Thread: ActiveM***
#4, 06-01-2005, 20:07
Nacho_dj
Managing sections of the PE header

Talking about sections, one issue necessary to fix in the rebuilt program is deleting the useless sections, because the AM protection increases the number of these and, consequently, the size of the file.

If you unpack and fix all the things that the AM protection touches, when you have rebuilt the file, it seems to be too big. OK, just think there are several sections working for the protection, and thus useless to the rebuilt unprotected program.

So, the task is trying to choose the parts of these sections that are working only for the original program.

At least, the first section remains as is, because it has the code of the executable. The parameters, such as size and offset, could remain the same. So this section could receive the .text name.

The section that has to be converted to .rdata is the one that holds the import table.

As I said in another post, this has been rebuilt in order to get all the correct APIs active. So, one way of rebuilding this is putting the IAT just behind the First Thunk of the import table, as you normally find it. I say this because a lot of times, AM protection relocates the IAT in another area of the file.

OK, then section .rdata must be the one that holds the rebuilt import table.
In the dump you know some ways of getting the offset of the import table. ImpRec uses the OEP to find it.

You normally find another two sections in an executable: .idata and .rsrc.

Recovering both sections is the task where I am at the moment.


If anybody could add something in this sense, it would be great!


Cheers

Nacho_dj
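The post's sorting of sections (the first one keeps the code, the one that holds the import table becomes .rdata, the rest are protector leftovers to review) can be checked from the PE headers alone. The script below is an added example, not Nacho_dj's code or any tool from the thread: it builds a constructed three-section PE32 image in memory (no real binary is read), parses the section headers and data directories, maps the import directory and IAT RVAs to the section that contains them, and flags sections that no data directory points at as candidates for review. It assumes a PE32 (not PE32+) optional header, and the section names `prot1`/`prot2` and the roles it assigns are illustrative labels, not ActiveMark specifics.

```python
import struct

# Data directory slots from the PE specification (IMAGE_DIRECTORY_ENTRY_*)
DIR_EXPORT, DIR_IMPORT, DIR_RESOURCE, DIR_IAT = 0, 1, 2, 12

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe():
    """Construct a minimal PE32 file in memory (constructed sample, not a real binary).

    Three sections: the code, a section nothing in the headers references, and a
    section that holds the import directory and IAT (the post's .rdata candidate).
    """
    sections = [
        # name,   VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b".text", 0x1000, 0x1000, 0x200, 0x400, 0x60000020),  # CODE | EXECUTE | READ
        (b"prot1", 0x1000, 0x2000, 0x200, 0x600, 0xC0000040),  # INITIALIZED_DATA | READ | WRITE
        (b"prot2", 0x1000, 0x3000, 0x200, 0x800, 0xC0000040),
    ]
    pe = bytearray(0xA00)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)            # e_lfanew
    pe[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, 3 sections, 224-byte optional header, EXECUTABLE_IMAGE|32BIT_MACHINE
    struct.pack_into("<HHIIIHH", pe, 0x44, 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = 0x58                                         # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", pe, opt, 0x10B)             # Magic: PE32
    struct.pack_into("<I", pe, opt + 16, 0x1000)       # AddressOfEntryPoint
    struct.pack_into("<I", pe, opt + 28, 0x400000)     # ImageBase
    struct.pack_into("<II", pe, opt + 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<II", pe, opt + 56, 0x4000, 0x400)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", pe, opt + 92, 16)           # NumberOfRvaAndSizes
    dirs = opt + 96
    struct.pack_into("<II", pe, dirs + 8 * DIR_IMPORT, 0x3000, 0x80)  # import directory in prot2
    struct.pack_into("<II", pe, dirs + 8 * DIR_IAT, 0x3100, 0x40)     # IAT right after it
    off = opt + 224
    for name, vsize, va, rawsize, rawptr, flags in sections:
        struct.pack_into(SECTION_HDR, pe, off, name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, flags)
        off += struct.calcsize(SECTION_HDR)
    return bytes(pe)


def _optional_header_offset(pe):
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew + 24


def parse_sections(pe):
    """Return the section table as a list of dicts, in header order."""
    opt = _optional_header_offset(pe)
    nsec = struct.unpack_from("<H", pe, opt - 24 + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, opt - 24 + 20)[0]   # SizeOfOptionalHeader
    off, out = opt + opt_size, []
    for _ in range(nsec):
        f = struct.unpack_from(SECTION_HDR, pe, off)
        out.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                    "vsize": f[1], "va": f[2], "rawsize": f[3], "rawptr": f[4], "flags": f[9]})
        off += struct.calcsize(SECTION_HDR)
    return out


def data_directories(pe):
    """Return [(rva, size), ...] for every data directory entry (PE32 layout only)."""
    opt = _optional_header_offset(pe)
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 optional headers are handled here")
    count = struct.unpack_from("<I", pe, opt + 92)[0]
    return [struct.unpack_from("<II", pe, opt + 96 + 8 * i) for i in range(count)]


def section_for_rva(sections, rva):
    """Find the section whose virtual range contains rva, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def classify_sections(pe):
    """Label sections: code (first), import table, resources, or unreferenced."""
    sections, dirs = parse_sections(pe), data_directories(pe)
    roles = {s["name"]: ("code" if s is sections[0] else "unreferenced") for s in sections}
    labels = {DIR_IMPORT: "import table", DIR_IAT: "import table", DIR_RESOURCE: "resources"}
    for idx, label in labels.items():
        if idx < len(dirs) and dirs[idx][1]:
            s = section_for_rva(sections, dirs[idx][0])
            if s is not None and roles[s["name"]] == "unreferenced":
                roles[s["name"]] = label
    return roles


def droppable_bytes(pe):
    """Raw file bytes held by sections that no data directory references."""
    roles = classify_sections(pe)
    return sum(s["rawsize"] for s in parse_sections(pe) if roles[s["name"]] == "unreferenced")


if __name__ == "__main__":
    sample = build_sample_pe()
    for name, role in classify_sections(sample).items():
        print(f"{name:8s} {role}")
    print(f"unreferenced raw data: {droppable_bytes(sample):#x} bytes")
```

"Unreferenced" here only means that none of the data directories point into the section; code in .text may still read from it, so a section flagged this way is something to inspect against the dump before it is removed, and removing one also means fixing NumberOfSections, SizeOfImage and the PointerToRawData of every section that follows it.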