RV "little" bug


evaluator
February 10th, 2002, 06:49
Hello, RV userz32!

In this thread I will try to help newbies correct the RV "little" bug.
The problem is this:
Sometimes (& very often) compilers put 2 or more entries in the IT for
the same DLL. For example, here in DS_IT we have 3 KERNEL and 2 USER entries.
And in this case RV has no problem, because between the same-DLL entries
there are entries for other DLLs.
So the bug appears when there is no other DLL between the same-DLL entries.
Let's explore DS_IT:

...
516 001559F0 SHELL32.dll DragAcceptFiles

> Here at RVA 1559F4 is 00000000. This means the END of the SHELL32 IT_thunks block.
> But then a second SHELL32 IT_thunks block starts again.

517 001559F8 SHELL32.dll SHGetSpecialFolderLocation
...

525 00155A1C comdlg32.dll GetOpenFileNameA

> Here at RVA 155A20 is 00000000. This means the END of the COMDLG32 IT_thunks block.
> But then a second COMDLG32 IT_thunks block starts again.

526 00155A24 comdlg32.dll GetSaveFileNameA

If you look in the original packed DS_IT at 85588hex, you can find
2 "shell32.dll" and 2 "comdlg32.dll"!

So what does RV do wrong? RV wipes this 00000000 and joins the 2 into 1. So we have a wrong IT!

What can we DO?
1. wait for an RV update
2. or use my easy method.
MY METHOD:
I simply duplicate the previous entry, but of course change the RVA!
516 001559F0 SHELL32.dll DragAcceptFiles
516 001559F4 SHELL32.dll DragAcceptFiles <inserted-duplicated
___________^ RVA for 00000000

ALSO, when I fetch the IAT, the size is -10h. Enlarge it, guys...

evaluator
February 10th, 2002, 07:09
compare

crUsAdEr
February 10th, 2002, 15:40
I see now, thanx a lot evaluator :>

Hmm, does that mean we have to manually look through each of our IAT entries to make sure that they are continuous? Ah well, it's better than manually putting in every single entry anyway :>....

tsehp
February 11th, 2002, 20:17
I remember adding this test to avoid such gaps in the listing.

I don't understand what kind of problems this makes, because those 0 entries are unused? Are there some tests in the code to check if they are present? Or a check to see if the thunk still contains two modules because of this 0 between the same collection of dlls?

Anyway, if you want I can correct this fast; someone mail me this app's url and I'll correct the bug.

regards,

tsehp

LaptoniC
February 12th, 2002, 00:29
I mentioned this bug earlier in the TOT forum with an example program: Revirgin bug (http://www.woodmann.net/forum/showthread.php?s=&threadid=2508)

evaluator
February 12th, 2002, 03:30
Tsehp, you can easily solve this problem in this
lamer way:
RV will check the distance between the previous and
next thunk (in RESOLVED.TXT) and IF > 4h,
then it will create a new entry for the same DLL in the IT.

-----------
From series:
~EASY-PEASY SUGGESTIONS~
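The layout evaluator describes in the first post (one thunk block per descriptor, each block closed by a 00000000 slot, and two consecutive blocks for the same DLL) together with the "distance > 4h" rule suggested just above, as an added Python example that is not part of the thread and not ReVirgin's code. It groups a resolved listing into descriptors, lays the IAT back out, and shows how folding the two SHELL32 blocks into one (the behaviour the thread complains about) moves every later thunk off its original RVA. The listing is constructed: the SHELL32 and comdlg32 lines with RVAs 1559F0, 1559F8, 155A1C and 155A24 are the ones quoted in the post, while SHGetPathFromIDListA and the USER32 block are made up to fill the elided lines so the slots are contiguous.

```python
"""Group a resolved-thunk listing into import descriptors and lay the IAT out,
keeping the 00000000 slot that separates two consecutive blocks of one DLL.
Added example for the thread; not ReVirgin's code."""

from collections import namedtuple

Thunk = namedtuple("Thunk", "rva dll api")

# Constructed listing modelled on the DS_IT excerpt in the thread. The
# SHELL32/comdlg32 lines at 1559F0, 1559F8, 155A1C and 155A24 are the ones
# quoted in the post; SHGetPathFromIDListA and the USER32 block are made up
# to fill the elided lines so that the 4-byte slots are contiguous.
RESOLVED = [
    Thunk(0x1559F0, "SHELL32.dll", "DragAcceptFiles"),
    # 0x1559F4 holds 00000000: end of the first SHELL32 block
    Thunk(0x1559F8, "SHELL32.dll", "SHGetSpecialFolderLocation"),
    Thunk(0x1559FC, "SHELL32.dll", "SHGetPathFromIDListA"),  # constructed
    # 0x155A00 holds 00000000
    Thunk(0x155A04, "USER32.dll", "MessageBoxA"),           # constructed block
    Thunk(0x155A08, "USER32.dll", "GetDC"),
    Thunk(0x155A0C, "USER32.dll", "ReleaseDC"),
    Thunk(0x155A10, "USER32.dll", "LoadIconA"),
    Thunk(0x155A14, "USER32.dll", "LoadCursorA"),
    # 0x155A18 holds 00000000
    Thunk(0x155A1C, "comdlg32.dll", "GetOpenFileNameA"),
    # 0x155A20 holds 00000000: end of the first comdlg32 block
    Thunk(0x155A24, "comdlg32.dll", "GetSaveFileNameA"),
    # 0x155A28 holds 00000000
]


def build_descriptors(thunks):
    """One descriptor per contiguous block. A new block starts when the DLL
    changes *or* when the next thunk is more than 4 bytes after the previous
    one: the slot in between is the 00000000 terminator of the old block
    (evaluator's 'distance > 4h' rule)."""
    descriptors = []
    prev = None
    for t in sorted(thunks, key=lambda t: t.rva):
        if prev is None or t.dll != prev.dll or t.rva - prev.rva > 4:
            descriptors.append({"dll": t.dll, "first_thunk": t.rva, "apis": []})
        descriptors[-1]["apis"].append(t.api)
        prev = t
    return descriptors


def merge_adjacent_same_dll(descriptors):
    """Reproduce the faulty behaviour: fold consecutive descriptors of the
    same DLL into one block, which drops the terminator between them."""
    merged = []
    for d in descriptors:
        if merged and merged[-1]["dll"] == d["dll"]:
            merged[-1]["apis"].extend(d["apis"])
        else:
            merged.append({"dll": d["dll"], "first_thunk": d["first_thunk"],
                           "apis": list(d["apis"])})
    return merged


def write_iat(descriptors, base):
    """Lay the blocks out back-to-back from `base`, one 4-byte slot per thunk
    and one 00000000 slot (None) after each block. Returns {rva: (dll, api) | None}."""
    layout = {}
    rva = base
    for d in descriptors:
        for api in d["apis"]:
            layout[rva] = (d["dll"], api)
            rva += 4
        layout[rva] = None  # terminator slot
        rva += 4
    return layout


def misplaced(layout, thunks):
    """Check a rebuilt layout against the resolved listing: every thunk whose
    slot moved is returned as (api, expected_rva, actual_rva)."""
    where = {v: rva for rva, v in layout.items() if v is not None}
    out = []
    for t in sorted(thunks, key=lambda t: t.rva):
        actual = where.get((t.dll, t.api))
        if actual != t.rva:
            out.append((t.api, t.rva, actual))
    return out


if __name__ == "__main__":
    good = build_descriptors(RESOLVED)
    print("descriptors kept apart:", [(d["dll"], len(d["apis"])) for d in good])
    print("misplaced thunks:", misplaced(write_iat(good, 0x1559F0), RESOLVED))
    bad = merge_adjacent_same_dll(good)
    print("descriptors after merging:", [(d["dll"], len(d["apis"])) for d in bad])
    for api, expected, actual in misplaced(write_iat(bad, 0x1559F0), RESOLVED):
        print("  %-28s expected %08X got %08X" % (api, expected, actual))
```

With the blocks kept apart the rebuilt IAT reproduces every original RVA; after the merge the two dropped terminators shift all following thunks by 4 bytes each (8 bytes by the time GetSaveFileNameA is reached), which is exactly why the code in the target then calls through the wrong slots.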

crUsAdEr
February 12th, 2002, 05:15
Hi Tsehp,

may I also suggest that you allow the user to load resolved imports without the protected program running, so I don't have to run the program every time I load my saved resolved imports...

Thanx

tsehp
February 12th, 2002, 05:18
rv needs the program to run to scan/trace its own process memory and resolve the iat, so it can't work without the target being launched.

laptonic: thanks, but this is not the target evaluator talked about.

evaluator: I can't resolve this in a lamer way; this method could maybe make more serious problems appear with apps. I must stick to the legal/normal way to rebuild an it,
so give me the url of ds please, I don't know what this prog is.

In the first version, rv was making two different modules, but this was causing bugs for isolated modules with only one iat without separation with a 0, because there are two ways to code it_thunks: the m$ way and the borland way.

Anyway, this is a small bug, pretty easy to resolve, but I have to work on the program that evaluator talked about, so URL please!

crUsAdEr
February 12th, 2002, 07:01
Here is the url to Digi Secret 1.1

hxxp://www.tamofiles.com/ds1.zip

Yep, hope this will do... anyway, thanx for a great tool :>

evaluator
February 12th, 2002, 11:09
Tsehp!

The problem happens because RV _WIPES_ this 00000000 and puts
the next thunk HERE, so all following thunks are moved from their
original locations and we have an incorrect IAT. Is it clear now?
So RV must NOT wipe this 00000000 and SO must add a new descriptor
in the IT for the same DLL.

LaptoniC
February 13th, 2002, 09:45
Quote:
laptonic: thanks, but this is not the target evaluator talked about.

If you try to rebuild the iat in win98 with revirgin, you will see one shell32.dll entry with one null entry, like evaluator said. If you try to rebuild with Imprec, you will see two shell32.dll entries, which is correct. But anyway

tsehp
February 13th, 2002, 17:37
got it, it's sad to get older, don't you think.

I downloaded the target and made a correction for the bug.
Evaluator, please do as we currently do for the rv pre-test and report to me on this new version using your test targets; report in the usual place.

Everyone else will soon have the new version at the main page.

thanks,

tsehp