
Asprotect 1.4 !!!


+SplAj
December 24th, 2001, 18:39
LOL, got your attention now

Is there a *new* aspr version or not ......

NEW API CLUSTER TRICK !!!!
==========================

JS sent me a new target but I was too busy fuxin' Bi-Tart's new Titty3 'kryptor' (pfff)
hey trannies, yer shits are decrypted and sent to the favorite store for ppl to d/l

Back to this new trick :-

'Reg Organizer 1.2' from ChemTable Software

I rebuilt the exe with RV, slight problem with the LENGTH of the IAT auto-fetcher? [001AE134 to
001AF0F4 is the correct range, and NOT contiguous, ie lots of 00 padding between DLLs?], but could not see the usual API 'cluster', just as JS
mentioned??? So, let's run.. duh, no way, stack is corrupted? But I missed the dummy
1st dip into real code at 419350 to set memory variables, then back to aspr, then on to
401000 OEiP. So I redumped at 419350, set OEiP to this and patched JMP 401000 at 419507.
Now running.... NO! got STACK corrupted still.... that RET at 401256 made an exception???

0167:00401214 803D586C5A0000 CMP BYTE PTR [005A6C58],00
0167:0040121B 7538 JNZ 00401255
0167:0040121D B8BC114000 MOV EAX,004011BC
0167:00401222 E8597B1000 CALL 00508D80
0167:00401227 A3FC575700 MOV [005757FC],EAX
0167:0040122C B8F0575700 MOV EAX,005757F0
0167:00401231 E84A7B1000 CALL 00508D80
0167:00401236 A300585700 MOV [00575800],EAX
0167:0040123B E888311700 CALL KERNEL32!GetModuleHandleA <==was is das???
0167:00401240 8B15446B5A00 MOV EDX,[005A6B44]
0167:00401246 8902 MOV [EDX],EAX
0167:00401248 8A4514 MOV AL,[EBP+14]
0167:0040124B 3401 XOR AL,01
0167:0040124D 8B15506B5A00 MOV EDX,[005A6B50]
0167:00401253 8802 MOV [EDX],AL
0167:00401255 5D POP EBP <== corrupts stack in regular code
0167:00401256 C3 RET

But tracing in ASPR returned GetCommandLineA in EAX *NOT* GetModuleHandleA ???:-

0167:00E2CA17 90 NOP
0167:00E2CA18 6A00 PUSH 00
0167:00E2CA1A E8597AFFFF CALL KERNEL32!GetModuleHandleA <==DUMMY API for IAT rebuilders !
0167:00E2CA1F FF355036E300 PUSH DWORD PTR [00E33650] <==GetCommandLineA API
0167:00E2CA25 58 POP EAX <==POP'd into EAX !!!
0167:00E2CA26 C3 RET <==in aspr OK, but STACK WRONG for us

See the GetModuleHandleA in EAX is discarded, EAX is pop'd with GetCommandLineA ptr !!!
So this is the *NEW* variant of the APICluster trick we all got used to for several months.

Similar tricks for the other GetWhatWeNeed API calls :-
eg GetVersion poked into [E33640]

0167:00E2C9D3 90 NOP
0167:00E2C9D4 6A00 PUSH 00
0167:00E2C9D6 E89D7AFFFF CALL KERNEL32!GetModuleHandleA <==DUMMY API for IAT rebuilders !
0167:00E2C9DB FF354036E300 PUSH DWORD PTR [00E33640] <==GetVersion API
0167:00E2C9E1 58 POP EAX <==POP'd into EAX !!!
0167:00E2C9E2 C3 RET <==in aspr OK, but STACK WRONG for us

Here are my findings for the Usual Suspects :-

[E33640] ==> GetVersion
[E33644] ==> GetCurrentProcess
[E33648] ==> GetModuleHandleA
[E3364C] ==> GetCurrentProcessId
[E33650] ==> GetCommandLineA

You have to change the RV/ImpREC tracer in IAT rebuilding to the correct API *NOT* GetCommandLineA........... but woooa, it's 1am 25/12/01 and I can hear sleigh bells... Santa is coming with my new notebook, better get to bed or he won't deliver it.......

So, goodnight from him and goodnight from me

PS sorry for the late response JS and thanks for the tip off .....

Spl/\j

endeavor
December 26th, 2001, 13:37
Quote:
Originally posted by +SplAj

There is a very fine line between “hobby” and “mental illness.”

..in my own way I find myself crossing that fine line all the time

..but in the meantime - happy holidays

endeavor

Viper
December 26th, 2001, 17:39
Who doesn't like crossing that line more times than not?

evaluator
December 31st, 2001, 13:21
Hello, SPLAJ!

Some interesting old-trick enhancements added to this version,
I managed them all... Prog runs from 401000, you did something wrong..
In attachment another NEW-YEAR GIFT - idata for ...
paste it at 1AE000h (5AE000); values for PEditor:
IT 001AE000
SIZE 00000134

+SplAj
December 31st, 2001, 18:49
hi eval,

you're chasing my ass again to become king unpaxor!!! Good luck for 2002

Spl/\j

sv
January 11th, 2002, 13:09
Hi

I have 2 differences with eval's IT.
First, at 5ae3e4:
AS code is:
0167:0133CA38 55 PUSH EBP
0167:0133CA39 8BEC MOV EBP,ESP
0167:0133CA3B E8507AFFFF CALL KERNEL32!GetVersion
0167:0133CA40 5D POP EBP
0167:0133CA41 C20400 RET 0004
eval has GetVersion and I have found FreeResource,
and at 5ae4f4, eval has justEvaluator and I LockResource.
Others are the same.

EIP is 401000 but call 419350 must be done before.

SV
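
The following is an added example, not a tool posted by SplAj, sv or anyone else in this thread. It decodes the stub bytes quoted in SplAj's first post (the PUSH 0 / CALL GetModuleHandleA / PUSH [slot] / POP EAX / RET shape) and in sv's post above (PUSH EBP / CALL GetVersion / POP EBP / RET 4), recovers the decoy CALL target and the result slot whose value actually lands in EAX, and checks the stdcall stack cleanup of the stub against the API a tracer proposes. Assumptions: the byte strings are constructed from the listings exactly as printed; the slot-to-API table is SplAj's own (evaluator says some of his resolutions were wrong, so it is thread data, not ground truth); the stdcall argument counts are Win32 facts and the only new knowledge the code brings in.

```python
import struct

# --- Inputs constructed from the listings quoted in this thread -------------
# (base address, bytes as printed). First two from SplAj's post (leading NOP
# kept), the third from sv's post.
STUB_GETCOMMANDLINE = (0x00E2CA17, bytes.fromhex("90 6A00 E8597AFFFF FF355036E300 58 C3"))
STUB_GETVERSION     = (0x00E2C9D3, bytes.fromhex("90 6A00 E89D7AFFFF FF354036E300 58 C3"))
STUB_SV             = (0x0133CA38, bytes.fromhex("55 8BEC E8507AFFFF 5D C20400"))

# SplAj's table of result slots (thread data; evaluator disputes parts of it).
RESULT_SLOTS = {
    0x00E33640: "GetVersion",
    0x00E33644: "GetCurrentProcess",
    0x00E33648: "GetModuleHandleA",
    0x00E3364C: "GetCurrentProcessId",
    0x00E33650: "GetCommandLineA",
}

# stdcall argument counts for the APIs named in the thread (Win32 fact):
# the callee pops 4 bytes per argument, so a wrong resolution shifts ESP.
STDCALL_ARGS = {
    "GetVersion": 0, "GetCurrentProcess": 0, "GetCurrentProcessId": 0,
    "GetCommandLineA": 0, "GetModuleHandleA": 1,
    "FreeResource": 1, "LockResource": 1,
}


def decode_stub(base, code):
    """Minimal decoder for the opcodes these stubs use (and nothing else).
    Returns the decoy CALL target, the memory slot whose value ends up in EAX
    (PUSH [slot] / POP EAX), and how many bytes the final RET pops."""
    info = {"decoy_call": None, "slot": None, "ret_pops": 0, "asm": []}
    i = 0
    while i < len(code):
        eip, op = base + i, code[i]
        if op == 0x90:                                   # NOP
            text, i = "nop", i + 1
        elif op == 0x6A:                                 # PUSH imm8: dummy argument
            text, i = f"push {code[i + 1]:#x}", i + 2
        elif op == 0xE8:                                 # CALL rel32: the decoy API
            rel = struct.unpack_from("<i", code, i + 1)[0]
            info["decoy_call"] = (eip + 5 + rel) & 0xFFFFFFFF
            text, i = f"call {info['decoy_call']:#010x}", i + 5
        elif op == 0xFF and code[i + 1] == 0x35:         # PUSH dword ptr [disp32]
            info["slot"] = struct.unpack_from("<I", code, i + 2)[0]
            text, i = f"push dword ptr [{info['slot']:#010x}]", i + 6
        elif op == 0x58:                                 # POP EAX: overwrites decoy result
            text, i = "pop eax", i + 1
        elif op == 0x55:                                 # PUSH EBP
            text, i = "push ebp", i + 1
        elif op == 0x8B and code[i + 1] == 0xEC:         # MOV EBP,ESP
            text, i = "mov ebp, esp", i + 2
        elif op == 0x5D:                                 # POP EBP
            text, i = "pop ebp", i + 1
        elif op == 0xC3:                                 # RET: caller cleans up (0 bytes)
            text, i = "ret", len(code)
        elif op == 0xC2:                                 # RET imm16: stdcall cleanup
            info["ret_pops"] = struct.unpack_from("<H", code, i + 1)[0]
            text, i = f"ret {info['ret_pops']:#x}", len(code)
        else:
            raise ValueError(f"unexpected opcode {op:#04x} at {eip:#010x}")
        info["asm"].append(text)
    return info


def resolve(stub, slots=RESULT_SLOTS):
    """What the stub really emulates. A tracer that stops at the first CALL
    reports the decoy; the answer is the slot pushed after it, if any."""
    info = decode_stub(*stub)
    if info["slot"] is not None:
        return slots.get(info["slot"], f"unknown slot {info['slot']:#010x}")
    return None  # no slot pushed: only the stack cleanup says anything


def stack_mismatch(resolved_to, stub_ret_pops):
    """ESP error in bytes in the dumped program if the IAT entry is rebuilt as
    `resolved_to` while the original import cleaned up `stub_ret_pops` bytes."""
    return 4 * STDCALL_ARGS[resolved_to] - stub_ret_pops


def candidates_by_cleanup(ret_pops, table=STDCALL_ARGS):
    """APIs in the table whose stdcall cleanup matches the stub's RET imm16."""
    return sorted(name for name, n in table.items() if 4 * n == ret_pops)


if __name__ == "__main__":
    for label, stub in [("SplAj #1", STUB_GETCOMMANDLINE),
                        ("SplAj #2", STUB_GETVERSION), ("sv", STUB_SV)]:
        info = decode_stub(*stub)
        print(label, "|", "; ".join(info["asm"]))
        print("   emulates:", resolve(stub),
              "| cleanup candidates:", candidates_by_cleanup(info["ret_pops"]))
    print("ESP error if a no-arg import is rebuilt as GetModuleHandleA:",
          stack_mismatch("GetModuleHandleA", 0), "bytes")
```

Both SplAj stubs decode to the same decoy CALL target, which is why a tracer keyed on the first CALL reports GetModuleHandleA for every one of them, and the 4-byte result of `stack_mismatch("GetModuleHandleA", 0)` is exactly the imbalance behind the POP EBP / RET failure at 401255 in the dumped code. sv's stub pushes no slot, so the decoder cannot name the API; its RET 4 only rules out zero-argument candidates such as GetVersion, which is consistent with the FreeResource / LockResource readings in sv's post.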

evaluator
January 13th, 2002, 16:37
For Spek: resolved.txt