
"Usage of ReVirgin" problems (reaction on TSehp/Killby)


BlackB
February 26th, 2001, 08:23
I practised using ReVirgin on notepad.....and that was no problem. Everything worked fine. But notepad is too much of an "everything-goes-fine" example program. It would be better if a little essay were written on how to unprotect Commview.
Anyway......here are some things that are not clear from TSehp's readme.txt:

-"IT.bin : the import table file generated after the trace, I chose to put it at offset 0xe8d0 so this value was set on revirgin..."

This is not a really clear sentence. If I read this I wondered: why did you choose offset E8D0? So I started to look in a PE-editor and E8D0 was the IT RVA. Great! So I succeeded without too much trouble in unprotecting Notepad.

My next target....Commview v2.4. "Let's try this myself now", I thought.
Successfully found IAT RVA, Length, IT RVA. Now, the IT RVA is 12E12C as can be found in a PE-editor......but.....when looking at the dumped Commview, there is no such offset 12E12C. Okay, probably because it's a Relative Virtual Address, right?
Now my question is.....what do I have to do to make this work? Add a new section with raw offset 12E12C and thus extend the dumped file with several bytes? Or should I search for another location in the dumped file that can be used? If so, how can I find such a location?

For these questions I've read the essay Kilby wrote....but that still didn't give me any clarity on the case: he said that the IT RVA==761F8. Okay, then he writes:

"Starting at 741F8 highlight 1964 bytes (for that is the length of SSIT.BIN), and choose Replace with file, and choose SSIT.BIN.
Why not 761f8, well look at the section information, particularly at the Virtual & Raw Offset fields, on the .data and .rsrc sections."

Well, that's great Killby, but it appears that I do not own the game SuddenStrike, and that I just can't download a whole CD-ROM. It would be good if you explained why you chose 741f8 and not the most logical 761f8.

Then he writes:

"After saving this change, choose PE Editor in procdump and open ssdumped.exe and go into Directory and change the following fields:
Import Table Length
000761F8 000000CC"

Okay, now I'm totally lost.....if you just said you put the IT at 741f8, then why tell the PE the import table is at 761f8??

It's also never mentioned (not in tsehp's readme or killby's essay) that other things, like raw-offset/virtual-offset, should be aligned. Now, I know this, but I'm sure that many people who use ReVirgin for the first time, or are just learning to unpack, know this.

Do either of you volunteer to write a detailed, easy-to-understand essay on CommView v2.4? I suppose not :P heheh, but some answers to my questions would be greatly appreciated. I bet they can help a thousand other people too :P

greets

The Blackbird aka BlackB

+SplAj
February 26th, 2001, 09:24
Hi BlackB

Yes unpacking with Revirgin is great fun.. but also a little strange.
The approach is NOT to replace the existing IT but to build a NEW one at the end of the unpacked target. So the 1st thing to do is simply DUMP the target and use PEditor 1.7 to see the sections. With the Cv2.4 I dumped, the last section was at RAW/RVA 0x170000 (SAME VALUE - IMPORTANT for pasting IT). Just 'right-click' and ADD a new section some 0x3000 bytes long, call it .BlackB, edit it to have a Vurtuel (sic) Size and Raw Size of 00003000 and you're done. Your new section is at 0x171000.

Then dump the IAT & IT with Revirgin (rebuild) at 171000
and paste them in IT @ 0x171000 and IAT @ 0x1201E0.

Of course Cv2.4 WILL not run as it's very well protected and some more work needs to be done.

I should make a tut SOON.....

SplAj

tsehp
February 26th, 2001, 10:20
my two cents,
I'll upload a more clarified readme concerning the IT location. I know it's a trap when you first get to use it; you must know where to put the IT. Download the new readme pretty soon, btw I corrected a few bugs.

I'm still waiting for a good soul to send me a working safedisc 2 target,
so I can adapt revirgin to it.
I'll ask kilby to verify his essay,
thanks a lot blackb

risc
February 26th, 2001, 12:17
erm, 'tippex' didn't supply you with a safedisc v2 patched to no-cd exe?

yes/no ?

if no, /me will pester him again until he does!

Kilby!
February 28th, 2001, 06:40
Firstly as I think I mentioned in the essay the topic of rebuilding is pretty new to me.

Therefore I may not have chosen the normal/proper way of doing something.

The original text of the essay was misplaced, and was rewritten from notes and SIce dumps.

This file was checked by a couple of people before sending for any obvious errors.

I think the problem comes from 2 omissions on my part;

1:
Not realigning the file sections

2:
Losing a sentence regarding the difference between Physical & Virtual addresses for the IT

Issue 1:

As the file was originally done for personal interest, I didn't align the virtual with the physical addresses.


Issue 2:

From Memory;
Regarding IT RVA==761F8 & 741F8, the 0x2000 byte discrepancy.

I had originally placed the IT at the physical offset 761F8 and it didn't work.

When I looked at the sections with procdump, I noticed that the Physical and Virtual RVA were different.

There was an extra 0x2000 bytes in the Virtual section.

Therefore I subtracted 0x2000 from the physical offset, which gives 741F8, and this is where I pasted the IT.

I then set the IT address with PEdit to the virtual address 761F8, (where the IT will be after loading.)

Hence the discrepancy in memory addresses.

With hindsight;

I should have realigned the sections
Deleted the .icd sections
Created a new section for this data

I have avoided adding and removing sections with Procdump as my machine gets seriously upset (usually requires a reboot), and it wasn't strictly necessary to make the file work.

I will go through the notes and dumps again.

If necessary I will rewrite, or at least include the business about the physical & virtual addresses.

If I can get procdump to create sections without locking up my machine then I will expand the essay to include this, it is useful.

I may take a leaf out of ArthaXerXes' book and do a .pdf version, as a picture is worth a thousand words.


Apologies for any confusion caused,

Kilby...
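The two explanations in this thread (Kilby's 761F8 vs 741F8 discrepancy, and SplAj's advice to append a new section whose RAW and RVA coincide) both come down to walking the PE section table. The following is an added example, not code from the thread, from ReVirgin or from any of the posters; it uses constructed section tables that only mimic the layouts described above (the SuddenStrike and Commview numbers are not taken from real binaries, and the section names and helper functions are the example's own).

```python
# Added example: mapping an RVA to a raw file offset through the PE section table,
# and appending a new section with aligned virtual/raw offsets. Constructed data,
# not the real SuddenStrike or Commview section tables.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Section:
    name: str
    virtual_address: int  # RVA the section is mapped at (VirtualAddress)
    virtual_size: int     # VirtualSize (may exceed raw size: uninitialised tail)
    raw_offset: int       # PointerToRawData (position in the file on disk)
    raw_size: int         # SizeOfRawData


def rva_to_raw(sections: List[Section], rva: int) -> Optional[int]:
    """Translate an RVA to the file offset holding those bytes on disk.

    Returns None when the RVA is outside every section or falls in the
    virtual-only tail of a section (bytes that exist in memory but not in
    the file), which is exactly the case where pasting at 'RVA as offset'
    lands in the wrong place."""
    for s in sections:
        span = max(s.virtual_size, s.raw_size)
        if s.virtual_address <= rva < s.virtual_address + span:
            delta = rva - s.virtual_address
            if delta >= s.raw_size:
                return None
            return s.raw_offset + delta
    return None


def align_up(value: int, alignment: int) -> int:
    return (value + alignment - 1) // alignment * alignment


def append_section(sections: List[Section], name: str, size: int,
                   section_alignment: int, file_alignment: int) -> List[Section]:
    """Return a new section list with `name` appended after the last section,
    its RVA rounded up to SectionAlignment and its raw offset to FileAlignment.
    For a memory dump saved with 0x1000 file alignment the two coincide, which
    is the 'SAME VALUE' property SplAj relies on when pasting the IT."""
    last = max(sections, key=lambda s: s.virtual_address)
    va = align_up(last.virtual_address + max(last.virtual_size, last.raw_size),
                  section_alignment)
    raw_end = max(s.raw_offset + s.raw_size for s in sections)
    raw = align_up(raw_end, file_alignment)
    new = Section(name, va, size, raw, align_up(size, file_alignment))
    return sections + [new]


# Constructed table modelled on Kilby's description: a section whose virtual
# size exceeds its raw size by 0x2000 pushes every later section's RVA 0x2000
# ahead of its raw offset. Hypothetical layout, not the real game's.
KILBY_LIKE = [
    Section(".text", 0x1000, 0x6F000, 0x1000, 0x6F000),
    Section(".icd1", 0x70000, 0x4000, 0x70000, 0x2000),   # 0x2000 virtual-only
    Section(".data", 0x74000, 0x4000, 0x72000, 0x4000),
]

# Constructed table modelled on SplAj's dump: raw offsets equal RVAs because the
# dump was written with page-sized file alignment. Hypothetical layout.
DUMP_LIKE = [
    Section(".text", 0x1000, 0x16F000, 0x1000, 0x16F000),
    Section(".rsrc", 0x170000, 0x1000, 0x170000, 0x1000),
]


def kilby_paste_offset() -> Optional[int]:
    # Where the IT with RVA 0x761F8 must be pasted in the file on disk.
    return rva_to_raw(KILBY_LIKE, 0x761F8)


def splaj_new_section() -> Section:
    # Add a 0x3000-byte section to the dump; RVA and raw offset should match.
    return append_section(DUMP_LIKE, ".BlackB", 0x3000, 0x1000, 0x1000)[-1]


if __name__ == "__main__":
    print(f"IT RVA 0x761F8 -> raw offset {kilby_paste_offset():#x}")  # 0x741f8
    s = splaj_new_section()
    print(f"new section {s.name}: RVA {s.virtual_address:#x}, raw {s.raw_offset:#x}")
```

The check a practitioner wants before pasting anything is the `None` case: an RVA that lands in the virtual-only tail of a section (here 0x73000) has no bytes on disk, so the IT must go into a section that actually has raw data, or into a freshly appended one as SplAj suggests. After pasting, the directory entry in the PE header still takes the RVA (761F8), not the raw offset (741F8), which is the distinction Kilby's essay lost.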