britedream either you got previous version or newer one? or the OEP from the attached tree is wrong

and maybe this IAT won't work with my dumped exe! :(

i got Whereisit? v3.60.521 and right OEP is: 002FB5EC (006FB5EC)

for any where is it version or just latest one look with W32dasm for the unique text string : AMAINICON go a little up where that piece of code start
( 558BEC83C4F0 .....)that's the OEP.

would you confirm which exactly version you got?

Regards

you are right my version is 3.59 , but by fixing the table it will not work, there are anti dumps you have to over come. I am also looking to make it works on other pces . so give some time .


note:
I have to give you my unpacked to work with it ,becuase if you dump from your
original, the doors to iat already changed to asprotect area.

Hi,
More and more unAmrmadiloed, unAsproteced stuff refuse to run on non XP machines. RestoreLastError cannot be found in non XP kernel.

I have fixed this replacing RestoreLastError with FlushFileBuffers

Am I wrong?

To R@der and hobgoblin:

I sent you the unpacked target that should work on all xp pces, please feed back.

sorry svensk I don't have your email.

In all instances, you should replace calls to RestoreLastError with SetLastError.

To britedream
 

Runs fine on my computer. thanks for the files. I'm about to start digging now. :)

regards,
hobgoblin

To hobgoblin
 

Thanks hobglobin for the feed back, now extools forum may be the first to unpack this lovable protector.


regards.

TARGET: http://www.jufsoft.com/badcopy

Protection: Latest ASProtect

Used Britedream's Olly script for "ASPR 1.3b" and got to OEP

Without using Ollyscript I did this to get to the OEP.

Hit Shift+F9 26 times and here:
0115E56E 0156 00 ADD DWORD PTR DS:[ESI],EDX

Put BP here:
0115E588 833D 6C3B1601 00 CMP DWORD PTR DS:[1163B6C],0

And hit Shift+F9 and Olly breaks. Then Alt+M and put BP on memory access on code. Then Set the debugging options and hit F9 once and you are at the OEP(Remove analysis) with no stolen bytes.

00501184 55 PUSH EBP
00501185 8BEC MOV EBP,ESP
00501187 83C4 F0 ADD ESP,-10
0050118A B8 240E5000 MOV EAX,BadCopy.00500E24
0050118F E8 105EF0FF CALL BadCopy.00406FA4


Dumped the target and there were no unresolved pointers and fixed IAT and then dump file.

But target wont run

Error: Access violation while reading [1181B34]

00407294 $- FF25 C841C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetModuleFileNameA
0040729A 8BC0 MOV EAX,EAX
0040729C $- FF25 CC41C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetModuleHandleA
004072A2 8BC0 MOV EAX,EAX
004072A4 $ FF25 341B1801 JMP DWORD PTR DS:[1181B34]
004072AA 8BC0 MOV EAX,EAX
004072AC $- FF25 D041C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetProfileStringA
004072B2 8BC0 MOV EAX,EAX
004072B4 $- FF25 D441C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetStdHandle

How to fix this plz help.

Regards,

IAT..
 

and how did you find the address for the IAT?

regards,
hobgoblin

err. spank me, I did not save the tree. I started Imprec, attached to the process and just hit IAT auto search (did not enter the OEP) and got the message found something, get imports, size was something around 7xx and there were no unresolved pointers, all import functions were valid. But now again when I do the same Imprec displays could not find anythng :confused:
I have the "dump_.exe" Shall I upload?

Regards,

Thanks
 

Thanks for the reply. How to find the place in aspr code where the iat table is created/written to memory somehow eludes me. Usually I use a bp GetProcAddress to find it, but this time I don't. I do find a place where this api is called to find the addresses to an iat, but I'm not sure whether this is the correct one.
Well, well. I have to dig deeper I guess. :)

regards,
hobgoblin

Let me give you some help hobgoblin :)... aspr IAT redirection code is all here... of course the memory address will be diff but i am sure you can figure out how to get there based on relative offset :)

@hobglobin:

O there was a misunderstanding. Now I understand, your question was addressed to britedream :D and I thought you were asking me :eek:

Anyways britedream will you plz help me on this target I posted ;)

Regards,

no
 

It was for you. :)
I was looking at Badcopy...

hobgoblin

To crusader: I guess the code you listed is for BadCopy? Or maybe its a general code?

nice bit of IDA work crusader :)

well let the app load into memory and find one the of call [xxxxxxxx] that points to the aspr memory, take a note of the address of the call opcode and add 2 to it so u have address of the offset, load your target into ollydebug and set the data window to the address u found, set olly to stop on exceptions and let the target run, keep an eye on the data window as u pass
each exception, u will see the data change once as aprs decodes / unpacks
and then the data will change once more as the code crusader pasted does it stuff, u can count the number of exceptions from the 1st change to the second change, stop on the last one before the data changes again, look below and should be very close to the code crusader pasted.

also its possible to set a bpm from within sice on the data address
to stop when its written to. (not %100)

- Darren