NeO'X'QuiCk
April 4th, 2001, 16:11
I have been reading The Blackbird's tut about unpacking Iris!
I've got a problem: I can't find the ReVirgin!
How they can be found:
1. Run the program with a breakpoint on UpdateWindow (or another one), when SoftICE breaks, press F12 until you are back in Iris maincode. Then trace into every call you come across until you turn out to be in the jump table. A jump table looks like this:
Start partial code
015F:004469D8 JMP [004BAF4C]
015F:004469DE JMP [004BAF50]
015F:004469E4 JMP [004BAF54]
015F:004469EA JMP [004BAF58]
015F:004469F0 JMP [004BAF5C]
015F:004469F6 JMP [004BAF60]
015F:004469FC JMP [004BAF64]
015F:00446A02 JMP [004BAF68]
015F:00446A08 JMP [004BAF6C]
015F:00446A0E JMP [004BAF70]
015F:00446A14 JMP [004BAF74]
015F:00446A1A JMP [004BAF78]
015F:00446A20 JMP [004BAF7C]
015F:00446A26 JMP [004BAF80]
End partial code
Now, scroll through the jump table and try to find the lowest jump offset (i.e. find the JMP xxxxxxxx where xxxxxxxx is the lowest value in the whole jump table). Note that this jump table can be divided by a lot of other instructions, so you'll have to scroll to make sure you saw the whole jump table.
Another method to find the lowest offset is to take a random offset in the jump table (like 4BAF80), type d 4BAF80 and scroll up in the data window until there's no more data, but only zeros.
In Iris, the beginning of the IAT is @ offset 4BA48C. Fill in BA48C in ReVirgin.
Could you help me with where to find it!
Thanks in advance!
NeO'X'QuiCk
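An added example (my own Python, not code from the tutorial or the poster) that automates the "find the lowest offset" step from a pasted SoftICE listing: it keeps only the indirect JMPs, reports the lowest IAT slot and its value relative to an assumed 0x400000 image base (which is why 4BA48C becomes BA48C in ReVirgin), and groups the slots into contiguous 4-byte runs so a jump table interrupted by other instructions is still visible. The sample listing is constructed from the lines in the post plus filler instructions and one extra entry.

```python
import re

# Matches a SoftICE-style disassembly line such as
#   015F:004469D8 JMP [004BAF4C]
JMP_RE = re.compile(r"^[0-9A-Fa-f]{4}:([0-9A-Fa-f]{8})\s+JMP\s+\[([0-9A-Fa-f]{8})\]")

def parse_jump_table(listing):
    """Return (instruction_address, iat_slot) pairs for every indirect JMP.
    Lines that are not indirect JMPs (the 'other instructions' the tutorial
    warns can split the table) are skipped."""
    entries = []
    for line in listing.splitlines():
        m = JMP_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1), 16), int(m.group(2), 16)))
    return entries

def iat_runs(slots, stride=4):
    """Group referenced IAT slots into contiguous runs of 4-byte pointers.
    A gap between runs means the table is interrupted or another DLL block starts."""
    runs = []
    for addr in sorted(set(slots)):
        if runs and addr == runs[-1][1] + stride:
            runs[-1][1] = addr
        else:
            runs.append([addr, addr])
    return [(lo, hi) for lo, hi in runs]

def iat_start(listing, image_base=0x400000):
    """Lowest IAT slot referenced by the jump table, plus its offset from the
    image base (assumed 0x400000), i.e. the value the tutorial types into ReVirgin."""
    slots = [slot for _, slot in parse_jump_table(listing)]
    if not slots:
        raise ValueError("no indirect JMPs found in listing")
    lowest = min(slots)
    return lowest, lowest - image_base

# Constructed sample: three lines from the post, two filler instructions,
# and one extra JMP pointing at the slot the tutorial names as the IAT start.
SAMPLE = """015F:004469D8 JMP [004BAF4C]
015F:004469DE JMP [004BAF50]
015F:004469E4 JMP [004BAF54]
015F:004469EA PUSH EBP
015F:004469EB MOV EBP,ESP
015F:004469ED JMP [004BAF58]
015F:004469F3 JMP [004BA48C]
"""

if __name__ == "__main__":
    lowest, rel = iat_start(SAMPLE)
    print(f"IAT start {lowest:08X}, enter {rel:X} in ReVirgin")
    print("runs:", [(f"{lo:08X}", f"{hi:08X}") for lo, hi in iat_runs([s for _, s in parse_jump_table(SAMPLE)])])
```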