  #3  
Old 11-29-2004, 21:56
el-kiwi
 
Shift+F9 until here:

00C40061 C700 AF8DA71B MOV DWORD PTR DS:[EAX],1BA78DAF
00C40067 41 INC ECX
00C40068 67:64:8F06 0000 POP DWORD PTR FS:[0]
00C4006E EB 02 JMP SHORT 00C40072
00C40070 CD 20 INT 20
00C40072 83C4 04 ADD ESP,4
00C40075 034424 38 ADD EAX,DWORD PTR SS:[ESP+38]
00C40079 B8 26C84900 MOV EAX,49C826
00C4007E 58 POP EAX
00C4007F 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
00C40082 E8 3917FFFF CALL 00C317C0
00C40087 8B55 D0 MOV EDX,DWORD PTR SS:[EBP-30]
00C4008A A1 E477C400 MOV EAX,DWORD PTR DS:[C477E4]
00C4008F E8 C435FEFF CALL 00C23658
00C40094 51 PUSH ECX
00C40095 E8 2C000000 CALL 00C400C6
00C4009A 52 PUSH EDX
00C4009B F3: PREFIX REP: ; Superfluous prefix
00C4009C EB 02 JMP SHORT 00C400A0
00C4009E CD 20 INT 20
00C400A0 81D2 AD65B152 ADC EDX,52B165AD
00C400A6 64:EB 02 JMP SHORT 00C400AB ; Superfluous prefix

Now I put a memory breakpoint on access, and Shift+F9 two times brings me here:

00C37F47 C603 E9 MOV BYTE PTR DS:[EBX],0E9
00C37F4A 8D53 01 LEA EDX,DWORD PTR DS:[EBX+1]
00C37F4D 8902 MOV DWORD PTR DS:[EDX],EAX
00C37F4F 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00C37F52 8910 MOV DWORD PTR DS:[EAX],EDX
00C37F54 B8 05000000 MOV EAX,5
00C37F59 5B POP EBX
00C37F5A 5D POP EBP
00C37F5B C2 0400 RETN 4

Now in the registers:

EAX 00A9D6D9
ECX 00EA05A2
EDX 00A9D6D9
EBX 00402EC4 SystemCl.00402EC4
ESP 0012FEA0
EBP 0012FEA4
ESI 15507F7E
EDI FFFFB4B0
EIP 00C37F47

I trace with F8 to see what happens, and it looks like this is the place where the program encrypts the OEP, and because the EBX value is changed, some of this address is the OEP... maybe I'm wrong... need to trace a little bit more.
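Added example (my own, not el-kiwi's post or the protector's code): a small Python model of the routine at 00C37F47..00C37F5B, fed with the patch address and rel32 value from the register dump (EBX=00402EC4, EAX=00A9D6D9). The byte buffer, its base address and the function names are assumptions; the filler bytes stand in for code the post does not show.

```python
import struct

MASK32 = 0xFFFFFFFF

def emulate_jmp_patch(image: bytearray, base: int, ebx: int, eax: int):
    """Python model of the stub routine at 00C37F47..00C37F5B.

    `image` is a constructed byte buffer standing in for memory mapped at
    `base`; `ebx` is the address being patched and `eax` the 32-bit value
    the stub stores after the opcode (hypothetical names, mirroring the
    register roles in the listing).  Returns the 5 original bytes the stub
    overwrites, the pointer it stores through [EBP+8] (EBX+1), and EAX (5).
    """
    off = ebx - base
    if not 0 <= off <= len(image) - 5:
        raise ValueError("patch address outside image")
    saved = bytes(image[off:off + 5])            # what the stub destroys
    image[off] = 0xE9                            # MOV BYTE PTR DS:[EBX],0E9
    edx = (ebx + 1) & MASK32                     # LEA EDX,DWORD PTR DS:[EBX+1]
    image[off + 1:off + 5] = struct.pack("<I", eax & MASK32)  # MOV DS:[EDX],EAX
    return saved, edx, 5                         # MOV EAX,5 ; RETN 4

def jmp_rel32_target(image: bytearray, base: int, addr: int) -> int:
    """Decode a 5-byte E9 rel32 JMP at addr: target = addr + 5 + rel32."""
    off = addr - base
    if image[off] != 0xE9:
        raise ValueError(f"no JMP rel32 opcode at {addr:08X}")
    rel = struct.unpack("<i", image[off + 1:off + 5])[0]
    return (addr + 5 + rel) & MASK32

def run_post_example():
    """Feed the register dump from the post (EBX=00402EC4, EAX=00A9D6D9)
    through the model and report where the written JMP lands."""
    base = 0x00402EC0
    # Constructed filler standing in for the code bytes at SystemCl.00402EC0;
    # the post does not show the real bytes, so these are placeholders.
    image = bytearray(b"\x90" * 16)
    ebx, eax = 0x00402EC4, 0x00A9D6D9
    saved, stored_ptr, ret = emulate_jmp_patch(image, base, ebx, eax)
    target = jmp_rel32_target(image, base, ebx)
    return {"saved": saved, "ptr": stored_ptr, "eax": ret, "target": target}
```

The decoded target is 00EA05A2, the ECX value in the dump, so EAX already held the displacement from EBX+5 to ECX when the routine was entered. Keeping the five overwritten bytes is what lets you restore the original code at the patch site later.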