Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Still need help with Asprotect (https://forum.exetools.com/showthread.php?t=3599)

britedream 03-14-2004 11:23

Dear popeyfan!
My post above is to inform you that nothing is wrong with the trace method, so you should look into your problem in the setup, as Satyric0n indicated, or in the starting point of the trace, rather than reading the post as if I didn't believe you, which is sadly discouraging to members who want to help you.

smallfox 03-14-2004 16:04

britedream,

I need to find the stolen bytes.

Can you point them out to me?

I'm lost as to how many bytes were stolen, and here's what I've done ...

006342AA 6300 ARPL DWORD PTR DS:[EAX],EAX
006342AC 0000 ADD BYTE PTR DS:[EAX],AL
006342AE 0000 ADD BYTE PTR DS:[EAX],AL
006342B0 0000 ADD BYTE PTR DS:[EAX],AL
006342B2 0000 ADD BYTE PTR DS:[EAX],AL
006342B4 0000 ADD BYTE PTR DS:[EAX],AL
006342B6 0000 ADD BYTE PTR DS:[EAX],AL
006342B8 0000 ADD BYTE PTR DS:[EAX],AL
006342BA 0000 ADD BYTE PTR DS:[EAX],AL
006342BC 0000 ADD BYTE PTR DS:[EAX],AL
006342BE 0000 ADD BYTE PTR DS:[EAX],AL
006342C0 E8 1B38DDFF CALL PIGUI.00407AE0
006342C5 33C0 XOR EAX,EAX
006342C7 55 PUSH EBP
006342C8 68 78476300 PUSH PIGUI.00634778
006342CD 64:FF30 PUSH DWORD PTR FS:[EAX]
006342D0 64:8920 MOV DWORD PTR FS:[EAX],ESP
006342D3 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]

00C8C2BC F2: PREFIX REPNE: ; Superfluous prefix
00C8C2BD EB 01 JMP SHORT 00C8C2C0
00C8C2BF 9A F2EB019A EB02 CALL FAR 02EB:9A01EBF2 ; Far call
00C8C2C6 CD 20 INT 20
00C8C2C8 FF7424 1E PUSH DWORD PTR SS:[ESP+1E]
00C8C2CC 6A 74 PUSH 74
00C8C2CE 895C24 04 MOV DWORD PTR SS:[ESP+4],EBX
00C8C2D2 F2: PREFIX REPNE: ; Superfluous prefix
00C8C2D3 EB 01 JMP SHORT 00C8C2D6
00C8C2D5 F3: PREFIX REP: ; Superfluous prefix
00C8C2D6 83EC FC SUB ESP,-4
00C8C2D9 F3: PREFIX REP: ; Superfluous prefix
00C8C2DA EB 02 JMP SHORT 00C8C2DE
00C8C2DC CD 20 INT 20
00C8C2DE C1D3 9B RCL EBX,9B ; Shift constant out of range 1..31
00C8C2E1 2E:EB 02 JMP SHORT 00C8C2E6 ; Superfluous prefix
00C8C2E4 CD 20 INT 20
00C8C2E6 81EB 45478C09 SUB EBX,98C4745
00C8C2EC 3E:EB 02 JMP SHORT 00C8C2F1 ; Superfluous prefix
00C8C2EF CD 20 INT 20
00C8C2F1 81F3 553D2134 XOR EBX,34213D55
00C8C2F7 EB 01 JMP SHORT 00C8C2FA
00C8C2F9 0F26 ??? ; Unknown command
00C8C2FB EB 02 JMP SHORT 00C8C2FF
00C8C2FD CD 20 INT 20
00C8C2FF 6A F9 PUSH -7
00C8C301 2E:EB 02 JMP SHORT 00C8C306 ; Superfluous prefix
00C8C304 CD 20 INT 20
00C8C306 C74424 00 EDC2C8>MOV DWORD PTR SS:[ESP],0C8C2ED
00C8C30E 5B POP EBX
00C8C30F FF53 2C CALL DWORD PTR DS:[EBX+2C]
00C8C312 F0:69C7 E8C7F29A LOCK IMUL EAX,EDI,9AF2C7E8 ; LOCK prefix is not allowed
00C8C319 1F POP DS ; Modification of segment register
00C8C31A C3 RETN
00C8C31B C8 009AC7 ENTER 9A00,0C7
00C8C31F 5B POP EBX
00C8C320 EB 01 JMP SHORT 00C8C323
00C8C322 F3: PREFIX REP: ; Superfluous prefix
00C8C323 F2: PREFIX REPNE: ; Superfluous prefix
00C8C324 EB 01 JMP SHORT 00C8C327
00C8C326 698D 99767F8C 09>IMUL ECX,DWORD PTR SS:[EBP+8C7F7699],1EB>
00C8C330 F0:EB 01 LOCK JMP SHORT 00C8C334 ; LOCK prefix is not allowed
00C8C333 -0F8D 1C858250 JGE 514B4855
00C8C339 2BBD 36EB02CD SUB EDI,DWORD PTR SS:[EBP+CD02EB36]
00C8C33F 2083 F3945B26 AND BYTE PTR DS:[EBX+265B94F3],AL
00C8C345 EB 02 JMP SHORT 00C8C349
00C8C347 CD 20 INT 20
00C8C349 F3: PREFIX REP: ; Superfluous prefix
00C8C34A EB 02 JMP SHORT 00C8C34E
00C8C34C CD 20 INT 20
00C8C34E 55 PUSH EBP
00C8C34F FF7424 1E PUSH DWORD PTR SS:[ESP+1E]
00C8C353 896C24 04 MOV DWORD PTR SS:[ESP+4],EBP
00C8C357 F2: PREFIX REPNE: ; Superfluous prefix
00C8C358 EB 01 JMP SHORT 00C8C35B
00C8C35A -E9 8D642404 JMP 04ED27EC
00C8C35F 8BEC MOV EBP,ESP
00C8C361 33C9 XOR ECX,ECX
00C8C363 26:EB 02 JMP SHORT 00C8C368 ; Superfluous prefix
00C8C366 CD 20 INT 20
00C8C368 F3: PREFIX REP: ; Superfluous prefix
00C8C369 EB 02 JMP SHORT 00C8C36D
00C8C36B CD 20 INT 20
00C8C36D 55 PUSH EBP
00C8C36E FF7424 1E PUSH DWORD PTR SS:[ESP+1E]
00C8C372 894C24 04 MOV DWORD PTR SS:[ESP+4],ECX
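
The second listing above is what ASProtect's junk looks like in OllyDbg: a real instruction, then a superfluous prefix (F2, F3, 2E, 3E, ...), then a two-byte JMP SHORT over an INT 20 or some other garbage byte. Because Olly decodes the skipped bytes as if they were instructions (the "CALL FAR" at 00C8C2BF, the "???" at 00C8C2F9), the listing drifts out of sync and the real code is hard to see. The script below is an added example written for this page, not a tool from the thread: it parses the trace as pasted here, follows the short jumps, skips the junk prefixes and prints only the instructions that execute, stopping at the first real CALL/JMP/RETN (which you then follow by hand in Olly) or at the first byte it cannot read from the listing (where you tell Olly to analyse from that address). The rules for reading Olly's pasted text (a '>' marks a cut-off byte column, a '-' marks a jump-destination line) are assumptions drawn from this thread's listings.

```python
"""Walk ASProtect junk in a pasted OllyDbg listing and keep only the instructions
that execute.  Added example for this thread, not a tool from the posts; the rules
for reading Olly's pasted text are assumptions drawn from the listings above."""
import re

# 1-byte prefixes ASProtect drops in front of real code (0x66/0x67 are not junk).
JUNK_PREFIXES = {0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65, 0xF0, 0xF2, 0xF3}
LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+(.*)$")

# Excerpt of smallfox's trace; lines the walk never touches were left out.
LISTING = """
00C8C2BC F2: PREFIX REPNE: ; Superfluous prefix
00C8C2BD EB 01 JMP SHORT 00C8C2C0
00C8C2BF 9A F2EB019A EB02 CALL FAR 02EB:9A01EBF2 ; Far call
00C8C2C8 FF7424 1E PUSH DWORD PTR SS:[ESP+1E]
00C8C2CC 6A 74 PUSH 74
00C8C2CE 895C24 04 MOV DWORD PTR SS:[ESP+4],EBX
00C8C2D2 F2: PREFIX REPNE: ; Superfluous prefix
00C8C2D3 EB 01 JMP SHORT 00C8C2D6
00C8C2D6 83EC FC SUB ESP,-4
00C8C2D9 F3: PREFIX REP: ; Superfluous prefix
00C8C2DA EB 02 JMP SHORT 00C8C2DE
00C8C2DE C1D3 9B RCL EBX,9B ; Shift constant out of range 1..31
00C8C2E1 2E:EB 02 JMP SHORT 00C8C2E6 ; Superfluous prefix
00C8C2E6 81EB 45478C09 SUB EBX,98C4745
00C8C2EC 3E:EB 02 JMP SHORT 00C8C2F1 ; Superfluous prefix
00C8C2F1 81F3 553D2134 XOR EBX,34213D55
00C8C2F7 EB 01 JMP SHORT 00C8C2FA
00C8C2F9 0F26 ??? ; Unknown command
00C8C2FB EB 02 JMP SHORT 00C8C2FF
00C8C2FF 6A F9 PUSH -7
00C8C301 2E:EB 02 JMP SHORT 00C8C306 ; Superfluous prefix
00C8C306 C74424 00 EDC2C8>MOV DWORD PTR SS:[ESP],0C8C2ED
00C8C30E 5B POP EBX
00C8C30F FF53 2C CALL DWORD PTR DS:[EBX+2C]
00C8C31F 5B POP EBX
00C8C320 EB 01 JMP SHORT 00C8C323
00C8C323 F2: PREFIX REPNE: ; Superfluous prefix
00C8C324 EB 01 JMP SHORT 00C8C327
00C8C326 698D 99767F8C 09>IMUL ECX,DWORD PTR SS:[EBP+8C7F7699],1EB>
"""


def parse_listing(text):
    """Map address -> (bytes, mnemonic, truncated) for each listing line."""
    lines = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        toks, code, truncated = m.group(2).split(), bytearray(), False
        while toks:
            head, cut, tail = toks[0].partition(">")   # '>' = byte column cut off
            clean = head.replace(":", "").lstrip("-")  # "2E:EB", "-0F8D"
            if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", clean):
                break  # first token that is not hex pairs starts the mnemonic
            code += bytes.fromhex(clean)
            toks.pop(0)
            if cut:
                truncated = True
                toks[:0] = [tail] if tail else []
                break
        mnem = " ".join(toks).split(";")[0].strip()
        if mnem.startswith("LOCK "):  # Olly folds a junk LOCK into the next line
            mnem = mnem[5:]
        lines[int(m.group(1), 16)] = (bytes(code), mnem, truncated)
    return lines


def walk(lines, start, limit=500):
    """Follow flow from start.  Returns ([(addr, mnemonic)], (stop_addr, why))."""
    mem = {a + k: b for a, (code, _, _) in lines.items() for k, b in enumerate(code)}
    real, pc = [], start
    for _ in range(limit):
        if pc in lines:
            code, mnem, truncated = lines[pc]
            length = len(code)
            if truncated:  # a cut-off byte column ends where the next listed line starts
                length = min((a for a in lines if a > pc), default=pc + length) - pc
            if mnem.startswith("PREFIX"):
                pc += length  # junk prefix: nothing executes
            elif mnem.startswith("JMP SHORT "):
                pc = int(mnem.split()[-1].split(".")[-1], 16)  # hop over the garbage
            elif mnem.startswith(("J", "CALL", "RET", "INT", "???")):
                return real, (pc, mnem)  # real transfer: follow it by hand in Olly
            else:
                real.append((pc, mnem))
                pc += length
        else:
            # Landed inside a line Olly mis-decoded (e.g. the 'CALL FAR' at
            # 00C8C2BF); only the junk idioms can be read from raw bytes here.
            b = mem.get(pc)
            if b in JUNK_PREFIXES:
                pc += 1
            elif b == 0xEB and pc + 1 in mem:
                disp = mem[pc + 1]
                pc += 2 + (disp - 0x100 if disp >= 0x80 else disp)
            else:
                why = "no bytes" if b is None else "listing out of sync (byte %02X)" % b
                return real, (pc, why)
    return real, (pc, "step limit")


if __name__ == "__main__":
    parsed = parse_listing(LISTING)
    for start in (0x00C8C2BC, 0x00C8C31F):
        real, (where, why) = walk(parsed, start)
        print("\n".join("%08X  %s" % r for r in real) + "\n-- stopped at %08X: %s" % (where, why))
```

Run from 00C8C2BC it prints the ten instructions that really execute (PUSH [ESP+1E], PUSH 74, MOV [ESP+4],EBX, SUB ESP,-4, RCL EBX,9B, SUB EBX,..., XOR EBX,..., PUSH -7, MOV [ESP],0C8C2ED, POP EBX) and stops at the CALL [EBX+2C]. Run again from 00C8C31F it finds POP EBX and then stops at 00C8C327 on a byte (8D) that is not a junk idiom: that is exactly where the listing is out of sync and Olly has to be told to analyse from that address. The walker decodes only the junk idioms from raw bytes; every real instruction comes from Olly's own decode, so it is a reading aid for a trace like this one, not a disassembler.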

britedream 03-14-2004 16:59

please pm me with the link to the target.

smallfox 03-14-2004 18:46

Quote:

Originally posted by britedream
please pm me with the link to the target.
Done. It's v2.7g.

I wish you'd shed light on it ...

and a minor tutorial, if that's not too much to ask ...

Thanks

britedream 03-14-2004 20:35

Thank you very much, it is a very interesting case of stolen bytes, I learned something new. I have seen patterns for startup code over in the woodmann forum, and it says that for this case it is a special case and it fills only part of the space provided for the stolen bytes, but I found out this isn't special, and found all the bytes that fit in the space provided nicely. Once I finish writing my explanation to you I will send it.

Regards.

hobgoblin 03-14-2004 20:45

hi britedream
 
May I have a copy of that explanation, britedream?
TIA,
hobgoblin

R@dier 03-14-2004 21:21

Could I also get a copy of that.

many thanks

R@dier

britedream 03-15-2004 00:38

smallFox please pm me with your email for sending you the info.

britedream 03-15-2004 00:48

To hobgoblin ,smallfox, and R@dier:

Info Has been sent.

smallfox 03-15-2004 01:16

Yehey! It's running smoothly ...

I should have taken extra notice of those repeated bytes, but I've never seen anything like it before ...

Thanks britedream!!!

and great tutorial too ...


:D

britedream 03-15-2004 01:30

My pleasure!
There are a few typing errors due to speed, please correct them (I didn't go over it due to lack of time).

Pompeyfan 03-15-2004 04:09

Okay, I'll play around with the trace settings a bit more. I came to the same conclusion yesterday but haven't got it figured out yet. I know I'm tracing from the right place, so it isn't that. Thanks anyway everyone for your help, I do appreciate it. I guess I over-reacted to your post britedream, sorry for that, I guess I was having a bad day. :)

britedream 03-15-2004 11:59

Errors are corrected and sent to R@dier, hobgoblin, smallfox, noital, and ferrari; please check your emails.

Regards.

R@dier 03-15-2004 18:09

Many Thanks

R@dier

ferrari 03-16-2004 00:15

Britedream, I did not receive your email, I checked just now. I'll PM you my email ID again.
Thanks anyway :)

britedream 03-16-2004 00:32

To ferrari

Info sent again.

britedream 03-16-2004 11:07

to Nilrem
Tut has been sent, please check your mail.

JMI 03-16-2004 14:10

Why not simply attach it here for all to read?

Regards,

britedream 03-16-2004 16:12

It is only my explanation of how to get the stolen bytes in the specific target requested by smallfox, which I don't think is really of much interest to the majority.

regards.

Pompeyfan 03-17-2004 19:33

I keep coming back to that Registry Defragmentation program every few days to try again with a fresh mind. Trying to get rid of the bloody "file corrupted" message is just about doing my poor little brain in. I've traced and retraced, NOPped, altered jumps; the fucking code just seems to go round in circles. If someone could do a tut on this one, I'm sure a lot of people could really learn a lot about Asprotect.

Satyric0n 03-17-2004 22:52

Pompeyfan, I was going to refer you to the mini-tut I wrote on unpacking Elcor TweakRAM that Kyrios had already mentioned, since it has basically the same protection mechanisms as RegDefrag. But, it seems my mini-tut has been deleted from the FTP (along with almost everything else...). :(

I don't have that mini-tut on my hard drive any more, since I wasn't expecting the exetools FTP to get wiped out.

Unlikely, but just in case, I'll ask: By chance, does anyone happen to have the files that used to be on the FTP in the "/incoming/Elcor TweakRAM 3.31.0.3404" folder? If so, could you reupload them please? Thanks in advance...

Regards,
Satyric0n

Nilrem 03-17-2004 23:12

I do, I'll upload them.

Satyric0n 03-17-2004 23:54

Ah, thank you very much, Nilrem. :D I owe you one. ;)

Regards

Nilrem 03-17-2004 23:59

Np, my pleasure. Heh. :)

Pompeyfan 03-18-2004 03:56

Actually I have read your mini-tut on TweakRAM, but the file corrupted message in Registry Defragmentation seems far more complex. In TweakRAM, if I remember right, all you had to do was change 4 conditional jumps to JMPs; this one has about 12 calls to the error message, and all sorts of avenues lead to those calls. It is a frigging nightmare; if I had an ounce of sense I'd let it go, but for some reason I can't, grrrrrrrrr

Satyric0n 03-18-2004 04:58

Pompeyfan, I took a look at RegDefrag a few months ago, and at the time, it actually seemed easier than TweakRAM. Could be that they've improved their protection recently... If I get some time I'll take a look at it, but I can't make any guarantees, as work and my Winamp keygenning tutorial are taking up all my time right now. :)

Regards,
Satyric0n

Pompeyfan 03-18-2004 06:03

Thanks mate, don't worry if you are pressed for time.:)

Kyrios 03-20-2004 04:08

TweakRAM
 
Hi pompeyfan,

Have you practiced on TweakRAM? If yes, did it run smoothly?
If I remember correctly, you MUST XOR EAX in another file. I don't remember the name of that file, but the file is used as a system service. You can look for it with Ctrl+Alt+Del. It has a small size (less than 100 KB); when scanned with PEiD, it tells you it's Delphi.
Like I said before, the protection is the same as TweakRAM.


kyrios

Pompeyfan 03-20-2004 09:54

I think I had problems unpacking the TweakRAM program, from memory; I might try it again soon. But I did read the mini-tut thoroughly, and the code in that program seems totally different from what is in Registry Defragmentation around the File Corrupted message.

britedream 03-20-2004 23:12

Pompeyfan!
I looked at TweakRAM and RegDefrag today and their protection is almost equal. I will try to help you on RegDefrag:
At the OEP you see three calls. Enter the second one, use F8, you will have two EEDFADE exceptions, pass them with SHIFT+F7, after that the show begins. Step through the code with F8. First call: I believe it checks if registered, pass it. The next call checks if the target EP starts at 1000; inside the call change the last two JE to JMP. Next call: put a RETN inside. Next call: the target should take off, but there is a problem; I will leave it to you to solve the last problem. (The program will start with the above corrections I made, but it still needs to be fixed.)
regards.
britedream.

Pompeyfan 03-21-2004 04:25

Thanks a ton mate, I really appreciate that. This one for some reason has been nagging at me for ages. Good idea to leave some for me to figure out, but I never would have figured out the first bit. :)

Pompeyfan 03-21-2004 11:33

Hi,

I was going okay with your instructions until here:

"the next call checks if target ep start at 1000, inside the call change the last two je to jmp, next call, put retn inside"

How do you mean, put a RETN inside the next call? Inside this call I have:

0041040C /$ 55 PUSH EBP
0041040D |. 8BEC MOV EBP,ESP
0041040F |. 51 PUSH ECX
00410410 |. 53 PUSH EBX
00410411 |. 8B05 C6554000 MOV EAX,DWORD PTR DS:[4055C6] ; <&kernel32.GetModuleHandleA>
00410417 |. 8B18 MOV EBX,DWORD PTR DS:[EAX]
00410419 |. FF33 PUSH DWORD PTR DS:[EBX]
0041041B |. 895D FC MOV DWORD PTR SS:[EBP-4],EBX
0041041E |. 8F03 POP DWORD PTR DS:[EBX]
00410420 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00410423 |. 5B POP EBX
00410424 |. 59 POP ECX
00410425 |. 5D POP EBP
00410426 \. C3 RETN

and if I F8 from here, I hit an access violation, and the file corrupted message comes up soon after.

What should I change in this call, and why?

I really appreciate your help.

britedream 03-21-2004 12:14

My address is slightly different due to my PC setup, but the code looks right, so change 55 "PUSH EBP" to C3 "RETN", or NOP the call.

britedream 03-21-2004 21:35

Hi PopeyFan,

With the information I gave you it is easy now; it shouldn't take you long to fix it. :)

Pompeyfan 03-22-2004 02:27

I still get the file corrupted message after the changes. Here is the call stack from when I get the message now:

Call stack of main thread
Address Stack Procedure / arguments Called from Frame
0012EB0C 77D43C53 Includes 7FFE0304 user32.77D43C51 0012EB40
0012EB10 77D4B3F2 user32.WaitMessage user32.77D4B3ED 0012EB40
0012EB44 77D4D9A0 user32.77D4B265 user32.77D4D99B 0012EB40
0012EB6C 77D6AE8E user32.77D4D8EC user32.77D6AE89 0012EB68
0012EE24 77D6A911 ? user32.SoftModalMessageBox user32.77D6A90C 0012EDAC
0012EF6C 77D6AFD5 ? user32.77D6A7D7 user32.77D6AFD0 0012EEF4
0012EFC4 77D6B0BD user32.MessageBoxTimeoutW user32.77D6B0B8 0012EFC0
0012EFF8 77D6B04A ? user32.MessageBoxTimeoutA user32.77D6B045 0012EFF4
0012F018 77D6B02E ? user32.MessageBoxExA user32.77D6B029 0012F014
0012F01C 00000000 hOwner = NULL
0012F020 004109B4 Text = "File corrupted ! Please ru
0012F024 004109AC Title = "Warning"
0012F028 00001030 Style = MB_OK|MB_ICONEXCLAMATION|M
0012F02C 00000000 LanguageID = 0 (LANG_NEUTRAL)
0012F030 004109AA ? <JMP.&user32.MessageBoxA> RegDefra.004109A5
0012F034 00000000 hOwner = NULL
0012F038 004109B4 Text = "File corrupted ! Please ru
0012F03C 004109AC Title = "Warning"
0012F040 00001030 Style = MB_OK|MB_ICONEXCLAMATION|M
0012F044 00418A40 ? RegDefra.00410994 RegDefra.00418A3B

Satyric0n 03-22-2004 02:29

Quote:

Originally Posted by britedream
my address is slightly different due to my pc setup, but codes look right , so change 55 "push ebp", to c3 " retn"

I am sorry, but I disagree with this advice. It seems to me that if you do this, you will corrupt the stack, as the POP EBX, POP ECX, and (most importantly) POP EBP at the end of the procedure will not be executed.

My suggestion here is to NOP two instructions:
  1. The PUSH at 410419
  2. The POP at 41041E

@Pompeyfan: As to understanding what this procedure is doing (this is just as important, if not more important, than merely fixing it), I describe this in my TweakRAM mini-tut. I also describe exactly how to fix this procedure in the mini-tut, which you claim to have read... So have you read it or not?? :confused:

Regards,
Satyric0n
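
Either fix above comes down to a one- or two-byte patch in the dumped file. britedream's version turns the routine's first byte 55 (PUSH EBP) at 0041040C into C3 (RETN), so the routine returns at its first instruction; Satyric0n's NOPs out the PUSH DWORD PTR [EBX] at 00410419 and the POP DWORD PTR [EBX] at 0041041E, so the routine still runs its prologue and epilogue but never reads or writes through EBX. The two differ in what comes back in EAX (unchanged in the first case; the value loaded into EBX, via MOV EAX,[EBP-4], in the second), which matters if the caller looks at the return value. The script below is an added example, not a tool from the thread: it maps a virtual address to a file offset through the dump's section table, checks that the bytes it expects are really there before overwriting them (a mismatch means a different dump, a differently based image, or a file that was already patched), and applies either patch set. The PE image it builds is a constructed stand-in for the RegDefrag dump that carries only the routine's bytes from Pompeyfan's listing at 0041040C; on a real dump you would read the file instead.

```python
"""Patch a dumped PE32 by virtual address, verifying the bytes you expect to
find before overwriting them.  Added example, not a tool from the thread.  The
two patch sets encode the advice in the posts above (britedream: RETN at the
routine's entry; Satyric0n: NOP the PUSH/POP through [EBX]); the image built by
build_sample_image() is a constructed stand-in for the RegDefrag dump."""
import struct

# Bytes of the routine at 0041040C exactly as listed in the thread (27 bytes).
CHECK_ROUTINE = bytes.fromhex(
    "55 8BEC 51 53 8B05C6554000 8B18 FF33 895DFC 8F03 8B45FC 5B 59 5D C3")

# (virtual address, bytes expected there, replacement of the same length)
SATYRICON_PATCHES = [
    (0x00410419, b"\xFF\x33", b"\x90\x90"),  # PUSH DWORD PTR DS:[EBX] -> NOP NOP
    (0x0041041E, b"\x8F\x03", b"\x90\x90"),  # POP  DWORD PTR DS:[EBX] -> NOP NOP
]
BRITEDREAM_PATCH = [
    (0x0041040C, b"\x55", b"\xC3"),          # PUSH EBP -> RETN at the entry
]


def pe_sections(data):
    """Return (image_base, [(name, rva, vsize, raw_ptr, raw_size)]) of a PE32."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    secs = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, rva, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        secs.append((name, rva, vsize, raw_ptr, raw_size))
    return image_base, secs


def va_to_offset(data, va):
    """File offset of a VA; works for rebuilt dumps (raw == virtual layout) too."""
    image_base, secs = pe_sections(data)
    rva = va - image_base
    for name, srva, vsize, raw_ptr, raw_size in secs:
        if srva <= rva < srva + max(vsize, raw_size):
            if rva - srva >= raw_size:
                raise ValueError("VA %08X is in the uninitialised part of %s" % (va, name))
            return raw_ptr + (rva - srva)
    raise ValueError("VA %08X is in no section" % va)


def read_va(data, va, n):
    off = va_to_offset(data, va)
    return bytes(data[off:off + n])


def apply_patches(data, patches):
    """Return a patched copy; refuse to touch anything that does not match."""
    out = bytearray(data)
    for va, expect, new in patches:
        if len(expect) != len(new):
            raise ValueError("patch at %08X changes the instruction length" % va)
        off = va_to_offset(out, va)
        found = bytes(out[off:off + len(expect)])
        if found != expect:
            raise ValueError("at %08X expected %s, found %s: wrong dump or already patched?"
                             % (va, expect.hex(), found.hex()))
        out[off:off + len(new)] = new
    return bytes(out)


def build_sample_image():
    """Constructed PE32: one .text section at RVA 10000 (raw 400) holding the
    check routine at VA 0041040C with image base 00400000."""
    img = bytearray(0x1400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)              # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)         # i386, one section
    struct.pack_into("<H", img, 0x94, 0xE0)              # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x98, 0x10B)             # PE32 magic
    struct.pack_into("<I", img, 0x98 + 28, 0x00400000)   # ImageBase
    sec = 0x98 + 0xE0
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x1000, 0x10000, 0x1000, 0x400)
    off = 0x400 + 0x40C                                  # RVA 1040C -> raw 80C
    img[off:off + len(CHECK_ROUTINE)] = CHECK_ROUTINE
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    for who, patches in (("satyric0n", SATYRICON_PATCHES), ("britedream", BRITEDREAM_PATCH)):
        print(who, read_va(apply_patches(img, patches), 0x0041040C, len(CHECK_ROUTINE)).hex())
```

Keep each replacement the same length as the bytes it replaces, as both patch sets here do, so that nothing after the patch shifts. The check is per patch and the function works on a copy: if the second patch does not match, a ValueError is raised and nothing is returned, so a real dump on disk is never half-patched.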

britedream 03-22-2004 02:33

Please do the changes as I noted, save them, and run the program outside Olly; if the program doesn't run, then you may have a problem with your dump.

britedream 03-22-2004 02:37

To satyricon:
I have the program running fine with the info I posted.

Pompeyfan 03-22-2004 02:38

I have all these references to the call for this message box:

References in RegDefra: to 00410994
Address Disassembly Comment
00410994 PUSH 1030 (Initial CPU selection)
00412D68 CALL RegDefra.00410994
00413C3E CALL RegDefra.00410994
00414569 CALL RegDefra.00410994
00415DD1 CALL RegDefra.00410994
0041680B CALL RegDefra.00410994
00416AD1 CALL RegDefra.00410994
00416FD0 CALL RegDefra.00410994
004176B6 CALL RegDefra.00410994
004176EA CALL RegDefra.00410994
004181C3 CALL RegDefra.00410994
00418A3B CALL RegDefra.00410994
00418C70 CALL RegDefra.00410994
00418CA6 CALL RegDefra.00410994
00418CDC CALL RegDefra.00410994
00418D0F CALL RegDefra.00410994
00418D42 CALL RegDefra.00410994

And a lot of the code where the calls are made looks like this, with unconditional jumps above the call, but the one just above the call usually calls 00410094 anyway; I've traced them earlier in trying to figure it out.

00418A34 . EB 0F JMP SHORT RegDefra.00418A45
00418A36 .^E9 11ABFEFF JMP RegDefra.0040354C
00418A3B . E8 547FFFFF CALL RegDefra.00410994
00418A40 . E8 E7ACFEFF CALL RegDefra.0040372C

Satyric0n 03-22-2004 02:43

Quote:

Originally Posted by britedream
To satyricon:
I have the program running fine on the info I posted.

britedream, I am quite sure you do. :) But, as per our previous discussion about this in this thread, you seem to be dumping your programs in a different way/place than the rest of us do, and so your solutions to these kinds of problems do not work for the rest of us (or for me, anyway).

I am only noting that your solution does not work for me (due apparently to the different way we seem to be dumping the app), and so I am posting the solution that does work for me.

Regards,
Satyric0n

