
Thread: aspack site down ? Need latest asprotect with latest revirgin dev


  1. #1
    tsehp
    Guest

    aspack site down ? Need latest asprotect with latest revirgin dev

    hi,
    just wanted to test the latest rv with latest asprotect, but the site is down, and I can swear it's not my fault ;-) who has the latest asprotect download?

    the revirgin's tracer is now working fine on win9x and ME, and the beta will soon be available, the new tracer can resolve vbox 4.5 encrypted iat 15 times faster than before, the tracer option allows you to trace a prog like icedump, set some limits to freeze and later dump the app, I'm almost finished.

    I also have to make a decision :
    asprotect and latest vbox4.5 begins to wrap some api like this :
    iat entry 1
    code 1
    code 2
    real api call
    code 3
    ret

    and a check inside the main exe verifies if the api was called, splaj did a quick fix by directly putting the api address into iat entry 1, so all the code around is useless, but we can imagine that they could improve this.

    solution 1 : put into rv an option to redirect the iat to a rva offset into your dump that will contain the same code, but this could be long to build if later they make 100 iat's like this.

    solution 2: transform the interesting code into a fake dll, so revirgin could point the iat's to those api call wrappers, harder to do but much more harder to defeat.

    solution 3: discussion is open and suggestions are welcome...


    regards,

    tsehp
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    +SplAj
    Join Date
    Feb 2001
    Location
    Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria
    Posts
    373
    Tsehp

    pssst, maybe Alexey retired ;-)

    .........just in case tho' the dll is the way to go for me. You provide a blank 'template' dll and if code is found as before , build it, fill it with the code from aspr , link the IAT/IT to it and bobs yer uncle.

    wow, can't wait for that tracer }>

    CYA soon , still waiting for my best trousers to come back from the cleaners

  3. #3
    Kilby
    Guest
    I downloaded a version just over a week ago.

    But it's probably out of date already.

    Regards,

    Kilby...

  4. #4
    tsehp
    Guest
    +SplAj (06-25-2001 07:43):
    Tsehp

    pssst, maybe Alexey retired ;-)

    .........just in case tho' the dll is the way to go for me. You provide a blank 'template' dll and if code is found as before , build it, fill it with the code from aspr , link the IAT/IT to it and bobs yer uncle.

    wow, can't wait for that tracer }>

    CYA soon , still waiting for my best trousers to come back from the cleaners
    false alarm, it was a temp shut off for the site, maybe some rush of malcontent clients claiming for a refund ;-)

    dll seems to be the best option, but it has to be loaded dynamically, so we're still obliged to paste some loading code inside the target...

    the tracer is working on every program that I submit to it now, I just have to
    build a small disass into the tracer's window and we're on, then I'll adapt it to win2k. I'll upload the beta before Sunday, regards.

  5. #5
    Eternal Bliss
    Guest
    +Tsehp (06-27-2001 17:07):
    +SplAj (06-25-2001 07:43):
    Tsehp

    pssst, maybe Alexey retired ;-)

    .........just in case tho' the dll is the way to go for me. You provide a blank 'template' dll and if code is found as before , build it, fill it with the code from aspr , link the IAT/IT to it and bobs yer uncle.

    wow, can't wait for that tracer }>

    CYA soon , still waiting for my best trousers to come back from the cleaners
    false alarm, it was a temp shut off for the site, maybe some rush of malcontent clients claiming for a refund ;-)

    dll seems to be the best option, but it has to be loaded dynamically, so we're still obliged to paste some loading code inside the target...

    the tracer is working on every program that I submit to it now, I just have to
    build a small disass into the tracer's window and we're on, then I'll adapt it to win2k. I'll upload the beta before Sunday, regards.

    tsehp,
    I finally had some time to try out ReVirgin and also compared it with MackT's Import Reconstructor... 8P
    One thing I notice is that with ReVirgin resolving import seldom work for me. I am not sure why. 8P But I am able to unpack aspack itself (downloaded 2 days ago) with the imports nicely built.
    Sometimes, I make use of both the programs to build the import table because occasionally, ReVirgin is able to find the imports but not MackT and vice versa. 8P
    And I use MackT's to enter the RVA of the import table and size in ReVirgin too. 8P


    Regards
    EB

  6. #6
    SpeKKeL
    Join Date
    Aug 2001
    Location
    earth....
    Posts
    153
    Hajo,

    Can't wait for your new RV.
    Keeps getting better and better,
    Last version tried on PEcompact1.50
    (i know it isn't asp.) and worked 100%!

    Greetz SpeKKeL....

  7. #7
    tsehp
    Guest
    I just studied mackT new tool, the presentation is different than mine, more compact but I still prefer my old good iat table, even if it takes more place, I go quicker with it.
    It lacks a real tracer, but is a little better done concerning the disass trace section, it just looks at the iat entry and reports the first api call encountered, but this could lead to failures if alexey calls several around.

    After a while, I came to the idea to add a new function :
    show listing when an Iat does not lead to the main api, I could maybe let the user set some limits and paste this code at the dumped end, then entering into the iat the code's rva... what do you think ?

  8. #8
    Eternal Bliss
    Guest
    +Tsehp (06-29-2001 17:49):
    I just studied mackT new tool, the presentation is different than mine, more compact but I still prefer my old good iat table, even if it takes more place, I go quicker with it.
    It lacks a real tracer, but is a little better done concerning the disass trace section, it just looks at the iat entry and reports the first api call encountered, but this could lead to failures if alexey calls several around.

    After a while, I came to the idea to add a new function :
    show listing when an Iat does not lead to the main api, I could maybe let the user set some limits and paste this code at the dumped end, then entering into the iat the code's rva... what do you think ?
    Are you referring to something like cs:call dword ptr [IAT_Entry] where IAT_Entry is the VA of some code that is in a totally different address space and not 00400000? I have seen something like that in azpr.exe (unpacked last night). It is used to call DialogBoxIndirectParamA and also uses FindResource, LoadResourceA, LockResource. I had to copy and write that section of the code in an empty part of the file and patch the call.

    If that is what you are referring to, I think it is a great idea. 8) Save a lot of trouble and time. 8P
    Also, is it possible to have the option to rearrange all the IAT according to the dlls? 8P

    Regards
    EB

  9. #9
    madmax
    Guest
    I'm not sure how necessary it is to save that whole routine with the load/lock/freeresource apis with dialogbox api as well... If I recall, in elcomsoft.com products the load/lockresource apis are replaced by null reroutes, which assumes they are not important apis! But you can easily spot these when rebuilding the IAT and fix em, then replace the entry leading to the routine you copied with a simple dialogbox API... I think the advanced pdf program was like this... My two cents =P

    madmax

  10. #10
    tsehp
    Guest
    eternal bliss : exactly, code is located inside asprotect and make some eventual tests to jump above the api call, especially if some parameters are null...

    madmax: you're also right, at this point all this mess leads to a unique api, and it's normal because otherwise he would have extracted the original code into another place, it's just some mess put around the api call to confuse the live tracer.

    But if we simply invert the process by importing this code and pasting it at the dumped target's end, we don't have to trace those routines any more and the process is simplified. Maybe I'll wait a little more to see how things evolve on this subject, adding such a functionality while it's not very imperative is maybe not worth the case at the moment.

  11. #11
    Eternal Bliss
    Guest
    Hiya,
    this is going to sound quite lame but I have a question about ReVirgin... 8P

    There is IAT Resolver which I know what it is for.
    There is Resolve Again button which I am supposed to click on after IAT Resolver for the redirected APIs. This all goes well.
    But after that what is to be done?

    Right-clicking on an empty entry gives me the choice of Enable Trace and Trace. What is the difference between them?
    I tried Trace and usually it crashes and I have to go into Sice to revert a conditional jump to bring tracer.dll out of a loop. 8P
    I tried Enable Trace and the entry is changed to to_resolve. So, naturally, I would click on Resolve Again but then, the entry becomes empty like before. 8P

    Then there is the Tracer button which brings up this window with 4 edit boxes. Do I fill them in or what do I do with them? 8P When I try launching an app, it gives me a non-english error message that starts with "Impossible" so I thought it might be because the packed app is already running (so that ReVirgin can resolve the entries in the first place). I am totally lost. 8P

    Ok. Enough of my lameness. 8P
    I have attached a tut on unpacking azpr with this message. heh

    EB

  12. #12
    tsehp
    Guest
    yes I admit my interface is sometimes a little hard to understand, when you have clicked resolve again, it only fixes the redirected api calls and eventually addresses that you've manually put inside the iat entry.

    When you click enable trace, it puts the iat entry into a rv internal state, here they are :
    1-resolved
    2-not resolved
    3-redirected (to resolve)
    4-traced (to resolve)

    to resolve means that an address is found and you have to click resolve again.

    The tracer button is the next future feature of revirgin : trace an app to dump it when it lands to the oep.

    Now you've found the failure : you had to patch a jmp to stop my tracer going into an infinite loop, so I think that I could do this task :
    when the tracer is blocked on this case, I could also add an option to disass the iat entry, select the line entry to trace, this line should contain a call [xxxxxxxx] so we don't care anymore about the tests around.

    splaj : finally the dll template is a bad idea, just because they can put later some check code to see if the real protection is present, the above one seems simpler, maybe coupled with an option to import the selected code into the dumped target.
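
The wrapper shape from post #1 (code 1, code 2, real api call, code 3, ret), the entry states and "resolve again" step from post #12, and the copy-the-code-into-the-dump option from posts #1, #8 and #10, modelled in Python as an added example; this is not ReVirgin's code and not anything the thread's authors posted. Everything here is constructed: the x86 bytes of the wrapper, the addresses 0x00500000 (wrapper), 0x77E00000 (exports) and 0x00400000 (dump base used in the usage note), the export table and the four-entry IAT. The decoder knows only the handful of opcodes the sample uses and stops rather than guess at anything else, and it only follows `call dword ptr [imm32]`, the form post #12 names. `relocate_wrapper` is solution 1 from post #1 with the detail from post #8 added: the copied code's call is patched to a pointer slot inside the dump, so the rebuilt import table of the dump is self-contained, which is what an analyst rebuilding a memory dump needs.

```python
import struct
from enum import Enum

API_BASE = 0x77E00000   # assumed base of the DLL exporting the real APIs (constructed)
STUB_VA = 0x00500000    # assumed location of the protector's wrapper code (constructed)

# Constructed export table standing in for the system DLLs: VA -> name.
EXPORTS = {
    API_BASE + 0x1000: "kernel32!GetTickCount",
    API_BASE + 0x2000: "user32!DialogBoxIndirectParamA",
}

# Constructed wrapper shaped as post #1 describes: code 1, code 2, real API call, code 3, ret.
WRAPPER = bytes([
    0x55,                                             # push ebp       (code 1)
    0x8B, 0xEC,                                       # mov ebp, esp
    0x85, 0xC0,                                       # test eax, eax  (code 2: a test around the call)
    0x74, 0x06,                                       # jz +6, skips the call
    0xFF, 0x15, *struct.pack("<I", STUB_VA + 0x100),  # call [0x00500100] (real API)
    0x5D,                                             # pop ebp        (code 3)
    0xC3,                                             # ret
])

# Flat "memory": base VA -> bytes.  +0x100 is the slot the wrapper calls through,
# +0x200 a stub that never reaches an API.
MEM = {
    STUB_VA: WRAPPER,
    STUB_VA + 0x100: struct.pack("<I", API_BASE + 0x2000),
    STUB_VA + 0x200: bytes([0x55, 0x5D, 0xC3]),
}

# Constructed IAT: direct API, redirected through WRAPPER, dead stub, empty slot.
IAT = [API_BASE + 0x1000, STUB_VA, STUB_VA + 0x200, 0]

# Lengths of the few opcodes this toy decoder knows; anything else stops the sweep.
LENGTHS = {b"\x55": 1, b"\x5D": 1, b"\x90": 1, b"\xC3": 1,
           b"\x8B\xEC": 2, b"\x85\xC0": 2, b"\x74": 2, b"\xFF\x15": 6}

class State(Enum):  # post #12's states; "traced" is the same to-resolve bucket, filled by the live tracer
    RESOLVED = "resolved"
    NOT_RESOLVED = "not resolved"
    REDIRECTED = "redirected (to resolve)"

def read(mem, va, n):
    """Up to n bytes at va, or None if va is not backed by any region."""
    for base, blob in mem.items():
        if base <= va < base + len(blob):
            return blob[va - base:va - base + n]
    return None

def walk(mem, va, limit=32):
    """Linear sweep from va yielding (pc, insn) until ret, unknown opcode or limit."""
    pc = va
    for _ in range(limit):
        chunk = read(mem, pc, 6) or b""
        n = next((ln for op, ln in LENGTHS.items() if chunk.startswith(op)), 0)
        if not n or len(chunk) < n:
            return                                  # unmapped or unknown: do not guess
        yield pc, chunk[:n]
        if chunk[0] == 0xC3:
            return
        pc += n

def call_target(mem, insn):
    """Destination of a call dword ptr [imm32], or None for any other instruction."""
    if insn[:2] != b"\xFF\x15":
        return None
    ptr = read(mem, struct.unpack_from("<I", insn, 2)[0], 4)
    return struct.unpack("<I", ptr)[0] if ptr and len(ptr) == 4 else None

def classify(mem, entry):
    """Classify one IAT entry: (state, real API VA or None)."""
    if entry in EXPORTS:
        return State.RESOLVED, entry
    for _, insn in walk(mem, entry):
        target = call_target(mem, insn)
        if target in EXPORTS:
            return State.REDIRECTED, target
    return State.NOT_RESOLVED, None

def resolve_again(mem, iat):
    """Post #12's 'resolve again': rewrite redirected entries with the real API VA."""
    states = [classify(mem, entry) for entry in iat]
    return [t if s is State.REDIRECTED else e for e, (s, t) in zip(iat, states)]

def relocate_wrapper(mem, entry, dump, dump_base):
    """Solution 1 from post #1: append the wrapper to the dump behind a fresh pointer
    slot holding the real API, patch the copied call to use that slot, and return
    (new dump, RVA of the copied code) so the IAT entry can point inside the dump."""
    insns = list(walk(mem, entry))
    if not insns or insns[-1][1][0] != 0xC3:
        raise ValueError("wrapper does not end in ret")
    body = bytearray(b"".join(insn for _, insn in insns))
    slot_rva, code_rva = len(dump), len(dump) + 4
    for pc, insn in insns:
        target = call_target(mem, insn)
        if target in EXPORTS:
            off = pc - entry + 2                    # imm32 of the copied call
            body[off:off + 4] = struct.pack("<I", dump_base + slot_rva)
            return dump + struct.pack("<I", target) + bytes(body), code_rva
    raise ValueError("no resolvable api call in wrapper")
```

`classify(MEM, STUB_VA)` comes back as redirected to `user32!DialogBoxIndirectParamA`, the dead stub and the empty slot stay "not resolved", and `resolve_again(MEM, IAT)` is the quick fix from post #1 (the real API address written straight into the entry). `relocate_wrapper(MEM, STUB_VA, bytes(0x20), 0x00400000)` instead keeps the wrapper, returning a 50-byte dump whose IAT entry should become RVA 0x24; post #12's objection still applies, a check inside the protector can tell that the copied code is not where it was.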

  13. #13
    NotMe
    Guest
    Eternal Bliss (06-28-2001 04:41):
    tsehp,
    I finally had some time to try out ReVirgin and also compared it with MackT's Import Reconstructor... 8P
    ......
    ..ReVirgin is able to find the imports but not MackT and vis versa. 8P
    And I use MackT's to enter the RVA of the import table and size in ReVirgin too. 8P

    Regards
    EB
    Are you sure you can do it successfully this way?
    My answer is NO !!! Coz they handle the "Size" in different ways.

    If you got "IAT Start RVA" and "IAT Length" in Revirgin, and wanna put it to MackT's,
    you need to add 4 to the IAT Length. Or you may get an incomplete Import Table in MackT's.

    Actually, I prefer RV ^_^ .

  14. #14
    tsehp
    Guest
    a pre beta is available, with a new tracer, that is also used to trace an entire app.
    notme, write me if you want to test.

    about RV, the interface is far from perfect from my point of view, I used to work a lot on the internal code and a lot of friends helped me to debug it, but I'm still open for suggestions to improve the ergonomics.

    regards,

    tsehp


    MODIFICATION : 3/7/2001 I have enough pre beta testers ! stop writing me, I'll soon make an announcement here for the real beta. Please be patient.

  15. #15
    Eternal Bliss
    Guest
    NotMe (07-02-2001 14:54):
    Are you sure you can do it successfully this way?
    My answer is NO !!! Coz they handle the "Size" in different ways.

    If you got "IAT Start RVA" and "IAT Length" in Revirgin, and wanna put it to MackT's,
    you need to add 4 to the IAT Length. Or you may get an incomplete Import Table in MackT's.

    Actually, I prefer RV ^_^ .
    Well, I am sure I know what I am doing although I might not be saying what I thought I wanted to say. 8)
    Regards
    EB
