where's the error in this asprotect-target? (https://forum.exetools.com/showthread.php?t=3126)

MaRKuS-DJM 01-01-2004 01:45

mtw, how did you fix these two entries?

zlatko 01-01-2004 01:48

Markus,

this is a completely NEW target. Please read the string
"Target:" in the MSDG.txt file.
The problem with zup is resolved!

Z

MaRKuS-DJM 01-01-2004 02:01

oh i see... this is a program like aspack which works with Dword-calls... seems harder to fix... but your IAT should be correct. i came to the same

MaRKuS-DJM 01-01-2004 02:14

ok, zlatko, i came to the following with your program.

your IAT is correct. now the parts to edit:

0056901C 55 PUSH EBP
0056901D 8BEC MOV EBP,ESP
0056901F 83C4 F0 ADD ESP,-10
00569022 B8 848B5600 MOV EAX,MsDataGe.00568B84
00569027 E8 00DFE9FF CALL MsDataGe.00406F2C
0056902C A1 B4C65600 MOV EAX,DWORD PTR DS:[56C6B4]
00569031 8B00 MOV EAX,DWORD PTR DS:[EAX]
00569033 E8 C0B2EFFF CALL MsDataGe.004642F8
00569038 FF15 E8C15600 CALL DWORD PTR DS:[56C1E8]
0056903E A1 B4C65600 MOV EAX,DWORD PTR DS:[56C6B4]
00569043 8B00 MOV EAX,DWORD PTR DS:[EAX]
00569045 E8 46B3EFFF CALL MsDataGe.00464390
0056904A E8 05B6E9FF CALL MsDataGe.00404654

Edit to:

0056901C > $ 55 PUSH EBP
0056901D . 8BEC MOV EBP,ESP
0056901F . 83C4 F0 ADD ESP,-10
00569022 . B8 848B5600 MOV EAX,dumped_.00568B84
00569027 . E8 00DFE9FF CALL dumped_.00406F2C
0056902C . A1 B4C65600 MOV EAX,DWORD PTR DS:[56C6B4]
00569031 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00569033 . E8 C0B2EFFF CALL dumped_.004642F8
00569038 . E8 8FFAFFFF CALL dumped_.00568ACC
0056903D . 90 NOP
0056903E . A1 B4C65600 MOV EAX,DWORD PTR DS:[56C6B4]
00569043 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00569045 . E8 46B3EFFF CALL dumped_.00464390
0056904A . E8 05B6E9FF CALL dumped_.00404654

and this:

00568AD4 68 378B5600 PUSH MsDataGe.00568B37
00568AD9 64:FF30 PUSH DWORD PTR FS:[EAX]
00568ADC 64:8920 MOV DWORD PTR FS:[EAX],ESP
00568ADF A1 5CE25600 MOV EAX,DWORD PTR DS:[56E25C]
00568AE4 50 PUSH EAX
00568AE5 E8 B6FFFFFF CALL MsDataGe.00568AA0
00568AEA 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
00568AED A1 5CE25600 MOV EAX,DWORD PTR DS:[56E25C]
00568AF2 E8 7D13EAFF CALL MsDataGe.00409E74
00568AF7 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00568AFA A1 30C65600 MOV EAX,DWORD PTR DS:[56C630]
00568AFF E8 94BCE9FF CALL MsDataGe.00404798
00568B04 A1 30C65600 MOV EAX,DWORD PTR DS:[56C630]
00568B09 8B00 MOV EAX,DWORD PTR DS:[EAX]
00568B0B E8 FCBEE9FF CALL MsDataGe.00404A0C
00568B10 85C0 TEST EAX,EAX
00568B12 7E 08 JLE SHORT MsDataGe.00568B1C
00568B14 A1 44C35600 MOV EAX,DWORD PTR DS:[56C344]
00568B19 C600 01 MOV BYTE PTR DS:[EAX],1
00568B1C E8 4BFFFFFF CALL MsDataGe.00568A6C
00568B21 33C0 XOR EAX,EAX

to:

00568AD4 |. 68 378B5600 PUSH dumped_.00568B37
00568AD9 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00568ADC |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00568ADF 90 NOP
00568AE0 90 NOP
00568AE1 90 NOP
00568AE2 90 NOP
00568AE3 90 NOP
00568AE4 |. 50 PUSH EAX ; /Arg1 => 00C23405
00568AE5 |. E8 B6FFFFFF CALL dumped_.00568AA0 ; \dumped_.00568AA0
00568AEA |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
00568AED |. A1 5CE25600 MOV EAX,DWORD PTR DS:[56E25C]
00568AF2 |. E8 7D13EAFF CALL dumped_.00409E74
00568AF7 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00568AFA |. A1 30C65600 MOV EAX,DWORD PTR DS:[56C630]
00568AFF |. E8 94BCE9FF CALL dumped_.00404798
00568B04 |. A1 30C65600 MOV EAX,DWORD PTR DS:[56C630]
00568B09 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00568B0B |. E8 FCBEE9FF CALL dumped_.00404A0C
00568B10 |. 85C0 TEST EAX,EAX
00568B12 |. 7E 08 JLE SHORT dumped_.00568B1C
00568B14 |. A1 44C35600 MOV EAX,DWORD PTR DS:[56C344]
00568B19 |. C600 01 MOV BYTE PTR DS:[EAX],1
00568B1C |> E8 4BFFFFFF CALL dumped_.00568A6C
00568B21 |. 33C0 XOR EAX,EAX

MaRKuS-DJM 01-01-2004 02:18

i think the rest isn't very hard.
registration flag is

56E24C
or 16E24C (for hex-editor), change it to 1 and all is ok

MaRKuS-DJM 01-01-2004 02:49

these calls & the mov aren't necessary for the program to work. it's only advanced asprotect-protection and should cost crackers time.

zlatko 01-01-2004 03:26

Thanks Markus,

I did the same thing as you did in the first part, but the second part I missed (at 00568ADC)!

Regards ,

Z

PS. Would you PM me your email address or if you wish I can PM you mine.
It's much easier to work through e-mail than on the board.

MaRKuS-DJM 01-01-2004 03:38

i pm'ed you

zlatko 01-01-2004 04:09

I'm STUPID !

I made all the changes with Hiew (instead of with HexEd) and you know what happens! -> Access v...

Z

PS. Thanks for address

MaRKuS-DJM 01-01-2004 04:23

i only use winhex and hiew, don't know about HexEd :)

mtw 01-01-2004 05:30

@Markus

Just change the rva to 0014A0EC or even lower, 0014A000.
It takes more time to search but you will know you have
a correct IAT. Imprec does get this value wrong a lot, and
increase the size a few hundred more.

MaRKuS-DJM 01-01-2004 05:44

yes, i've done that, but imprec can't find the function GetTimeFormatW, and the other api... it has resolved it as Shell32

mtw 01-01-2004 07:43

There is a plugin for imprec called AsProtection 1.22; use it
to resolve some entries you can seem to correct. It does
a good job finding them.

And a hint on the unwrapped protection:
415B40 and 4158B1. These 2 locations will save you some
time looking for the reg check.

MaRKuS-DJM 01-01-2004 19:43

yes, the reg-check was easy to find :)

MaRKuS-DJM 01-01-2004 20:10

mtw, is this the standard ImportRec 1.6 Plugin? if not, can you attach it? i can't find this plugin. and the standard-plugin can't resolve it


All times are GMT +8.