03-06-2004, 17:32
Pompeyfan

Still need help with Asprotect

Wondering if someone could help me with this target. I thought I'd learned a lot from the Wtm CD Protect V1.54 tut of LaBBas, but I can't seem to get the OEP for the following. PEiD reports OEP at 00417338, but nothing leads me there by tracing:

Registry Defragmentation for Windows 95-XP
Version 5.0b
Authors: Nick Nifontov
Alexander Berezovsky
Copyright © Elcor Software 2001-2004
hxxp://www.elcor.net/

This is what I tried so far:

Shift & F9 26 times, breakpoint on RETN, then Shift & F9, trace with TC EIP<900000, Ctrl & A (analyse), then here:

0040531C $-FF25 44B24100 JMP DWORD PTR DS:[41B244]
00405322 8BC0 MOV EAX,EAX
00405324 $-FF25 40B24100 JMP DWORD PTR DS:[41B240]
0040532A 8BC0 MOV EAX,EAX
0040532C $-FF25 3CB24100 JMP DWORD PTR DS:[41B23C]
00405332 8BC0 MOV EAX,EAX
00405334 $-FF25 38B24100 JMP DWORD PTR DS:[41B238]
0040533A 8BC0 MOV EAX,EAX
0040533C /$ 50 PUSH EAX
0040533D |. 6A 40 PUSH 40
0040533F |. E8 E0FFFFFF CALL RegDefra.00405324
00405344 \. C3 RETN

F8 one time, and you are here:

009A1C64 55 PUSH EBP
009A1C65 8BEC MOV EBP,ESP
009A1C67 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
009A1C6A 85C0 TEST EAX,EAX
009A1C6C 75 13 JNZ SHORT 009A1C81
009A1C6E 813D A47A9A00 00>CMP DWORD PTR DS:[9A7AA4],400000 ; ASCII "MZP"
009A1C78 75 07 JNZ SHORT 009A1C81
009A1C7A A1 A47A9A00 MOV EAX,DWORD PTR DS:[9A7AA4]
009A1C7F EB 06 JMP SHORT 009A1C87
009A1C81 50 PUSH EAX
009A1C82 E8 3135FFFF CALL 009951B8 ; JMP to kernel32.GetModuleHandleA
009A1C87 5D POP EBP
009A1C88 C2 0400 RETN 4

Press F8 to RET command and you are here:

004053F1 . A3 10A74100 MOV DWORD PTR DS:[41A710],EAX ; RegDefra.00400000
004053F6 . A1 10A74100 MOV EAX,DWORD PTR DS:[41A710]
004053FB . A3 8C904100 MOV DWORD PTR DS:[41908C],EAX
00405400 . 33C0 XOR EAX,EAX
00405402 . A3 90904100 MOV DWORD PTR DS:[419090],EAX
00405407 . 33C0 XOR EAX,EAX
00405409 . A3 94904100 MOV DWORD PTR DS:[419094],EAX
0040540E . E8 C1FFFFFF CALL RegDefra.004053D4
00405413 . BA 88904100 MOV EDX,RegDefra.00419088
00405418 . 8BC3 MOV EAX,EBX
0040541A . E8 9DE5FFFF CALL RegDefra.004039BC
0040541F . 5B POP EBX
00405420 . C3 RETN

Dump full with LordPE, then F8 till after the RETN, and you are at what I thought was the fake OEP:

00418E88 E8 DB E8

Tried fixing the import table here without success; ImpREC gives me the message "nothing good here". Tried IAT autosearch, and also tried entering the OEP I thought I had found.

Brightdreams OEP finder script ends here:

0040531C FF DB FF

After Ctrl & A:

0040531C $-FF25 44B24100 JMP DWORD PTR DS:[41B244]
00405322 8BC0 MOV EAX,EAX
00405324 $-FF25 40B24100 JMP DWORD PTR DS:[41B240]
0040532A 8BC0 MOV EAX,EAX
0040532C $-FF25 3CB24100 JMP DWORD PTR DS:[41B23C]
00405332 8BC0 MOV EAX,EAX
00405334 $-FF25 38B24100 JMP DWORD PTR DS:[41B238]
0040533A 8BC0 MOV EAX,EAX
0040533C /$ 50 PUSH EAX
0040533D |. 6A 40 PUSH 40
0040533F |. E8 E0FFFFFF CALL RegDefra.00405324
00405344 \. C3 RETN

Has anyone else tried this target, and can they give me a few tips on where to go from here?
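The post turns on one question: is the entry point that PEiD reports (00417338) the program's real OEP, or is it the protector's stub? A first, static check an analyst makes before single-stepping is to read AddressOfEntryPoint from the PE optional header, find which section it falls in, and measure that section's byte entropy; a near-random section holding the entry point is the usual signature of a packed or protected stub rather than original compiler output. The example below is added here and is not code from the post or from any tool it names. It builds its own constructed PE32 image in memory (section names `.text` and `.aspr`, the 7.0 bits/byte threshold, and the sample bytes are all assumptions for the demonstration); only the image base 0x400000 and the entry address 0x417338 are taken from the post.

```python
import math
import struct
from collections import Counter

IMAGE_BASE = 0x400000  # the base RegDefrag loads at in the post (RegDefra.00400000)


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_sample_pe(entry_rva, sections, image_base=IMAGE_BASE, file_align=0x200):
    """Constructed minimal PE32 image for the demo (not a real binary).
    sections: list of (name, virtual_address, raw_bytes)."""
    align = lambda x: (x + file_align - 1) // file_align * file_align
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                 # PE32 optional header
    struct.pack_into("<HBB", opt, 0, 0x10B, 2, 25)       # Magic PE32, linker version
    struct.pack_into("<I", opt, 16, entry_rva)           # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)          # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, file_align)  # SectionAlignment, FileAlignment
    headers_len = align(64 + 4 + 20 + 224 + 40 * len(sections))
    sec_hdrs, body, raw_ptr = bytearray(), bytearray(), headers_len
    for name, va, data in sections:
        raw_size = align(len(data))
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                len(data), va, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec_hdrs)).ljust(headers_len, b"\0")
    return header + bytes(body)


def parse_pe(image: bytes) -> dict:
    """Read the fields an OEP triage needs: entry RVA, image base, section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        size = min(vsize, raw_size) if vsize else raw_size   # ignore file-alignment padding
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": vsize, "raw": image[raw_ptr:raw_ptr + size]})
    return {"entry_rva": entry_rva, "image_base": image_base, "sections": sections}


def triage(image: bytes, entropy_threshold: float = 7.0) -> dict:
    """Locate the header entry point and flag it if its section looks packed.
    The 7.0 bits/byte threshold is a common heuristic, not a hard rule."""
    pe = parse_pe(image)
    ep = pe["entry_rva"]
    sec = next((s for s in pe["sections"]
                if s["va"] <= ep < s["va"] + max(s["vsize"], len(s["raw"]))), None)
    result = {"entry_va": pe["image_base"] + ep, "section": None, "entropy": None}
    if sec is None:                      # entry outside every section: always suspicious
        result["packed_stub"] = True
        return result
    ent = entropy(sec["raw"])
    result.update(section=sec["name"], entropy=round(ent, 3), packed_stub=ent >= entropy_threshold)
    return result


# Constructed sample: a low-entropy code section and a high-entropy protector section.
SAMPLE_SECTIONS = [
    (".text", 0x1000, b"\x55\x8b\xec\x5d\xc3" * 200),    # repetitive prologue/epilogue bytes
    (".aspr", 0x17000, bytes(range(256)) * 4),            # every byte value equally often: 8.0 bits
]

if __name__ == "__main__":
    # Entry RVA 0x17338 reproduces the post's reported entry point 0x417338.
    print(triage(build_sample_pe(0x17338, SAMPLE_SECTIONS)))
    print(triage(build_sample_pe(0x1000, SAMPLE_SECTIONS)))
```

On the constructed image the first call reports the entry point at 0x417338 inside `.aspr` with entropy 8.0 and flags it as a packed stub; the second, with the entry moved into `.text`, is not flagged. On a real dump the same check tells you whether the address PEiD printed is worth treating as the OEP or is just where the protector begins.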