View Full Version : Asprotect again


LaptoniC
September 19th, 2001, 02:12
I had some problems with the new asprotect; it is really a headache. The program is Aha-soft ArtIcons v2.52 h*tp://www.aha-soft.com

Everything is found by Revirgin, great tool!

Recently all asprotected softs check asprotect in memory a lot. What I mean is not directly checking the memory locations for some bits. Instead it maps addresses to asprotect memory and calls from there. So if no asprotect, no code to run.
The only way to make it run, in my opinion, is to dump asprotect memory, make a new section and paste it. Then change asprotect memory locations with the ones with your loader at the end. I have completed only part of it.

loader contents
dump CF3405
dump CFC4A8

change dwords at 5067C0 5067D0 and 5067D4 so that they will point to loader.

However, with these modifications the program runs, but when it exits it gives an error. Before going deep inside I want to learn: is there any way to fix this, other than making a loader and pointing to it? Sorry for my bad English, hope you understand.
Thanks

Kilby
September 19th, 2001, 03:13
usually they are in the form of

CALL [xxxxxxxx]

xxxxxxxx JMP RealCallAddress

Usually there are 3 or 4 of these near the initialisation of the app.

What I have done in the past is simply replace the call [xxxxxxxx] with

CALL RealCallAddress
NOP

I think a previous version of articons was the first time I saw this.

As I mentioned before, the future look of asprotect is in IglooFTP, unless I did something real dumb with the IT that night.

Kilby...

+SplAj
September 19th, 2001, 06:43
Kilb,

what is the prob with IGFTPRO ? I saw your previous thread and d/l immediately but found no probs, unpacked and fixed main exe as well as the PowerUP and PowerDL exe's that were aspr'd. I saw no news on this target over the sad week so assumed all was fixed.

Only prob is fixing the many MFC42 calls to make it registered

So, here are my IAT for all 3 exe's...........

+Spl/\j

Kilby
September 20th, 2001, 06:15
I will go and have a look at iglooftp 3 again.

Last time I looked at it the entries were all over the place and made absolutely no sense at all.

I looked at it twice, just to make sure.

Obviously I was too tired that night.

(well that's my excuse anyway)

Regards,

Kilby...