
Thread: Alexey's *new* trick?

  1. #1
    +SplAj
    Join Date
    Feb 2001
    Location
    Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria
    Posts
    373

    Alexey's *new* trick?

    Hi fellow reversers,

    We all know very well the redirected API trick that ASProtect employs to deter dumping and rebuilding protected exes.

    Well, last night I played with Rot8 target 'TagRename' from softpointer.com. When I had unpacked it with Revirgin's help, the program still did not run. Further analysis showed the following call very early on:

    EAX=00000000 EBX=00710000 ECX=00000000 EDX=00000000 ESI=818AD11C
    EDI=00000000 EBP=0081FE38 ESP=0081FE28 EIP=0127C784 o d I s Z a P c
    CS=0167 DS=016F SS=016F ES=016F FS=1B57 GS=3356 DS:012835A8=00536778
    ─────TAGRENAME!+0C44──────────────────────────────byte──────────────PROT──(0)──
    0030:0053BC44 84 C7 27 01 00 00 00 00-00 00 00 00 00 00 00 00 ..'.............
    0030:0053BC54 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
    0030:0053BC64 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
    0030:0053BC74 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
    0030:0053BC84 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
    0030:0053BC94 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
    0030:0053BCA4 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
    0030:0053BCB4 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
    0030:0053BCC4 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
    0030:0053BCD4 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
    ─────────────────────────────────────────────────────────────────────────PROT32
    0167:0127C783 90 NOP 
    0167:0127C784 833DA835280100 CMP DWORD PTR [012835A8],00 
    0167:0127C78B 7406 JZ 0127C793
    0167:0127C78D FF15A8352801 CALL [012835A8]
    0167:0127C793 C3 RET

    The CALL [012835A8] is really CALL 536778.

    i.e. there is now REDIRECTED 'CODE' as well. In this case there was just one call to fix manually, to point to the real 'call 536778' instead of 0127C784: replacing the bytes 84C72701 at 53BC44 with 78675300 (reversed bytes). Then the program ran sweet. BUT in the future maybe many of these, with a twist of bitter lemon for us???

    So what else can he do?

    SplAj
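
The mechanics SplAj describes, as an added Python example (this is not code from the post or from any tool named in the thread). It models only the three memory cells the post quotes: the pointer slot at 53BC44 holding 84C72701, the 16-byte stub at 0127C784 (CMP DWORD PTR [012835A8],0 / JZ / CALL [012835A8] / RET), and the cell at 012835A8 holding 00536778. The sparse-memory layout and the IMAGE_RANGE bounds are constructed assumptions so the script runs offline; the decoder recognises only this exact stub shape and raises on anything else, which is the honest failure mode once redirections get more elaborate, as tsehp warns below.

```python
import struct

# Addresses and bytes are the ones quoted in the post above; the sparse-memory
# layout and IMAGE_RANGE are constructed assumptions for this example only.
SLOT_ADDR = 0x0053BC44      # pointer slot in the dumped image (held 84 C7 27 01)
STUB_ADDR = 0x0127C784      # protector stub the slot was redirected to
CELL_ADDR = 0x012835A8      # cell the stub tests and calls through
REAL_TARGET = 0x00536778    # value in that cell: the real callee
IMAGE_RANGE = (0x00400000, 0x00600000)  # hypothetical bounds of the dumped image

# Constructed sparse memory {base: bytearray}: only the regions the post shows.
MEMORY = {
    SLOT_ADDR: bytearray(struct.pack("<I", STUB_ADDR)),                    # 84 C7 27 01
    STUB_ADDR: bytearray(bytes.fromhex("833DA835280100" "7406" "FF15A8352801" "C3")),
    CELL_ADDR: bytearray(struct.pack("<I", REAL_TARGET)),                  # 78 67 53 00
}


def read(addr, n):
    """Return n bytes at addr, or raise KeyError if the range is not in the dump
    (a slot pointing into a protector region that was never dumped ends up here)."""
    for base, buf in MEMORY.items():
        if base <= addr and addr + n <= base + len(buf):
            off = addr - base
            return bytes(buf[off:off + n])
    raise KeyError(f"unmapped: {addr:#010x}")


def write(addr, data):
    """Overwrite bytes in place; same mapping rule as read()."""
    for base, buf in MEMORY.items():
        if base <= addr and addr + len(data) <= base + len(buf):
            off = addr - base
            buf[off:off + len(data)] = data
            return
    raise KeyError(f"unmapped: {addr:#010x}")


def decode_stub(code):
    """Recognise the 16-byte stub  CMP DWORD PTR [cell],0 / JZ +6 / CALL [cell] / RET
    and return the cell address; return None for any other byte sequence."""
    if len(code) < 16:
        return None
    if code[0:2] != b"\x83\x3d" or code[6] != 0x00:      # 83 3D imm32 00
        return None
    cmp_cell = struct.unpack_from("<I", code, 2)[0]
    if code[7:9] != b"\x74\x06":                          # 74 06: skip the CALL if cell == 0
        return None
    if code[9:11] != b"\xff\x15":                         # FF 15 imm32: CALL DWORD PTR [imm32]
        return None
    call_cell = struct.unpack_from("<I", code, 11)[0]
    if code[15] != 0xC3:                                  # C3: RET
        return None
    return cmp_cell if cmp_cell == call_cell else None    # both must name the same cell


def resolve_slot(slot):
    """Follow a pointer slot. If it already points into the image it is direct;
    otherwise it must point at a recognised stub whose cell holds the real target.
    Returns (target, was_redirected)."""
    target = struct.unpack("<I", read(slot, 4))[0]
    if IMAGE_RANGE[0] <= target < IMAGE_RANGE[1]:
        return target, False
    cell = decode_stub(read(target, 16))
    if cell is None:
        raise ValueError(f"slot {slot:#010x} -> {target:#010x} is not a recognised stub")
    real = struct.unpack("<I", read(cell, 4))[0]
    return real, True


def fix_slot(slot):
    """Rewrite the slot with the resolved target in little-endian order and return
    the old and new byte strings, in the form the post quotes them."""
    old = read(slot, 4)
    real, redirected = resolve_slot(slot)
    new = struct.pack("<I", real)
    if redirected:
        write(slot, new)
    return old.hex().upper(), new.hex().upper()


if __name__ == "__main__":
    old, new = fix_slot(SLOT_ADDR)
    print(f"{SLOT_ADDR:#010x}: {old} -> {new}")
```

Note the JZ in the stub: if the cell is still zero when the stub runs, the call is silently skipped rather than faulting, so a dump taken before the protector filled the cell would resolve to nothing useful; the example surfaces that case as a KeyError or ValueError instead of guessing.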

  2. #2
    tsehp
    Guest
    He can do a lot of things, using registers, or making the calls bounce
    in mem 1000 times:
    1- the tracer can be used to detect this if the redirections become too complicated
    2- considering asprotect, this will stay (unfortunately) a private discussion, the guy takes too much info from this site

    regards,

    +Tsehp
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #3
    McNy@Work
    Guest
    Hi,

    Tag&Rename has used this method since version 1.6 or 1.7 (it was protected by ASProtect 1.1x then).
    It used an ASProtect API to do this.

    P.S.: SoftPointer had learned a bad habit from that guy. They updated and changed the program files without changing the date or updating the news on their website 8-) (Just for a smile...)
    So, the call value and redirect value you saw might not be the same as +SplAj's...

  4. #4
    BlackB
    Guest
    *ehem*

    What did I post on this messageboard concerning ASProtect discussion some months ago? Yes, to keep it private..... nobody agreed with my opinion...... what a sudden change of thought now :P

    I think it's a good idea to keep in mind that we're the BAD guys, and he (Alexey) is the GOOD guy. He protects, we try to deprotect and thus also take away money from him.
    So be careful with the so-called reverser/author friendship.
    And you know, if I was a protector, I'd infiltrate the cracking scene and try to set 'em all up. Yeah, I'm evil too, but luckily a cracker

    greets

    BlackB

  5. #5
    tsehp
    Guest
    Now I agree with you BlackB, at a certain level we must keep things private, but we also could infiltrate some protectors' msgboards and
    set them up also. The bad news is that I don't know about any
    existing ones, it must be too private for me to know.
