Thread: ASProtect v1.23 drives me crazy :(

  1. #1
    BruceLee
    Guest

    ASProtect v1.23 drives me crazy :(

    Hi,

    Now I have a little problem with ASProtect v1.23.

    Proggie is Simple.ReStopAll.Pro 1.0 build 6
    url: DELETED - Get the Hint?
    size: ~500kb

    but it doesn't matter

    Problem is:

    I found the entry point, 0040BDF3h, dumped, and so on.
    I start ImpREC and first try the IAT auto search, but nothing. Then I enter the real entry point and search again.
    ImpREC finds the IAT at RVA: 11000, Size 360
    )))
    OK!
    Then Show Invalid, Trace Level 1, and ImpREC is dead! POOF!
    I attach unresolved.zip for you!
    OK, OK, now I want to do this manually, but there is a problem!

    example:

    1 00011194 kernel32.dll 0210 InterlockedIncrement
    0 00011198 ? 0000 00DD1210
    1 0001119C kernel32.dll 0131 FreeEnviromentStringsW

    I put a breakpoint on the real entry point and try to unassemble 00DD1210h:

    004111A8 65369210 65369040 65367A40 6536B5E0 ..6e@.6e@z6e..6e
    ---------------------------------------------------------------------------
    0040BEB4 56 PUSH ESI
    0040BEB5 FF1598114100 CALL [00411198] ; here I am
    0040BEBB 50 PUSH EAX

    <F8>

    :00DD120E 8BC0 MOV EAX,EAX ;landing here
    :00DD1210 55 PUSH EBP
    :00DD1211 8BEC MOV EBP,ESP
    :00DD1213 8B4508 MOV EAX,[EBP+08]
    :00DD1216 85C0 TEST EAX,EAX
    :00DD1218 7507 JNZ 00DD1221 ; no jump
    :00DD121A A17469DD00 MOV EAX,[00DD6974]
    :00DD121F EB06 JMP 00DD1227 ;jump , hmmm
    :00DD1221 50 PUSH EAX
    :00DD1222 E8313FFFFF CALL KERNEL32!GetModuleHandleA
    :00DD1227 5D POP EBP ; after jump
    :00DD1228 C20400 RET 0004

    Is it GetModuleHandle or what??

    The next example drives me crazy!!!!

    0041114C 00DD1270 00DE4DB8 00DE4DC4 00DE4DD0 p....M...M...M..e..6e
    ─────────────────────────────────────────────────────────────────────────PROT32
    :0040BE67 FF154C114100 CALL [0041114C] ; I am here <F8>
    :0040BE6D A3A8734100 MOV [004173A8],EAX

    landing here

    :00DD1270 6A00 PUSH 00
    :00DD1272 E8E13EFFFF CALL KERNEL32!GetModuleHandleA
    :00DD1277 FF35F06CDD00 PUSH DWORD PTR [00DD6CF0]
    :00DD127D 58 POP EAX
    :00DD127E C3 RET

    GetModuleHandle again? I don't think so!
    But which API is it???
    After the RET:

    EAX=8158B5D8 EBX=00560000 ECX=815ACEBC EDX=815A8090 ESI=00000000
    EDI=00000000 EBP=0066FE38 ESP=0066FDC4 EIP=0040BE72 o d I s z a P c
    CS=0167 DS=016F SS=016F ES=016F FS=2DC7 GS=0000
    ─────RESTOPALL!+33A8─────────────────────────dword─────────────PROT──(0)──
    :004173A8 8158B5D8 00000000 00000000 00000000 ..X.............
    :004173B8 00000000 00000000 00000000 00000000 ................
    :004173C8 00000000 00000000 00000000 00000000 ................
    :004173D8 00000000 00000000 00000000 00000000 ................
    :004173E8 00000000 00000000 00000000 00000000 ................
    :004173F8 00000000 00000000 00000000 00000000 ................
    :00417408 00000000 00000000 00000000 00000000 ................
    :00417418 00000000 00000000 00000000 00000000 ................
    ─────────────────────────────────────────────────────────────────────PROT32
    :0040BE67 FF154C114100 CALL [0041114C]
    :0040BE6D A3A8734100 MOV [004173A8],EAX

    Hmmm... I'm lost. How can I know which API is the correct one, and how can I find them?

    Sorry for my bad English! Please give me a hand! I know that it is no problem for you!

    Regards,
    Bruce Lee
    I promise that I have read the FAQ and tried to use the Search to answer my question.
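
    A small symbolic walk over the two stubs quoted above, added here as an example (the listings are the post's own; the parser and the walk are not code from the thread, from ImpREC or from SoftICE): it follows every path through a stub and reports where EAX comes from at RET. For the first stub that is either the cached global at 00DD6974 or the real GetModuleHandleA result; for the second, the GetModuleHandleA call is made and its result thrown away, and the stub returns the DWORD stored at 00DD6CF0, so the returned value, not the call you see, is what identifies the emulated API.

```python
import re
# Listings copied from the post above; parser and walk are an added example, not thread code.
STUB_A = """
:00DD1210 55 PUSH EBP
:00DD1211 8BEC MOV EBP,ESP
:00DD1213 8B4508 MOV EAX,[EBP+08]
:00DD1216 85C0 TEST EAX,EAX
:00DD1218 7507 JNZ 00DD1221
:00DD121A A17469DD00 MOV EAX,[00DD6974]
:00DD121F EB06 JMP 00DD1227
:00DD1221 50 PUSH EAX
:00DD1222 E8313FFFFF CALL KERNEL32!GetModuleHandleA
:00DD1227 5D POP EBP
:00DD1228 C20400 RET 0004
"""
STUB_B = """
:00DD1270 6A00 PUSH 00
:00DD1272 E8E13EFFFF CALL KERNEL32!GetModuleHandleA
:00DD1277 FF35F06CDD00 PUSH DWORD PTR [00DD6CF0]
:00DD127D 58 POP EAX
:00DD127E C3 RET
"""
LINE_RE = re.compile(r"^:([0-9A-F]{8})\s+([0-9A-F]+)\s+([^;]+?)\s*(?:;.*)?$")
def parse_listing(text):  # address -> (instruction, fall-through address)
    rows = [m for m in map(LINE_RE.match, text.strip().splitlines()) if m]
    return {int(m[1], 16): (m[3], int(m[1], 16) + len(m[2]) // 2) for m in rows}
def return_sources(text):  # follow every path; collect symbolic EAX at each RET
    code = parse_listing(text)
    found, seen, work = set(), set(), [(min(code), "unknown", None)]
    while work:
        addr, eax, pushed = work.pop()
        if (addr, eax) in seen or addr not in code:
            continue
        seen.add((addr, eax))
        insn, nxt = code[addr]
        if insn.startswith("RET"):
            found.add(eax)
        elif insn[:3] in ("JMP", "JNZ"):           # taken branch (JNZ also falls through)
            work.append((int(insn[4:], 16), eax, pushed))
        elif insn.startswith("MOV EAX,["):          # cached global (or the argument)
            eax = "global " + insn[9:-1]
        elif insn.startswith("CALL "):              # result of the real API call
            eax = "call " + insn[5:]
        elif insn.startswith("PUSH DWORD PTR ["):   # PUSH [global] / POP EAX idiom
            pushed = "global " + insn[16:-1]
        elif insn == "POP EAX" and pushed:
            eax, pushed = pushed, None
        if insn[:3] not in ("RET", "JMP"):          # everything else falls through
            work.append((nxt, eax, pushed))
    return found
```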

  2. #2
    hobgoblin
    Registered User (Join Date: Oct 2001, Location: Norway, Posts: 138)

    Do a search...

    If you do a search on this board (the button up on the right), you will find that all your questions will be answered after doing a little bit of reading.
    Just to help you off: do a search for kayaker (or G6 FTP server, if you want...). Read everything in those threads.
    What you are asking is pure basics for unpacking ASProtect. When I started reading the threads, I quickly learned the necessary skills. It is much better to read, try out stuff and learn as you go than to get served a ready-made solution. That's my opinion. :-)
    Good luck.:-)
    hobgoblin

    PS. I checked out this program before posting this reply, and didn't find any particular problems at all.

  3. #3
    BruceLee
    Guest

    Thx!

    Thank you for responding, I'll try!

    BruceLee

  4. #4
    BruceLee
    Guest

    Hmmm, I have a few questions.

    I read the previous thread about ASProtect. I read that ASProtect is in a DLL. But how do I dump aspr.dll for reversing?

    And how do we know what, for example, GetCommandLineA returns?

    Thx, Bruce Lee
