ASPR 1.2 question

[gabri3l]

I'm glad you noticed the same thing I did JMI. Why is that jump there? I know this program has a CRC check, do you suppose that is part of the routine. A theory that I have not yet explored. I haven't had too much time to step through this in the past few days. But I am hoping to make some time today. I will let you know if i find anything.

This may be stating the obvious, but here goes...

A "PUSH $address" followed by a RETN is functionally identical to "JMP $address". The instructions are different, but they accomplish the exact same thing, since RETN basically just does what can be thought of as "POP EIP".

If the purpose of examing the difference between the two was to try to find a pattern of some sort (i.e. the PUSH, RETN is there when there are stolen bytes, the JMP is there when there aren't), then my comment has no relevance.

But, since it appears there is no such pattern (as evidenced by the fact that the VCD app has the PUSH, RETN), the difference between the two seems irrelevant to me. Maybe ASPR just generates one or the other randomly, to try to confuse people?

Regards,
Satyric0n

[JMI]

Hey Satyric0n:

Just because something is "obvious" doesn't mean one actually managed to "observe" it. This is at least the second time in this thread that I've been so intent on what I "thought" I was doing, I did not actually notice what was right in front of me.

What you said is "obviously" true, but I was so intent on "looking" for a "pattern," I completely failed to "think" about "what" the code was doing. Well Duh! Since it was the ONLY one I had ever seen like that, I was mesmerized by the possibility of discovering an identifying pattern. You know, immortality, name in lights, ticker tape parades, and all that

Thanks for throwing that bucket of cold water on my head to wake me up. Maybe a good slap will get me to focus.

Regards and thanks.

[gabri3l]

Quote:

Originally Posted by Satyric0n

This may be stating the obvious, but here goes...

A "PUSH $address" followed by a RETN is functionally identical to "JMP $address". The instructions are different, but they accomplish the exact same thing, since RETN basically just does what can be thought of as "POP EIP".

If the purpose of examing the difference between the two was to try to find a pattern of some sort (i.e. the PUSH, RETN is there when there are stolen bytes, the JMP is there when there aren't), then my comment has no relevance.

But, since it appears there is no such pattern (as evidenced by the fact that the VCD app has the PUSH, RETN), the difference between the two seems irrelevant to me. Maybe ASPR just generates one or the other randomly, to try to confuse people?

And it seemed to have worked. I believe you may be correct. If there is a pattern then it is not very evident. I just thought it odd when this jump shows up after all the other ASPR programs i tried had returns. If someone happens to see it again in another program let me know because I still find it interesting.

Seems we needed a extra voice of reason to get us focused again.

[britedream]

Quote:

Originally Posted by JMI

The "stolen bytes" themselves, if they have been stolen, are not in this part of the ASPR code and are found in the section of the code which is later erased by

just small note:
all protected targets with stolen ;acprotect,svkp,asprotect.... , the stolen bytes are excuted inside the protector by emulating it-most of the time-, and then some times erased, before it jumps to the codes in the code section.