Asprotect V1.3?


LunarC
July 22nd, 2001, 11:34
Well! I ran across Winsniffer 1.22 at winsniffer.com
This program is basically similar to Iris or Spynet!

Well, I would like to peek inside its protection, but found out that it was packed with ASProtect V1.3, as reported by File Info V2.45a by Michael Hering! I tried another scanner, PeScan, and it says the file wdsm.exe is protected by ASProtect v1.2.

I went and checked aspack.com! The latest file is asprot V1.2.

My question is: does V1.3 really exist, or is somebody playing around with the PE header?

Well! I tried to hexedit it but no nfo is available!
Would somebody like to clarify? Or better still, I'll mail Mr. Hering if I have time.

cya

Alexey Solodovnikov
July 22nd, 2001, 14:57
Quote:
LunarC (07-22-2001 09:34):
I went and checked aspack.com! The latest file is asprot V1.2.

My question is: does V1.3 really exist, or is somebody playing around with the PE header?

Well! I tried to hexedit it but no nfo is available!
Would somebody like to clarify? Or better still, I'll mail Mr. Hering if I have time.

cya


You can ask me by e-mail. I'm ready to help.

Alex.

hz
July 22nd, 2001, 15:44
Hiya Alexey,
Man, I have got some q's for yer. Keep it going.
regards

Alexey Solodovnikov
July 22nd, 2001, 16:34
You're welcome, bro.

NchantA
July 23rd, 2001, 00:40
love or hate eh?

im a great admirer of your work budd, sorry bout the up and coming tutorial, but someone had to do it

your tricks are a welcome distraction, as most shareware are really mindless in their protections these days. It's good to see a protectionist that keeps abreast of forums like this, actually trying to improve his product instead of lying about it, and relying on flashy websites and marketing. remind you of someone splaj? (Bi-Tarts die)

good luck alexey, im not even going to try and spell your last name aha.

nc.

Kilby
July 23rd, 2001, 03:36
Hey Alexey,

Just to say thanks for giving us something interesting to work on.

As several folks have said, asprotect is the one product that doesn't offer the world, but offers more than any of the others on the market.

But could you please let us know when an update is released, so as we can have a little race amongst ourselves.


Regards and best wishes,

Kilby...

Kilby
July 23rd, 2001, 04:05
LunarC,

It's safe to assume that it's some form of 1.2, as Alexey appears to have a habit of updating asprotect without telling anybody (anybody around here anyway).

I dunno what way the file typer/identifier decides which version of asprotect it is but it probably isn't a couple of bytes containing the version information.

regards,

Kilby...
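
Added example, not part of the thread: file identifiers of this kind commonly match byte patterns at the entry point instead of reading a version field, which is one way two scanners can label the same file differently. The packer name, signatures, scanner databases and sample bytes below are all constructed for illustration and are not real ASProtect data.

```python
# Added illustration of signature-based packer identification.
# Every signature and byte string here is constructed, not taken from a real tool.

def parse_sig(text):
    """Turn '60 E8 ?? ??' into a list of ints, with None for wildcard bytes."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

def matches(sig, data):
    """True if data starts with sig, ignoring wildcard positions."""
    if len(data) < len(sig):
        return False
    return all(s is None or s == b for s, b in zip(sig, data))

def identify(database, entry_bytes):
    """Return the label of the most specific matching signature, or None.

    Specificity is the number of non-wildcard bytes, so a loose signature
    only wins when no tighter one matches.
    """
    best = None
    for label, text in database.items():
        sig = parse_sig(text)
        if matches(sig, entry_bytes):
            fixed = sum(1 for s in sig if s is not None)
            if best is None or fixed > best[0]:
                best = (fixed, label)
    return best[1] if best else None

# Hypothetical scanner A: only an older, loosely wildcarded signature.
SCANNER_A = {"PackerX v1.2": "60 E8 ?? ?? ?? ?? 5D 81 ED"}

# Hypothetical scanner B: newer database that also carries a tighter signature.
SCANNER_B = {
    "PackerX v1.2": "60 E8 ?? ?? ?? ?? 5D 81 ED",
    "PackerX v1.3": "60 E8 01 00 00 00 5D 81 ED ?? ?? ?? ?? BB",
}

# Constructed entry-point bytes of one and the same file.
SAMPLE_ENTRY = bytes.fromhex("60E8010000005D81ED10203040BB0000")

if __name__ == "__main__":
    print("scanner A:", identify(SCANNER_A, SAMPLE_ENTRY))
    print("scanner B:", identify(SCANNER_B, SAMPLE_ENTRY))
```

The same bytes get two version labels because scanner A's loose signature still matches the newer stub; neither result reads a version number out of the file.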

sv
July 23rd, 2001, 07:15
Hi reversers

Interesting target, some code is crypted but you can add yours to show the real password.
For example, the FTP case:

015F:0040505C 6A04 PUSH 04
015F:0040505E 6838AF4000 PUSH 0040AF38
015F:00405063 FF75FC PUSH DWORD PTR [EBP-04]
015F:00405066 FF157C754000 CALL [0040757C]
015F:0040506C 83C40C ADD ESP,0C
015F:0040506F 85C0 TEST EAX,EAX
015F:00405071 7523 JNZ 00405096
015F:00405073 8B45FC MOV EAX,[EBP-04]
015F:00405076 83C005 ADD EAX,05
015F:00405079 50 PUSH EAX
015F:0040507A EB4A JMP 004050C6

and
0167:0040AF38 50 41 53 53 00 00 00 00-00 00 00 00 00 00 00 00 PASS............


Include idata file.

Kilby
July 23rd, 2001, 07:35
Long time no chat SV, hope you are keeping well,

You can also redirect some of the other print routines to return the password instead.

The annoying thing is that it only appears to grab the password if it's on the standard port on the last version.

A small but important oversight, especially for those users of proxy servers.

Kilby...

LunarC
July 23rd, 2001, 10:33
thanks all!
Hey is it really you alex? nahhh I don't buy it!

Alexey Solodovnikov
July 23rd, 2001, 15:18
Quote:
LunarC (07-23-2001 08:33):
thanks all!
Hey is it really you alex? nahhh I don't buy it!


It's really me. As I said before, you can reach me by e-mail to check it.

Alexey VeryLongRussianSureName

NeO'X'QuiCk
July 23rd, 2001, 18:36
What is your email, Alexey Solodovnikov?

NeO'X'QuiCK

tsehp
July 23rd, 2001, 19:09
hiya alex,
when will as 1.3 be available for download? Or can you leave it here as an attachment? (I'm half dreaming ;-)

this is not crack request, but prot request ;-) don't flame me please :-)

tsehp

NchantA
July 23rd, 2001, 23:44
LOL tsehp

i dont mind withholding the unpacking tutorial until the next version is released, if indeed there even is to be a new version or new flavour soon. im sure tsehp will agree with me here. although i will honour any personal requests.

NchantA

tsehp
July 24th, 2001, 07:30
yes nChant, and you can be sure that the "Alexey" that is speaking here will consider it a pleasure to help us adapt the tutorial to version 1.3 ;-)

nchanta
July 26th, 2001, 09:11
WebSite watcher v3.21. http://www.aignes.com
very interesting. i have a dump and iat RVA as well as size.

this looks to me like a new trick of alexey's, i may be wrong though.

it seems that the IAT jmp table doesn't actually jump to the api anymore. instead it jumps to a little bastard routine, which does a few things and then push ADDR_OF_API and then ret's into the api.

highly annoying. after using imprec to patch in the full rebuilt iat (attached, pleaz notify me if there is an error), the program crashes. it's trying to find the piece of memory that jumps to the api, instead of jumping to the damn thing.

is this as unusual as i think or am i retarded?

LaptoniC
July 26th, 2001, 12:32
Hi Nchanta,
I guess your OEP is wrong according to my lame findings
OEP: 00165608 IATRVA: 0016E178 IATSize: 00001828
My IATRVA may be wrong (0016E250 maybe just you found), but I am dead sure about the OEP.
Icedump tracex first stops at 54D52C but it is fake. If you look closely you will see that it checks the .key file in the directory and the registry key. When you return from this call you will be again at asprotect code. So when you return from this call, again use the tracex command and the program will stop at the entrypoint. Then do whatever you want.
However, my dumped exe didn't run with my fixed iat. Anyway, maybe my iat start is wrong or it is looking for some code from asprotect. I have attached my iat, hope it helps.

hz
July 26th, 2001, 15:59
Hiya,
nothing new in this version from v3.20, for imprec use
0016E17C 00000824
LaptoniC's OEP is right. EB's tut explains better than I would how to fix up the unresolved, it's posted on the board somewhere.
regards

+SplAj
July 28th, 2001, 04:11
OEiP VA 565608 (rva 165608 )
IAT va 0x16E17C L 0x81C
.NewSec 0x1E3000

LOL imprec !!!!! WTF is wrong with RV ???

PROBLEM IS 'InitialiseCriticalSection' is ALREADY done and flagged by aspr

check the disa and see flag is set at [56B430] == 01 .......
so code at 402210, 40239D and 40270C can never be called....... SO clear ALL the variables around this area everything to 00.

It's also a Delphi5 .........

managed to decode that wswatch.cfg. The checksum code is from 49B160 to 49B228. Also there is nice SEH by the programmer and any interference gives a nice messagebox with a RED PIRATE icon ......LOL nice touch.

I attach some bits of info (the iat 'SPLAJ' is for Win98/ME cos kernel_02F is used for RET004)

+Spl/\j
'patch+play'

FlyingRaichu
August 23rd, 2001, 00:00
thought some in this thread might be interested in checking out the just released website-watcher 3.21 crack.
there is a long description of the crack; splaj and this thread is given much credit in the discussion on unpacking and fixing.

and i wanted to say thanks in person as well.
-flying raichu