revirgin!!!!
arieri
March 4th, 2002, 10:37
hi,
I have a question about revirgin and imprec
I have dumped (with icedump) and resolved (with revirgin) a couple of programs protected with VBOX 4.6.2
When my exe is finished using revirgin and pe editor, my new
rebuilded exe craches
When I do the same with imprec it runs like a baby.
Using revirgin it resolves almost everything, had to fix 2 api
manually. This could not be done with imprec so revirgin works
great here. So my question is why it dont run when using
revirgin to fix my dumped.exe
Maybe this is a stupied question but I am new to this stuff.
regards
arieri
Solomon
March 4th, 2002, 11:54
please show us the URL. I'd like to try it.
arieri
March 4th, 2002, 13:14
adobe illustrator v10 tryout
regards
tsehp
March 5th, 2002, 07:39
There were some bugs that are fixed in v1.3; please try again with the new version.
regards,
tsehp
arieri
March 5th, 2002, 09:00
tsehp;
I am sorry to tell you, but I used your new version, ReVirgin 1.3.
I tried yesterday to do it manually: generate the .bin file, paste it
at the end of the dumped .exe and change to the right values with a PE editor, but the .exe still crashes. Hmm...
regards
arieri
Solomon
March 5th, 2002, 10:23
I also tried it with the latest ReVirgin. The unpacked exe suddenly exits after its main window appears. No exception dialog box pops up. Maybe some API entries are not resolved correctly? Here are my resolved API names.
BTW: I need a tool to compare my resolved API entries with those from others. Do I have to write one myself?
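Solomon asks for a tool to compare resolved API listings. The Python below is an added example, not something from the thread and not part of ReVirgin or ImpREC. It assumes the column layout of the listing line quoted in this thread (index, IAT slot VA, resolved VA, a hex field I take to be the hint/ordinal, DLL, API name); the two listings and every address in them are constructed for the demo. It diffs two listings slot by slot and also flags resolved addresses that show up under more than one IAT slot, which is exactly what a tracer mistake like the InterlockedIncrement/GetMessageA mix-up looks like.

```python
import re
from collections import defaultdict

# Constructed sample listings (addresses made up) in the thread's column layout:
# index, IAT slot VA, resolved VA, hex field (assumed hint/ordinal), DLL, API name.
LISTING_A = """\
536 00574898 77E7A5FD 0123 KERNEL32.dll GetTickCount
537 0057489C 77E86659 01CC KERNEL32.dll InterlockedIncrement
538 005748A0 77E86659 01CC KERNEL32.dll InterlockedIncrement
539 005748A4 77E3C1D1 0211 USER32.dll PeekMessageA
"""

LISTING_B = """\
536 00574898 77E7A5FD 0123 KERNEL32.dll GetTickCount
537 0057489C 77E86659 01CC KERNEL32.dll InterlockedIncrement
538 005748A0 77E3C4E0 0147 USER32.dll GetMessageA
539 005748A4 77E3C1D1 0211 USER32.dll PeekMessageA
"""

LINE_RE = re.compile(
    r"^\s*(\d+)\s+([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_listing(text):
    """Return {iat_slot_va: (resolved_va, dll_lowercase, api_name)}; non-matching lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _idx, slot, target, _hint, dll, name = m.groups()
        entries[int(slot, 16)] = (int(target, 16), dll.lower(), name)
    return entries


def diff_listings(a, b):
    """Slots present in both listings whose DLL or API name differs.

    The resolved VA is deliberately ignored: two people tracing on different
    Windows builds get different addresses for the same API, so only the
    DLL/name pair is comparable between listings.
    """
    diffs = []
    for slot in sorted(set(a) & set(b)):
        if a[slot][1:] != b[slot][1:]:
            diffs.append((slot, a[slot], b[slot]))
    return diffs


def suspicious_duplicates(entries):
    """Resolved target VAs that appear under more than one IAT slot.

    A normal IAT has one slot per imported function, so the same target
    address in two slots usually means the tracer attributed a redirected
    call (here: GetMessageA) to whatever API the protector called just
    before it. Forwarded exports can cause legitimate hits, so treat these
    as 'check by hand', not 'certainly wrong'.
    """
    by_target = defaultdict(list)
    for slot, (target, _dll, _name) in entries.items():
        by_target[target].append(slot)
    return {t: sorted(s) for t, s in by_target.items() if len(s) > 1}


if __name__ == "__main__":
    a, b = parse_listing(LISTING_A), parse_listing(LISTING_B)
    for slot, mine, theirs in diff_listings(a, b):
        print(f"{slot:08X}: {mine[1]}!{mine[2]}  vs  {theirs[1]}!{theirs[2]}")
    for target, slots in suspicious_duplicates(a).items():
        print(f"target {target:08X} used by slots {', '.join(f'{s:08X}' for s in slots)}")
```

Run against two saved listings the output names the slot that differs (005748A0 in the constructed data) and, for the first listing alone, the duplicated target 77E86659, which is the hint to look at that slot in the debugger.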
arieri
March 5th, 2002, 11:24
Solomon;
I looked at your resolved .txt and if I remember right this line
is wrong:
538 005748A0 77E86659 01CC KERNEL32.dll InterlockedIncrement
I think it should be:
USER32.dll GetMessageA
regards
arieri
Solomon
March 5th, 2002, 12:26
yes, GetMessageA & PeekMessageA (I forgot this old trick)
RV resolves GetMessageA as InterlockedIncrement because VBox calls InterlockedIncrement just before it calls GetMessageA.
After correcting this error, the unpacked exe(fixed with RV) runs well. Thx
my data:
OEP = 9292EE,
IAT start RVA = 574000, Length = B58
generated IT RVA = 0079F000
arieri
March 5th, 2002, 13:37
Solomon;
Yes, that's exactly the same data for me:
OEP = 9292EE,
IAT start RVA = 574000, Length = B58
generated IT RVA = 0079F000
When I let ReVirgin autofix my dumped .exe with the above data
fully resolved, it crashes.
If I do this with ImpREC it runs... mystic
regards
arieri
arieri
March 5th, 2002, 13:56
Solomon;
Could you upload your .bin file so I could have a look at it?
regards
arieri
foxthree
March 5th, 2002, 14:29
Hi:
There seems to be a bug in Autofix of RV. Just try it yourself. After doing auto-fix, *sometimes*, RV does not paste at the right point. You can see this by the size of the pasted EXE becoming around 2K-12K!!!
My solution is: try pasting it by hand. UltraEdit, Hex Workshop... and then it should work!
Signed,
-- FoxThree
arieri
March 5th, 2002, 22:39
hi,
I tried to do it manually but the .exe won't execute one byte
before it crashes.
Here is what I do (please correct me if I'm wrong):
OEP 009292EE
RVA 00574000
Length B58
I resolve it with ReVirgin v1.3 (2 APIs have to be fixed manually)
Enter IT RVA 0079F000
Length 1A8 (generated by ReVirgin)
Generate the .bin file,
Enter the OEP in my dumped .exe: 005292EE
Add a new section starting at 0079F000, size 4000, increase the
size of image to 007A3000, change the import table to 0079F000 size 1A8, paste the generated .bin file at the end of my .exe at 0079F000
As I said in my earlier posting it runs great doing the same with
ImpREC, but ImpREC resolves only about 70% of the APIs.
I attached my files if someone is interested.
regards
arieri
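The steps in the post above are header edits a PE editor makes by hand. As an added example (not the thread's tool, not ReVirgin's or ImpREC's code), this Python does the same edits programmatically so each field can be checked: it appends a section at the post's IT RVA 0079F000 with virtual size 4000, sets the import data directory to 0079F000/1A8, sets the entry point to 005292EE and recomputes SizeOfImage, which comes out as 007A3000 exactly as the post states. The target is a constructed minimal PE32 standing in for the dump, and the 0x1A8-byte blob is a constructed placeholder for the generated .bin; the script refuses an IT RVA that overlaps an existing section and a section header that would not fit inside SizeOfHeaders.

```python
import struct

SECTION_HDR = 40        # sizeof(IMAGE_SECTION_HEADER)
IMPORT_DIR_INDEX = 1    # IMAGE_DIRECTORY_ENTRY_IMPORT
# Constructed stand-in for ReVirgin's generated .bin: 0x1A8 bytes, the length given in the thread.
SAMPLE_IT = bytes((i * 7) & 0xFF for i in range(0x1A8))


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def build_min_pe(file_align=0x200, sect_align=0x1000, image_base=0x400000):
    """Constructed minimal PE32 (headers + one .text section) standing in for the dumped exe."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section, 0xE0-byte optional header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, sect_align, file_align)         # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)                  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text).ljust(0x200, b"\0")
    return headers + b"\xC3" * 0x200                                 # one raw page of RET


def add_import_section(pe, it_blob, it_rva, new_oep, virt_size=0x4000, name=b".rv"):
    """The PE-editor steps from the post: append a section holding it_blob at it_rva,
    point the import data directory and the entry point at the new values, grow SizeOfImage."""
    pe = bytearray(pe)
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    sect_align, file_align = struct.unpack_from("<II", pe, opt + 32)
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    table = opt + opt_size
    # The new section must sit above every existing one; ReVirgin's suggested IT RVA does.
    end = 0
    for i in range(nsect):
        vsize, va = struct.unpack_from("<II", pe, table + i * SECTION_HDR + 8)
        end = max(end, align_up(va + vsize, sect_align))
    if it_rva < end:
        raise ValueError(f"IT RVA {it_rva:#x} overlaps existing sections (image ends at {end:#x})")
    new_hdr = table + nsect * SECTION_HDR
    if new_hdr + SECTION_HDR > size_of_headers:
        raise ValueError("no room left in the headers for another section header")
    # Raw data goes at the end of the file, FileAlignment-aligned (the 'paste at the end' step).
    raw_ptr = align_up(len(pe), file_align)
    raw_size = align_up(len(it_blob), file_align)
    pe.extend(b"\0" * (raw_ptr - len(pe)))
    pe.extend(it_blob.ljust(raw_size, b"\0"))
    # IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    struct.pack_into("<8sIIIIIIHHI", pe, new_hdr, name, virt_size, it_rva, raw_size, raw_ptr,
                     0, 0, 0, 0, 0xC0000040)
    struct.pack_into("<H", pe, coff + 2, nsect + 1)                                   # NumberOfSections
    struct.pack_into("<I", pe, opt + 16, new_oep)                                     # AddressOfEntryPoint
    struct.pack_into("<I", pe, opt + 56, align_up(it_rva + virt_size, sect_align))    # SizeOfImage
    struct.pack_into("<II", pe, opt + 96 + IMPORT_DIR_INDEX * 8, it_rva, len(it_blob))  # import directory
    return bytes(pe)


def read_back(pe):
    """The fields a PE editor would show after the fix, plus the raw bytes of the last section."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    coff = e_lfanew + 4
    opt = coff + 20
    nsect = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    last = opt + opt_size + (nsect - 1) * SECTION_HDR
    vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, last + 8)
    return {
        "sections": nsect,
        "oep": struct.unpack_from("<I", pe, opt + 16)[0],
        "size_of_image": struct.unpack_from("<I", pe, opt + 56)[0],
        "import_dir": struct.unpack_from("<II", pe, opt + 96 + IMPORT_DIR_INDEX * 8),
        "last_section": (va, vsize, raw_ptr, raw_size),
        "last_raw": pe[raw_ptr:raw_ptr + raw_size],
    }


if __name__ == "__main__":
    fixed = add_import_section(build_min_pe(), SAMPLE_IT, it_rva=0x79F000, new_oep=0x5292EE)
    for key, value in read_back(fixed).items():
        print(key, value[:8].hex() if key == "last_raw" else value)
```

The last_raw check is the one worth keeping when pasting by hand in a hex editor: if the bytes at PointerToRawData come back as zeros instead of the import descriptors, the paste did not land, which is the "tons of 00s" symptom described later in the thread, and the loader will see an empty import table.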
crUsAdEr
March 6th, 2002, 00:22
Hi arieri,
Hmm, what did you mean by your dump does not run a byte? Does it initialise and then crash at some instruction, or does it not even initialise properly?
Try disassembling the dump and see if your imports are OK... sometimes Hex Workshop does not work properly for large files, so try UltraEdit...
Hope that helps. I wanted to try unpacking it but 82MB plus registration with Adobe is just not worth the effort :>....
See ya,
Solomon
March 6th, 2002, 02:03
Here is my .BIN file
foxthree
March 6th, 2002, 05:14
Hi there:
binh81 is right!
I see the problem you're facing. I faced the same problem some time back with a similar software (see my post on WinSniffer)... and it was all because of Hex Workshop.
Hex Workshop does not work well on file sizes of more than 2MB. Try UltraEdit and everything must be fine! BTW, after pasting your IAT, just try to open your file back. You will not see your IAT, but rather tons of 00s. That means your paste didn't work.
Try again with UltraEdit.
Signed,
-- FoxThree
arieri
March 6th, 2002, 09:38
hi
The .exe doesn't initialise. I tried to load the .exe with IceLoad, but
it crashes before it loads.
Thank you all!!
I'll try again tonight with UltraEdit
regards
arieri
crUsAdEr
March 6th, 2002, 13:21
Hmm....
Found the tryout on a friend's hard disk... how did you guys get ReVirgin to resolve almost everything? It gave me 82 unresolved IAT entries :<????
Thanx...
phop007
March 6th, 2002, 14:06
I am still thinking about how to use ReVirgin to find the OEP. I also used IceDump tracex and +splaj's BPX GetVersion + S EIP L FFFFFFFF 61,FF,E0 + BPR XXXXXX XXXXXX+1 R IF (EIP==XXXXXX), and also tried GetProcAddress + map32 + tracex, but no luck finding the OEP. Any expert there, help me find the OEP please; the program name is Advanced Administrative Tools version 5.0
Many thanks in advance.
arieri
March 6th, 2002, 14:15
hi: binh81
You must use the new version of ReVirgin v1.3.
After resolving once, trace the unresolved ones one by one.
If you choose trace all it might crash.
Resolve again.
Now almost everything is resolved (2 APIs I think you must use
your debugger to locate).
That should be all.
regards
arieri
Solomon
March 6th, 2002, 14:42
try this thread
http://www.woodmann.net/forum/showthread.php?s=&threadid=2635
Quote:
Originally posted by phop007
I am still thinking about how to use ReVirgin to find the OEP. I also used IceDump tracex and +splaj's BPX GetVersion + S EIP L FFFFFFFF 61,FF,E0 + BPR XXXXXX XXXXXX+1 R IF (EIP==XXXXXX), and also tried GetProcAddress + map32 + tracex, but no luck finding the OEP. Any expert there, help me find the OEP please; the program name is Advanced Administrative Tools version 5.0
hi phop007,
AATools 5.0 OEP 002953A8 (006953A8). So now you know where it is; the name of the game is to find out how it gets there.
regards
crUsAdEr
March 6th, 2002, 17:29
got it,
thanx arieri
phop007
March 7th, 2002, 04:42
To: Js
Thank you very much. I will try to dump it.
phop007
March 7th, 2002, 14:25
Hi JS:
I tried to do this: BPM 006953A8 X, but AATools doesn't stop at that point, so how can I dump this program?
And again, how did you get there at 006953A8? I even tried BPX NtContinue but I can't find any IRETD to set a BPX on. Any help is appreciated.
Solomon
March 7th, 2002, 14:43
Are you using Win2K or WinXP?
Win2K uses INT 2E/IRETD to call system services; WinXP may use SYSENTER/SYSEXIT
h**p://www.anticracking.sk/EliCZ/infos/FastNTCALL.txt
h**p://msdn.microsoft.com/msdnmag/issues/01/12/XPKernel/XPKernel.asp
Quote:
Originally posted by phop007
I even tried BPX NtContinue but I can't find any IRETD to set a BPX on.
phop007
March 7th, 2002, 17:50
Hi! Solomon
I use Win XP. I found SYSENTER, so maybe I can set a BPX on this address. Any suggestions?
phop007
March 7th, 2002, 18:35
Hi : Solomon,
At first I do this:
bpx ntcontinue
Break here:
001B:77F7E5B3 B820000000 MOV EAX,00000020 PRESS F8
001B:77F7E5B8 BA0003FE7F MOV EDX,7FFE0300 PRESS F8
001B:77F7E5BD FFD2 CALL EDX PRESS F8
001B:77F7E5BF C20800 RET 0008
After pressing F8 it jumps here:
001B:7FFE0300 8BD4 MOV EDX,ESP PRESS F8
001B:7FFE0302 0F34 SYSENTER PRESS F8
After pressing F8 the program starts; I don't even see any SYSEXIT. How can I find the OEP of this AATools?
Solomon
March 8th, 2002, 02:53
hi
Sorry, I deleted my WinXP a long time ago. Maybe I need to install a new one to try it.
According to tsehp, SYSENTER may disable all interrupts (I have not referred to the Intel manuals yet). That's why we get lost when pressing F8 at SYSENTER.
Setting a BPX at IRETD is to find the address where it will continue execution after the SEH. So it may be a good idea to check the parameters/context of NtContinue/KiUserExceptionDispatcher to find this address. There may be other good ways to bypass SEHs.