Major Revirgin Bug ? :-( Tsehp help!!!


foxthree
February 28th, 2002, 13:39
Hello there:

To test some unpacking theory, I was trying my hand at unpacking RegOrganizer by ChemTable Software (http://www.chemtable.com). I found one reference to this software by +spl/\j and wanted to test his theory.

However, the version number has been bumped up and I guess this is a new version. I've found out the "double-dipping" that asprotect does just like +spl/\j mentions:

once at 0041B068

and then jumps back into unpacking code and finally the OEiP itself is at 00419DF8

I ran Revirgin (latest beta) on this target and it shows only re-directed/emulated api. I press on resolve again but now it shows imports only from KERNEL32.dll and no other DLLs!

This seems to be a major bug in RV as if I use this import table and rebuild as +spl/\j mentions, the application GPFs due to a wrong import!

Also few other observations:

(1) Whenever I try to trace or api emulate the system just freezes or reboots. The RefCount is not zero or is not listed (blank).

(2) Why always references only to KERNEL32.dll? What about other DLLs?

BTW, I'm running on Win98SE.

Is there something that I'm missing here or is it a RV bug?

Thanks.

Signed,
-- FoxThree

sv
February 28th, 2002, 14:39
Seems not to be an RV bug!!
I have just downloaded & rebuilt the last beta version 1.3 b2.
There is a call (412d34) to do before OEP (401000).
IT is located at 5d0134 -> 5d1110 with a lot of null bytes.
The rebuilt IT is attached.

Regards SV

foxthree
March 1st, 2002, 17:21
Hi SV:

Okay, in my first post I was referring to the 1.25 Version.

But today, I tried as you'd done on the 1.3 Beta 2! Still the same result! This time on Windows 2000. BTW, I didn't put much effort into this, which I'm planning to do this evening.

What I did on the 1.3 Beta 2 was to put in 0x00401000 as the OEiP in Revirgin and do an IAT resolve! It shows only imports from KERNEL32.dll (just like before). Then I put in the CALL address you'd mentioned and did a Rebuild! EXACTLY IDENTICAL RESULT!

Now it seems that like +spl/\j wrote in his tutorial this aspr does some double-dipping so we need to dump at the earlier and all... but why is revirgin still building an IAT consisting of only KERNEL32.dll imports?

From your IDATA, I see that everything is rebuilt correctly? So, obviously I'm missing something... which is ......?

Signed,
-- FoxThree

+SplAj
March 3rd, 2002, 09:24
Hi

The prob is that using 'auto' to find the IAT + length with your public release of RV is not working correctly with this target due to the 'un-natural' nature of the IAT. There is a LOT of 000000 padding between each API, as SV mentioned. Plus the IAT's 1st DLL is NOT Kernel32.dll..............so 2 probs.

I suggest you manually change the start of the IAT address to a rounded thousand and set the length to 1200 or so. Then all DLL/API links will be found.

Use SI to examine the IAT memory range and you will see what I mean.

Spl/\j
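The two problems +spl/\j describes (zero padding between API slots, and a first DLL that is not KERNEL32) can be shown with a small scanner over a dumped IAT image. This is an added illustration, not code from Revirgin or from anyone in the thread; the export addresses and the IAT layout are constructed for the example, and a real analysis would take them from the loaded modules of the process being dumped.

```python
import struct

# Constructed export map standing in for the loaded modules' export tables
# (addresses are made up; in practice they come from the running process).
EXPORTS = {
    0x77E7A000: ("USER32.dll", "MessageBoxA"),
    0x77E7A010: ("USER32.dll", "GetDC"),
    0x77F01000: ("KERNEL32.dll", "GetModuleHandleA"),
    0x77F01010: ("KERNEL32.dll", "ExitProcess"),
    0x77D50000: ("ADVAPI32.dll", "RegOpenKeyExA"),
}

def build_dump(entries):
    """Pack 32-bit slot values into little-endian bytes (a constructed IAT image)."""
    return b"".join(struct.pack("<I", v) for v in entries)

# Constructed IAT: USER32 comes first (not KERNEL32), and each DLL group is
# followed by a run of zero padding instead of a single terminator.
IAT_IMAGE = build_dump(
    [0x77E7A000, 0x77E7A010] + [0] * 6 +
    [0x77F01000, 0x77F01010] + [0] * 6 +
    [0x77D50000] + [0] * 4
)

def scan_naive(image):
    """Stop at the first null slot, as an 'auto length' pass does when it
    assumes one zero terminator ends the whole table."""
    found = []
    for off in range(0, len(image) - 3, 4):
        v = struct.unpack_from("<I", image, off)[0]
        if v == 0:
            break
        if v in EXPORTS:
            found.append((off,) + EXPORTS[v])
    return found

def scan_padded(image, length):
    """Walk a caller-chosen range (the manual start + length tip above),
    skip zero padding, and keep every slot that resolves to a known export."""
    found = []
    for off in range(0, min(length, len(image)) - 3, 4):
        v = struct.unpack_from("<I", image, off)[0]
        if v and v in EXPORTS:
            found.append((off,) + EXPORTS[v])
    return found

def dlls_in(found):
    """Distinct DLL names referenced by a list of resolved slots."""
    return sorted({dll for _, dll, _ in found})
```

The naive pass resolves only the first DLL group; the range-based pass with a generous length recovers all three DLLs, which is why setting the length by hand (1200 or so, as suggested) finds the remaining links.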

foxthree
March 3rd, 2002, 10:46
Hi +spl/\j:

Thanks for your tip. I'll definitely give it a shot. Now I see things much clearly... ;-)

Signed,
-- FoxThree

tsehp
March 3rd, 2002, 11:09
splaj! I hope you're feeling well with your leg and will recover pretty soon.

I'll post the rv update on the index page today.

regards,

tsehp