The new asprotect 1.31

[britedream]

you are right my version is 3.59 , but by fixing the table it will not work, there are anti dumps you have to over come. I am also looking to make it works on other pces . so give some time .


note:
I have to give you my unpacked to work with it ,becuase if you dump from your
original, the doors to iat already changed to asprotect area.

Hi,
More and more unAmrmadiloed, unAsproteced stuff refuse to run on non XP machines. RestoreLastError cannot be found in non XP kernel.

I have fixed this replacing RestoreLastError with FlushFileBuffers

Am I wrong?

[britedream]

To R@der and hobgoblin:

I sent you the unpacked target that should work on all xp pces, please feed back.

sorry svensk I don't have your email.

Quote:

Originally Posted by drbyte

I have fixed this replacing RestoreLastError with FlushFileBuffers

Am I wrong?

In all instances, you should replace calls to RestoreLastError with SetLastError.

[hobgoblin]

Runs fine on my computer. thanks for the files. I'm about to start digging now.

regards,
hobgoblin

[britedream]

Thanks hobglobin for the feed back, now extools forum may be the first to unpack this lovable protector.


regards.

TARGET: http://www.jufsoft.com/badcopy

Protection: Latest ASProtect

Used Britedream's Olly script for "ASPR 1.3b" and got to OEP

Without using Ollyscript I did this to get to the OEP.

Hit Shift+F9 26 times and here:
0115E56E 0156 00 ADD DWORD PTR DS:[ESI],EDX

Put BP here:
0115E588 833D 6C3B1601 00 CMP DWORD PTR DS:[1163B6C],0

And hit Shift+F9 and Olly breaks. Then Alt+M and put BP on memory access on code. Then Set the debugging options and hit F9 once and you are at the OEP(Remove analysis) with no stolen bytes.

00501184 55 PUSH EBP
00501185 8BEC MOV EBP,ESP
00501187 83C4 F0 ADD ESP,-10
0050118A B8 240E5000 MOV EAX,BadCopy.00500E24
0050118F E8 105EF0FF CALL BadCopy.00406FA4


Dumped the target and there were no unresolved pointers and fixed IAT and then dump file.

But target wont run

Error: Access violation while reading [1181B34]

00407294 $- FF25 C841C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetModuleFileNameA
0040729A 8BC0 MOV EAX,EAX
0040729C $- FF25 CC41C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetModuleHandleA
004072A2 8BC0 MOV EAX,EAX
004072A4 $ FF25 341B1801 JMP DWORD PTR DS:[1181B34]
004072AA 8BC0 MOV EAX,EAX
004072AC $- FF25 D041C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetProfileStringA
004072B2 8BC0 MOV EAX,EAX
004072B4 $- FF25 D441C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetStdHandle

How to fix this plz help.

Regards,

[hobgoblin]

and how did you find the address for the IAT?

regards,
hobgoblin

[britedream]

Quote:

Originally Posted by ferrari

Error: Access violation while reading [1181B34]

00407294 $- FF25 C841C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetModuleFileNameA
0040729A 8BC0 MOV EAX,EAX
0040729C $- FF25 CC41C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetModuleHandleA
004072A2 8BC0 MOV EAX,EAX
004072A4 $ FF25 341B1801 JMP DWORD PTR DS:[1181B34]
004072AA 8BC0 MOV EAX,EAX
004072AC $- FF25 D041C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetProfileStringA
004072B2 8BC0 MOV EAX,EAX
004072B4 $- FF25 D441C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetStdHandle

How to fix this plz help.

Regards,

here is the same code in my unpacked target:

00407294 - FF25 C041C100 JMP NEAR DWORD PTR DS:[<&kernel32.GetMod>; kernel32.GetModuleFileNameA
0040729A 8BC0 MOV EAX,EAX
0040729C - FF25 C441C100 JMP NEAR DWORD PTR DS:[<&kernel32.GetMod>; kernel32.GetModuleHandleA
004072A2 8BC0 MOV EAX,EAX
004072A4 - FF25 7C47C100 JMP NEAR DWORD PTR DS:[<&kernel32.GetPro>; kernel32.GetProcAddress
004072AA 8BC0 MOV EAX,EAX
004072AC - FF25 C841C100 JMP NEAR DWORD PTR DS:[<&kernel32.GetPro>; kernel32.GetProfileStringA
004072B2 8BC0 MOV EAX,EAX
004072B4 - FF25 CC41C100 JMP NEAR DWORD PTR DS:[<&kernel32.GetStd>; kernel32.GetStdHandle
004072BA 8BC0 MOV EAX,EAX
004072BC - FF25 D041C100 JMP NEAR DWORD PTR DS:[<&kernel32.GetStr>; kernel32.GetStringTypeExA

Quote:

Originally Posted by ferrari

TARGET: http://www.jufsoft.com/badcopy

Protection: Latest ASProtect

Used Britedream's Olly script for "ASPR 1.3b" and got to OEP

Without using Ollyscript I did this to get to the OEP.

Hit Shift+F9 26 times and here:
0115E56E 0156 00 ADD DWORD PTR DS:[ESI],EDX

Put BP here:
0115E588 833D 6C3B1601 00 CMP DWORD PTR DS:[1163B6C],0

And hit Shift+F9 and Olly breaks. Then Alt+M and put BP on memory access on code. Then Set the debugging options and hit F9 once and you are at the OEP(Remove analysis) with no stolen bytes.

00501184 55 PUSH EBP
00501185 8BEC MOV EBP,ESP
00501187 83C4 F0 ADD ESP,-10
0050118A B8 240E5000 MOV EAX,BadCopy.00500E24
0050118F E8 105EF0FF CALL BadCopy.00406FA4


Dumped the target and there were no unresolved pointers and fixed IAT and then dump file.

But target wont run

Error: Access violation while reading [1181B34]

00407294 $- FF25 C841C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetModuleFileNameA
0040729A 8BC0 MOV EAX,EAX
0040729C $- FF25 CC41C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetModuleHandleA
004072A2 8BC0 MOV EAX,EAX
004072A4 $ FF25 341B1801 JMP DWORD PTR DS:[1181B34]
004072AA 8BC0 MOV EAX,EAX
004072AC $- FF25 D041C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetProfileStringA
004072B2 8BC0 MOV EAX,EAX
004072B4 $- FF25 D441C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetStdHandle

How to fix this plz help.

Regards,

regards
ferrari maybe your oep is wrong,i found oep on different way,fix iat and program is working,i m under xp. I attach file,and maybe can help you.
with best wishes