------------------------------------------------------------------------ (it was slightly modified to correct english faults :-)) do u have an answer about how to manage fake api of aspr? i mean that after the file was rebuilt by imprec the file still crashes because it calls an api that aspr owns try to use the loader. do you know the address of these apis? if yes, add them into your imports and switch the loader on them. Then fix the dump. imprec will try to rip the code and reinject it into your dump ... the loader is experimental, i can't ensure you it will work 100% how do i load them into the imports? (i need to dump another file?) no, imprec can do that automatically (it's a feature nobody uses except ZigD and me at the moment) you just have to know what addresses miss into your dump and add them into the tree (to add them : enter the RVA and a Size of 4 in the IAT editboxes infos and click on ) (it will be ADDED into your current imports (your current imports WILL NOT be removed)) ok let's explain in details how the loader works: when you <*Switch Loader*> on a slot, you will see the tag "*Loader*" near the whole module (the module can stay invalid, it's not a problem) so for your case, SUPPOSE the aspr api is a call at address 402000 (in VA) like this: call [402000] (where at 402000, you have a pointer 'Y' to the faked api) now we suppose you already have your imports which are complete and good moreover, you know in your dump, you will miss that api at 402000 then add it to your current imports : enter 2000 in the IAT and 4 for the size (we suppose the imagebase is 400000) (another way to get it, is to use the command (right click on the tree)) you should get an invalid module w/o name + a function with the invalid pointer 'Y' right click on that function and select <*Switch Loader*> now fix your dump (let that pointer invalid, it's IMPORTANT) when fixing the dump, imprec will see that invalid pointer and know it will be for the loader so it will rip the region(s) which contains the code at address , and inject it into your dump (you will see a dialogbox which will show you the ripped region(s) just after browsing your dump) it will also add a loader which will modify at entrypoint, the pointer to point to the ripped code cool! so when your proggy will call that aspr api, it will call the ripped code unfort, it does not work 100% yet because of problems on relocs (the current relocs analyzer is pure heuristics... and it will stay for a long moment :-)) it will be gr8 if in the next version u will add a full explainations about that (just copy all that u told me to a file...... ;) good idea :-)