
help with revirgin


generalhackbar
March 29th, 2001, 07:06
Hi,
I used Revirgin 1.01 build 4 on W98 to unpack Tag&Rename 1.9 (www.softpointer.com).
I found IAT start 13b1b8 and IAT length 82C.
But Revirgin can't resolve the "redirected" imports, even after a "resolve again", and the tracer crashes my system...

(btw this target uses the same scheme as Chameleon Clock 2.51. There is one call to the target's code before the jmp OEP)

Thanks for your help.

tsehp
March 29th, 2001, 18:54
Downloaded the target and found this:
IAT start 1561cc, length 844; try those right values and tell me.

NotMe
March 30th, 2001, 00:04
I met the same problem with this target (Tag&Rename 1.9) too, while using Revirgin 1.01 build 4.

Not very sure, but I believe it must be some checksum or CRC checking in Asprotect... because the program will crash or show strange behaviour if you change its code.

Target: Tag&Rename 1.9 (file version: 1.9.1.3)
Hash of main file "TagRename.exe" (using DAMN Hash Calculator)
=> MD5: 9C4C6270408CE694CA8B03DD8650869F

tsehp
March 30th, 2001, 02:00
(I'm not on the CRC check.)
I'm actually fixing Revirgin for this target; update posted here pretty soon.

sv
March 30th, 2001, 03:05
Hi

Some APIs are pre-processed!
In the thunk, when called, you just have something like:

015F:00DCC85C A1DC35DD00 MOV EAX,[00DD35DC]
015F:00DCC861 C3 RET

And ...

015F:00DCC7D8 6A00 PUSH 00
015F:00DCC7DA E82D7CFFFF CALL KERNEL32!GetModuleHandleA
015F:00DCC7DF A3D435DD00 MOV [00DD35D4],EAX
015F:00DCC7E4 E83B7CFFFF CALL KERNEL32!GetVersion
015F:00DCC7E9 A3D835DD00 MOV [00DD35D8],EAX
015F:00DCC7EE 68E435DD00 PUSH 00DD35E4
015F:00DCC7F3 E8347CFFFF CALL KERNEL32!GetVersionExA
015F:00DCC7F8 E8DF7BFFFF CALL KERNEL32!GetCurrentProcess
015F:00DCC7FD A3DC35DD00 MOV [00DD35DC],EAX
015F:00DCC802 E8DD7BFFFF CALL KERNEL32!GetCurrentProcessId
015F:00DCC807 A3E035DD00 MOV [00DD35E0],EAX
015F:00DCC80C E8C37BFFFF CALL KERNEL32!GetCommandLineA
015F:00DCC811 A37836DD00 MOV [00DD3678],EAX
015F:00DCC816 C3 RET

As you can see, only APIs with no parameters (of course!) can be 'pre-processed'.

Regards SV

sv
March 30th, 2001, 06:24
Hi reversers

There is integrity check code.
A key is calculated (like a checksum) and some parts are decrypted with this key.
Here it is, at 00555CAC:

-----TAGRENAME_SV!+0CAC---------------------------byte--------------PROT---(0)--
0167:00555CAC 30 61 17 85 0F B8 F4 25-72 E6 F1 EE 90 36 4C 62 0a.....%r....6Lb
0167:00555CBC A8 01 55 00 00 00 00 00-00 00 00 00 00 00 00 00 ..U.............
-------------------------------------------------------------------------PROT32-
015F:0055010F 8D55EC LEA EDX,[EBP-14]
015F:00550112 8B45FC MOV EAX,[EBP-04]
015F:00550115 E8CAF7FFFF CALL 0054F8E4
015F:0055011A 8D75EC LEA ESI,[EBP-14]
015F:0055011D BFAC5C5500 MOV EDI,00555CAC
015F:00550122 B904000000 MOV ECX,00000004
015F:00550127 F3A5 REPZ MOVSD
015F:00550129 33C0 XOR EAX,EAX
015F:0055012B 5A POP EDX
015F:0055012C 59 POP ECX
015F:0055012D 59 POP ECX

You can insert the key (555cac) in the unpacked exe and NOP the REPZ MOVSD.
Afterwards, you can patch the 'register ? call'.

Regards SV
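What sv describes is a tamper-coupled decryption: the key is stored nowhere, it is derived from a checksum over the program's own code, so a patched program computes a different key and the parts decrypted with it come out as garbage (which fits the crashes and strange behaviour NotMe reports). The Python below is an added illustration of that design from the protection side; it is not code from this thread or from Asprotect. Because the thread gives no algorithm, the checksum, the keystream construction, and the CODE, PATCHED_CODE and SECRET inputs are all constructed for the example.

```python
import hashlib
import struct

# Constructed stand-in for the code region the protector checksums; in the real
# target this would be a slice of the program's own code.
CODE = b"\x55\x8b\xec" + bytes(range(200))
# The same region with one byte patched (a NOP written over offset 10).
PATCHED_CODE = CODE[:10] + b"\x90" + CODE[11:]
# Constructed plaintext standing in for the code the protector keeps encrypted.
SECRET = b"registration check goes here"


def derive_key(code: bytes) -> bytes:
    """Checksum-style key over the code: four 32-bit lanes fed one byte each in
    turn, giving 16 bytes (the 4 dwords sv sees REPZ MOVSD copy to 00555CAC).
    Constructed for illustration; not Asprotect's algorithm."""
    lanes = [0, 0, 0, 0]
    for i, b in enumerate(code):
        j = i & 3
        lanes[j] = (lanes[j] * 33 + b) & 0xFFFFFFFF
    return struct.pack("<4I", *lanes)


def keystream(key: bytes, n: int) -> bytes:
    """Expand the 16-byte key into n bytes (SHA-256 in counter mode; constructed)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("<I", counter)).digest()
        counter += 1
    return bytes(out[:n])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(code: bytes, plaintext: bytes) -> bytes:
    """Encrypt plaintext under the key derived from the (unmodified) code."""
    return xor_bytes(plaintext, keystream(derive_key(code), len(plaintext)))


def unprotect(code: bytes, blob: bytes) -> bytes:
    """Decrypt blob with the key derived from the code as it is at run time.
    Any patch to the code yields a different key and therefore garbage output."""
    return xor_bytes(blob, keystream(derive_key(code), len(blob)))


if __name__ == "__main__":
    blob = protect(CODE, SECRET)
    print(unprotect(CODE, blob))           # the original plaintext
    print(unprotect(PATCHED_CODE, blob))   # garbage: the key no longer matches
```

Note that nothing in this scheme raises an error on tamper: the decrypted bytes are simply wrong, and the program fails wherever it next uses them, which is why such checks show up as crashes rather than as a message.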

tsehp
March 30th, 2001, 16:54
And now for my two cents:
I uploaded here the list that you can load inside your own version of Revirgin. Your version doesn't resolve Alexey's last trick, which we mentioned here some weeks ago:
(imported from api)
first instr
instr 2
instr 3
push instr 4 offset
ret

Revirgin (private version) has detected this for a while now, but the private version is not released immediately after Asprotect evolves (I prefer to let him ask his customers to upgrade their product, so he makes money and we're sure to unprotect many more of them).

This revirgin version will be released pretty soon, just when the safedisc 2 beta test will be finished.

Just a note: the unresolved thunks you'll see in the listing correspond to what sv mentioned. Hope this helps,
Regards,

+Tsehp
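The 'pre-processed' stubs sv shows earlier (MOV EAX,[slot]; RET) and the PUSH offset / RET trick +Tsehp lists above are the two shapes an analyst reconstructing the imports of a packed sample has to recognize in a thunk table before an import can be named. The Python below is an added example, not code from this thread or from Revirgin: it classifies a stub, walks the start-up routine from sv's listing (bytes copied from the listing, base 00DCC7D8) to learn which CALL result each cache slot holds, and resolves sv's stub at 00DCC85C to the API that filled its slot. The CALL target addresses are computed from the listing's rel32 bytes; pairing them with the names SoftICE displayed is an assumption of the example.

```python
import struct

# Bytes copied from sv's SoftICE listing of the start-up routine at 00DCC7D8.
INIT_BASE = 0x00DCC7D8
INIT_CODE = bytes.fromhex(
    "6A00"          # PUSH 00
    "E82D7CFFFF"    # CALL KERNEL32!GetModuleHandleA
    "A3D435DD00"    # MOV [00DD35D4],EAX
    "E83B7CFFFF"    # CALL KERNEL32!GetVersion
    "A3D835DD00"    # MOV [00DD35D8],EAX
    "68E435DD00"    # PUSH 00DD35E4
    "E8347CFFFF"    # CALL KERNEL32!GetVersionExA  (result not cached)
    "E8DF7BFFFF"    # CALL KERNEL32!GetCurrentProcess
    "A3DC35DD00"    # MOV [00DD35DC],EAX
    "E8DD7BFFFF"    # CALL KERNEL32!GetCurrentProcessId
    "A3E035DD00"    # MOV [00DD35E0],EAX
    "E8C37BFFFF"    # CALL KERNEL32!GetCommandLineA
    "A37836DD00"    # MOV [00DD3678],EAX
    "C3"            # RET
)

# API names as SoftICE displayed them; the addresses are the CALL targets
# computed from the rel32 bytes above (assumption: the symbol SoftICE showed
# for each CALL belongs to the thunk at that computed address).
CALL_TARGET_NAMES = {
    0x00DC440C: "KERNEL32!GetModuleHandleA",
    0x00DC4424: "KERNEL32!GetVersion",
    0x00DC442C: "KERNEL32!GetVersionExA",
    0x00DC43DC: "KERNEL32!GetCurrentProcess",
    0x00DC43E4: "KERNEL32!GetCurrentProcessId",
    0x00DC43D4: "KERNEL32!GetCommandLineA",
}


def u32(buf: bytes, off: int) -> int:
    return struct.unpack_from("<I", buf, off)[0]


def classify_stub(code: bytes):
    """Classify the first instruction(s) of a thunk stub.

    Returns (kind, operand, length) where kind is:
      'jmp_iat'       FF 25 imm32   JMP [imm32]           ordinary import thunk
      'cached_value'  A1 imm32 C3   MOV EAX,[imm32]; RET  'pre-processed' API
      'push_ret'      68 imm32 C3   PUSH imm32; RET       trampoline to imm32
      'unknown'       anything else
    """
    if len(code) >= 6 and code[:2] == b"\xff\x25":
        return "jmp_iat", u32(code, 2), 6
    if len(code) >= 6 and code[0] == 0xA1 and code[5] == 0xC3:
        return "cached_value", u32(code, 1), 6
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return "push_ret", u32(code, 1), 6
    return "unknown", None, 1


def map_cache_slots(code: bytes, base: int) -> dict:
    """Walk a start-up routine shaped like sv's listing and return
    {slot_address: call_target} for every 'CALL x' followed by 'MOV [slot],EAX'."""
    slots, pc, last_call = {}, 0, None
    while pc < len(code):
        op = code[pc]
        if op == 0x6A:                      # PUSH imm8
            pc += 2
        elif op == 0x68:                    # PUSH imm32
            pc += 5
        elif op == 0xE8:                    # CALL rel32 (target = next EIP + rel32)
            rel = struct.unpack_from("<i", code, pc + 1)[0]
            last_call = (base + pc + 5 + rel) & 0xFFFFFFFF
            pc += 5
        elif op == 0xA3:                    # MOV [imm32],EAX caches the last result
            if last_call is not None:
                slots[u32(code, pc + 1)] = last_call
            pc += 5
        elif op == 0xC3:                    # RET ends the routine
            break
        else:
            raise ValueError(f"unexpected opcode {op:02X} at {base + pc:08X}")
    return slots


def resolve_stub(stub: bytes, slots: dict, names: dict):
    """Name the API a stub stands in for, or None when it cannot be resolved."""
    kind, operand, _ = classify_stub(stub)
    if kind == "cached_value":
        target = slots.get(operand)
        return names.get(target) if target is not None else None
    if kind == "push_ret":
        return names.get(operand)
    return None


if __name__ == "__main__":
    slots = map_cache_slots(INIT_CODE, INIT_BASE)
    for slot, target in sorted(slots.items()):
        print(f"[{slot:08X}] holds result of {CALL_TARGET_NAMES.get(target, '?')} ({target:08X})")
    # sv's thunk at 00DCC85C: A1 DC35DD00 C3 -> MOV EAX,[00DD35DC]; RET
    print(resolve_stub(bytes.fromhex("A1DC35DD00C3"), slots, CALL_TARGET_NAMES))
```

The cached-value case is the one an import fixer cannot solve by looking at the stub alone: the stub never calls anything, so the only way to name it is to find the start-up code that filled the slot, which is exactly what sv's listing shows and what the walker above automates for that routine's instruction shapes.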