PDA

View Full Version : Ok , first rce topic : asprotect 1.1


tsehp
October 27th, 2000, 20:21
Did someone managed to reverse it or rebuild the import table ?
I made my first attempt on the last commview's version (2.3) and finally used a process patcher coded by r!sc.
It works fine, you just have to kill the anti softice routines and locate
the bytes to patch. The only problem is that your crack is win9x dependent, between nt and 9x , asprotect loads at different addresses. If someone is interested, I can give more details.

tsehp

Alexey Solodovnikov
October 28th, 2000, 06:23
> Did someone managed to reverse it or rebuild the import table ?

Yep, I did.

> If someone is interested, I can give more details

Great! Could you send details to asprotect@aspack.com? I need for
this info for the next version.

JimmyClif
October 28th, 2000, 06:40
LOL...

I bet you did Alexey, hehehe

tsehp
October 28th, 2000, 07:12
Thanks for your reply, I've sent my method to the address you provided me, and also an updated asprotect version to impeach what I found to work. Can you try to reverse it ? I plan to submit a job carrier at asprotect's team :P

regards,

tsehp

tsehp
October 28th, 2000, 08:38
Hi again,
understand that's a reverser's board and I just can
be such a traitor for this community
But I have to admit that I really took some great pleasure to reverse the 1.1, it was much harder
than the 1.05 version, for which I published an essay.
So, congratulations, to me asprotect seems to be
one of the most difficult to beat, but +orc said :
If it runs it can be defeated !

Bogus
October 28th, 2000, 10:53
Import List Rebuilder:
http://www.reversing.net/TOOLS/016/readme.htm
http://www.reversing.net/TOOLS/016/Imp_list.zip
if it can decrypt import - it generate import0.bin - valid import section, just insert it to dump, bla-bla-bla...

freddyk
October 29th, 2000, 05:37
OK a q on aspr 1.1 - it kills regmon when it runs, so you cant watch its registry stuff (same as in the new aspack 2.11... and he says its just updated for bugfixes - yeah right alex) - any idea how to bypass without editing aspr

Also for 2.11 he sets up a reg key for the 30 days stuff - what variable does he use to decide this (the reg location (CLSID) changes on diff PCs)

FK

Dr.Golova
October 29th, 2000, 19:19
for bupassing closing RegMon just change in regmon.exe their window class ("RegmonClass" and window title ("Registry Monitor - Sysinternals: www.sysinternals.com".

Solomon
October 31st, 2000, 04:53
If u are using Win9X, there is another way to bypass the RegMon check:
try "Win-eXpose Registry" from http://www.shetef.com.