Results 1 to 7 of 7

Thread: ASProtect 1.2 'Revirginated'

  1. #1
    hOrn_dOg
    Guest

    ASProtect 1.2 'Revirginated'

    ASProtect 1.2 (11/02/01) Revirginated (on Win2K)
    ================================================

    IAT at RVA 0x66118 Length 0x5C4 OEip at 0x458F7C (LoL ~3 hours
    manually found !)

    Dumped.exe is 632kb

    One 'problem' API at '00066260 00C1C424 0000 ?????? to_Resolve'just
    replace with KERNEL32 GetProcAddress (use SI to get the memory
    address)

    Make a new section at 0x9E000 0x2000 long - named .SplAj
    Paste IAT.bin to 0x66118 and IT.bin to 0x9E000. Fix up yer header
    (OEiP & IT addresses) with PEeditor 1.7

    It Runs ? ..... slight problem with a call to 'C7C6D8' but this is
    just a high call with a 'C3 RET' so change the D8C670 at offsets
    0x64FAC and 0x64FB0 (reverse byte order !)to C84F46 and put a value
    of 'C3' at offset 0x64FC8.

    Finished

    BTW the ASprotect is AUTO registered now. Just try to protect
    Notepad.exe and then run it......... NO NAG !!!!

    hOrn_dOg (aka +SplAj)
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    SV
    Guest
    Hi

    Have rebuilded too ... but it's not registred
    Nag screen is show at random !
    Try to execute many time. (Hi Alex)

    SV
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #3
    hOrn_dOg
    Guest
    Hi SV

    Your right...about 20 runs then the NAG !

    As R!sc always says..." you have more work to do "
    but not today I have to treat the wife :*

    hOrny
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    tsehp
    Guest

    poor asprotect 1.2

    I'm disappointed by the new version,
    only a small modification in the redirected iat's, just a push->ret instead of a call.

    No more encrypted iat's on my asprotected 1.2 notepad.

    Alexey, send us the source, we'll fight for you

    regards,

    +Tsehp
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #5
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,085
    Blog Entries
    5
    You devils 3, is nothing sacred? Heh, heh. 8)

  6. #6
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,085
    Blog Entries
    5
    Hi All,

    I've been walking around the dungeons of Asprotect looking for where the shareware nag is written into a file. Just emerged for more supplies.

    As usual the protection peeled like a banana under Revirgin. The shareware nag is in this little snippet (from Notepad) between the Import decryption routine and the OEP jump. BTW, I found a slightly different OEP for the packer on Win98SE.

    :0068FB7C EB02 JMP 0068FB80
    :0068FB7E FF2569152830 JMP [30281569]
    :0068FB84 690005840808 IMUL EAX,[EAX],08088405
    :0068FB8A 42 INC EDX
    :0068FB8B 891528306900 MOV [00693028],EDX
    :0068FB91 F7E2 MUL EDX
    :0068FB93 89D0 MOV EAX,EDX
    :0068FB95 48 DEC EAX
    :0068FB96 09C0 OR EAX,EAX
    :0068FB98 7510 JNZ 0068FBAA
    :0068FB9A EB02 JMP 0068FB9E

    Force the JNZ 0068FBAA and there's no nag. Interesting little routine that gives the delayed nag, not sure exactly how it works though. The value of [EAX] in IMUL EAX,[EAX],08088405 seems to be the determining semi-random factor, but doesn't seem to be stored outside of memory. I thought there might be a simple copying of these bytes to the file during packing, but it doesn't seem so. They exist as hex in the unpacked packer, but don't seem to be used directly.

    So I broke on the btnProtectClick event in the unpacked packer and started tracing right up to where the packed image is written to file. Didn't find much 'cept lotsa Delphi bloat.

    Well, back into it. If I haven't returned in 24hrs send help

    PS, no worries Alexey, I don't think anyone on this end is planning to distribute copies of Asprotect. Think of it as beta testing

    Regards,
    Kayaker

  7. #7
    hOrn_dOg
    Guest
    Hi , and todays OEiP is......458FD8 !

    Everyday a new one Alexey ?

    Ya knows we just play with your nice ASProtect, as we do with all the commercial boys, and sure I have no product bigger than 5k to protect so phear not I release a 'patch' exe protected with ASP

    Thanks for the challenges, as you know we would have nothing to reverse without you ;D

    +SplAj
    I promise that I have read the FAQ and tried to use the Search to answer my question.

Similar Threads

  1. ASProtect 2.1x SKE
    By asm in forum Malware Analysis and Unpacking Forum
    Replies: 3
    Last Post: June 7th, 2006, 19:30
  2. ASProtect v1.3x
    By trnc in forum OllyDbg Support Forums
    Replies: 4
    Last Post: February 7th, 2006, 10:25
  3. ASProtect 1.23 RC4 - 1.3.08.24
    By LaBBa in forum Malware Analysis and Unpacking Forum
    Replies: 2
    Last Post: May 13th, 2004, 11:52
  4. ASProtect 1.23
    By dlt_ in forum Malware Analysis and Unpacking Forum
    Replies: 11
    Last Post: October 15th, 2003, 23:05
  5. ASProtect 1.2x
    By tigeros in forum Malware Analysis and Unpacking Forum
    Replies: 0
    Last Post: July 4th, 2001, 19:58

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •