Still need help with Asprotect

[britedream]

this is the snippet:

Quote:

Originally Posted by Wurstgote

It's me again



0057890C /$ PUSH EBP
0057890D |. MOV EBP,ESP
0057890F |. PUSH ECX
00578910 |. PUSH EBX
00578911 |. MOV EAX,DWORD PTR DS:[40781E] ;<&kernel32.GetModuleHandleA>
00578917 |. MOV EBX,DWORD PTR DS:[EAX]
00578919 |. PUSH DWORD PTR DS:[EBX]
0057891B |. MOV DWORD PTR SS:[EBP-4],EBX
0057891E |. POP DWORD PTR DS:[EBX]
00578920 |. MOV EAX,DWORD PTR SS:[EBP-4]
00578923 |. POP EBX
00578924 |. POP ECX
00578925 |. POP EBP
00578926 \. RETN

Regards
Wurstgote

please forgive my memory, this was your solution.

Quote:

Originally Posted by Satyric0n

Hmm. This is not acceptable.. This would move whatever data was [EBX] to [EAX], overwriting whatever was there already (the value in EBX, at this point), which may be something critical (like an IAT entry). Standard procedure here is just to NOP the instructions at 578919 and 57891E.


I use Visual Studio, but a small app like ResHack or something should do the trick, too. That's a fairly small download, I think. Any resource editor should work; there are many out there, and most are free.

Regards,

Satyric0n

now by nopping the 578919 and 57891e, you rendered the snippet useless,
pop ebx,pop ecx, pop ebp, are restoring what is pushed at the beginning,eax is xored right after retun, so by changing push ebp, to return is equal in effect to your nopping.
and I see no differnce between what I did ,and your nopping.

regards.

[britedream]

popeyfan ,

did you do the test I told you, run target outside olly. the startup codes look ok
to me , but I don't have the same va so the value to move to eax, I will not be able to say if it is the right one or not. btw, are you runnig windows xp.
can you send me your dump I will check it for you.
regrads.

Yes, I did try running in & out of Olly, I'll email you my dumped file to check, thanks for that, very good of you.

Hi, you can access it at hxxp://members.optusnet.com.au/~vincewmb/Aussiepompeyfan/RegDefrag.rar, I see I cant email you, so I uploaded it to my website.

Looks like my ISP doesn't like that file, you can get it from here, I've put it on the AR Cracking FTP, hxxp://www.grinders.withernsea.com/tools/RegDefrag.zip

[britedream]

I just downloaded the dump, double clicked on it , and it sarts the same way as mine, it gives a warning msg., then registration reminder,after clicking ok it ran.
I checked the version, both have the same one,"5.5283". I am running windows xp.

[britedream]

the only thing I can think of right now is that your target may be expired, so it is excuting different code that produced errors you have. it wasn't that either, I force it to expired, but the registration reminder came up fine .

Quote:

Originally Posted by britedream

pop ebx,pop ecx, pop ebp, are restoring what is pushed at the beginning,eax is xored right after retun, so by changing push ebp, to return is equal in effect to your nopping.
and I see no differnce between what I did ,and your nopping.

regards.

I admit that I never looked at the code CALLing 57890C in that example, so I was unaware that EAX was XORed immediately after the procedure returned. So, my assumption that the value in EAX was important was incorrect.

Also, upon rereading what you first posted here, when you said 'so change 55 "push ebp", to c3 " retn"', for some reason I thought you were referring to the instruction at 410419, not the one at 41040C. Hence my comments about corrupting the stack (which now turn out are entirely irrelevant)...

Sorry, my misunderstanding, my fault. Maybe I should slow down when reading next time, so I don't get confused so easily and throw off the whole thread.

Regards,
Satyric0n