Exetools

New Asprotect? (https://forum.exetools.com/showthread.php?t=4294)

bollygud 05-22-2004 14:10

well, i managed to do it, but the solution doesn't seem to fit every situation so i'll not post any real specifics yet. just wanted everyone to know that it is possible. it took a lot of rebuilding. rebuilding an iat, fixing jumps/calls, etc.

i do have one question, maybe someone can help me out. is there an api that acts the opposite of GetModuleHandleA? in other words, an api that can be fed a number that is the module's handle, like 77000000, and it will spit out the module name? just curious, cuz something like that could help somewhat.

nerst 05-22-2004 14:40

Quote:

Originally Posted by bollygud
i do have one question, maybe someone can help me out. is there an api that acts the opposite of GetModuleHandleA? in other words, an api that can be fed a number that is the module's handle, like 77000000, and it will spit out the module name? just curious, cuz something like that could help somewhat.

GetModuleFileNameA ??? :confused:

bollygud 05-23-2004 00:44

hehe, duh! :)

thanks. my brain is a little fried ;)

santa_kewl 05-29-2004 14:48

Hi all,

On the last exception you will see anti softice sice too :).
hmm still need time to find why the iat is not able to resolve using revirgin or imprec....

Regards

Darren 05-29-2004 19:10

because an IAT isn't used, aspr engine patches calls/jumps in the user code directly

Crk 05-29-2004 22:31

i managed to make a working dump and found OEP for whereisit? 3.60 ... but can't fix IAT ..has anyone been able to find a solution for this?

SvensK 05-30-2004 02:13

@Crk: britedream just posted that he unpacked latest whereisit. I'm sure he'll tell you how.

Hmm, is the OEP at 006FB5EC ?

Crk 05-30-2004 05:36

since i couldn't fix IAT i deleted all files... i forgot which one it is but manually you will be able to find it ... look with W32Dasm for the string : WHEREISIT.CHM

a little up is OEP where that piece of code starts (558BEC......)

there are no stolen bytes! :)

i'm waiting for britedream's tut about fixing IAT
it looks like new asprotect and armadillo are using almost the same technique to protect IAT this time .. for how long? ;)

Regards.

SvensK 05-30-2004 15:35

@Crk: Ok, then at least I had found the OEP and dumped the exe.

britedream 06-01-2004 17:01

in the new asprotect just use peid oep finder when checking the protection, it will give you the correct oep if not protected, in the two I checked it gave the correct oep.

deviljin 07-20-2004 20:15

Proposed solution for fixing IAT
 
1 Attachment(s)
Since no one has posted a solution for fixing IAT of new asprotect, I post here a simple solution. I do not know if it works in any situation since I did not try it on commercial software but you can check it out. I think that my solution is just an application of different suggestions I found in this forum.

I took the Unpackmenow as an example.

Regards
deviljin

