Results 1 to 3 of 3

Thread: Problem With Revirgin !

  1. #1
    DigitalBlade
    Guest

    Problem With Revirgin !

    Hi !

    I've problem with revirgin, after dumping a vboxed apps (vbox 4.3) after selecting it on left box (task box) of revirgin, it say that the IAT is damaged and that i can try to recalculate it. After this i try to use IT RVA from procdump (because IAT RVA is 0 ) but with no fortune ( so, can anyone HELP ME PLEASE

    TIA And sorry for my poor english
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    my new hair style :) +SplAj's Avatar
    Join Date
    Feb 2001
    Location
    Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria
    Posts
    373
    AAAAAAHHHHHHH !!!!!!!!

    Ok, ive got that out. Now Revirgin is a reversers tool to use a tool you have to understand why a certain tool is used over another and also how to use such a tool
    In this case you are attempting to use Revirgin BEFORE your main tool .... your BRAIN
    Use this tool to locate the target RVA of the IAT by LoadLibraryA or some other appropriate API call. Revirgin cannot FIND for you this ....... YET ?

    When found place this value on the 'IAT Start RVA' box with an estimated IAT length. Have a play.

    So snippet :-

    Brain:
    If found target IAT RVA
    then Proc Revirgin
    Else Proc Duh
    End
    Revirgin:
    Enter IATaddress in box 1
    Enter IAT Length in box 2
    Press 'IAT Resolver' button
    If All API's found Proc 'Save'
    Else press 'Resolve Again'
    Proc Generator
    Proc Rebuild
    Blah Blah.......
    Run dumped program
    EndProc
    End

    Save:
    Press button 'Save resolved'
    EndProc

    Generator:
    Enter RVA of new section
    Press button 'IAT generator'
    EndProc

    Rebuild:
    Paste new IAT.bin & IT.bin
    change OEip & IT values
    EndProc

    Duh:
    Have a G&T, relax and watch TV instead
    EndProc

    "I can't get off this carousel.......... spaceman, I always wanted you to go, into space man"

    SplAj

  3. #3
    tsehp
    Guest
    some help to find iat start and length :

    launch the app and do :
    -1 bpx getmenu or showwindow
    f12 until you're back, check up where the call comes to.
    you can have
    call [51a4b8]
    or call 51a4b8

    check on those locations; you can have some jum tables like this :
    jmp [51a487]
    add eax, eax
    jmp [51a489]
    51a487 belongs to iat, it's always the last address pointer before the api.
    you can also have some big holes between iat groups (softlock) don't worry, just take the very first iat you find in mem and calculate the global length of the table, considering the very last you find, revirgin
    will take care of what is not an iat between.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

Similar Threads

  1. Revirgin 1.5.1 Bug???
    By hobferret in forum Tools of Our Trade (TOT) Messageboard
    Replies: 3
    Last Post: January 21st, 2003, 03:07
  2. Revirgin 1.4
    By robber804 in forum Tools of Our Trade (TOT) Messageboard
    Replies: 7
    Last Post: May 5th, 2002, 19:36
  3. Revirgin bug ?
    By LaptoniC in forum Tools of Our Trade (TOT) Messageboard
    Replies: 1
    Last Post: January 14th, 2002, 06:18
  4. Need help for Revirgin 1.2
    By ash in forum Advanced Reversing and Programming
    Replies: 23
    Last Post: November 18th, 2001, 03:36
  5. Revirgin vs VisualProtect
    By nikkov in forum Advanced Reversing and Programming
    Replies: 6
    Last Post: October 14th, 2001, 06:53

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •