  #2  
12-12-2005, 16:47
hosiminh
target version 3.2 sr6
MD5= 063220da662761f8ab27c92d57f68a49 ; HFFR.exe


last exception:
03A12CF2 31C0 XOR EAX,EAX
03A12CF4 64:FF30 PUSH DWORD PTR FS:[EAX]
03A12CF7 64:8920 MOV DWORD PTR FS:[EAX],ESP
03A12CFA 3100 XOR DWORD PTR DS:[EAX],EAX

Dunno what you have been doing, but I put a memory bp on the 2nd section, passed the last exception to the program, and I landed here:

oep:
00432236 55 PUSH EBP
00432237 8BEC MOV EBP,ESP
00432239 6A FF PUSH -1
0043223B 68 F04A4000 PUSH HFFR.00404AF0
00432240 68 FA214300 PUSH HFFR.004321FA ; JMP to msvcrt._except_handler3
00432245 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0043224B 50 PUSH EAX
0043224C 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
00432253 83EC 68 SUB ESP,68
00432256 53 PUSH EBX
00432257 56 PUSH ESI
00432258 57 PUSH EDI
00432259 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
0043225C 33DB XOR EBX,EBX
0043225E 895D FC MOV DWORD PTR SS:[EBP-4],EBX
00432261 6A 02 PUSH 2
00432263 FF15 E8174000 CALL DWORD PTR DS:[4017E8] ; msvcrt.__set_app_type

MS VC target...

anti-dump
004222EA FFD0 CALL EAX //nop it

otherwise you will get funny MsgBox:
"Shame On You"
"Protection not found !"

Last edited by hosiminh; 12-12-2005 at 17:10.