Problems with RV tracer


Lbolt99
January 16th, 2003, 23:56
Hello,

I need help getting the RV tracer to work. Not the API tracer but the one used for finding OEP. I'm using RV 1.51 on a Win2k SP3 platform on a "clean" system (i.e. minimal processes running).

I select the app to trace, then put in the boundaries, hit start trace. After a few seconds, it comes back with 0's for # of instr traced. The process is left running in the background, and can't be killed unless the system is rebooted.

I did another test and ran UPX on notepad.exe, so I have a known OEP, re-ran RV tracer, put in a range containing the OEP, same results.

I tried on another Win2k system and the same thing happened.

Any comments? Thanks.

Cunegonde
January 27th, 2003, 10:00
hello!

Well, to find the OEP, you should use PEiD which is way better than RV.
To rebuild your IAT, use ImpRec, which is WAY better than RV!

Good luck

nofurs
January 27th, 2003, 10:05
>>Well, to find the OEP, you should use PEiD

Are you sure you are using the right tools?

Cunegonde
January 27th, 2003, 10:16
At least I don't use Revirgin.

Use PEiD, tracex, guw, or SCU, whatever, but not Revirgin!

nofurs
January 27th, 2003, 10:21
Please don't complain about tools here. If you are so great, write your own.

Cunegonde
January 27th, 2003, 10:28
I don't complain at all.
There are very good tools available, which work, and I'm just happy with them! I only try to share this with a guy who is having problems. I think that this can help.
And in any case, it's always better to know all the tools available, to test them, and then to choose what suits your needs.

nofurs
January 27th, 2003, 10:31
>>Use PEiD, tracex, guw, or SCU, whatever, but not Revirgin!

This is the evidence!

the_analyst
January 27th, 2003, 12:55
Quote:
Originally posted by cluesurf
>>Well, to find the OEP, you should use PEiD

Are you sure you are using the right tools?

PEiD has a "find OEP" function.
I guess he referred to this one.. :-)

my 2 cents,

Analyst

Lbolt99
January 27th, 2003, 16:57
Quote:
Originally posted by Cunegonde
hello!

Well, to find the OEP, you should use PEiD which is way better than RV.
To rebuild your IAT, use ImpRec, which is WAY better than RV!

Good luck

I have tried ImpRec for rebuilding the IAT, but I could never get it to work as well as RV. Since migrating to a Win2k platform, I have yet to see an "OEP finder" that works right. I find them manually now using various techniques.

I still use tracex on a win98 platform for asprotect, to check for double dips, but that's it. Even that I want to abandon as soon as I figure out how to find the DD's without tracing.

nikolatesla20
January 27th, 2003, 22:02
Howdy Lbolt99

AsprStripperXP will tell you the DD's; it works great. Might as well use it.

-nt20