Exetools  

04-22-2008, 07:13
Exocist
Help with ASProtect variant please?

Hi guys,

For quite some time I have been inline patching various ASProtect programs with no problems at all. Recently, however, I've come across a variant that has me a bit puzzled. It concerns the kernel32.MapViewOfFileEx call which precedes the CRC check.

Prior to this change it was simply a case of finding the

PUSH 0
PUSH 0
PUSH 0
PUSH 4

6a 00 6a 00 6a 00 6a 04

This has to be patched because we redirect the code to our code afterwards and place the original bytes back into the mapped file address space. If this doesn't occur then the dreaded ASProtect CRC error appears.

Everything about these targets up to this point is the same but the CRC check now seems to be handled differently and I'm having trouble finding it.

An example program is the VSTi instrument called Morphine from www.image-line.com.

Here is where I'm at with my patch points, the next one (#8) needs to be the CRC check...

Code:
100BC185   E9 45000000      JMP 100BC1CF                        #1

100BC247  ^0F85 B1FFFFFF    JNZ 100BC1FE                        #2
100BC24D   E8 06000000      CALL 100BC258

100BC328   E9 2F000000      JMP 100BC35C                        #3

100BC432   E9 1E000000      JMP 100BC455                        #4

100BC619   68 00800000      PUSH 8000                           #5
100BC61E   6A 00            PUSH 0
100BC620   56               PUSH ESI
100BC621   FF95 FB030000    CALL DWORD PTR SS:[EBP+3FB]
100BC627   68 00000000      PUSH 0
100BC62C   C3               RETN

009E30F3   68 00800000      PUSH 8000                           #6
009E30F8   6A 00            PUSH 0
009E30FA   50               PUSH EAX
009E30FB   FF95 7D294400    CALL DWORD PTR SS:[EBP+44297D]
009E3101   8D85 512C4400    LEA EAX,DWORD PTR SS:[EBP+442C51]
009E3107   50               PUSH EAX
009E3108   C3               RETN

009E35C1   61               POPAD                               #7
009E35C2   75 08            JNZ SHORT 009E35CC
009E35C4   B8 01000000      MOV EAX,1
009E35C9   C2 0C00          RETN 0C
009E35CC   68 F0A69D00      PUSH 9DA6F0
009E35D1   C3               RETN

Anyone have any experience with this new method? Thank you!

(sorry mod about previous deletion, having a brain fart! thanks!)