=~=~=~=~=~=~=~=~=~ ~ NOTES AND TIPS = =~=~=~=~=~=~=~=~=~ - "Control+F12" WILL STOP ANY TRACERS AT ANY TIME (except plugin tracer if it was not managed). - Maintain CONTROL or SHIFT for selecting several nodes in the tree. (like you select several files in Windows...) - When you use the tracer level1 (Disasm), you can press and maintain "Shift" key for seeing all API calls in the redirected function. Just release it for getting the one which is currently shown in the MessageBox. - Always try the tracer level1 before the other ones because it is "just" a disassembler. But it does not emulate instruction so do not expect to get a "jmp [eax*0x123456+0x654]" which will jump to GetModuleHandleA for example. - Try the tracer level2 in the last resort and please try to close all your other running applications (like your favorite mp3 player for example...) - 'AutoTrace' is just there to show how to rebuild . Always prefer manual trace - If you are under Win9X/ME, do not forget to renormalize exports (only once in a windows session is enough) BEFORE launching your target. - Do not forget you can "stick" several IAT intervals in your current imports. It means each time you click on with different IAT infos, your current imports will not be removed. - For invalid slots left which can't be resolved, try to use the loader (by applying *Switch Loader* on all invalid entries) - You do not need to turn on all sections when using the 'Full Dump' button (Sorry, i admit this button is not well placed... but 'Full Dump' means dump *ALL*) =~=~=~=~=~=~=~=~=~=~=~ ~ HOW TO REBUILD XXX = =~=~=~=~=~=~=~=~=~=~=~ Safecast/Safedisc 2: -------------------- Enable "Exact Call" in Options and use the Tracer Level3. If the tracer failed on a slot, you will notice your target will be freezed. Unfortunately it's not possible to recover it. Maintain CONTROL+F12 to stop the tracer and return to ImportREC. Remember the last resolved function by the tracer and save your tree (all resolved 'Exact Calls' will be saved so you will be able to continue where you were, later). Kill the process of your target. Relaunch it, select it again in ImportREC and reload your tree and continue to trace from the last resolved function (Invalidate it and retrace or turn on 'Skip Main Slot' in Options to trace only on its Exact Calls). ASProtect: ---------- The best way to rebuild it, is to trace with the Tracer Level1 all invalid entries. Select all imports of Kernel32.dll, invalidate them and trace with the Plugin Tracer for ASProtect. Finally for all invalid entries left, retrace with the Tracer Level1. (If there are still some invalid entries, right click on them, do *Switch Loader* and let all parameters to default when fixing your dump) tELock: ------- The Tracer Level3 will work. You will have to do "Show Invalid" and "Cut Thunk(s)" to remove all false entries which are in fact the NULL DWORD of the IAT structure (it is the separator between each different module which is easy to locate by looking at the module names of the previous and next slots). VBOX: ----- The Tracer Level3 should work. If the tracer returns a code of 313 (which means TimeOut), you will have to increase the TimeOut in Options because it is slow (11 seconds about for the slowest api slot on my 1700 XP). Under Win9x, you could get a GPF of the module when tracing. To avoid it, 'block' your target (with a 'jmp eip' at the OEP for example) before tracing into it (Thanks to ZigD for this 'trick'). Anyway that GPF does not happen if you are under NT, 2k and XP. PeX: ---- Increase the (to 10h for example) in Options and use the Tracer Level1. You will have to do "Show Invalid" and "Cut Thunk(s)" to remove all faked entries left (They are only stuck at the begining and/or the end of the real IAT and have almost the same pointer).