
Thread: Either new aspr, better implementation or asshole author code ;)

  1. #1
    nchanta

    Hola all, 'tis me again.

    Feels nice to post on this nice new board.

    Pastel colours and a much kewler interface, tsehp.

    Anyway, back to my topic. I was referred to this by a friend on #c4n (hi lost).

    AiS Watermark Pictures Protector v2.1
    http://www.atomintersoft.com

    It's got the weirdest implementation of aspr I've seen (I think).

    I unpack as normal, fix imports as normal, seems nothing new there (it makes me wanna think this isn't a new ver, but I can't be sure).

    But after I fix everything and go to run, it seems the bastard BSODs. I traced it to the first API call, an 'EnterCriticalSection' one. I don't think the CriticalSection is initialised????????

    Anyone can help me plz?

    NchantA

  2. #2
    tsehp
    Checking out with new rv (soon on beta).

  3. #3
    nchanta
    Ohh goodie.

    Hi tsehp. Btw, how is rv going?

    Do you know if rv could help in fixing the new SecuROM shit?

  4. #4
    Damn, it is very tough. I have completed only part of it.
    OEP 11A59C, IAT 124190, import is rebuilt with ImpREC.

    0045E754 7404 jz 0045E75A change to jmp
    0045E75F 7413 jz 0045E774 change to jmp
    004C5976 E8FD8DF9FF call 0045E778 nop it
    0045E46C FF1500185200 call dword ptr [521800] should be call 004C5828

    It doesn't end here. It checks for asprotect a lot. Very pathetic author.

  5. #5
    Hiya,
    Recommend you take a closer look inside the 0045E778 proc.
    "Very pathetic author", why? The name of the game is to make it a bit more difficult, isn't it?

  6. #6

    IT

    Hi all, Nchanta, tsehp

    Happy to read you again.

    Have rebuilt a valid IT (exe works with some patches (AS checks)).
    I send the IT if it can be useful.

    SV

    Sorry, but the attachment doesn't seem to work.
    Last edited by sv; September 11th, 2001 at 09:18.

  7. #7

    Re: IT

    Upload works now!
    Thx Tsehp
    Attached Files
    Last edited by sv; September 12th, 2001 at 09:44.

  8. #8
    Hiya sv,
    Nice to hear from you. Beat you to this one, still haven't got that f****** aqua though.

  9. #9
    tsehp

    I've got it

    First, I'll pray for the people that died in this horrible terrorist attack for a long time...

    Finally I've made it work. Pretty good implementation, but it only tests in mem if asprotect is present.

    1- With new rv (soon available) trace and find OEP 51a59c.
    Dump your target with ProcDump while rv's tracer holds the program frozen.

    Use fetch iat, resolve iat's, show unresolved, use 'api emulator' (new function to resolve the latest asprotect small api emulation).
    Everything is resolved but two entries; trace them and make a resolve again... then iat generator, and the new IT is dumped into your dump, which is realigned.

    2- I'll assume you didn't deviate the first asprotect entries inside the target before reaching the OEP.

    403eb0 patch to jmp (you've forgotten this, laptonic)
    Next, laptonic's work:

    0045E754 7404 jz 0045E75A change to jmp
    0045E75F 7413 jz 0045E774 change to jmp
    004C5976 E8FD8DF9FF call 0045E778 nop it
    0045E46C FF1500185200 call dword ptr [521800] should be call 004C5828

    And the target loads. I leave you the final work to reg it; asprotect is removed.


    regards,

    tsehp
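The patch list in posts #4 and #9 is given as "VA, original bytes, what to change it to". Below is an added Python example (not code from the thread or from rv/ImpREC) that turns that list into a checked binary patcher: it converts each short Jcc into a short JMP, NOPs the check call, and rewrites the indirect `call dword ptr [521800]` into a direct `E8` call to 004C5828 by computing the rel32 displacement itself, padding the 6-byte FF15 form with a NOP. It refuses to write unless the bytes already at that VA are the ones the thread reports, which is the check you want before touching a dump. Assumptions labelled in the code: the dump is realigned so file offset = VA - ImageBase, ImageBase is the default 0x400000, and `make_test_image` is a constructed zero-filled stand-in for the real dump with only the expected bytes planted at the patch addresses.

```python
import struct

IMAGE_BASE = 0x400000  # assumption: default Win32 image base of the realigned dump


def rel32(src_va, dst_va, insn_len=5):
    """Displacement for an E8/E9 rel32 instruction of insn_len bytes located at src_va."""
    return (dst_va - (src_va + insn_len)) & 0xFFFFFFFF


def encode_direct_call(src_va, dst_va, pad_to=6):
    """E8 rel32 plus NOP padding, replacing a pad_to-byte indirect FF15 call in place."""
    body = b"\xE8" + struct.pack("<I", rel32(src_va, dst_va))
    if len(body) > pad_to:
        raise ValueError("direct call does not fit in the original instruction")
    return body + b"\x90" * (pad_to - len(body))


def decode_call_target(src_va, insn):
    """Resolve the absolute target of an E8 rel32 call found at src_va (sanity check)."""
    if len(insn) != 5 or insn[0] != 0xE8:
        raise ValueError("not a 5-byte E8 call")
    disp = struct.unpack("<i", insn[1:5])[0]
    return (src_va + 5 + disp) & 0xFFFFFFFF


def jcc_to_jmp(insn):
    """Short conditional jump (70..7F rel8) -> unconditional short JMP (EB rel8), same length."""
    if len(insn) != 2 or not 0x70 <= insn[0] <= 0x7F:
        raise ValueError("not a short Jcc")
    return b"\xEB" + insn[1:2]


def nop_out(insn):
    return b"\x90" * len(insn)


# The patches reported in the thread: (VA, bytes expected there, replacement bytes).
PATCHES = [
    (0x45E754, bytes.fromhex("7404"), jcc_to_jmp(bytes.fromhex("7404"))),
    (0x45E75F, bytes.fromhex("7413"), jcc_to_jmp(bytes.fromhex("7413"))),
    (0x4C5976, bytes.fromhex("E8FD8DF9FF"), nop_out(bytes.fromhex("E8FD8DF9FF"))),
    (0x45E46C, bytes.fromhex("FF1500185200"), encode_direct_call(0x45E46C, 0x4C5828)),
]


def va_to_offset(va, image_base=IMAGE_BASE):
    # assumption: realigned dump, so raw offset == RVA
    return va - image_base


def apply_patches(image, patches, image_base=IMAGE_BASE):
    """Return (patched image, list of VAs patched); raise rather than write over unexpected bytes."""
    buf = bytearray(image)
    applied = []
    for va, expect, new in patches:
        off = va_to_offset(va, image_base)
        if off < 0 or off + len(expect) > len(buf):
            raise ValueError(f"VA {va:08X} lies outside the image")
        if len(new) != len(expect):
            raise ValueError(f"patch at {va:08X} changes instruction length")
        found = bytes(buf[off:off + len(expect)])
        if found != expect:
            raise ValueError(f"bytes at {va:08X} are {found.hex()}, expected {expect.hex()}")
        buf[off:off + len(new)] = new
        applied.append(va)
    return bytes(buf), applied


def make_test_image(patches, size=0x130000, image_base=IMAGE_BASE):
    """Constructed stand-in for the dump: zero-filled, with only the expected bytes planted."""
    buf = bytearray(size)
    for va, expect, _ in patches:
        off = va_to_offset(va, image_base)
        buf[off:off + len(expect)] = expect
    return bytes(buf)


if __name__ == "__main__":
    # For a real dump: image = open("dumped.exe", "rb").read(); then write the result back.
    image = make_test_image(PATCHES)
    patched, done = apply_patches(image, PATCHES)
    for va in done:
        print(f"patched {va:08X}")
```

Running it a second time on the already patched image raises, because the expected bytes are gone; that is deliberate, so a patch list cannot be applied to the wrong dump or applied twice.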

  10. #10
    tsehp

    Re: Re: IT

    Originally posted by sv
    Post attachment test

    Here is error text :

    Warning: SAFE MODE Restriction in effect. The script whose uid is 10012 is not allowed to access /tmp/ais_idata.zip owned by uid 0 in /usr/local/plesk/apache/vhosts/woodmann.com/httpdocs/vbulletin/upload/admin/functions.php on line 1606

    Warning: fopen("/tmp/ais_idata.zip","rb") - Undefined error: 0 in /usr/local/plesk/apache/vhosts/woodmann.com/httpdocs/vbulletin/upload/admin/functions.php on line 1606

    Warning: Supplied argument is not a valid File-Handle resource in /usr/local/plesk/apache/vhosts/woodmann.com/httpdocs/vbulletin/upload/admin/functions.php on line 1607

    Warning: Supplied argument is not a valid File-Handle resource in /usr/local/plesk/apache/vhosts/woodmann.com/httpdocs/vbulletin/upload/admin/functions.php on line 1608

    Warning: SAFE MODE Restriction in effect. The script whose uid is 10012 is not allowed to access /tmp/ais_idata.zip owned by uid 0 in /usr/local/plesk/apache/vhosts/woodmann.com/httpdocs/vbulletin/upload/admin/functions.php on line 1629


    Those problems are now over, re-upload please!

  11. #11
    Kilby
    If you wanna see a properly implemented asprotect, have a look at iglooftp 3.

    http:\\w*w.iglooftp.com

    It's a stinker.

    Kilby...

  12. #12
    SpeKKeL

    h'mmmmmm.......

    HaJO !

    Well, again about the IAT from aiswpp: I downloaded sv's IAT and I'm wondering how the 2 directed APIs at:

    170c968 push ebp
            mov ebp,esp
            mov eax,[ebp+08]
            pop ebp
            ret 004
    and at
    170c974 push ebp
            mov ebp,esp
            ret 004
    are traced to kernel's LockResource (170c968) and the second to
    kernel's FreeResource (170c974).
    I thought I must use kernel's ord_2f (ret 004) or a GetProcAddress......

    Could someone explain how they did trace to the lock/free resource..

    Van de la SpeKKeL....

  13. #13
    tsehp

    Re: h'mmmmmm.......

    Originally posted by SpeKKeL
    HaJO !

    Well, again about the IAT from aiswpp: I downloaded sv's IAT and I'm wondering how the 2 directed APIs at:

    170c968 push ebp
            mov ebp,esp
            mov eax,[ebp+08]
            pop ebp
            ret 004
    and at
    170c974 push ebp
            mov ebp,esp
            ret 004
    are traced to kernel's LockResource (170c968) and the second to
    kernel's FreeResource (170c974).
    I thought I must use kernel's ord_2f (ret 004) or a GetProcAddress......

    Could someone explain how they did trace to the lock/free resource..

    Van de la SpeKKeL....

    Ha ha ha ha, this funny board self-detected some jokes inside your listing.

    All those entries are to emulate a ret 4, a normal ret with add esp,4, and that's all.

  14. #14
    SpeKKeL

    Thanks, going to try it..

    Yep,

    maybe the questions were too simple....

    Thanks + Tseph

    Think I've got them all.

    Spek..
