New revirgin 1.01 minor update


tsehp
March 4th, 2001, 14:58
More simple to use but needs maybe a little beta test...
Now the IAT file format is Microsoft based, so the problem that we talked about on the iris topic is resolved, it's also more simple to use because only one file will be pasted into the target, see the readme for details.
download at tsehp.cjb.net

tsehp
March 6th, 2001, 17:01
Ok I surround, I'll use zip now.
But I managed to gain up to 40% space using winace.
For example revirgin.zip = 788 KB, revirgin.ace = 473 KB

Where do you have problems with revirgin ?

later,

+Tsehp

tsehp
March 7th, 2001, 04:42
Quote:
ArthaXerXes (03-07-2001 00:58):
I do not really have problems with it, I just cannot figure it out. :-)

It's an IAT rebuilder with a tracer included, working in a different way than past ones that were working on dumped files.
Mine works on loaded targets, you give it the IAT start, length and a place for dumping the resulted IT table.
It defeats redirected, encrypted, dispersed IATs modified by protection schemes like softlock, asprotect, vbox,...
What did you try on the tool ?

the analyst
March 7th, 2001, 06:22
Quote:
+Tsehp (03-06-2001 23:09):
Ok I surround, I'll use zip now.
But I managed to gain up to 40% space using winace.
For example revirgin.zip = 788 KB, revirgin.ace = 473 KB

Where do you have problems with revirgin ?

later,

+Tsehp


hello Tsehp

congrats again with your Revirgin
i wanted to have a look at it, downloaded zip version (thx god)
but there is a lil mistake
the zip file contains the ACE file too
and there is no revirgin.exe
only an ACE file, so the zip is useless heh
could u please remove the ace file in the zip , and update with the exe ?

thx
regards,

the analyst / UCF

tsehp
March 7th, 2001, 08:13
Quote:
the analyst (03-07-2001 03:22):

hello Tsehp

congrats again with your Revirgin
i wanted to have a look at it, downloaded zip version (thx god)
but there is a lil mistake
the zip file contains the ACE file too
and there is no revirgin.exe
only an ACE file, so the zip is useless heh
could u please remove the ace file in the zip , and update with the exe ?

thx
regards,

the analyst / UCF

thanks !
sorry for this stupid mistake, you can download it now.
regards

tsehp
March 7th, 2001, 08:21
Quote:
ArthaXerXes (03-07-2001 04:02):
I have not yet tried the new version, but the old version had a very confusing interface, plus the fact that you need to supply the start and length of the IAT requires that you reversed a bit the executable...

I was hoping you had some program for lazy people, just one click and hop, IAT rebuilt. :-) But still, it might come in handy...

the new has the same interface, I'm not very good for those things but I'm open for ideas for some modifications, it's not hard to do with Visual C++, so thanks to try to make a picture here of what I should change, this is not a problem.

You're also right about IAT auto find, I actually simply go to the PE location if it's not corrupted, I could implement some heuristic searches, if you can provide me some algos I'll implement them.
I'm actually working on something else, renormalizing the exports from DLLs, just to impeach several names to point to the same address inside Windows NT DLLs. This is already done in icedump, so I have to port this on Windows 2000.
regards,

+Tsehp

MackT
March 9th, 2001, 08:15
Quote:
+Tsehp (03-07-2001 05:21):
Quote:
ArthaXerXes (03-07-2001 04:02):
I have not yet tried the new version, but the old version had a very confusing interface, plus the fact that you need to supply the start and length of the IAT requires that you reversed a bit the executable...

I was hoping you had some program for lazy people, just one click and hop, IAT rebuilt. :-) But still, it might come in handy...

the new has the same interface, I'm not very good for those things but I'm open for ideas for some modifications, it's not hard to do with Visual C++, so thanks to try to make a picture here of what I should change, this is not a problem.

You're also right about IAT auto find, I actually simply go to the PE location if it's not corrupted, I could implement some heuristic searches, if you can provide me some algos I'll implement them.
I'm actually working on something else, renormalizing the exports from DLLs, just to impeach several names to point to the same address inside Windows NT DLLs. This is already done in icedump, so I have to port this on Windows 2000.
regards,

+Tsehp



'llo,
I made an algo for looking for original IAT. Its purpose is to trace at the OEP (you must have it) until you find a call of the first API. You will have an address in the original IAT so you just need to scan before and after it to have the range of the IAT. I have tested it on several packed executables and it seems to work very well.
If you are interested in it Tsehp, just mail me ;-)

Best regards,
MT
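
The range scan MackT describes, as an added example (not code from ReVirgin or from any poster in this thread): given one IAT slot address recovered from the first API call, walk pointer-sized slots in both directions while they still point into a loaded DLL. The 32-bit slot size, the rule for stepping over a single zero separator, and the sample image and module ranges are assumptions constructed for illustration.

```python
import struct

PTR = 4  # 32-bit targets assumed

def find_iat_range(image, base, seed_va, modules):
    """Return (start_va, length) of the run of import pointers around seed_va.

    image   -- bytes of the loaded target, mapped at virtual address `base`
    seed_va -- address of one IAT slot, e.g. the memory operand of the first
               API call reached when tracing from the OEP
    modules -- [(start, end)] address ranges of the loaded DLLs
    """
    def slot(va):
        off = va - base
        if off < 0 or off + PTR > len(image):
            return None  # outside the captured image
        return struct.unpack_from("<I", image, off)[0]

    def is_api(va):
        v = slot(va)
        return v is not None and any(lo <= v < hi for lo, hi in modules)

    def walk(va, step):
        # Accept API pointers; step over one zero slot (the terminator
        # between two DLLs' thunk arrays) only if an API pointer follows it.
        while True:
            nxt = va + step
            if is_api(nxt):
                va = nxt
            elif slot(nxt) == 0 and is_api(nxt + step):
                va = nxt + step
            else:
                return va

    if not is_api(seed_va):
        raise ValueError("seed slot does not point into a loaded DLL")
    first, last = walk(seed_va, -PTR), walk(seed_va, PTR)
    return first, last - first + PTR

# Constructed sample: two thunk arrays separated by a zero, between filler bytes.
BASE = 0x400000
MODULES = [(0x77E80000, 0x77F40000), (0x77E10000, 0x77E75000)]  # made-up ranges
IAT = [0x77E81000, 0x77E82000, 0x77E83000, 0, 0x77E11000, 0x77E12000, 0, 0]
SAMPLE = b"\x90" * 0x20 + struct.pack("<8I", *IAT) + b"DATADATA"

if __name__ == "__main__":
    start, length = find_iat_range(SAMPLE, BASE, 0x400030, MODULES)
    print(hex(start), hex(length))
```

Slots that a protector has redirected to its own stubs fall outside `modules` and end the run early, so on such targets the returned range is only a lower bound.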

tsehp
March 9th, 2001, 17:55
very interesting, you've got my mail right away.