
Attempt to apply ReVirgin on PC Guard protection on app Iris


BlackB
February 28th, 2001, 07:05
Well, PC Guard is pretty much ASProtect-like, only better. I tried to unprotect the program Iris, which is an unbelievably powerful packet sniffer (a thousand times more powerful than CommView, btw). As the price (I think it was $1700) is pretty high, a good protection is necessary.

Well, this is all of no importance actually. I just wanted to succeed in unpacking it with the help of ReVirgin. So I launched Iris (don't forget to load IceDump to avoid SoftICE detection), and launched ReVirgin.
IAT address: BA478
Length: 12C0

Other useful info:
OEiP: 446C9C-400000=46C9C
ImportTable RVA: 12E12C

ReVirgin recognizes ALL APIs from the usual DLLs (kernel, gdi, etc...). But it doesn't recognize ANY of the MFC42.dll ones. Anyway, I let ReVirgin make the IT.BIN and IAT.BIN, did everything, but of course, when running the dumped file it says "Can't find needed .dll".
Note that I dumped IT.BIN at 12E12C. This results in an increase of the file length. I realigned the sections with PE-editor. I also tried to add a new section at the end of the file (I think at 12F000), but that didn't work either. Disassembling was possible and IDA didn't complain about anything. The disassembly, however, ended after 2 minutes, and that's a little bit too fast for a > 1MB file. When looking at it I also had the impression that big chunks of the .exe are still encrypted.

When looking in PE-editor 1.7, all the APIs are there, but they have no DLL name.

For people still not tired of trying to unpack these heavily protected apps, here's the url to download Iris: http://www.eeye.com/html/Products/Iris/download.html
The PC-Guard homepage: http://www.pc-guard.co.yu

Heh, I think I just want to do too much at a time, and pick the most difficult targets to test ReVirgin. However, I have learnt quite a lot already after three days.

Feel free to post your findings on this protection

Greets

BlackB

+SplAj
February 28th, 2001, 07:55
Hi BlackB

Iris is also prewrapped with PEShiELD or something by AnAkin, then PCG32 is applied. The silly Laurentiou also failed to use the licence system of PCG, instead relying on his own feeble serial algo.

Also check out offset ~62888 or so in the dumped exe, you should see an infamous name }>

Don't try and get the 'names' of those MFCs. I informed Tsehp about my concerns in the early trials of ReVirgin.
Just carry on regardless. It does not matter, as these APIs are 'nameless ones'.

SplAj

Yes good work BlackB you are trying VERY hard, soon +BlackB

SV
February 28th, 2001, 11:58
Hi

I have unpacked this one, and if it can help you I post a completely rebuilt IAT (generated to be inserted in a new section at 12F000).

Regards SV


BlackB
February 28th, 2001, 15:13
Hehehe, +Splaj, it will still be a long run before I can put that + before my nick.
Btw, I noticed that additional PE packing. I noticed it in Hex Workshop when dumping it and the IAT.

Anyway, thanks a lot to splaj/sv/tsehp, who are helping me on this unpacking subject; I already owe you a lot.
At the moment of writing I'm with my girlfriend, and tomorrow too, so I don't have the time to test certain things out. Relaxation in life is also important

well, gotta go...... someone's waiting, heh

greets

The Blackbird aka BlackB

Kayaker
February 28th, 2001, 23:58
Hiya BlackB,

Here's something to check if you're still having problems with MFC imports being resolved. I had this come up with earlier versions of Revirgin that I'd always meant to mention to Tsehp. But since I haven't tried it with the most recent version, I didn't want to complain *too* early in case he'd fixed it

There seemed to be a problem with some of the MFC Imports if the listing was interrupted by another dll Import. Even though the Import resolved OK and you could glean its ordinal value from the Save Resolved text file, once it was generated into the IAT the entry was 00000000.

Here's a section of the text file as resolved as it was going to get:

308 000494E0 6C2B5760 0A5C MFC42.DLL
309 000494E4 6C2B56EC 0685 MFC42.DLL
310 000494E8 00000000 001A RPCRT4.dll I_RpcBindingInqDynamicEndpointA
311 000494EC 6C303B14 035B MFC42.DLL
312 000494F0 6C31DE8E 0844 MFC42.DLL
313 000494F4 6C31DEB0 081E MFC42.DLL
314 000494F8 00000000 001A RPCRT4.dll I_RpcBindingInqDynamicEndpointA
315 000494FC 00000000 001A RPCRT4.dll I_RpcBindingInqDynamicEndpointA
316 00049500 6C30C3C7 187E MFC42.DLL

You can see that all the MFC42 imports are resolved, but in the corresponding IAT entry the MFC just preceding the RPCRT4 import is now 0 instead of the ordinal value it should be.

000004E0 5C0A 0080 0000 0000 0000 0000 5B03 0080 \...........[...
000004F0 4408 0080 0000 0000 9433 0B00 0000 0000 D........3......
00000500 7E18 0080

I thought maybe this was because I_RpcBindingInqDynamicEndpointA wasn't resolved and I just had a weird app that actually used RPCRT4.dll. I fixed the pointers for both the missing MFC42 imports as well as the RPCRT4 ones in the IAT manually before pasting into the dumped file, but there were still a few things I had to check to get it to work right and the project kind of went by the wayside.

Anyway, check this out, it might still be an issue with Revirgin. In any case I'll give it another shot and let you know Tsehp.

Cheers,
Kayaker

tsehp
March 1st, 2001, 04:52
Quote:
Kayaker (02-28-2001 12:58):
Hiya BlackB,

Here's something to check if you're still having problems with MFC imports being resolved. I had this come up with earlier versions of Revirgin that I'd always meant to mention to Tsehp. But since I haven't tried it with the most recent version, I didn't want to complain *too* early in case he'd fixed it

There seemed to be a problem with some of the MFC Imports if the listing was interrupted by another dll Import. Even though the Import resolved OK and you could glean its ordinal value from the Save Resolved text file, once it was generated into the IAT the entry was 00000000.

Here's a section of the text file as resolved as it was going to get:

308 000494E0 6C2B5760 0A5C MFC42.DLL
309 000494E4 6C2B56EC 0685 MFC42.DLL
310 000494E8 00000000 001A RPCRT4.dll I_RpcBindingInqDynamicEndpointA
311 000494EC 6C303B14 035B MFC42.DLL
312 000494F0 6C31DE8E 0844 MFC42.DLL
313 000494F4 6C31DEB0 081E MFC42.DLL
314 000494F8 00000000 001A RPCRT4.dll I_RpcBindingInqDynamicEndpointA
315 000494FC 00000000 001A RPCRT4.dll I_RpcBindingInqDynamicEndpointA
316 00049500 6C30C3C7 187E MFC42.DLL

You can see that all the MFC42 imports are resolved, but in the corresponding IAT entry the MFC just preceding the RPCRT4 import is now 0 instead of the ordinal value it should be.

000004E0 5C0A 0080 0000 0000 0000 0000 5B03 0080 \...........[...
000004F0 4408 0080 0000 0000 9433 0B00 0000 0000 D........3......
00000500 7E18 0080

I thought maybe this was because I_RpcBindingInqDynamicEndpointA wasn't resolved and I just had a weird app that actually used RPCRT4.dll. I fixed the pointers for both the missing MFC42 imports as well as the RPCRT4 ones in the IAT manually before pasting into the dumped file, but there were still a few things I had to check to get it to work right and the project kind of went by the wayside.

Anyway, check this out, it might still be an issue with Revirgin. In any case I'll give it another shot and let you know Tsehp.

Cheers,
Kayaker


I get it, Kayaker. For example, just take this interruption:
494e4 : mfc import
494e8 : rpcrt4 import

I chose the Borland way of generating IAT + IT files, so the IAT pointers *must* be interrupted by a dword 0 to interrupt the DLL export list. In this case the interrupt should reside at 494e8 and this entry should be 0, but in the target it's not. In the actual version of ReVirgin I just can't rebuild an rpcrt4 at this IAT location; I'm obliged to put a dword 0 and put this entry at 494ec, but this entry belongs to mfc... Do you see the problem? It's a Windows problem.
Maybe someone has an idea. Maybe I can solve this by giving up the Borland way of creating IAT files and switching back to the M$ way. Does someone have an idea on this? If yes, I'll update in ReVirgin 1.01, soon available for $0, except for alexey, $500.
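To make the "Borland way" versus "MS way" point concrete, here is an added example (it is not ReVirgin's code, and the data is constructed from the resolved listing and the IAT hex dump quoted in Kayaker's post above). It groups the IAT slots 494E0..49500 into per-DLL runs, lists the slots where a Borland-style layout (OriginalFirstThunk = 0, loader walks the IAT itself) would need a terminating 0 dword that the target already uses for a neighbouring import, then builds an MS-style import directory at an assumed IT RVA of 12F000 in which every descriptor has its own zero-terminated Import Name Table, so the interleaved IAT can be pasted back without a single stray zero. It also decodes the posted IAT dump, showing the `0x8000xxxx` ordinal encoding and the zeroed slots. The layout follows the IMAGE_IMPORT_DESCRIPTOR / IMAGE_THUNK_DATA32 formats from the PE specification; the interning of the repeated hint/name string is this example's choice, not anything ReVirgin does.

```python
"""Rebuild an import directory from a resolved IAT listing (added example, not ReVirgin code).
Shows why interleaved DLL runs break the Borland layout and work in the MS layout."""
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000
DESC_SIZE = 20                      # sizeof(IMAGE_IMPORT_DESCRIPTOR)

# Constructed from the resolved listing in the thread: (IAT slot RVA, DLL, ordinal or API name).
RESOLVED = [
    (0x494E0, "MFC42.DLL", 0x0A5C),
    (0x494E4, "MFC42.DLL", 0x0685),
    (0x494E8, "RPCRT4.dll", "I_RpcBindingInqDynamicEndpointA"),
    (0x494EC, "MFC42.DLL", 0x035B),
    (0x494F0, "MFC42.DLL", 0x0844),
    (0x494F4, "MFC42.DLL", 0x081E),
    (0x494F8, "RPCRT4.dll", "I_RpcBindingInqDynamicEndpointA"),
    (0x494FC, "RPCRT4.dll", "I_RpcBindingInqDynamicEndpointA"),
    (0x49500, "MFC42.DLL", 0x187E),
]
# Constructed from the IAT.BIN hex dump in Kayaker's post (file offsets 4E0..503).
IAT_DUMP = bytes.fromhex("5C0A0080 00000000 00000000 5B030080"
                         "44080080 00000000 94330B00 00000000 7E180080")

def split_runs(resolved):
    """Group consecutive IAT slots by DLL; each run becomes one import descriptor."""
    runs = []
    for rva, dll, sym in resolved:
        if runs and runs[-1][0] == dll and runs[-1][1][-1][0] + 4 == rva:
            runs[-1][1].append((rva, sym))
        else:
            runs.append((dll, [(rva, sym)]))
    return runs

def borland_collisions(resolved):
    """IAT slots the Borland layout needs as a terminating 0 but which the target already uses."""
    used = {rva for rva, _, _ in resolved}
    return [e[-1][0] + 4 for _, e in split_runs(resolved) if e[-1][0] + 4 in used]

def build_import_directory(resolved, it_rva):
    """MS-style IT at it_rva: descriptors, then one 0-terminated INT per run, then strings.
    Returns (it_bytes, {iat_slot_rva: dword the slot must hold before loading})."""
    runs = split_runs(resolved)
    int_off = (len(runs) + 1) * DESC_SIZE                # INTs follow the terminated descriptor array
    int_sizes = [4 * (len(e) + 1) for _, e in runs]      # each INT ends with a 0 dword
    str_off = int_off + sum(int_sizes)                   # strings follow the INTs
    strings, str_rva = bytearray(), {}

    def intern(blob):                                     # share identical strings, return their RVA
        if blob not in str_rva:
            if len(strings) % 2:                          # IMAGE_IMPORT_BY_NAME is WORD aligned
                strings.append(0)
            str_rva[blob] = it_rva + str_off + len(strings)
            strings.extend(blob)
        return str_rva[blob]

    descs, ints, iat = bytearray(), bytearray(), {}
    cur = it_rva + int_off
    for (dll, entries), size in zip(runs, int_sizes):
        thunks = []
        for rva, sym in entries:
            if isinstance(sym, int):                      # import by ordinal
                thunks.append(IMAGE_ORDINAL_FLAG32 | sym)
            else:                                         # import by name: hint 0 + ASCIIZ name
                thunks.append(intern(struct.pack("<H", 0) + sym.encode() + b"\0"))
            iat[rva] = thunks[-1]
        ints += struct.pack("<%dI" % (len(thunks) + 1), *thunks, 0)
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        descs += struct.pack("<5I", cur, 0, 0, intern(dll.encode() + b"\0"), entries[0][0])
        cur += size
    descs += bytes(DESC_SIZE)                             # all-zero terminating descriptor
    return bytes(descs + ints + strings), iat

def parse_import_directory(it, it_rva):
    """Walk the descriptors back out the way the loader does: [(dll, FirstThunk RVA, [syms])]."""
    def cstr(rva):
        off = rva - it_rva
        return it[off:it.index(b"\0", off)].decode()

    out, pos = [], 0
    while True:
        oft, _, _, name, ft = struct.unpack_from("<5I", it, pos)
        if name == 0:
            return out
        syms, off = [], oft - it_rva
        while True:
            thunk, = struct.unpack_from("<I", it, off)
            if thunk == 0:
                break
            syms.append(thunk & 0xFFFF if thunk & IMAGE_ORDINAL_FLAG32 else cstr(thunk + 2))
            off += 4
        out.append((cstr(name), ft, syms))
        pos += DESC_SIZE

def decode_iat_dump(raw):
    """Classify each IAT dword: ordinal import, RVA of a hint/name entry, or a zero."""
    return [("zero", 0) if dw == 0 else ("ordinal", dw & 0xFFFF) if dw & IMAGE_ORDINAL_FLAG32
            else ("name_rva", dw) for (dw,) in struct.iter_unpack("<I", raw)]
```

Running `borland_collisions(RESOLVED)` returns 494E8, 494EC, 494F8 and 49500: every run boundary except the last would have to be zeroed, which is exactly the dword-0 problem described above. `build_import_directory(RESOLVED, 0x12F000)` emits five descriptors (two for MFC42.DLL runs that happen to be split by RPCRT4.dll; the loader accepts the same DLL more than once) and `parse_import_directory` reads them back, so the file can be checked before it is pasted into the dump.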

BlackB
March 1st, 2001, 15:08
Frustration regarding iris, hehehe :P

All right, there must be something I'm doing wrong. Maybe a little detail that you guys see as normal, but that I never heard of (?)
Well, here's EXACTLY what I do to unpack IRIS. If I don't mention something then I also didn't do it:

-Run Iris.exe WITH Icedump to avoid detection. Dumping with PE-editor.

-Directly after dumping, I'm adding a section named .BlackB @ 12F000, virtual/raw size 20000 (just to make it big enough )
Nothing else is done.

-ReVirgin is launched, IAT and IT are created after resolving with the following options:
RVA: BA478
Length: 12F4
IT address: 12F000
Length: 61C

-iris_dump.exe is opened in hexworkshop
IAT.BIN is dumped at BA478, number of bytes: 4658
IT.BIN is dumped at 12F000, 17562 bytes are added to iris_dump.exe

-PE-editor is launched.
Entrypoint is changed to 46C9C
Sorry, but even with the latest downloaded version, I get this as OEiP
Importtable RVA is changed to 12F000 and the length to 61C
Saving changes
To end, I let PE-editor realign the iris_dump.exe

-Disassembling with IDA runs perfectly, the entrypoint really looks like an entrypoint: starts with a 'push ebp'

-Running the iris_dump.exe: "Not enough memory to run application".

Well that's it. Some help is really needed. Goddamned, what am I doing wrong ?
IT.BIN and IAT.BIN are attached in Iris.ace
Note: download latest winace to extract!

greets

The Blackbird aka BlackB

PS to tsehp: there's nothing really wrong with ReVirgin, except for some bugs, but I'll soon make a list of them
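The post above does the header surgery by hand in PE-editor and Hex Workshop. As an added example (not PE-editor's, ReVirgin's or the poster's code), the script below performs the same steps in one pass on a PE image: append a section header, place the rebuilt import table in a new section, point the import data directory at it, and set AddressOfEntryPoint to the OEP RVA. The section name `.BlackB`, the import table size 61C and the OEP RVA 46C9C are taken from the post; the PE it operates on is constructed in memory (one `.text` section), so the OEP value is only a header field here and the new section lands at RVA 2000 rather than 12F000. Two details this makes explicit: the section's RVA and its raw file offset are different numbers, and the IT bytes written into the section must have been generated for the RVA the section actually receives.

```python
"""Add a section holding a rebuilt import table and fix up the PE header (added example)."""
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
SECTION_HDR = 40                    # sizeof(IMAGE_SECTION_HEADER)
OPT32_SIZE = 0xE0                   # sizeof(IMAGE_OPTIONAL_HEADER32)

def align(v, a):
    return (v + a - 1) // a * a

def make_dummy_pe():
    """Constructed stand-in for the dumped target: MZ stub, PE32 header, one .text section."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, OPT32_SIZE, 0x0102)
    opt = bytearray(OPT32_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                            # packer's entry point
    struct.pack_into("<I", opt, 28, 0x400000)                          # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                    # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)                    # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes
    text = struct.pack("<8s6IHHI", b".text", 0x1000, 0x1000, 0x1000, 0x200, 0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + file_hdr + bytes(opt) + text).ljust(0x200, b"\0") + bytes(0x1000)

def add_section_with_imports(pe, name, it_bytes, import_size, new_oep_rva):
    """Append a read/write data section containing it_bytes, then patch NumberOfSections,
    SizeOfImage, AddressOfEntryPoint and the import data directory. Returns the new image."""
    pe = bytearray(pe)
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    fh, opt = e_lfanew + 4, e_lfanew + 24
    nsec, = struct.unpack_from("<H", pe, fh + 2)
    opt_size, = struct.unpack_from("<H", pe, fh + 16)
    sect_align, file_align = struct.unpack_from("<II", pe, opt + 32)
    size_of_headers, = struct.unpack_from("<I", pe, opt + 60)
    sh0 = opt + opt_size
    new_sh = sh0 + nsec * SECTION_HDR
    if new_sh + SECTION_HDR > size_of_headers:                         # headers must stay in SizeOfHeaders
        raise ValueError("no room for another section header")
    _, vsize, va, rawsize, rawptr = struct.unpack_from("<8s4I", pe, sh0 + (nsec - 1) * SECTION_HDR)
    new_va = align(va + vsize, sect_align)                             # RVA: after the last section
    new_raw = align(max(rawptr + rawsize, len(pe)), file_align)        # file offset: after the last raw data
    raw_size = align(len(it_bytes), file_align)
    struct.pack_into("<8s6IHHI", pe, new_sh, name.encode().ljust(8, b"\0"), len(it_bytes), new_va,
                     raw_size, new_raw, 0, 0, 0, 0, 0xC0000040)        # INITIALIZED_DATA | READ | WRITE
    struct.pack_into("<H", pe, fh + 2, nsec + 1)
    struct.pack_into("<I", pe, opt + 56, new_va + align(len(it_bytes), sect_align))
    struct.pack_into("<I", pe, opt + 16, new_oep_rva)
    struct.pack_into("<II", pe, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, new_va, import_size)
    pe.extend(bytes(new_raw - len(pe)))                                # pad file up to the new raw offset
    pe.extend(it_bytes.ljust(raw_size, b"\0"))
    return bytes(pe)

def read_headers(pe):
    """(NumberOfSections, AddressOfEntryPoint, SizeOfImage, (import RVA, size), [section tuples])."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    fh, opt = e_lfanew + 4, e_lfanew + 24
    nsec, = struct.unpack_from("<H", pe, fh + 2)
    opt_size, = struct.unpack_from("<H", pe, fh + 16)
    entry, = struct.unpack_from("<I", pe, opt + 16)
    size_of_image, = struct.unpack_from("<I", pe, opt + 56)
    imp = struct.unpack_from("<II", pe, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    secs = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8s4I", pe, opt + opt_size + i * SECTION_HDR)
        secs.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
    return nsec, entry, size_of_image, imp, secs

if __name__ == "__main__":
    it = bytes(range(256)) * 6 + bytes(0x1C)          # constructed 0x61C-byte stand-in for IT.BIN
    patched = add_section_with_imports(make_dummy_pe(), ".BlackB", it, len(it), 0x46C9C)
    print(read_headers(patched))
```

With a real dump the IT would first be generated for the RVA `add_section_with_imports` assigns (the section's `VirtualAddress`), then written through this function; the file offset it lands at is `PointerToRawData`, which is not the same number.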

BlackB
March 1st, 2001, 15:11
here it is

BlackB

tsehp
March 1st, 2001, 20:30
And for my two cents: I just corrected ReVirgin so it doesn't make this bug anymore on mfc42. It was coming from the code analyser (yes, there is one!) that believed mfc42.dll exports were some IAT redirectors.
You can set the upper mem limit to stop the auto-analysis now. I checked only the listing on Iris 2.0 and this works fine.

regards,

+Tsehp

tsehp
March 2nd, 2001, 03:02
well I just did this :
launch the target, tracing with latest icedump 6.022
at oep 446c9c, do a /pedump 400000 46c9c [file]

launch your dump, the target runs !!!!!
(+splaj, I'll accept you sending me another target, I owe you a night spent cracking a target)

the target is included here

regards,

+Tsehp

BlackB
March 2nd, 2001, 04:07
pfffff, it 's just not fair :P
I've been working about two days on it with ReVirgin, while another simply does a /pedump :P

ah well, my day will come hehe

greets to everyone
thx to tsehp/splaj/cv/kayaker

BlackB

BlackB
March 2nd, 2001, 06:41
hmmm, just some little advice asking.....

I'm cracking for a cracking group for some time (two years or so), and... well... I'm starting to feel guilty to release cracks. You see, people like you (tsehp, +splaj, etc...) give me this good advice on reverse engineering, that I will then apply to make a stupid crack for all those lame people out there, not caring about what we do.
I'm having this thought for some time, but now that I'm busy with this asprotect/pc guard stuff, I'm really starting to feel uncomfortable with it.

On the other hand it's good that there are cracks for certain programs (like windows and other MS products) but I'd really hate to damage smaller companies by releasing a crack.
My doubts about releasing cracks also increased when I started a topic on the datarescue board concerning ida and cracking.......well, I just ask to give your opinions and thoughts about releasing cracks.....

thx

BlackB

G-RoM
March 2nd, 2001, 16:12
Mr BlackB :

First of all... fair or not, some people try what is the easiest and, for instance, go faster than you. This is a question of analysis and efficiency; then you know what is the most suitable with the tools you have. Speaking of that, sometimes I laugh a lot when I read posts about that and that, when people could use an existing Hydra plugin that would do all the work in one single pass... I suppose nobody cared to check this. Not surprising... most people seem to need huge advertising and an easy-to-use GUI.

Speaking of your conscience waking up... Well well... Are you trying to get the benediction of people in here to continue to release cracks? You fear to harm little companies? You should have thought about your acts... besides, I can't see why harming a bigger company would be OK. It is up to you to decide about your life... make your choice yourself and don't ask people in here to make you feel better. A crack is a crack... costs money for companies big or small... you know it... So now deal with it.

Cheers,

HalVar
March 3rd, 2001, 12:12
Iris is an eEye product. eEye deserves to be hurt. That's all I have to say to this. Release it :-)

booyah
March 3rd, 2001, 13:09
I agree with him.

edward
March 3rd, 2001, 13:45
Quote:
HalVar (03-03-2001 01:12):
Iris is an eEye product. eEye deserves to be hurt. That's all I have to say to this. Release it :-)


Don't care about Iris... A crack has already been released some weeks ago.

BlackB
March 4th, 2001, 09:07
If a crack was already released weeks ago then it will not work for the latest version :P

Anyway, even if there's already a crack for it, I'm still interested in the protection......crack-minded damn people :P

greets

BlackB