Exetools forum, General Discussion: Tried unpacking DVDIdle Pro - AsProtect (https://forum.exetools.com/showthread.php?t=3720)

britedream 03-25-2004 13:43

TO Svensk


"[insert the stolen bytes and change the origin to PUSH EBP at 41EFE6 and then dump the exe with OllyDump, unchecking Rebuild Import. I load your tree in ImpRec and press Fix Dump. I load the exe in LordPE and change OEP to 1EFE6. Problem is the exe still won't run. :(

It crashes at: 0041F115 |. E8 F6020000 CALL dumpLord.0041F410]"


Please Note:
1- If you have changed the origin to PUSH EBP, there is no need to use LordPE.
2- Please don't load my IAT; fix yours according to mine.

Maltese 03-25-2004 14:41

1 Attachment(s)
Arrrgghh....

Britedream, thank you for the tutorials and I can confirm your version is working... at least the greet screen comes up.

Mine always has an exception error. Looking at your tree file, your size is 918; mine turns out to be 91C.

Either way, no luck.

I confirmed the bytes you entered as stolen are entered right where the trace dumps (just above 45 bytes).

I noticed that Olly reports at least one different register upon initial load (no stepping) between our versions. The first time I compared the ESI turned out to be different.

In your tutorial you mention the stolen bytes.... thanks to you and lownoise we have that. I am starting to think that I am doing something wrong with ImpRec. When I compared our startup code, it looked dead on.

Are there any different settings in Olly or ImpRec that you think would make a difference?

Is it the way I am dumping it with OllyDump? I used your asprbp script to help eliminate any possible errors by me.

Here is a pic of the stolen bytes entered.... the EIP (which is now the origin) and the dump window as I prepare to dump the DVDIdle code.

-Malt

lownoise 03-25-2004 15:45

3 Attachment(s)
Well, for me it's a little bit early, and it seems I'm missing the link in the thread about where the app crashes.
I dumped the app the same way as Malt.
The IAT has been fixed with asprdbg from manko. It's a little tool which dumps AsProtect targets from previous versions. When asprdbg pauses after it cleans the IAT, open ImpRec, enter the values given by asprdbg and press Fix Dump.
After that, open your dumped exe in Olly and fix the check in DVDIdle Pro for the presence of AsProtect.
My quick and dirty fix is on line 4043AA: MOV EAX, DWORD PTR DS:[EAX]; if you change this to XOR EAX,EAX your app will run fine.

lownoise

britedream 03-25-2004 16:24

To maltese:

Default options for ImpRec work fine. Now, when you select the first line of your stolen bytes, you should right-click on it and choose "Origin here", then dump.

SvensK 03-25-2004 17:15

Thanks lownoise, that actually made my program load.

Is "Import all by Ordinal", "Rebuild Original FT" and "Create New IAT" supposed to be checked in ImpRec's Options?

Feel free to take a screenshot of your settings, so we all know how it "should" look :)

britedream 03-25-2004 17:58

To lownoise:

Yes, this is the first error I mentioned. If you fix the address to point to an address where you coded your name, then this will show that it is registered to you.

britedream 03-25-2004 18:06

To svensk and maltese,

Please discard the dump file I sent you; Olly didn't write the patch as it should. You will notice that it goes to an empty space.

Some strange things happen with this program; I will check them and let you know.

SvensK 03-25-2004 18:36

To britedream: Yes, I noticed that. But still the program is registered in your name. Weird :)

And btw, the code where you entered the PUSH is executed after the splash screen is shown.
I'm talking about the code at 401779.

lownoise 03-25-2004 18:38

Britedream,

Looks like I'm still learning every day.
App works registered now :)

lownoise

britedream 03-25-2004 18:47

These are the error areas I had; if you fix them it will run:

1-
004043AE /74 0F JE SHORT dvd_.004043BF
004043B0 |50 PUSH EAX
004043B1 |E8 90AB0100 CALL <JMP.&msvcrt.strlen>
004043B6 |. |85C0 TEST EAX,EAX
004043B8 |. |59 POP ECX ; dvd_.0040352D
004043B9 |. |76 04 JBE SHORT dvd_.004043BF
004043BB |. |33C0 XOR EAX,EAX
004043BD |. |40 INC EAX
004043BE |. |C3 RETN
004043BF |> \33C0 XOR EAX,EAX
004043C1 \. C3 RETN

2-
00401770 . 8975 FC MOV DWORD PTR SS:[EBP-4],ESI ; dvd_.0042C0F0
00401773 . FF35 28214200 PUSH DWORD PTR DS:[<&kernel32.CreateThre>; kernel32.CreateThread
00401779 . B8 D8A44200 MOV EAX,dvd_.0042A4D8
0040177E . FFD0 CALL NEAR EAX
00401780 . EB 0F JMP SHORT dvd_.00401791

This is what I had and fixed.

Now the strange thing I found: in the fixed dump at the OEP, which is working with no problem so far, I did check the IAT to see if it is well, and I found out that around four addresses had been overwritten. So I changed the ImpRec option from "Create New IAT" to "Rebuild Original"; that corrected the problem. So please check the IAT made by the AsProtect unpacker; I am curious to see.

britedream 03-25-2004 18:51

To svensk

Registration is in error #1 in my above post, while the missed patch is in error 2, which is after the splash.

lownoise 03-25-2004 18:56

Britedream,

I didn't have to make any modifications other than error 1 you specified. Why do you have to make any changes for error 2 :confused:

britedream 03-25-2004 18:57

To lownoise
I don't know if it is truly registered or not, but try to keep your dump target name slightly different from the original name.

britedream 03-25-2004 19:01

Edit by britedream
To lownoise:
The target will run outside Olly with only the first error fixed, and will run in Olly if you checked "ignore memory access violation".
It uses AsProtect region 990000, which is no longer there.

SvensK 03-25-2004 19:17

Where's the PUSH in your exe to read the name at 444600?
