Exetools


Exocist 04-22-2008 07:13

Help with ASProtect variant please?

Hi guys,

For quite some time I have been inline patching various ASProtect programs with no problems at all. Recently, however, I've come across a variant that has me a bit puzzled. It concerns the kernel32.MapViewOfFileEx call which precedes the CRC check.

Prior to this change it was simply a case of finding the

PUSH 0
PUSH 0
PUSH 0
PUSH 4

6a 00 6a 00 6a 00 6a 04

This has to be patched because we redirect the code to our code afterwards and place the original bytes back into the mapped file address space. If this doesn't occur then the dreaded ASProtect CRC error appears.

Everything about these targets up to this point is the same but the CRC check now seems to be handled differently and I'm having trouble finding it.

An example program is the VSTi instrument called Morphine from www.image-line.com.

Here is where I'm at with my patch points, the next one (#8) needs to be the CRC check...

Code:

100BC185  E9 45000000      JMP 100BC1CF                       #1

100BC247  ^0F85 B1FFFFFF   JNZ 100BC1FE                       #2
100BC24D  E8 06000000      CALL 100BC258

100BC328  E9 2F000000      JMP 100BC35C                       #3

100BC432  E9 1E000000      JMP 100BC455                       #4

100BC619  68 00800000      PUSH 8000                          #5
100BC61E  6A 00            PUSH 0
100BC620  56               PUSH ESI
100BC621  FF95 FB030000    CALL DWORD PTR SS:[EBP+3FB]
100BC627  68 00000000      PUSH 0
100BC62C  C3               RETN

009E30F3  68 00800000      PUSH 8000                          #6
009E30F8  6A 00            PUSH 0
009E30FA  50               PUSH EAX
009E30FB  FF95 7D294400    CALL DWORD PTR SS:[EBP+44297D]
009E3101  8D85 512C4400    LEA EAX,DWORD PTR SS:[EBP+442C51]
009E3107  50               PUSH EAX
009E3108  C3               RETN

009E35C1  61               POPAD                              #7
009E35C2  75 08            JNZ SHORT 009E35CC
009E35C4  B8 01000000      MOV EAX,1
009E35C9  C2 0C00          RETN 0C
009E35CC  68 F0A69D00      PUSH 9DA6F0
009E35D1  C3               RETN

Anyone have any experience with this new method? Thank you! :)

(sorry mod about previous deletion, having a brain fart! thanks!)
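As an added illustration (not code from the post, from ASProtect or from the Morphine target), here is a small Python model of the integrity check the post describes: the stub re-maps the module from disk (MapViewOfFileEx in the real thing) and CRCs the covered bytes, so a byte-level patch on disk is caught unless the view the stub inspects is altered; a check over the bytes that will actually execute catches the same patch. The 32-byte code image, the use of CRC32 and the PATCHED_CODE bytes are constructed assumptions.

```python
import mmap
import tempfile
import zlib

# Constructed stand-in for the protected code bytes the CRC covers.  The first
# eight bytes are the argument pushes for the MapViewOfFileEx call from the post
# (PUSH 0 / PUSH 0 / PUSH 0 / PUSH 4); the rest is NOP filler.
ORIGINAL_CODE = bytes.fromhex("6a006a006a006a04") + b"\x90" * 24
# Constructed inline patch: a 5-byte JMP rel32 (E9 + displacement) written over
# the first pushes, the kind of redirect the post talks about.
PATCHED_CODE = bytes.fromhex("e900000000") + ORIGINAL_CODE[5:]

def code_crc(code: bytes) -> int:
    """CRC32 of the covered bytes; a protector embeds this at protect time."""
    return zlib.crc32(code) & 0xFFFFFFFF

def write_image(code: bytes) -> str:
    """Write a stand-in 'module file' to disk and return its path."""
    with tempfile.NamedTemporaryFile("wb", delete=False, suffix=".bin") as fh:
        fh.write(code)
        return fh.name

def crc_check_via_mapping(path: str, expected: int) -> bool:
    """The check as described in the post: map the file again and CRC the
    bytes found in that view.  It only sees what is in the mapping."""
    with open(path, "rb") as fh:
        with mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as view:
            return code_crc(view[:len(ORIGINAL_CODE)]) == expected

def crc_check_in_memory(running_code: bytes, expected: int) -> bool:
    """Alternative: check the bytes that will actually execute."""
    return code_crc(running_code) == expected

def demo() -> dict:
    """Run both checks against a clean and a patched image."""
    expected = code_crc(ORIGINAL_CODE)
    clean = write_image(ORIGINAL_CODE)
    patched = write_image(PATCHED_CODE)
    return {
        "clean_file_passes": crc_check_via_mapping(clean, expected),
        "patched_file_caught": not crc_check_via_mapping(patched, expected),
        "patched_memory_caught": not crc_check_in_memory(PATCHED_CODE, expected),
    }

if __name__ == "__main__":
    print(demo())
```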

