Hacking Asprotect 1.31

[britedream]

the version has changed to 5.0.2.6, two versions changed in one day, they must be reading this forum. our patch will not work on the new version.

it is no longer protected with new asprotect 1.31, it went back to the old one

just so you know, i was using 5.0.1.6. but here's a little crash report:

Quote:

Access violation when executing [77E7D961]

stack:
0012FF74 00476FE1 RETURN to 00476FE1 from 77E7D961
0012FF78 00476FC8 ASCII "DvdIdlePro"
0012FF7C 0090D818
0012FF80 7FFD7BF8
0012FF84 0045C013 RETURN to 0045C013 from 0045C014
0012FF88 0012FF9C
0012FF8C 00400000 00400000

00476FD7 PUSH 00476FC8 ; ASCII "DvdIdlePro"
00476FDC CALL 77E7D961 ; offending caller
00476FE1 MOV ESI,EAX
00476FE3 PUSH 1
00476FE5 PUSH EAX
00476FE6 CALL 77E7B332
00476FEB CALL EAX
00476FED POPAD
00476FEE PUSH DWORD PTR SS:[EBP+9D5]
00476FF4 PUSH 0045C03F
00476FF9 RETN

00476FC8 44 76 64 49 64 6C 65 50 72 6F 00 00 00 00 60 68 DvdIdlePro....`h
00476FD8 C8 6F 47 00 E8 80 69 A0 77 8B F0 6A 01 50 E8 47 萶G.鑰i爓嬸j
P鐶
00476FE8 43 A0 77 FF D0 61 FF B5 D5 09 00 00 68 3F C0 45 C爓衋嫡...h?繣
00476FF8 00 C3 00 00 00 00 00 00 62 72 69 74 65 64 72 65 .?.....britedre
00477008 61 6D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 am..............

the way to fix this would be to call a pointer address to whatever api you're trying to use, instead of a direct call. this would fix the issue i'm sure. and, yes, this is still on my win2k system

if they went back to the older aspr, that's a good thing for them and their customers. i don't like the way the new aspr runs (which is too slow). programmers who use these protections should always opt for speed cuz even when they use these 'advanced' options it doesn't make it unbreakable for those of us who know the ways around this stuff. if they opt for a slower more heavily protected app you should expect complaints from your customers about sluggish performance. just my 2 cents.

[britedream]

But the call you refer to at address 476fdc is call LoadLibraryA, and it is called the way it should be but I don't know why isnot working on w2k.please try to change it to Call LoadLibraryA, and at address 476fe6 is call GetProcAddress, change these two, and see if it works for you.

luckily this app incorporates both of those api into its starting imports.
here is some fixed code for this routine:

Quote:

00476FD6 60 PUSHAD
00476FD7 68 C86F4700 PUSH 00476FC8 ; ASCII "DvdIdlePro"
00476FDC FF15 ECC94500 CALL DWORD PTR DS:[<&kernel32.LoadLibraryA>] ; kernel32.LoadLibraryA
00476FE2 8BF0 MOV ESI,EAX
00476FE4 6A 01 PUSH 1
00476FE6 50 PUSH EAX
00476FE7 FF15 E4C94500 CALL DWORD PTR DS:[<&kernel32.GetProcAddress>] ; kernel32.GetProcAddress
00476FED FFD0 CALL EAX
00476FEF 61 POPAD
00476FF0 FFB5 D5090000 PUSH DWORD PTR SS:[EBP+9D5]
00476FF6 68 3FC04500 PUSH 0045C03F
00476FFB C3 RETN

and this now works
nice approach

[britedream]

I did code it on the xp as call LoadLibraryA and call GetProcAddress, I don't understand why it isnot working on w2k. it is working on my xp. I think mapping these calls are different on w2k.

[britedream]

Quote:

Originally Posted by bollygud

luckily this app incorporates both of those api into its starting imports.
nice approach

If you follow asprotect, it always uses GetprocAddress,LoadlibraryA and GetModuleHandleA to set up iat. so these are always present.

yes, i realise that these are standard api's incorporated into aspr'd apps

the reason that your call isn't working is cuz it's pointing directly to an address that simply doesn't exist in win2k. perhaps your kernel32 (or all xp kernel32) is based at 77000000. where mine is based at 7C000000. this isn't a new concept and is the entire reason for the need of an import table and iat. cuz with each system or OS, the api simply do not reside in the same exact address. it seems that since you have the grasp of all these things, and i doubt i need to tell you this. but just in case you didn't know...

perhaps the fact that i copy/pasted from olly in haste that is shows the api names is confusing. but if you look what i really did was change the direct calls to indirect calls like so:

Quote:

00476FD6 PUSHAD
00476FD7 PUSH 00476FC8
00476FDC CALL DWORD PTR DS:[45C9EC]
00476FE2 MOV ESI,EAX
00476FE4 PUSH 1
00476FE6 PUSH EAX
00476FE7 CALL DWORD PTR DS:[45C9E4]
00476FED CALL EAX
00476FEF POPAD
00476FF0 PUSH DWORD PTR SS:[EBP+9D5]
00476FF6 PUSH 0045C03F
00476FFB RETN

anyway, just letting you know that this works this way and would work on any win platform and not just xp.

well... it was working, now i get a crc error (aspr virus error) coming from your hack file. strange cuz it was working. o well.

[britedream]

sorry, but you didnot understand my point , I didnot call the address directly I used call LoadLibraryA, and patched through ollydbg, I understand where the kernel base is,but my point is that calling LoadLibraryA should be resolved by w2k, and it didn't.(thanks for your clarification).

[britedream]

Quote:

Originally Posted by bollygud

well... it was working, now i get a crc error (aspr virus error) coming from your hack file. strange cuz it was working. o well.

you are exiting and restarting the target faster than it should be , please give it few sconds to unload.