View Full Version : Either new aspr, better implementation or asshole author code ;)


nchanta
September 10th, 2001, 10:07
Hola all, tis me again.

feels nice to post on this nice new board

pastel colours and a much kewler interface tsehp

neway back to my topic, i was referred to this by a friend on #c4n (hi lost).

AiS Watermark Pictures Protector v2.1
http://www.atomintersoft.com

it's got the weirdest implementation of aspr i've seen (i think)

i unpack as normal / fix imports as normal, seems nothing new there (it makes me wanna think this isn't a new ver, but i can't be sure).

but after i fix everything and go to run, it seems the bastard BSODs. i traced it to the first api call, an 'EnterCriticalSection' one. i don't think the CriticalSection is initialised?

anyone can help me plz

NchantA

tsehp
September 10th, 2001, 11:15
checking out with new rv (soon on beta)

nchanta
September 10th, 2001, 21:23
ohh goodie.

hi tsehp, btw, how is rv going?

do u know if rv could help in fixing new securom shit?

LaptoniC
September 10th, 2001, 21:44
Damn it is very tough. I have completed only part of it.
OEP 11A59C IAT 124190 import is rebuilt with ImpREC.

0045E754 7404 jz 0045E75A change to jmp
0045E75F 7413 jz 0045E774 change to jmp
004C5976 E8FD8DF9FF call 0045E778 nop it
0045E46C FF1500185200 call dword ptr [521800] should be call 004C5828

it doesn't end here. It checks asprotect a lot. Very pathetic author

Js
September 11th, 2001, 06:05
Hiya,
Recommend you take a closer look inside the 0045E778 proc.
"Very pathetic author", why? name of the game is make it a bit more difficult, isn't it?

sv
September 11th, 2001, 09:08
Hi all, Nchanta, tsehp

Happy to read you again

Have rebuilt a valid IT (exe works with some patches (AS checks)).
I send IT if it can be useful.

SV

Sorry but attachment doesn't seem to work

sv
September 11th, 2001, 09:13
Upload works now !
Thx Tsehp

Js
September 11th, 2001, 10:26
Hiya sv,
Nice to hear from you. Beat you to this one, still haven't got that f****** aqua though .

tsehp
September 11th, 2001, 18:22
first, I'll pray for people that died in this horrible terrorist attack for a long time...

finally I've made it work, pretty good implementation but only tests in mem if asprotect is present.

1-with new rv (soon available) trace and find oep 51a59c
dump your target with procdump while rv's tracer holds the program frozen with the tracer

use fetch iat, resolve iat's, show unresolved, use 'api emulator' (new function to resolve latest asprotect small api emulation)
everything is resolved but two entries, trace them and make a resolve again... then iat generator, the new it is dumped into your dump that is realigned.

2-I'll assume you didn't deviate the first asprotect entries inside the target before reaching the oep

403eb0 patch to jmp (you've forgotten this laptonic)
next, laptonic's work:

0045E754 7404 jz 0045E75A change to jmp
0045E75F 7413 jz 0045E774 change to jmp
004C5976 E8FD8DF9FF call 0045E778 nop it
0045E46C FF1500185200 call dword ptr [521800] should be call 004C5828

and the target loads, I leave you the final work to reg it, asprotect is removed.


regards,

tsehp

tsehp
September 11th, 2001, 19:25
Quote:
Originally posted by sv
Post attachment test

Here is error text :

Warning: SAFE MODE Restriction in effect. The script whose uid is 10012 is not allowed to access /tmp/ais_idata.zip owned by uid 0 in /usr/local/plesk/apache/vhosts/woodmann.com/httpdocs/vbulletin/upload/admin/functions.php on line 1606

Warning: fopen("/tmp/ais_idata.zip","rb" - Undefined error: 0 in /usr/local/plesk/apache/vhosts/woodmann.com/httpdocs/vbulletin/upload/admin/functions.php on line 1606

Warning: Supplied argument is not a valid File-Handle resource in /usr/local/plesk/apache/vhosts/woodmann.com/httpdocs/vbulletin/upload/admin/functions.php on line 1607

Warning: Supplied argument is not a valid File-Handle resource in /usr/local/plesk/apache/vhosts/woodmann.com/httpdocs/vbulletin/upload/admin/functions.php on line 1608

Warning: SAFE MODE Restriction in effect. The script whose uid is 10012 is not allowed to access /tmp/ais_idata.zip owned by uid 0 in /usr/local/plesk/apache/vhosts/woodmann.com/httpdocs/vbulletin/upload/admin/functions.php on line 1629

those problems are now over, re-upload please!

Kilby
September 12th, 2001, 09:28
If you wanna see a properly implemented asprotect have a look at iglooftp 3

http:\\w*w.iglooftp.com

It's a stinker

Kilby...

SpeKKeL
September 12th, 2001, 14:45
HaJO !

Well again about the iat from aiswpp: i downloaded sv's iat and I'm wondering how the 2 directed api's on:

170c968 push ebp
mov ebp,esp
mov eax,[ebp+08]
pop ebp
ret 004
and on
170c974 push ebp
mov ebp,esp
ret 004
are traced to: kernel's LockResource (170c968) and the second to
kernel's FreeResource (170c974)
I thought I must use kernel's ord_2f (ret 004) or a GetProcAddress ......

Could someone explain how they did trace to the Lock/FreeResource..

Van de la SpeKKeL....

tsehp
September 12th, 2001, 15:10
Quote:
Originally posted by SpeKKeL
HaJO !

Well again about the iat from aiswpp: i downloaded sv's iat and I'm wondering how the 2 directed api's on:

170c968 push ebp
mov ebp,esp
mov eax,[ebp+08]
pop ebp
ret 004
and on
170c974 push ebp
mov ebp,esp
ret 004
are traced to: kernel's LockResource (170c968) and the second to
kernel's FreeResource (170c974)
I thought I must use kernel's ord_2f (ret 004) or a GetProcAddress ......

Could someone explain how they did trace to the Lock/FreeResource..

Van de la SpeKKeL....

ha ha ha ha, this funny board self-detected some jokes inside your listing

all those entries are to emulate a ret 4, a normal ret with add esp,4 and that's all.

SpeKKeL
September 12th, 2001, 15:26
Yep,

maybe the questions were too simple....

Thanks tsehp

Think I've got them all

Spek..