Exetools  

#1
05-31-2004, 18:40
Satyric0n
Quote:
Originally Posted by drbyte
I have fixed this by replacing RestoreLastError with FlushFileBuffers.

Am I wrong?
In all instances, you should replace calls to RestoreLastError with SetLastError.
Reply With Quote
#2
05-31-2004, 19:07
hobgoblin
To britedream

Runs fine on my computer. Thanks for the files. I'm about to start digging now.

regards,
hobgoblin
#3
05-31-2004, 20:02
britedream
To hobgoblin

Thanks hobgoblin for the feedback; now the Exetools forum may be the first to unpack this lovable protector.


regards.
#4
06-01-2004, 14:24
ferrari
TARGET: http://www.jufsoft.com/badcopy

Protection: Latest ASProtect

Used Britedream's Olly script for "ASPR 1.3b" and got to the OEP.

Without using OllyScript I did this to get to the OEP.

Hit Shift+F9 26 times and you are here:
0115E56E 0156 00 ADD DWORD PTR DS:[ESI],EDX

Put a BP here:
0115E588 833D 6C3B1601 00 CMP DWORD PTR DS:[1163B6C],0

And hit Shift+F9 and Olly breaks. Then Alt+M and put a BP on memory access on code. Then set the debugging options and hit F9 once, and you are at the OEP (remove analysis) with no stolen bytes.

00501184 55 PUSH EBP
00501185 8BEC MOV EBP,ESP
00501187 83C4 F0 ADD ESP,-10
0050118A B8 240E5000 MOV EAX,BadCopy.00500E24
0050118F E8 105EF0FF CALL BadCopy.00406FA4


Dumped the target, there were no unresolved pointers, fixed the IAT and then the dump file.

But the target won't run.

Error: Access violation while reading [1181B34]

00407294 $- FF25 C841C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetModuleFileNameA
0040729A 8BC0 MOV EAX,EAX
0040729C $- FF25 CC41C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetModuleHandleA
004072A2 8BC0 MOV EAX,EAX
004072A4 $ FF25 341B1801 JMP DWORD PTR DS:[1181B34]
004072AA 8BC0 MOV EAX,EAX
004072AC $- FF25 D041C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetProfileStringA
004072B2 8BC0 MOV EAX,EAX
004072B4 $- FF25 D441C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetStdHandle

How to fix this? Please help.

Regards,
#5
06-01-2004, 17:55
hobgoblin
IAT..

and how did you find the address for the IAT?

regards,
hobgoblin
#6
06-01-2004, 19:20
ferrari
Quote:
Originally Posted by hobgoblin
and how did you find the address for the IAT?

regards,
hobgoblin
Err. Spank me, I did not save the tree. I started ImpREC, attached to the process and just hit IAT auto search (did not enter the OEP) and got the message "found something"; get imports, size was something around 7xx and there were no unresolved pointers, all import functions were valid. But now again when I do the same, ImpREC displays "could not find anything".
I have the "dump_.exe". Shall I upload it?

Regards,

Last edited by ferrari; 06-01-2004 at 19:25.
#7
06-01-2004, 21:39
hobgoblin
Thanks

Thanks for the reply. How to find the place in aspr code where the iat table is created/written to memory somehow eludes me. Usually I use a bp GetProcAddress to find it, but this time I don't. I do find a place where this api is called to find the addresses to an iat, but I'm not sure whether this is the correct one.
Well, well. I have to dig deeper I guess.

regards,
hobgoblin
#8
06-02-2004, 11:30
britedream
To Ferrari

Quote:
Originally Posted by ferrari

Error: Access violation while reading [1181B34]

00407294 $- FF25 C841C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetModuleFileNameA
0040729A 8BC0 MOV EAX,EAX
0040729C $- FF25 CC41C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetModuleHandleA
004072A2 8BC0 MOV EAX,EAX
004072A4 $ FF25 341B1801 JMP DWORD PTR DS:[1181B34]
004072AA 8BC0 MOV EAX,EAX
004072AC $- FF25 D041C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetProfileStringA
004072B2 8BC0 MOV EAX,EAX
004072B4 $- FF25 D441C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetStdHandle

How to fix this plz help.

Regards,

Here is the same code in my unpacked target:

00407294 - FF25 C041C100 JMP NEAR DWORD PTR DS:[<&kernel32.GetMod>; kernel32.GetModuleFileNameA
0040729A 8BC0 MOV EAX,EAX
0040729C - FF25 C441C100 JMP NEAR DWORD PTR DS:[<&kernel32.GetMod>; kernel32.GetModuleHandleA
004072A2 8BC0 MOV EAX,EAX
004072A4 - FF25 7C47C100 JMP NEAR DWORD PTR DS:[<&kernel32.GetPro>; kernel32.GetProcAddress
004072AA 8BC0 MOV EAX,EAX
004072AC - FF25 C841C100 JMP NEAR DWORD PTR DS:[<&kernel32.GetPro>; kernel32.GetProfileStringA
004072B2 8BC0 MOV EAX,EAX
004072B4 - FF25 CC41C100 JMP NEAR DWORD PTR DS:[<&kernel32.GetStd>; kernel32.GetStdHandle
004072BA 8BC0 MOV EAX,EAX
004072BC - FF25 D041C100 JMP NEAR DWORD PTR DS:[<&kernel32.GetStr>; kernel32.GetStringTypeExA

Last edited by britedream; 06-02-2004 at 11:32.
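A check for the symptom ferrari reports in post #4 and britedream contrasts in post #8, added here as an example (not code from either poster or from the forum): it parses OllyDbg-style "FF25 ... JMP DWORD PTR DS:[slot]" thunk lines, decodes the little-endian displacement, and flags IAT slots that lie outside the image range. The image base and SizeOfImage are assumptions, and the listing is constructed from the lines quoted in the thread.

```python
import re

# Constructed sample modelled on the OllyDbg listing quoted in the thread (not a real dump).
LISTING = """\
00407294 $- FF25 C841C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetModuleFileNameA
0040729A 8BC0 MOV EAX,EAX
0040729C $- FF25 CC41C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetModuleHandleA
004072A2 8BC0 MOV EAX,EAX
004072A4 $ FF25 341B1801 JMP DWORD PTR DS:[1181B34]
004072AA 8BC0 MOV EAX,EAX
004072AC $- FF25 D041C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetProfileStringA
"""

# Assumed PE layout for this example: image base 0x00400000 and a SizeOfImage large
# enough to cover the resolved IAT slots at 0x00C141xx (the thread gives neither value).
IMAGE_BASE = 0x00400000
IMAGE_SIZE = 0x00900000

# Matches "<addr> [$][-] FF25 <disp32 bytes> JMP ..." as Olly prints an indirect jump.
THUNK_RE = re.compile(r"^([0-9A-F]{8})\s+\$?-?\s*FF25\s+([0-9A-F]{8})\s+JMP", re.I)


def slot_from_disp(hexbytes):
    """FF 25 disp32 stores the IAT slot address little-endian after the opcode."""
    return int.from_bytes(bytes.fromhex(hexbytes), "little")


def parse_thunks(listing):
    """Return (instruction address, IAT slot address) for every JMP [slot] line."""
    thunks = []
    for line in listing.splitlines():
        m = THUNK_RE.match(line)
        if m:
            thunks.append((int(m.group(1), 16), slot_from_disp(m.group(2))))
    return thunks


def find_unresolved(listing, image_base=IMAGE_BASE, image_size=IMAGE_SIZE):
    """Slots outside [image_base, image_base + image_size) point into memory the
    protector allocated at run time, which a dump does not contain, so the dumped
    program faults reading them, as ferrari's target did at [1181B34]."""
    lo, hi = image_base, image_base + image_size
    return [(at, slot) for at, slot in parse_thunks(listing) if not lo <= slot < hi]


if __name__ == "__main__":
    for at, slot in find_unresolved(LISTING):
        print(f"thunk at {at:08X} reads IAT slot {slot:08X} outside the image")
```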
#9
06-02-2004, 12:13
Crk
I don't get any knowledge from getting an unpacked exe from someone; I don't have fun like that. I need some paper/notes about unpacking this latest ASPr, especially fixing the IAT.
#10
06-02-2004, 19:46
el-kiwi
Quote:
Originally Posted by ferrari (post #4, quoted in full)

ferrari, maybe your OEP is wrong. I found the OEP a different way, fixed the IAT and the program is working; I'm under XP. I attach a file, and maybe it can help you.
with best wishes
Attached Files
File Type: txt BADCOPY.txt (2.8 KB, 18 views)
#11
06-02-2004, 20:37
britedream
To el-kiwi

Hi

Are you sure it is the same version, BadCopy Pro 3.74 build 403?
#12
06-02-2004, 21:24
el-kiwi
Quote:
Originally Posted by britedream
Hi

Are you sure it is the same version, BadCopy Pro 3.74 build 403?
Hi britedream

No it is not; now I see it's 3.74 build 0531, but I downloaded it yesterday, and now PEiD says ASPack 1.07b! I don't get it. I apologize for the misunderstanding.

Last edited by el-kiwi; 06-02-2004 at 21:54.
All times are GMT +8.