Thread: ReVirgin 1.31 problem with large IAT

  1. #1
    Lbolt99
    Guest

    ReVirgin 1.31 problem with large IAT

    Hi, I've been using RV fine on many things but it seems to be hiccuping on creating the IT binary for a large program I'm working on. The target is Helpjotter 6.0.19.201.

    It's protected with ASPR 1.4+ but that doesn't seem to have anything to do with the problem. I used RV successfully to get the IAT except for the unresolved entries, which I fixed.

    BTW I'm not sure if this would be fixed in 1.4 -- I couldn't get it to run, even after changing the date/time stamp.

    Anyway, it seems to want to generate an 8.9MB .bin from the IAT list. I've attached the IAT list for review, if anyone else wants to try it. The IAT RVA is 3F41F4 and the length A9C. After dumping, it should be pasted at offset 00588000.

    Please note that every other IT I've generated with RV has worked fine. The only difference is that this one is significantly larger than others I've worked with.

    I tried both auto-pasting it with RV (created 14mb file from 5mb dump). Also tried simply creating the .bin. Neither method worked.

    Thanks for helping
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Lbolt99
    Guest

    Looks like bug in RV :(

    Follow-up:

    This morning I downloaded IMPRec 1.3 from Programmers Tools. It is a convoluted mess and I had to fix lots of things to get the IAT to match the Revirgin one I had.

    There does appear, unfortunately, to be a bug in RV, at least v1.31. IMPrec successfully created the binary IT to paste onto the end of the dumped file.

    As said before, the IAT processed with Revirgin creates a 9 meg .bin file. I think something in the IAT is throwing off RV and causing an endless loop somewhere in the program.

    Anyway, I have informed .tsehp and hopefully it'll be fixed in RV 1.41

  3. #3
    Lbolt99
    Guest

    Update again :)

    Another quick update:
    I looked further into the 9mb IAT file that RV created. It turned out that it just appended 8.x mb of 0s to the end of the file. I truncated it all. Basically, if you run into this problem with RV and do this, just make sure you leave two bytes (zeros) after the text string of the final thunk. Example:

    GetOpenFileNameA..

    The two dots would be your 0x00h 0x00h, and then the file ends.


    RV 1.4 had the same problem. I got RV to run by doing this:
    bpx messageboxa
    ret until u see exitprocess in code below
    change ip to xxxxxxb5 (will be a dec instruction a few instructions away)
    it'll run then

    Helpjotter runs after pasting it!! No Dips found so far..