New ASProtect again ?


gAnZ
November 12th, 2000, 08:17
Here is the target
http://www.softpointer.com/tr.htm

gAnZ
November 12th, 2000, 12:30
Quote:
Pandesal (11-12-2000 01:15):
CASPR worked fine with this baby ;-)


What version have you used?
0.930 seems not to produce a working EXE ...

SV
November 13th, 2000, 05:39
Hi

Why it doesn't work:
Look at the entrypoint code.
At 0053D6F4 there is an indirect call. As you can see
with the asprotected exe, in this call you land at 0125c540
and at this location the real call is done (53ce54).
Some generic unasprotecters don't save offset 54341c in the exe
because it's a bss section (offset 142000, virtual size 2000,
raw size 0).
The solution is to patch this location before entering EOP or
to build an exe with this section and replace 40c52501 with 54ce5300.

regards SV

EAX=00000000 EBX=006F0000 ECX=00000000 EDX=00000000 ESI=816443B0
EDI=00000000 EBP=007FFE38 ESP=007FFE2C EIP=0053D6F4 o d I s Z a P c
CS=015F DS=0167 SS=0167 ES=0167 FS=33C7 GS=33CE DS:0054341C=0125C540
-----TAGRENAME_ORG!+141C--------------------------byte--------------PROT---(0)--
0030:0054341C 40 C5 25 01 00 00 00 00-00 00 00 00 00 00 00 00 @.%.............
0030:0054342C 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0030:0054343C 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
-------------------------------------------------------------------------PROT32-
015F:0053D6CD 8BEC MOV EBP,ESP 
015F:0053D6CF 83C4F4 ADD ESP,-0C 
015F:0053D6D2 B88CD15300 MOV EAX,0053D18C
015F:0053D6D7 E80897ECFF CALL 00406DE4
015F:0053D6DC A17C185400 MOV EAX,[0054187C]
015F:0053D6E1 8B00 MOV EAX,[EAX]
015F:0053D6E3 E838F3EFFF CALL 0043CA20
015F:0053D6E8 A1981A5400 MOV EAX,[00541A98]
015F:0053D6ED 8B00 MOV EAX,[EAX]
015F:0053D6EF E8E0FDF2FF CALL 0046D4D4
015F:0053D6F4 FF151C345400 CALL [0054341C] <----This indirect call
015F:0053D6FA A17C185400 MOV EAX,[0054187C]
015F:0053D6FF 8B00 MOV EAX,[EAX]
015F:0053D701 BA24D75300 MOV EDX,0053D724
015F:0053D706 E819EFEFFF CALL 0043C624
015F:0053D70B A17C185400 MOV EAX,[0054187C]
015F:0053D710 8B00 MOV EAX,[EAX]
015F:0053D712 E8A1F3EFFF CALL 0043CAB8
015F:0053D717 E8F863ECFF CALL 00403B14

EAX=00000000 EBX=006F0000 ECX=00000000 EDX=00000000 ESI=816443B0
EDI=00000000 EBP=007FFE38 ESP=007FFE28 EIP=0125C540 o d I s Z a P c
CS=015F DS=0167 SS=0167 ES=0167 FS=33C7 GS=33CE DS:012625C0=0053CE54
--------------------------------------------------byte--------------PROT---(0)--
0030:012625C0 54 CE 53 00 00 00 00 00-00 00 00 00 00 00 00 00 T.S.............
0030:012625D0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
-------------------------------------------------------------------------PROT32-
015F:0125C53F 90 NOP 
015F:0125C540 833DC025260100 CMP DWORD PTR [012625C0],00 
015F:0125C547 7406 JZ 0125C54F
015F:0125C549 FF15C0252601 CALL [012625C0]
015F:0125C54F C3 RET
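
Added example (not part of SV's post and not code from any tool named in this thread): a Python walk of the PE section table showing why the pointer at 0054341C has no bytes in a file dump. The headers are constructed inline; the section names, the CODE/DATA layout and ImageBase 0x400000 are assumptions, only the 142000 / 2000 / 0 section comes from the post.

```python
import struct

def build_sample_pe():
    """Constructed minimal PE32 headers, not the real target file."""
    # (name, VirtualSize, RVA, SizeOfRawData, PointerToRawData)
    # CODE/DATA rows and all names are assumed; the last row uses the
    # values quoted in the post: offset 142000, virtual size 2000, raw size 0.
    sections = [(b"CODE", 0x13D000, 0x001000, 0x13D000, 0x000400),
                (b"DATA", 0x004000, 0x13E000, 0x004000, 0x13D400),
                (b"BSS",  0x002000, 0x142000, 0x000000, 0x000000)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)   # e_lfanew at 0x3C
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)          # ImageBase (assumed)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sIIII12xI", n, vs, rva, rs, rp, 0xC0000040)
                     for n, vs, rva, rs, rp in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

def locate_va(pe, va):
    """Map a virtual address to (section name, file offset or None)."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", pe, nt + 6)
    opt_size, = struct.unpack_from("<H", pe, nt + 20)
    magic, = struct.unpack_from("<H", pe, nt + 24)
    if magic != 0x10B:
        raise ValueError("only PE32 is handled")
    image_base, = struct.unpack_from("<I", pe, nt + 24 + 28)
    rva = va - image_base
    for i in range(nsec):
        hdr = nt + 24 + opt_size + 40 * i
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, hdr)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            delta = rva - vaddr
            # Past SizeOfRawData the bytes exist only in memory, so a tool
            # that copies raw data alone writes nothing for this address.
            backed = rptr + delta if delta < rsize else None
            return name.rstrip(b"\0").decode(), backed
    return None, None   # address is not inside the mapped image at all

if __name__ == "__main__":
    pe = build_sample_pe()
    for va in (0x0053D6F4, 0x0054341C, 0x0125C540):
        print(f"{va:08X}", locate_va(pe, va))
```

The third address is the one the indirect call lands on in the post; it falls outside every section of the image, so no file offset exists for it either.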

gAnZ
November 20th, 2000, 11:00
Hey!
Thanks for your reply, but it was clear to me.
My question actually was about the VERSION of ASProtect.
rAD said that it is unknown.
(but it could actually unhook this hook)
CASPR is the newest deprotector, so I decided that it must understand such tricks and fix 'em.
But I was mistaken.

So,so.....
Some work with loaded BRAIN.SYS(.VXD) never can be superfluous after any automatic engine

Good Luck !