Exetools

Still need help with Asprotect (https://forum.exetools.com/showthread.php?t=3599)

Satyric0n 03-12-2004 19:45

Err... What exactly are you doing a trace for?

If you're trying to find the OEP, just set a memory (on execution) breakpoint on the app's code section and run.

If you're trying to find the stolen bytes... Well, let's just say there are ways other than using a trace; I certainly don't ever trace in Olly...

Regards,
Satyric0n

Pompeyfan 03-13-2004 04:08

I mean doing the trace by either method: either the TC EIP<900000 at the command line first mentioned in LaBBa's tuts, or doing the memory (on execution) breakpoint on the app's code section and then pressing Ctrl+F11.
On some programs it just keeps hanging on the trace, and last night I left it for some considerable time on TweakRAM; it still showed tracing in the bottom right, but I'm sure it had hung.

hobferret 03-13-2004 04:48

Hi Pompeyfan:)

I don't use this forum much, I prefer the RCE one:cool:

Hey, your work is good. I just managed to work out your thing about Pompey rock, Saints suck:D

How about Pompey <17, Saints >17, OK - ha ha:D

Long live Merredin - WA State of Excitement:cool:

/hobferret

R@dier 03-13-2004 09:06

:D

JMI 03-13-2004 10:38

Alright now, I want all you soccer fans to behave yourselves in the stands from now on. Way too many people getting hurt just trying to enjoy a game. ;) Sometimes they seem to need reminding that this is not WAR, it is a GAME. Unfortunately it is a lack of perspective that is evident in many sports, in many parts of the world, including my own. :rolleyes:

Not quite as bad as those, of whatever persuasion, who seem to believe that the Deity sanctions their wanton slaughter of the innocent in the name of their personal views of religion, politics, or territorial imperative.

Regards,

Pompeyfan 03-13-2004 17:29

If we only win 1 match more this season, I hope it is March 21, home to Southampton. Actually, JMI, usually you have great insight, but on this point I differ: just a game? Nah, Pompey vs Saints = WAR:D

Pompeyfan 03-13-2004 17:41

Quote:

If you're trying to find the OEP, just set a memory (on execution) breakpoint on the app's code section and run.
Yes, I see that finds the OEP okay. So do you then use the method explained by Labba to find the stolen bytes? It seems harder than doing a trace, if the darn thing will work.

britedream 03-13-2004 18:52

Trace does work fine on TweakRAM latest version. Use my script asprbp to be on the right address for trace, set bp on memory access, then Ctrl+F11. That is all.

Pompeyfan 03-14-2004 04:03

Now if it worked fine on my PC, I wouldn't waste my time posting saying the trace hung, would I:mad: ; glad to hear it works for you.

Satyric0n 03-14-2004 10:58

Quote:

So do you then use the method explained by Labba to find the stolen bytes? It seems harder than doing a trace, if the darn thing will work.
I use my own method for finding stolen bytes, not one I ever saw in a tutorial. Try using your own head instead of blindly following someone else's tutorial, and you will find things become much easier. (Acknowledgement of the fact that JMI has already said this recently goes here. ;))

Quote:

Now if it worked fine on my PC, I wouldn't waste my time posting saying the trace hung, would I:mad: ; glad to hear it works for you.
You probably have the options on the Trace tab in Olly's Debugging Options set wrong. Try reading about what those options do, and maybe you can solve your own problem.

Regards,
Satyric0n

britedream 03-14-2004 11:23

Dear Pompeyfan!
My post above is to inform you that nothing is wrong with the trace method, so you should look into your problem in setup, as Satyric0n indicated, or in the startup point of the trace, rather than reading the post as if I didn't believe you, which is sadly discouraging to members who want to help you.

smallfox 03-14-2004 16:04

britedream,

I need to find the stolen bytes.

Can you point it out to me?

I'm lost as to how many bytes were stolen, and here's what I've done ...

006342AA 6300 ARPL DWORD PTR DS:[EAX],EAX
006342AC 0000 ADD BYTE PTR DS:[EAX],AL
006342AE 0000 ADD BYTE PTR DS:[EAX],AL
006342B0 0000 ADD BYTE PTR DS:[EAX],AL
006342B2 0000 ADD BYTE PTR DS:[EAX],AL
006342B4 0000 ADD BYTE PTR DS:[EAX],AL
006342B6 0000 ADD BYTE PTR DS:[EAX],AL
006342B8 0000 ADD BYTE PTR DS:[EAX],AL
006342BA 0000 ADD BYTE PTR DS:[EAX],AL
006342BC 0000 ADD BYTE PTR DS:[EAX],AL
006342BE 0000 ADD BYTE PTR DS:[EAX],AL
006342C0 E8 1B38DDFF CALL PIGUI.00407AE0
006342C5 33C0 XOR EAX,EAX
006342C7 55 PUSH EBP
006342C8 68 78476300 PUSH PIGUI.00634778
006342CD 64:FF30 PUSH DWORD PTR FS:[EAX]
006342D0 64:8920 MOV DWORD PTR FS:[EAX],ESP
006342D3 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]




00C8C2BC F2: PREFIX REPNE: ; Superfluous prefix
00C8C2BD EB 01 JMP SHORT 00C8C2C0
00C8C2BF 9A F2EB019A EB02 CALL FAR 02EB:9A01EBF2 ; Far call
00C8C2C6 CD 20 INT 20
00C8C2C8 FF7424 1E PUSH DWORD PTR SS:[ESP+1E]
00C8C2CC 6A 74 PUSH 74
00C8C2CE 895C24 04 MOV DWORD PTR SS:[ESP+4],EBX
00C8C2D2 F2: PREFIX REPNE: ; Superfluous prefix
00C8C2D3 EB 01 JMP SHORT 00C8C2D6
00C8C2D5 F3: PREFIX REP: ; Superfluous prefix
00C8C2D6 83EC FC SUB ESP,-4
00C8C2D9 F3: PREFIX REP: ; Superfluous prefix
00C8C2DA EB 02 JMP SHORT 00C8C2DE
00C8C2DC CD 20 INT 20
00C8C2DE C1D3 9B RCL EBX,9B ; Shift constant out of range 1..31
00C8C2E1 2E:EB 02 JMP SHORT 00C8C2E6 ; Superfluous prefix
00C8C2E4 CD 20 INT 20
00C8C2E6 81EB 45478C09 SUB EBX,98C4745
00C8C2EC 3E:EB 02 JMP SHORT 00C8C2F1 ; Superfluous prefix
00C8C2EF CD 20 INT 20
00C8C2F1 81F3 553D2134 XOR EBX,34213D55
00C8C2F7 EB 01 JMP SHORT 00C8C2FA
00C8C2F9 0F26 ??? ; Unknown command
00C8C2FB EB 02 JMP SHORT 00C8C2FF
00C8C2FD CD 20 INT 20
00C8C2FF 6A F9 PUSH -7
00C8C301 2E:EB 02 JMP SHORT 00C8C306 ; Superfluous prefix
00C8C304 CD 20 INT 20
00C8C306 C74424 00 EDC2C8>MOV DWORD PTR SS:[ESP],0C8C2ED
00C8C30E 5B POP EBX
00C8C30F FF53 2C CALL DWORD PTR DS:[EBX+2C]
00C8C312 F0:69C7 E8C7F29A LOCK IMUL EAX,EDI,9AF2C7E8 ; LOCK prefix is not allowed
00C8C319 1F POP DS ; Modification of segment register
00C8C31A C3 RETN
00C8C31B C8 009AC7 ENTER 9A00,0C7
00C8C31F 5B POP EBX
00C8C320 EB 01 JMP SHORT 00C8C323
00C8C322 F3: PREFIX REP: ; Superfluous prefix
00C8C323 F2: PREFIX REPNE: ; Superfluous prefix
00C8C324 EB 01 JMP SHORT 00C8C327
00C8C326 698D 99767F8C 09>IMUL ECX,DWORD PTR SS:[EBP+8C7F7699],1EB>
00C8C330 F0:EB 01 LOCK JMP SHORT 00C8C334 ; LOCK prefix is not allowed
00C8C333 -0F8D 1C858250 JGE 514B4855
00C8C339 2BBD 36EB02CD SUB EDI,DWORD PTR SS:[EBP+CD02EB36]
00C8C33F 2083 F3945B26 AND BYTE PTR DS:[EBX+265B94F3],AL
00C8C345 EB 02 JMP SHORT 00C8C349
00C8C347 CD 20 INT 20
00C8C349 F3: PREFIX REP: ; Superfluous prefix
00C8C34A EB 02 JMP SHORT 00C8C34E
00C8C34C CD 20 INT 20
00C8C34E 55 PUSH EBP
00C8C34F FF7424 1E PUSH DWORD PTR SS:[ESP+1E]
00C8C353 896C24 04 MOV DWORD PTR SS:[ESP+4],EBP
00C8C357 F2: PREFIX REPNE: ; Superfluous prefix
00C8C358 EB 01 JMP SHORT 00C8C35B
00C8C35A -E9 8D642404 JMP 04ED27EC
00C8C35F 8BEC MOV EBP,ESP
00C8C361 33C9 XOR ECX,ECX
00C8C363 26:EB 02 JMP SHORT 00C8C368 ; Superfluous prefix
00C8C366 CD 20 INT 20
00C8C368 F3: PREFIX REP: ; Superfluous prefix
00C8C369 EB 02 JMP SHORT 00C8C36D
00C8C36B CD 20 INT 20
00C8C36D 55 PUSH EBP
00C8C36E FF7424 1E PUSH DWORD PTR SS:[ESP+1E]
00C8C372 894C24 04 MOV DWORD PTR SS:[ESP+4],ECX
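
As an added example (not code from this thread or from any tool its posters mention), the script below walks the second listing in the post above, the junk-laden fragment starting at 00C8C2BC: it transcribes the opcode bytes from the listing, follows each JMP SHORT instead of emitting it, drops the superfluous prefixes, and stops at the indirect CALL, so what remains is the instruction stream the CPU actually executes, with the never-reached INT 20 islands and Olly's mid-instruction mis-decodes (the CALL FAR at 00C8C2BF) gone. The tiny length decoder is an assumption of this example and covers only the opcodes that occur in the fragment.

```python
BASE = 0x00C8C2BC
# Bytes transcribed by hand from the OllyDbg listing above (00C8C2BC..00C8C31A).
CODE = bytes.fromhex(
    "F2 EB01 9AF2EB019AEB02 CD20 FF74241E 6A74 895C2404 F2 EB01 F3 83ECFC"
    " F3 EB02 CD20 C1D39B 2EEB02 CD20 81EB45478C09 3EEB02 CD20 81F3553D2134"
    " EB01 0F26 EB02 CD20 6AF9 2EEB02 CD20 C7442400EDC2C800 5B FF532C"
    " F069C7E8C7F29A 1F C3")
PREFIXES = {0xF0, 0xF2, 0xF3, 0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65}
# Minimal length decoder: opcode -> (has ModR/M, immediate size). Assumption of
# this example: only the opcodes that occur in the fragment are covered.
OPCODES = {0xEB: (False, 1), 0xCD: (False, 1), 0x6A: (False, 1), 0x5B: (False, 0),
           0x89: (True, 0), 0xFF: (True, 0), 0x83: (True, 1), 0xC1: (True, 1),
           0x81: (True, 4), 0xC7: (True, 4)}

def modrm_len(code, i):
    """Bytes used by the ModR/M at code[i] plus any SIB byte and displacement."""
    mod, rm = code[i] >> 6, code[i] & 7
    if mod == 3:
        return 1
    n = 2 if rm == 4 else 1                      # rm == 4 means a SIB byte follows
    if mod == 1:
        n += 1                                   # disp8
    elif mod == 2 or (mod == 0 and (rm == 5 or (rm == 4 and code[i + 1] & 7 == 5))):
        n += 4                                   # disp32
    return n

def effective_stream(code=CODE, base=BASE, start=BASE):
    """Follow control flow from `start` and return [(addr, hexbytes)] of the instructions
    really executed: JMP SHORT is followed, not emitted; stops at the indirect CALL."""
    reached, seen, ip = [], set(), start
    while ip not in seen and 0 <= ip - base < len(code):   # no jump loops, no overrun
        seen.add(ip)
        i = ip - base
        while code[i] in PREFIXES:               # skip the "superfluous" prefixes
            i += 1
        op = code[i]
        has_modrm, imm = OPCODES[op]             # KeyError: opcode outside the subset
        end = i + 1 + (modrm_len(code, i + 1) if has_modrm else 0) + imm
        if op == 0xEB:                           # JMP SHORT rel8: land past the junk
            ip = base + end + int.from_bytes(code[i + 1:i + 2], "little", signed=True)
            continue
        reached.append((ip, code[ip - base:end].hex().upper()))
        if op == 0xFF and (code[i + 1] >> 3) & 7 == 2:   # CALL r/m32: control leaves
            break
        ip = base + end
    return reached

if __name__ == "__main__":
    for addr, hexbytes in effective_stream():
        print(f"{addr:08X}  {hexbytes}")
```

Running it lists the eleven instructions actually reached, from the PUSH at 00C8C2C8 to the CALL DWORD PTR DS:[EBX+2C] at 00C8C30F, which is what a tracer steps through here once the jump-over-junk padding is discounted.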

britedream 03-14-2004 16:59

Please PM me with the link to the target.

smallfox 03-14-2004 18:46

Quote:

Originally posted by britedream
Please PM me with the link to the target.
Done. It's v2.7g.

Wish you would shed light on it ...

And a minor tutorial, if not too much to ask ...

Thanks

britedream 03-14-2004 20:35

Thank you very much; it is a very interesting stolen-bytes case, and I learned something new. I have seen patterns for startup codes over in the Woodmann forum, and it says this is a special case and that it fills only part of the space provided for the stolen bytes, but I found out this isn't special, and found all the bytes that fit in the space provided nicely. Once I finish writing my explanation to you I will send it.

Regards.
