Problem With Revirgin !


DigitalBlade
February 21st, 2001, 02:49
Hi !

I have a problem with Revirgin: after dumping a vboxed app (vbox 4.3) and selecting it in the left box (task box) of Revirgin, it says that the IAT is damaged and that I can try to recalculate it. After this I tried to use the IT RVA from ProcDump (because the IAT RVA is 0), but with no luck. So, can anyone HELP ME PLEASE?

TIA, and sorry for my poor English.

+SplAj
February 21st, 2001, 04:51
AAAAAAHHHHHHH !!!!!!!!

Ok, I've got that out. Now, Revirgin is a reverser's tool; to use a tool you have to understand why a certain tool is used over another and also how to use such a tool.
In this case you are attempting to use Revirgin BEFORE your main tool .... your BRAIN.
Use this tool to locate the target RVA of the IAT by LoadLibraryA or some other appropriate API call. Revirgin cannot FIND this for you ....... YET?

When found, place this value in the 'IAT Start RVA' box with an estimated IAT length. Have a play.

So snippet :-

Brain:
If found target IAT RVA
then Proc Revirgin
Else Proc Duh
End
Revirgin:
Enter IATaddress in box 1
Enter IAT Length in box 2
Press 'IAT Resolver' button
If All API's found Proc 'Save'
Else press 'Resolve Again'
Proc Generator
Proc Rebuild
Blah Blah.......
Run dumped program
EndProc
End

Save:
Press button 'Save resolved'
EndProc

Generator:
Enter RVA of new section
Press button 'IAT generator'
EndProc

Rebuild:
Paste new IAT.bin & IT.bin
change OEip & IT values
EndProc

Duh:
Have a G&T, relax and watch TV instead
EndProc

"I can't get off this carousel.......... spaceman, I always wanted you to go, into space man"

SplAj

tsehp
February 23rd, 2001, 15:46
Some help to find the IAT start and length:

Launch the app and do:
-1 bpx getmenu or showwindow
F12 until you're back, then check where the call comes from.
You can have
call [51a4b8]
or call 51a4b8

Check those locations; you can have some jump tables like this:
jmp [51a487]
add eax, eax
jmp [51a489]
51a487 belongs to the IAT; it's always the last address pointer before the API.
You can also have some big holes between IAT groups (SoftLock). Don't worry, just take the very first IAT you find in mem and calculate the global length of the table, considering the very last you find; Revirgin
will take care of what is not an IAT in between.
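The "first IAT pointer to last IAT pointer" estimate tsehp describes, applied to a dumped code section, as an added example that is not part of the thread and not Revirgin's own code: it scans for `call [imm32]` / `jmp [imm32]` (FF 15 / FF 25) references, keeps only pointers that fall inside the image, and reports the lowest one as the IAT start RVA and the span to the highest one as the length. The image base, image size and the section bytes are constructed here; a 32-bit, little-endian PE is assumed.

```python
import struct

# Constructed sample: a fragment of a dumped 32-bit code section from an image
# loaded at 0x400000. The pointers it references (0x51a4b8, 0x51a480, ...) are
# made up to resemble the addresses quoted in the thread; the 0x7c801d7b
# reference lies outside the image and must be ignored.
IMAGE_BASE = 0x400000
IMAGE_SIZE = 0x200000
SAMPLE_CODE = bytes.fromhex(
    "ff15b8a45100"   # call dword ptr [0x51a4b8]
    "01c0"           # add eax, eax
    "ff2580a45100"   # jmp  dword ptr [0x51a480]   (jump-table style thunk)
    "ff15c0a45100"   # call dword ptr [0x51a4c0]
    "ff157b1d807c"   # call dword ptr [0x7c801d7b] (outside image: stray hit)
    "c3"             # ret
)

CALL_MEM = b"\xff\x15"  # call dword ptr [imm32]
JMP_MEM = b"\xff\x25"   # jmp  dword ptr [imm32]


def iat_references(code: bytes, lo: int, hi: int) -> list:
    """Absolute pointers referenced by FF15/FF25 instructions in `code` that
    fall inside [lo, hi). Linear byte scan, not a disassembler: false hits on
    data that happens to look like an opcode are filtered by the range check."""
    refs = []
    i = 0
    while i + 6 <= len(code):
        if code[i:i + 2] in (CALL_MEM, JMP_MEM):
            (addr,) = struct.unpack_from("<I", code, i + 2)
            if lo <= addr < hi:
                refs.append(addr)
                i += 6
                continue
        i += 1
    return refs


def iat_bounds(code: bytes, image_base: int, image_size: int):
    """Estimate (start_rva, length) as the post suggests: the first pointer
    found is the start, the span to the last pointer (+4 for its own slot) is
    the length; holes between import groups are left for the rebuilder."""
    refs = iat_references(code, image_base, image_base + image_size)
    if not refs:
        return None
    first, last = min(refs), max(refs)
    return first - image_base, last - first + 4


if __name__ == "__main__":
    start_rva, length = iat_bounds(SAMPLE_CODE, IMAGE_BASE, IMAGE_SIZE)
    print(f"IAT start RVA: {start_rva:#x}, length: {length:#x}")
```

The length is deliberately an over-estimate when the table has gaps, which is exactly the case the post says Revirgin tolerates.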