
Thread: Attempt to apply ReVirgin on Pc Guard protection on app Iris

  1. #1
    BlackB
    Guest

    Attempt to apply ReVirgin on Pc Guard protection on app Iris

    Well, PC Guard is pretty ASProtect-alike, only better. I tried to unprotect the program Iris, which is an unbelievably powerful packet sniffer (a thousand times more powerful than CommView, btw). As the price (I think it was $1700) is pretty high, a good protection is necessary.

    Well, this is all of no importance actually. I just wanted to succeed in unpacking it with the help of ReVirgin. So I launched Iris (don't forget to load IceDump to avoid SoftICE detection), then launched ReVirgin.
    IAT address: BA478
    Length: 12C0

    Other useful info:
    OEP: 446C9C - 400000 = 46C9C
    Import Table RVA: 12E12C

    ReVirgin recognizes ALL APIs from the usual DLLs (kernel, gdi, etc.). But it doesn't recognize ANY of the MFC42.dll ones. Anyway, I let ReVirgin make the IT.BIN and IAT.BIN, did everything, but of course, when running the dumped file it says "Can't find needed .dll".
    Note that I dumped IT.BIN at 12E12C. This will result in an increase of the file length. I realigned the sections with PE-editor. I also tried to add a new section at the end of the file (I think at 12F000), but that didn't work either. Disassembling was possible and IDA didn't complain about anything. The disassembling however ended after 2 minutes, and that's a little bit too fast for a > 1MB file. When looking at it I also had the impression that big chunks of the .exe are still encrypted.

    When looking in PE-editor 1.7, all the APIs are there but they have no DLL name.

    For people still not tired of trying to unpack these heavily protected apps, here's the URL to download Iris: http://www.eeye.com/html/Products/Iris/download.html
    The PC-Guard homepage: http://www.pc-guard.co.yu

    Heh, I think I just want to do too much at a time, and pick the most difficult targets to test ReVirgin. However, I have learnt quite a lot already after three days.

    Feel free to post your findings on this protection.

    Greets

    BlackB
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    +SplAj
    Hi BlackB

    Iris is also pre-wrapped with PEShiELD or something by AnAkin, then PCG32 is applied. The silly Laurentiou also failed to use the licence system of PCG, instead relying on his own feeble serial algo.

    Also check out offset ~62888 or so in the dumped exe; you should see an infamous name }>

    Don't try and get the 'names' of those MFCs. I informed Tsehp about my concerns in the early trials of ReVirgin.
    Just carry on regardless. It does not matter, as these APIs are 'nameless ones'.

    SplAj

    Yes, good work BlackB, you are trying VERY hard, soon +BlackB

  3. #3
    SV
    Guest
    Hi

    I have unpacked this one and, if it can help you, I post a completely rebuilt IAT (generated to be inserted in a new section at 12F000).

    Regards SV


  5. #5
    BlackB
    Guest
    Hehehe, +SplAj, it will still be a long run before I can put that + before my nick.
    Btw, I noticed that additional PE packing. I noticed it in Hex Workshop when dumping it and the IAT.

    Anyway, thx a lot SplAj/SV/Tsehp, who're helping me on this unpacking subject; I already owe ya a lot.
    At the moment of writing I'm with my girlfriend, and tomorrow too, so I don't have the time to test certain things out. Relaxation in life is also important.

    well, gotta go... someone's waiting, heh

    greets

    The Blackbird aka BlackB

  6. #6
    Kayaker
    Hiya BlackB,

    Here's something to check if you're still having problems with MFC imports being resolved. I had this come up with earlier versions of ReVirgin that I'd always meant to mention to Tsehp. But since I haven't tried it with the most recent version, I didn't want to complain *too* early in case he'd fixed it.

    There seemed to be a problem with some of the MFC Imports if the listing was interrupted by another dll Import. Even though the Import resolved OK and you could glean its ordinal value from the Save Resolved text file, once it was generated into the IAT the entry was 00000000.

    Here's a section of the text file as resolved as it was going to get:

    308 000494E0 6C2B5760 0A5C MFC42.DLL
    309 000494E4 6C2B56EC 0685 MFC42.DLL
    310 000494E8 00000000 001A RPCRT4.dll I_RpcBindingInqDynamicEndpointA
    311 000494EC 6C303B14 035B MFC42.DLL
    312 000494F0 6C31DE8E 0844 MFC42.DLL
    313 000494F4 6C31DEB0 081E MFC42.DLL
    314 000494F8 00000000 001A RPCRT4.dll I_RpcBindingInqDynamicEndpointA
    315 000494FC 00000000 001A RPCRT4.dll I_RpcBindingInqDynamicEndpointA
    316 00049500 6C30C3C7 187E MFC42.DLL

    You can see that all the MFC42 imports are resolved, but in the corresponding IAT entry the MFC just preceding the RPCRT4 Import is now 0 instead of the ordinal value it should be.

    000004E0 5C0A 0080 0000 0000 0000 0000 5B03 0080 \...........[...
    000004F0 4408 0080 0000 0000 9433 0B00 0000 0000 D........3......
    00000500 7E18 0080

    I thought maybe this was because I_RpcBindingInqDynamicEndpointA wasn't resolved and I just had a weird app that actually used RPCRT4.dll. I fixed the pointers for both the missing MFC42 imports as well as the RPCRT4 ones in the IAT manually before pasting into the dumped file, but there were still a few things I had to check to get it to work right and the project kind of went by the wayside.

    Anyway, check this out, it might still be an issue with ReVirgin. In any case I'll give it another shot and let you know, Tsehp.

    Cheers,
    Kayaker

  7. #7
    tsehp
    Guest
    Kayaker (02-28-2001 12:58): [quoted post #6 in full]
    I get it, Kayaker. For example, just take this interruption:
    494e4 : mfc import
    494e8 : rpcrt4 import

    I chose the Borland way of generating IAT + IT files, so the IAT pointers *must* be interrupted by a DWORD 0 to terminate the DLL's export list. In this case the interrupt should reside in 494e8 and this entry should be 0, but in the target it's not. In the actual version of ReVirgin I just can't rebuild an rpcrt4 at this IAT location; I'm obliged to put a DWORD 0 and put this entry at 494ec, but this entry belongs to mfc... do you see the problem? It's a Windows problem.

    Maybe someone has an idea; maybe I can solve this by giving up the Borland way of creating IAT files and switching back to the M$ way. Does someone have an idea on this? If yes, I'll update in ReVirgin 1.01, soon available for $0, except for Alexey, $500.
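Tsehp's point above, that each DLL's FirstThunk array must end in a zero DWORD, so two DLLs whose IAT slots are interleaved with no free slot between them cannot both be described by a valid import descriptor, can be checked mechanically. The following is an added example, not code from the thread or from ReVirgin, for anyone rebuilding an import table from a memory dump (an unpacked sample in a malware lab, for instance); the slot RVAs and DLL names are taken from Kayaker's listing, while the name-string RVAs in the test and the `SAMPLE_IAT` layout are constructed.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000


def ordinal_thunk(ordinal):
    """Thunk value for an import by ordinal: the '5C0A 0080' in Kayaker's
    hex dump is 0x80000A5C, i.e. MFC42 ordinal 0xA5C with the flag set."""
    return IMAGE_ORDINAL_FLAG32 | ordinal


def plan_descriptors(iat):
    """iat: [(rva, dll)] in ascending RVA order, one DWORD slot per entry;
    free (zero) slots are simply absent from the list. Consecutive slots of
    the same DLL become one IMAGE_IMPORT_DESCRIPTOR. Each run needs a zero
    DWORD right after its last slot; if that slot belongs to another DLL the
    run is reported as a conflict, which is exactly the MFC42/RPCRT4 case."""
    descriptors, conflicts = [], []
    i = 0
    while i < len(iat):
        rva, dll = iat[i]
        j = i
        while j < len(iat) and iat[j][1] == dll and iat[j][0] == rva + 4 * (j - i):
            j += 1
        terminator = rva + 4 * (j - i)           # slot that must hold the 0
        if j < len(iat) and iat[j][0] == terminator:
            conflicts.append((dll, terminator, iat[j][1]))
        descriptors.append({"dll": dll, "first_thunk": rva, "count": j - i})
        i = j
    return descriptors, conflicts


def pack_descriptor_table(descriptors, name_rvas):
    """Serialise IMAGE_IMPORT_DESCRIPTOR records (OriginalFirstThunk,
    TimeDateStamp, ForwarderChain, Name, FirstThunk) plus the all-zero end
    record. OriginalFirstThunk is left 0, so the loader resolves names and
    ordinals from the FirstThunk array itself, as a rebuilt IAT requires."""
    body = b"".join(struct.pack("<IIIII", 0, 0, 0, name_rvas[d["dll"]],
                                d["first_thunk"]) for d in descriptors)
    return body + bytes(20)


# Constructed sample reproducing the slot layout of Kayaker's listing:
# MFC42 runs interleaved with RPCRT4 slots and no free DWORD between them.
SAMPLE_IAT = [
    (0x494E0, "MFC42.DLL"), (0x494E4, "MFC42.DLL"),
    (0x494E8, "RPCRT4.dll"),
    (0x494EC, "MFC42.DLL"), (0x494F0, "MFC42.DLL"), (0x494F4, "MFC42.DLL"),
    (0x494F8, "RPCRT4.dll"), (0x494FC, "RPCRT4.dll"),
    (0x49500, "MFC42.DLL"),
]

if __name__ == "__main__":
    for dll, slot, owner in plan_descriptors(SAMPLE_IAT)[1]:
        print(f"{dll}: terminator slot {slot:05X} is already used by {owner}")
```

Every run in the sample collides with its neighbour, which is why a one-DLL entry wedged into another DLL's run forces either a wasted slot or a moved entry, as Tsehp describes.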

  8. #8
    BlackB
    Guest
    Frustration regarding iris, hehehe :P

    All right, there must be something I'm doing wrong. Maybe a little detail that you guys see as normal, but that I never heard of (?)
    Well, here's EXACTLY what I do to unpack Iris. If I don't mention something, then I also didn't do it:

    -Run Iris.exe WITH IceDump to avoid detection. Dumping with PE-editor.

    -Directly after dumping, I'm adding a section named .BlackB @ 12F000, virtual/raw size 20000 (just to make it big enough).
    Nothing else is done.

    -ReVirgin is launched; IAT and IT are created after resolving with the following options:
    RVA: BA478
    Length: 12F4
    IT address: 12F000
    Length: 61C

    -iris_dump.exe is opened in Hex Workshop.
    IAT.BIN is dumped at BA478, number of bytes: 4658
    IT.BIN is dumped at 12F000, 17562 bytes are added to iris_dump.exe

    -PE-editor is launched.
    Entrypoint is changed to 46C9C
    Sorry, but even with the latest downloaded version, I get this as OEP.
    Import table RVA is changed to 12F000 and the length to 61C
    Saving changes
    To end, I let PE-editor realign the iris_dump.exe

    -Disassembling with IDA runs perfectly, the entrypoint really looks like an entrypoint: starts with a 'push ebp'

    -Running the iris_dump.exe: "Not enough memory to run application".

    Well, that's it. Some help is really needed. Goddamned, what am I doing wrong?
    IT.BIN and IAT.BIN are attached in Iris.ace
    Note: download the latest WinAce to extract!

    greets

    The Blackbird aka BlackB

    PS to Tsehp: there's nothing really wrong with ReVirgin, except for some bugs, but I'll soon make a list of them.

  9. #9
    BlackB
    Guest

    forgot the attachment

    here it is

    BlackB

  10. #10
    tsehp
    Guest
    And for my two cents, I just corrected ReVirgin so it no longer makes this bug on mfc42. It was coming from the code analyser (yes, there is one!) that believed mfc42.dll exports were some IAT redirectors.
    You can set the upper mem limit to stop the auto-analysis now. I checked only the listing on Iris 2.0 and this works fine.

    regards,

    +Tsehp

  11. #11
    tsehp
    Guest

    Much simpler than we thought!

    Well, I just did this:
    launch the target, tracing with the latest IceDump 6.022
    at OEP 446c9c, do a /pedump 400000 46c9c [file]

    launch your dump, the target runs!!!!!
    (+SplAj, I'll let you send me another target; I owe you a night spent cracking a target)

    the target is included here

    regards,

    +Tsehp

  12. #12
    BlackB
    Guest
    pfffff, it's just not fair :P
    I've been working on it for about two days with ReVirgin, while someone else simply does a /pedump :P

    ah well, my day will come hehe

    greets to everyone
    thx to Tsehp/SplAj/SV/Kayaker

    BlackB

  13. #13
    BlackB
    Guest
    hmmm, just some little advice asking.....

    I'm cracking for a cracking group for some time (two years or so), and... well... I'm starting to feel guilty releasing cracks. You see, people like you (Tsehp, +SplAj, etc.) give me this good advice on reverse engineering, that I will then apply to make a stupid crack for all those lame people out there, not caring about what we do.
    I've had this thought for some time, but now that I'm busy with this ASProtect/PC Guard stuff, I'm really starting to feel uncomfortable with it.

    On the other hand, it's good that there are cracks for certain programs (like Windows and other MS products), but I'd really hate to damage smaller companies by releasing a crack.
    My doubts about releasing cracks also increased when I started a topic on the DataRescue board concerning IDA and cracking... well, I just ask you to give your opinions and thoughts about releasing cracks...

    thx

    BlackB

  14. #14
    G-RoM
    Guest
    Mr BlackB :

    First of all... fair or not, some people try what is the easiest and, for instance, go faster than you. This is a question of analysis and efficiency; then u know what is the most suitable with the tools u have. Speaking of that, sometimes I laugh a lot when I read posts about that and that, when people could use an existing Hydra plugin that would do all the work in one single pass... I suppose nobody cared to check this. Not surprising... most people seem to need huge advertising and an easy to use GUI.

    Speaking of ur conscience waking up... Well, well... Are u trying to get the benediction of people in here to continue to release cracks? U fear to harm little companies? U should have thought about ur acts... besides, I can't see why harming a bigger company would be OK. It is up to u to decide about ur life... make ur choice urself and don't ask people in here to make u feel better. A crack is a crack... costs money for companies big or small... u know it... So now deal with it.

    Cheers,

  15. #15
    HalVar
    Guest
    Iris is an eEye product. eEye deserves to be hurt. That's all I have to say to this. Release it :-)
