Exetools

where's the error in this asprotect-target? (https://forum.exetools.com/showthread.php?t=3126)

mtw 01-01-2004 05:30

@Markus

Just change the RVA to 0014A0EC or even lower, 0014A000.
It takes more time to search, but you will know you have
a correct IAT. Imprec does get this value wrong a lot, and
increase the size a few hundred more.

MaRKuS-DJM 01-01-2004 05:44

yes, i've done that, but imprec can't find the function GetTimeFormatW, and the other api... it has resolved it as Shell32

mtw 01-01-2004 07:43

There is a plugin for imprec called AsProtection 1.22; use it
to resolve some entries you can seem to correct. It does
a good job finding them.

And a hint on the unwrapped protection:
415B40 and 4158B1. These 2 locations will save you some
time looking for the reg check.

MaRKuS-DJM 01-01-2004 19:43

yes, the reg-check was easy to find :)

MaRKuS-DJM 01-01-2004 20:10

mtw, is this the standard ImportRec 1.6 Plugin? if not, can you attach it? i can't find this plugin. and the standard-plugin can't resolve it

mtw 01-02-2004 07:08

ASProtect 1.22.dll comes in the 1.6 zip file,
and if you still can't resolve them, load the protected app
and follow it till you hit the jmp table for imports,
and look at the window to see the address of the
function you're in. Then just use imprec and tell
it what function that jmp is and what dll it is.

I've had to do this for Codecoffer protected apps until
I wrote a plugin for imprec to resolve them. It takes
longer, but if there are only a few it doesn't take long. And one
other thing: I'm running W2K, so there may be a difference in the
way imprec looks up the addresses.

MaRKuS-DJM 01-02-2004 18:13

i tried to follow the table (OllyDebug) and it says "no memory at the specified address", this is the reason why i'm so confused.

mtw 01-03-2004 10:37

What is the jmp table address in the app and the address
it is trying to jmp to? There is one jmp I have to manually
make a function (retn 4) for, a jmp address that is part of the protection. If this is the address I can tell you how to
resolve this. But from your I don't believe this is the one.

Your best bet is to put a bp on that jmp address in the
protected app after you hit the OEP. Then when it breaks,
trace it; it might be part of the protection.

MaRKuS-DJM 01-15-2004 22:52

mtw, i got it handled now :) but thanks for your reply. it doesn't find the GetTimeFormatW (all @too high address) but it works perfect. maybe it's because i have windows XP and you Windows 2000


All times are GMT +8.