
Basic unpacking/revirgin question


MrSmith
July 26th, 2002, 11:05
Hi,

I'm working on a packed target (apdfprp from elmsoft), which I couldn't unpack with aspackdie. So I thought I'd try to find the correct key, then I don't have to unpack it. But to make life easier I tried to get some kind of disassembled code. I therefore ran the packed target normally and then used PEditor to dump it and disassemble it with IDA. Of course I have no OEP and no imports, but it's better than nothing.
Then I thought I might use revirgin 1.5 to get some imports. So I selected my running target, used the OEP shown by revirgin (which is wrong) and pressed Fetch IAT. To my surprise I got some values for RVA and Length, and after I pressed IAT-Resolver and Resolve-again I basically got all function calls!!

So, how can revirgin get the imports without me providing the correct OEP?

Anyway, I thought who cares and pressed "Generate". This created a new section (tsehp) in my dumped file and also wrote the import table to a separate file (it.bin). I used IDA and actually got exactly what I wanted.

This is great, but how does revirgin find the IAT without a correct OEP? Actually, how does revirgin find the IAT with a correct OEP?

Maybe somebody can de-confuse me :-)

Many thanks,

MrSmith

foxthree
July 26th, 2002, 16:50
This behaviour was discussed earlier on HideFolders I think. One of the explanations is that RV sometimes finds the correct OEiP just by giving the code section start 00401000 (which in some cases of ASPRed apps happens to be the OEiP after packing). So, sometimes RV just works with 00401000 as OEiP.

Does this help?

Signed,
-- FoxThree

MrSmith
July 29th, 2002, 09:15
Hi FoxThree,

>This behaviour was discussed earlier on HideFolders I think.

Hm, I think I will have a look at this discussion. What is HideFolders, a forum? Do you have a link?

Many thanks,

MrSmith

foxthree
July 29th, 2002, 09:47
You need to use the search forum to get the link. Bah, I'm too lazy to do that for you sorry!

Signed,
-- FoxThree