View Full Version : IAT resolver beta test starts now


tsehp
January 3rd, 2001, 06:21
hi,
the first beta is finished, this program actually allows you to fix the
IATs of all asprotected and vboxed targets.
It works on win2000 and win98, I need some beta testers that already
know how to unpack targets and have some knowledge of pe-sections
to test this app on other packers or protection systems.
You can write a word to tsehp@yahoo.com, you need to register on
this messageboard (fraviamb.cjb.net) for me to send you the program.
later,

+Tsehp

disavowed
January 3rd, 2001, 18:14
hurry up with it.. we're waiting for you on level 3

tsehp
January 3rd, 2001, 18:53
sorry Alexey but you will have the release version when I've finished
beta testing, just give my tool a chance to last a while before release

Thanks to the beta testers for registering here, it's easier for me to follow the reports and send private messages on this messageboard, and this makes some advertisement for me too for sure.
Please don't spread this tool for now, it's far from complete and I'd like the end users to have a correct version. Thanks again for all the replies I got today. Later

Kayaker
January 4th, 2001, 19:29
Hi All,

Tsehp has requested a public discourse on the results of beta testing of his IAT Resolver, so here's my preliminary, albeit verbose, findings. The Good, the Bad and the Ugly.

The IAT Resolver, which sports the interesting filename of revirgin.exe, comes with several files, including an Asprotected 1.1 notepad, a raw Procdump dumped version with the sections realigned, 2 text files listing the imports detected after the 1st pass at resolving (i.e regular unencrypted addresses), and after the 2nd (attempt at resolving redirected addresses), and finally the Import Table and Import Allocation Table generated by the Resolver.


Part 1 - Win98SE

I first tried this on a Win98SE system. After loading the Asprotected notepad and using the IAT Start RVA and Length provided (IAT Start, 62e0; IAT Length, 238h) I did a first pass using the IAT Resolver. This very quickly showed the already resolved unencrypted imports for ADVAPI32.dll and GDI32.dll.

Then I chose 'Resolve Again' and within seconds the Imports for KERNEL32.dll and USER32.dll which had previously indicated 'redirected' were resolved. So far, so good ;-)

However, 2 dlls were never resolved, nor did they ever even indicate they were redirected, SHELL32.dll and COMDLG32.dll. If I tried to do a Trace, which is a further attempt to resolve unresolved imports as I understand it, on one or more of the problem imports, the blue progress bar would get to about 90% and then the program would lock up. I could CTRL-ALT-DEL and start again OK.

Doing a hex dump from the IAT in memory at 4062E0 showed that there was nothing "wrong" with the problem encrypted addresses, they just don't get resolved, aren't recognized as 'redirected', and can't be traced.

As an example, here is a portion of the resolved Import text file generated after the 2nd attempt at resolving showing the blank entries that *should* have been resolved for SHELL32.dll, as well as Tsehp's results he included as one of the files:

My Results:

64 000063E8 BFF76DD7 01F1 KERNEL32.dll GlobalLock
65 000063F0 006A156C 0000 '?????? ??????' -dumb emoticons!
66 000063F4 006A1588 0000 '?????? ??????'
67 000063F8 006A15A4 0000 '?????? ??????'
68 000063FC 006A15C0 0000 '?????? ??????'
69 00006400 006A15DC 0000 '?????? ??????'
70 00006404 006A15F8 0000 '?????? ??????'
71 0000640C BFF55591 0285 USER32.dll wsprintfA

Tsehp's Results:

64 000063E8 BFF76DDB 01F1 KERNEL32.dll GlobalLock
65 000063F0 7FD47579 0142 SHELL32.dll ShellExecuteA
66 000063F4 7FD034A7 00CD SHELL32.dll DragAcceptFiles
67 000063F8 7FD124F4 0140 SHELL32.dll ShellAboutA
68 000063FC 7FCE6CA7 00AF SHELL32.dll
69 00006400 7FD012E6 00CF SHELL32.dll DragQueryFile
70 00006404 7FD44B5D 00CE SHELL32.dll DragFinish
71 0000640C BFF55585 0284 USER32.dll wsprintfA



So I Asprotected my own copy of Win98SE Notepad using Asprotect v1.01 (file date 10/14/00) and got the exact same results. I'm not 100% sure if that version is *actually* right, you know Alexey it's just what the version properties said.

Then I tried it with Asprotect v1.0 (file date 6/13/00) and again got the same problems with SHELL32.dll and COMDLG32.dll, but also with ADVAPI32.dll (never indicated 'redirected', locked up on Tracing).

...continued...

Kayaker
January 4th, 2001, 19:36
Part2 - Win95

I had an enjoyable lunchtime SoftIce session at work today on a Win95 system repeating the above procedure. To start with, the Asprotected Win98 notepad Tsehp had provided wouldn't run on my system. It gave the error message "The procedure entry point SHGetSpecialFolderPathA could not be located in the dll shell32.dll" Huh? No idea what this means.

So then I Asprotected my own copy of notepad and found new values for the IAT Start RVA and Length. What I like to do to quickly reach the point where the IAT is unpacked is to display some section of the program memory in the Softice data window and break on VirtualAlloc until something shows (around 11x). Then I do 1 break on GetProcAddress and return into the IAT unpacking loop. At the POPAD the IAT start address will be in EDI and the table length is easily found. At least this is the way I read things, if I've goofed up please let me know.

:0068F43F AC LODSB
:0068F440 3A0584276900 CMP AL,[00692784]
:0068F446 74DD JZ 0068F425
:0068F448 4E DEC ESI
:0068F449 53 PUSH EBX
:0068F44A 56 PUSH ESI
:0068F44B 53 PUSH EBX
:0068F44C 8D5DF4 LEA EBX,[EBP-0C]
:0068F44F 53 PUSH EBX
:0068F450 3A0586276900 CMP AL,[00692786]
:0068F456 7407 JZ 0068F45F
:0068F458 0FB64E01 MOVZX ECX,BYTE PTR [ESI+01]
:0068F45C 41 INC ECX
:0068F45D EB05 JMP 0068F464
:0068F45F B904000000 MOV ECX,00000004
:0068F464 41 INC ECX
:0068F465 01CE ADD ESI,ECX
:0068F467 E8D4FBFFFF CALL 0068F040 ; Imports decrypted, GetProcAddress called
:0068F46C 5B POP EBX
:0068F46D EBD0 JMP 0068F43F
:0068F46F 61 POPAD ; IAT Start sits in EDI

...sigh, MB limitations, continued...

Kayaker
January 4th, 2001, 19:37
But I digress. So anyway I got new values for Start RVA and Length for the Win95 notepad (7288 and 208h), plugged them into ReVirgin and got the same negative results on SHELL32.dll and COMDLG32.dll. There was also a second problem, though not as severe, in that even after the 2nd attempt at resolving, none of the KERNEL32.dll imports were fully resolved, the addresses were but not the name of the dll or the import names, i.e.:

20 000072D8 BFF31C11 0199 GDI32.dll SetViewportExtEx
21 000072E0 BFF74904 0000 ?????? to_Resolve

I'm trying to remember now, but I don't think Tracer worked on the unresolved imports, BUT, I could use Exescope (on Kernel32.dll) to match up the addresses and the names and edit them in nicely. (Picky suggestion Tsehp - being able to use the Tab key to step along the edit boxes would be nice)


Anyway, that's the extent of what I've been able to do so far. I had a quick look at a shareware Asprotected proggy and there were some unresolved imports, but I didn't spend enough time on it to give a useful report.

I have a couple of questions for Tsehp, which could wait until I try to rebuild a dumped file myself. One is exactly how you realigned the Procdump dump without losing the Icon? My Procdump (or Icedump) dump was 100K while yours was 120K. (OEP of E001 MOVed at 68F84C, dump at 68F87B, just before the Asprotect shareware MessageBox). My Raw Offset for the 1st section was 600, so realigning the PE Header value of it to 1000 would do no good without physically shifting everything 400 bytes and adding padding. I was going to try doing a raw binary dump of the file (which would give the proper RVA aligned image) and then rebuild it as a PE file later.

Tsehp wanted to take a look at my Win98SE kernel32.dll to try to "resolve" these problems, so I'll up it as a zip file. Oops, MB doesn't let me post while logged in therefore can't up files, I'll email it to you.

Interested in reports from other beta testers...

Regards,

Kayaker

tsehp
January 4th, 2001, 20:20
first, thanks kayaker for this first report. I will drop the win95 problems for now and focus on win98 se (that I don't have !)
The tracer is very dependent on the win version, but with the kernel32.dll you sent me, this should be fixed fast.
realigning ? I don't know, I just make a first dump with procdump, then
I check all the boxes, but not the one with optimize pe-section, then procdump realigns and keeps the icon, meaning that the .rsc section is still correctly set inside the pe. I'll repeat on my win98 to see if I can replicate the problem you had, then report here.
Advice : try to continue the tests on win98 first version, that's where I made this prog and did all the preliminary tests, best regards.

+Tsehp

ps: alexey's protected app named ADR is cracked on win2k and win98 in 5 minutes with the beta

tsehp
January 4th, 2001, 20:43
still about win98se problem,
I've attached the file you get just after you do a trace all, without doing a resolve again, the tracer works ok, but on win98 first version.
If I don't find anything special inside the kernel32.dll, I'll have to download an old copy of win98se, maybe you have a link for this
regards,

+Tsehp

tsehp
January 5th, 2001, 15:12
hey ! did any of the other beta testers have some good results on the
two platforms I used to build this tool ? win2k and win98 ?
I just don't want to be the only one that succeeds using it
thanks for reporting, even if everything is ok.

Kayaker
January 5th, 2001, 16:30
Quote:
+Tsehp (01-05-2001 04:12):
hey ! did any of the other beta testers have some good results on the
two platforms I used to build this tool ? win2k and win98 ?
I just don't want to be the only one that succeeds using it
thanks for reporting, even if everything is ok.


And I just don't want to be the only one that DOESN'T succeed using it

tsehp
January 5th, 2001, 18:23
don't worry, I'm actually downloading win98se, will re-compile on this platform pretty soon, how did the version I sent you today work ?

eL.CaRaCoL
January 5th, 2001, 20:18
Hi +Tsehp !
Don't worry! we are testing your Super Tool in several modes.
It works! yes, it works fine...

tsehp
January 6th, 2001, 03:07
thanks ! I'll send you a personal reply to your e-mail el caracol with a detailed description of how it works.

Note to other beta testers :
seems like kayaker said, we have a small problem on win98se, I still can't find a link to download this platform, I'll ask kayaker if he can
do a very nice action to help a poor programmer like me to validate
this tool on this intermediate version of windows.

A new beta version is available as you requested :
win me support
improved the manual edit iat's (can use tab)
auto select of app when you use load target on win 9x

Remember that the beta test is also provided to improve the tool's ergonomics, the next version will take into consideration all that you said in your e-mail el-caracol.
regards.

+SplAj
January 7th, 2001, 06:21
Hi Fellow Beta testers.

I was initially disappointed at my Revirgin not working with WinNT4.... and I also had problems with my notebook running 98 SE.
The Tracer crashed every time

I had great fun unpacking all those notepad.exe's with ASpack21, UPX101, PElock,Pepack,Shrinker3.4,
Petite2.2,PEcompact1.33, Asprotect1.1, Softlocx5,Crunch etc etc.

It worked with them all (but same problem with the 'missing' api's sometimes ala Kayaker!) BUT NP is an easy target so I tested it on Ao97pr.exe (MS Office passwords 97) from Elcomsoft. Great!
Then with the latest Ao2000pr...... ???? what no API's

So Revirgin (or I) failed to get at Ao2000pr.exe
Any clues on this target ?

I also tried it with TMG KeyGens (Fusion2 keygen)
it failed. But I think the tracer might work with this
target.

Awaiting Beta RC 2

+SplAj
'patch+play'

Yado
January 7th, 2001, 13:22
Hi, i'm testing your rebuilder a lot, i've tried it with some crypters
and it seems to work with a lot of them, i've found a new version of aspack that makes it crash (maybe on my machine). i'll send you a report of all my tests soon !

byez. Yado.

tsehp
January 7th, 2001, 13:59
Quote:
+SplAj (01-06-2001 19:21):
So Revirgin (or I) failed to get at Ao2000pr.exe
Any clues on this target ?

I also tried it with TMG KeyGens (Fusion2 keygen)
it failed. But I think the tracer might work with this
target.

Awaiting Beta RC 2

+SplAj
'patch+play'


no,no,no it works !
just launch it, try iat start : 198d38 length 3b4
then resolve and resolve again, all the api appears.
I didn't dump it, to go to the working dumped file, but it should normally work fine.
Maybe you didn't set a correct iat start, I mistake myself a lot, setting it to a jump table, but you have to set the iat start to the first pointer located inside the first line in the jump table.
you will find attached the text file of what was resolved.

Actually a problem will occur, but this will be fixed in the future :
you resolve on win9x, the target works on win9x, same for win 2k,
there are duplicate names inside win api exports that point to the same address, The Owl actually found a partial solution to this, I'll try to find mine, and the development is on this precise problem.
best regards,

+Tsehp

tsehp
January 7th, 2001, 14:00
Quote:
Yado (01-07-2001 02:22):
Hi, i'm testing your rebuilder a lot, i've tried it with some crypters
and it seems to work with a lot of them, i've found a new version of aspack that makes it crash (maybe on my machine). i'll send you a report of all my tests soon !

byez. Yado.

thanks !
don't forget to report the error code, with your win version and link to the program in question,
regards,

tsehp
January 7th, 2001, 19:48
now revirgin works on win98se 4.10 2222A,
two programs were tested : AZPR and asprotected notepad provided
on the pack.
regards

Kayaker
January 7th, 2001, 21:52
Perfect! I haven't had a chance to rebuild anything yet, but I ran the new build of revirgin on 3 asprotected apps - notepad, asprotect 1.1 and Eldos AnyCalc and the Tracer worked flawlessly. After the 2nd pass any unresolved entries could be traced with 'Trace All', giving addresses and 'Resolve Again' filled in the Name and Ordinal.

There was 1 unresolved entry left with Asprotect 1.1 (C1C220) and 1 with AnyCalc (actually 2 duplicates of C6C220), but as Tsehp mentions these could be a bogus return and can be edited to a harmless GetVersion or something.

Nice work Tsehp, VERY impressive and thanks for getting it to work on Win98SE ;-)

Regards,

Kayaker

tsehp
January 8th, 2001, 02:48
thank you very much kayaker, I'm half done with the version that will allow you to resolve dll's
the addresses you mention resolve to a single ret, so my tracer bounces on them, I actually don't know what to do with this, if someone has a suggestion or can eventually analyse the use with ida on several targets that would be nice and save me some work.
regards,

+Tsehp

+SplAj
January 8th, 2001, 05:21
+Tsehp

Thanks for the e-mails. I DL the latest 0.99.....WOW!!! that tracer worked like a charm. Found the IT in StatMans keygens (Greetz 2U man, ace protection system) and Ao2000pr.exe
-starting at 10000 moving up 1000 bytes at a time until I hit an API

I traced everything, even those ' i'll come back to that later ' targets, like a kid playing on one of those 'magnadoodle' things .

Thanks Tsehp, CONGRATULATIONS !!!

Just one target left for my trials:- Softlocx5. The 1st beta found minimal stuff. So I waited for the functioning tracer version for 98SE. However the 0.99 new one CRASHES my PC while trying to resolve. I used the tracer extensively on other targets and it worked fine. I'll send you a SLcx5 protected NotePad (Bloc-Notes for you) target via e-mail. I'm sure it's just a bit of fine tuning required.


Ergonomics
=========
Some personal requests to make using Revirgin easier

1) Can you make the API box 'moveable', width-wise with the window so that I can see the API names in full.

2) Can you 'minimise' the target and return auto to Revirgin after loading target ?

3) Can you make the 'load target' file selector keep its target directory ? it seems to be fixed on My Documents every time.

Again, congratulations, what a tool for 2001

+SplAj
'patch+play'

+SplAj
January 8th, 2001, 05:54
+Tsehp.

I did some more testing with Softlocx5 target NotePad....

I found the problem. It's not Revirgin but the 'mutant'
that is Softlocx5 protection. He didn't like being opened by
Revirgin and refused to be traced, crashing my W98 PC. Solution. Launch SLcx NP FIRST. Get the 'register' screen. Then launch Revirgin. Then continue with target launch - on Win2k OK. BUT W98SE cannot then TRACE the target as it did not LOAD it

So maybe Revirgin need some Int19 & Int20 etc stealth code in the future !

+SplAj

SpeKKeL!
January 8th, 2001, 07:50
Sorry misposted my post:look at "another target....?" >general board. greetz SpeKKeL!......

tsehp
January 8th, 2001, 12:52
Quote:
+SplAj (01-07-2001 18:54):
+Tsehp.

I did some more testing with Softlocx5 target NotePad....

I found the problem. It's not Revirgin but the 'mutant'
that is Softlocx5 protection. He didn't like being opened by
Revirgin and refused to be traced, crashing my W98 PC. Solution. Launch SLcx NP FIRST. Get the 'register' screen. Then launch Revirgin. Then continue with target launch - on Win2k OK. BUT W98SE cannot then TRACE the target as it did not LOAD it

So maybe Revirgin need some Int19 & Int20 etc stealth code in the future !

+SplAj

yes, and that's a problem considering what I want to do with the tool in the future.
splaj, can you save me some time and email me this program, just to see if I can fix those int's problems. Do you mean that when I start the process myself, those int's are temporarily handled by my tool and this is detected by the target ?
If it's the case, this should not be very complicated to fix, this sounds like a countermeasure against a process patcher no ?
regards,

+Tsehp

tsehp
January 8th, 2001, 12:56
Quote:
SpeKKeL! (01-07-2001 20:50):
Sorry misposted my post:look at "another target....?" >general board. greetz SpeKKeL!......


I'll finish the dll resolve support for revirgin this evening, then try a resolve on the other thread concerning vslick (vboxed dll)
then your target is next !
thanks for reporting this, I'll tell you just on this thread.
regards,

+Tsehp

tsehp
January 8th, 2001, 13:14
hi,
just a small word for actual revirgin beta testers :
I have actually three targets to fix, if you have some others, please wait until wednesday before sending them to me
I'll report here when I'm finished with all of them.
Thanks for your time & work,

btw I just updated the beta with support for dll's

regards,

+Tsehp

tsehp
January 9th, 2001, 06:00
first see the vboxed dll topic on the mb.

Follow these steps to create your dumped dll :
load icedump
start vs.exe
at the nag, put a bpx getmodulehandleA ,then at popup do a p-ret (f12)
you're inside vbox code, then :
/tracex <high rva> <low rva>
you land in dll's OEP at 1013513A ,
then /PEDUMP 10000000 1013513a <file>

Don't use hydra if you want to test with revirgin (note to the owl, I tried latest hydra but it crashed my win98 first version

revirgin step :
load revirgin, then load target, select the vsapi.dll and enter :
iat start rva 1a17c8 length 6e4
first resolve, then you can either do a trace all or trace manually
after it's finished, do a resolve again, then put 1b6814 as IT start, remember to paste the it.bin at this location inside the vsapi.dll you dumped, paste also the iat.bin at 1a17c8 raw offset.
the target works and vbox is removed, this validates the dll resolve test. I included the revirgin list of imports resolved.
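
What the it.bin pasted at 1b6814 has to contain, as an added example that is not ReVirgin's code and not part of the original post: an import directory whose FirstThunk fields point back at the IAT the dump already holds at 1a17c8, so the loader refills those slots when the dumped dll is loaded. The IAT and IT RVAs are the post's; the DLL groups below are constructed sample data (the ordinal-only SHELL32 entry mirrors the nameless 00AF line in Kayaker's listing). Pointing DataDirectory[1] in the PE header at the pasted blob is a separate step not shown here.

```python
import struct

DESC_SIZE = 20  # IMAGE_IMPORT_DESCRIPTOR: OrigFirstThunk,Stamp,Fwd,Name,FirstThunk

def cstr(blob, off):
    return blob[off:blob.index(b"\0", off)].decode()

def build_import_table(groups, iat_rva, it_rva):
    """groups: ordered [(dll, [name | ordinal, ...])] laid out exactly like
    the IAT: one 32-bit thunk per entry, a zero word after each DLL group.
    Result layout: descriptors + null descriptor, then per DLL its INT
    array, hint/name blobs and the DLL name string. All RVAs assume the
    blob is pasted at it_rva, as the post does with 1b6814."""
    descs, tail = bytearray(), bytearray()
    tail_base = it_rva + DESC_SIZE * (len(groups) + 1)
    first_thunk = iat_rva
    for dll, funcs in groups:
        int_rva = tail_base + len(tail)
        int_blob, names = bytearray(), bytearray()
        names_base = int_rva + 4 * (len(funcs) + 1)   # names follow the INT
        for f in funcs:
            if isinstance(f, int):                      # import by ordinal
                int_blob += struct.pack("<I", 0x80000000 | f)
            else:                                       # IMAGE_IMPORT_BY_NAME
                int_blob += struct.pack("<I", names_base + len(names))
                names += struct.pack("<H", 0) + f.encode() + b"\0"
                names += b"\0" * (len(names) % 2)       # keep WORD alignment
        tail += int_blob + b"\0\0\0\0" + names
        name_rva = tail_base + len(tail)
        tail += dll.encode() + b"\0"
        tail += b"\0" * (len(tail) % 2)
        descs += struct.pack("<5I", int_rva, 0, 0, name_rva, first_thunk)
        first_thunk += 4 * (len(funcs) + 1)             # skip thunks + terminator
    return bytes(descs + b"\0" * DESC_SIZE + tail)

def parse_import_table(blob, it_rva):
    """Walk the descriptors back, the sanity check before pasting into the
    file. Returns [(dll, first_thunk_rva, [name | ordinal, ...])]."""
    out = []
    for off in range(0, len(blob), DESC_SIZE):
        oft, _, _, name, ft = struct.unpack_from("<5I", blob, off)
        if ft == 0:
            break                                       # null descriptor
        funcs, pos = [], oft - it_rva
        while True:
            (t,) = struct.unpack_from("<I", blob, pos)
            pos += 4
            if t == 0:
                break
            funcs.append(t & 0xFFFF if t & 0x80000000 else cstr(blob, t - it_rva + 2))
        out.append((cstr(blob, name - it_rva), ft, funcs))
    return out

# Constructed sample groups, in IAT order.
GROUPS = [("KERNEL32.dll", ["GetModuleHandleA", "GetProcAddress"]),
          ("USER32.dll", ["MessageBoxA"]),
          ("SHELL32.dll", [0xAF])]

if __name__ == "__main__":
    it_bin = build_import_table(GROUPS, 0x1a17c8, 0x1b6814)
    for dll, ft, funcs in parse_import_table(it_bin, 0x1b6814):
        print(f"{dll:14} FirstThunk={ft:08X} {funcs}")
```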

tsehp
January 9th, 2001, 07:07
Quote:
+SplAj (01-07-2001 18:54):
+Tsehp.

I did some more testing with Softlocx5 target NotePad....

I found the problem. It's not Revirgin but the 'mutant'
that is Softlocx5 protection. He didn't like being opened by
Revirgin and refused to be traced, crashing my W98 PC. Solution. Launch SLcx NP FIRST. Get the 'register' screen. Then launch Revirgin. Then continue with target launch - on Win2k OK. BUT W98SE cannot then TRACE the target as it did not LOAD it

So maybe Revirgin need some Int19 & Int20 etc stealth code in the future !

+SplAj

as I wrote you, this wasn't some anti debugger feature but a process/modules actualisation problem inside revirgin, maybe I'm mistaken but all iat entries were resolved without using the tracer, but I could be mistaken.

Finally, I'm almost finished with all targets with the problems that were reported, please send some more as soon as you find them, just avoid :
-asprotect
-vbox
-softlock
because revirgin seems to be ok for those schemes, wayward sent me a laserlocked one, if someone has a working target without the cd but with encrypted iat's, thanks to send them, it's maybe possible to half crack it, just to allow me to resolve the iat's.
regards,

+Tsehp

G-RoM
January 9th, 2001, 10:06
Tsehp :

So far we tested successfully on vslick.. Please refer to the thread about unvboxed dll. U need to tweak some option AND after that fix relocation pointer manually.

Anyway... anything linked to Phoenix/hydra is my fault/ my problem... so leave my fellow Owl on this . Please post what u did exactly (option etc...) and download really latest icedump (NOW).

Regards,
G-RoM

tsehp
January 9th, 2001, 17:20
hi g-rom,
I've already posted the most info I could to owl this morning, he already told me that everything worked fine for icedump/hydra but I wanted him to have the most info possible, he will forward it to you.
I used the latest build I could find at http://ghiribizzo.virtualave.net/icedump/icedump.html
maybe I have a wrong address to have the pre 6.022 ?
regards,
+Tsehp

tsehp
January 12th, 2001, 14:54
some news for revirgin development:
I'm actually working on safedisc v1, had some win98 problems, the load target could not work for this target because it creates another process and could trace into it on win98.
This is resolved and the win98 compatibility will be maintained, I'll upload a new version when my first safedisc app will be resolved by revirgin, be patient.
regards,

+Tsehp

tsehp
January 13th, 2001, 09:10
hi, for beta testers, a new build has been uploaded :
-no need to load target anymore, useful for targets that create some other processes to resolve.
-you can edit the IT length.
please re-test the tracer on your usual targets, next release will be normally able to resolve safedisc 1
regards,

+Tsehp