Thread: problem after unpacking asprotect

  1. #1
    loman
    Guest

    problem after unpacking asprotect

    Hi, I've just unpacked powerstrip, protected with asprotect... trying to run it, I receive an exception error, due to an instruction

    mov al,[ebx]

    I discovered that this happens because outside the call containing the instruction above, there's a call to GetVersion.
    In the original file it calls GetModuleHandleA, pushes the result to a location in memory, then pops this value into eax and then moves into eax a value stored in memory... I'm not pasting code since I don't want to go against the board's rules... btw I discovered that the zone of memory from which the data are fetched is initialized by GetVolumeInformationA, which is not run anymore after changing the ip... my question is how to get the real call done, since I don't have the info from GetVolume? Is there any irc channel where I can discuss with you? Thanks... regards...

    -loman
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    evaluator (Musician member)
    Join Date: Sep 2001, Posts: 1,489, Blog Entries: 1

    Write the unresolved address for the fake GetVersion.

    You can also paste a little disassembly here.

  3. #3
    loman
    Guest
    seg000:0040287A call GetVersion <-Fake
    seg000:0040287F lea edx, [ebp+var_4]
    seg000:00402882 call sub_0_4027F8
    seg000:00402887 mov ebx, eax
    seg000:00402889 xor esi, esi


    at 004027f8 we've

    seg000:004027F8 push ebx
    seg000:004027F9 push esi
    seg000:004027FA add esp, 0FFFFFF00h
    seg000:00402800 mov ebx, eax
    seg000:00402802 jmp short FUNCTION

    eax in the dumped file is C0000A04, while in the original one it is something like 8173A1A8,


    seg000:00402804 inc ebx
    seg000:00402805 mov al, [ebx] <-exception
    seg000:00402807 test al, al
    seg000:00402809 jz short primo_salto
    seg000:0040280B cmp al, 20h
    seg000:0040280D jbe short loc_0_402804

  4. #4
    evaluator
    Congratz!

    So it is:

    GetCommandLineA


    You are about the 100th newb to ask about an incorrect
    GetVersion (plugin use :)

  5. #5
    loman
    Guest
    How can you tell it's GetCommandLineA?? What do you understand it from??

    Are you reachable on irc?

  6. #6
    SilSaLaMaTa
    Guest
    Hi,
    Just search in the forum...

    Look at the next lines (after GetVersion).

  7. #7
    loman
    Guest
    thanks

  8. #8
    loman
    Guest
    I've fixed it... now it works only under win98; on XP I receive an Exception Error... I'll install a debugger under it...
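Added example, not part of any post in the thread: one way to read the listing in post #3 is to decode the two eax values quoted there and model the loop at 00402804..0040280D, which walks its input byte by byte as a NUL-terminated string. The memory contents, the function names and the version-range heuristic are assumptions made for illustration.

```python
# Added example: sample memory contents are constructed, not taken from the thread.

class AccessViolation(Exception):
    """Raised when the model reads an address that is not mapped."""

def decode_getversion(eax):
    """Split a GetVersion DWORD: low byte = major, next byte = minor,
    top bit clear = NT family (documented layout of the return value)."""
    return eax & 0xFF, (eax >> 8) & 0xFF, (eax & 0x80000000) == 0

def looks_like_version(eax):
    """Heuristic (assumption): a small major/minor pair suggests a packed
    version number rather than a pointer."""
    major, minor, _ = decode_getversion(eax)
    return 3 <= major <= 6 and minor <= 90

def read_byte(memory, addr):
    """memory maps a base address to a bytes buffer."""
    for base, buf in memory.items():
        if base <= addr < base + len(buf):
            return buf[addr - base]
    raise AccessViolation(hex(addr))

def scan_loop(memory, ebx):
    """Model of 00402804..0040280D: step forward, load a byte, stop on NUL
    or on the first byte above 0x20 (jbe loops on blanks and controls)."""
    while True:
        ebx += 1                      # inc ebx
        al = read_byte(memory, ebx)   # mov al, [ebx]
        if al == 0 or al > 0x20:      # jz ... / cmp al, 20h ; jbe loop
            return ebx, al

# Constructed string placed at the pointer-like value quoted for the original file.
MEMORY = {0x8173A1A8: b"A   /x\x00"}

def triage(eax):
    """Describe what the scan loop would do with this call result."""
    try:
        end, al = scan_loop(MEMORY, eax)
        return "string pointer, stopped at +%d on %r" % (end - eax, chr(al))
    except AccessViolation:
        major, minor, nt = decode_getversion(eax)
        kind = "version %d.%d, %s" % (major, minor, "NT" if nt else "non-NT")
        return "fault; value decodes as " + kind if looks_like_version(eax) else "fault"

if __name__ == "__main__":
    for value in (0xC0000A04, 0x8173A1A8):
        print(hex(value), "->", triage(value))
```
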
