#113
02-17-2004, 13:02
JMI
Well, the answer is an unsatisfying "that depends." If you go back and look at JackD's post on the previous page, you will see he wrote:

ASPR processes 'dips' before reaching the OEP that modify addresses to point to ASPR at 620484, 62048C, 620494, 620498, and 62049C.

data BEFORE ASPR dips
00620480: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
00620490: 00 8D 40 00-F4 85 57 00-20 86 57 00-20 86 57 00
006204A0: 00 00 00 00-FE FF FF FF-FE FF FF FF-00 00 00 00
006204B0: FE FF FF FF-FE FF FF FF-00 8D 40 00-00 00 8B C0

data AFTER ASPR dips
00620480: 00 00 00 00-61 38 60 01-00 00 00 00-FC 1E 63 01
00620490: 00 8D 40 00-08 1C 61 01-A4 1B 61 01-D8 1B 61 01
006204A0: FE FF FF FF-1E 00 00 00-1E 00 00 00-FE FF FF FF
006204B0: 00 00 00 00-00 00 00 00-00 8D 40 00-00 00 8B C0

data that WORKS
00620480: 00 00 00 00-F0 3F 61 00-00 00 00 00-00 00 00 00
00620490: 00 8D 40 00-F4 85 57 00-20 86 57 00-20 86 57 00
006204A0: FE FF FF FF-1E 00 00 00-1E 00 00 00-FE FF FF FF
006204B0: 00 00 00 00-00 00 00 00-00 8D 40 00-00 00 8B C0

If you look closely at the last two lines of the first listing "Before ASPR Dips" and compare them to the last two lines of "after ASPR Dips" you should notice that during the "dip" ASPR overwrote some of the code "during" the dip. The code there "before" the dip will not work, and the code "after" the dip will (according to JackD's Data that Works statement.)

What this tells you is that if you dumped the exe "before" that dip occurred, the code is never "fixed" and the program will NOT run correctly. Therefore, you have to make sure that ASPR has finished "dipping" before you dump. This is one of the ways ASPR attempts to catch the unwary who fail to dump at the correct place.

So in this case, it is NOT letting the "dip" occur which appears to be the problem. I seem to recall reading that there was a time when the "opposite" condition was found, meaning some necessary data was moved by ASPR and unpacking the exe without ASPR left jumps to ASPR code which no longer existed. After all, it is Alexy's job to try to stay ahead of the rest of us and sometimes he recycles things previously used and ignored for a while.

And, yes, he and/or his troops do read these types of Forums to find out what is being said about his product. He has even posted on the Woodman Forum a couple of times.

You can search "dips" on the Woodman Forum and find some discussion of these issues there, some from +Splaj, who delights in unwinding the twists and turns of these programs and discusses when there were "double dips."

Regards,
__________________
JMI
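
The three listings quoted in the post can be compared mechanically. The following is an added example, not part of JMI's or JackD's posts: it parses the listings as little-endian dwords and reports, for every dword the dip changed, whether the working image carries the pre-dip value, the post-dip value, or neither. The function names are this example's own.

```python
# The three listings exactly as quoted in the post above.
BEFORE = """\
00620480: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
00620490: 00 8D 40 00-F4 85 57 00-20 86 57 00-20 86 57 00
006204A0: 00 00 00 00-FE FF FF FF-FE FF FF FF-00 00 00 00
006204B0: FE FF FF FF-FE FF FF FF-00 8D 40 00-00 00 8B C0
"""
AFTER = """\
00620480: 00 00 00 00-61 38 60 01-00 00 00 00-FC 1E 63 01
00620490: 00 8D 40 00-08 1C 61 01-A4 1B 61 01-D8 1B 61 01
006204A0: FE FF FF FF-1E 00 00 00-1E 00 00 00-FE FF FF FF
006204B0: 00 00 00 00-00 00 00 00-00 8D 40 00-00 00 8B C0
"""
WORKS = """\
00620480: 00 00 00 00-F0 3F 61 00-00 00 00 00-00 00 00 00
00620490: 00 8D 40 00-F4 85 57 00-20 86 57 00-20 86 57 00
006204A0: FE FF FF FF-1E 00 00 00-1E 00 00 00-FE FF FF FF
006204B0: 00 00 00 00-00 00 00 00-00 8D 40 00-00 00 8B C0
"""

def parse_dump(text):
    """Return {address: little-endian dword} for 'ADDR: xx xx xx xx-...' lines."""
    dwords = {}
    for line in text.strip().splitlines():
        addr, _, rest = line.partition(":")
        data = bytes.fromhex(rest.replace("-", " "))
        for off in range(0, len(data), 4):
            dwords[int(addr, 16) + off] = int.from_bytes(data[off:off + 4], "little")
    return dwords

def classify(before, after, works):
    """For each dword the dip changed, name the snapshot the working image matches."""
    result = {}
    for addr in sorted(before):
        if before[addr] == after[addr]:
            continue  # untouched by the dip
        if works[addr] == after[addr]:
            result[addr] = "post-dip"
        elif works[addr] == before[addr]:
            result[addr] = "pre-dip"
        else:
            result[addr] = "neither"
    return result

if __name__ == "__main__":
    b, a, w = (parse_dump(t) for t in (BEFORE, AFTER, WORKS))
    for addr, src in classify(b, a, w).items():
        print(f"{addr:08X}: {b[addr]:08X} -> {a[addr]:08X}  working={w[addr]:08X} ({src})")
```

On these listings the five addresses JackD named (620484 through 62049C) do not keep their post-dip values in the working data, while the six dwords at 6204A0 through 6204B4 do.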