Exetools
Page 3 of 4 12 3 4
Show 40 post(s) from this thread on one page

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   The new asprotect 1.31 (https://forum.exetools.com/showthread.php?t=4259)

britedream 06-02-2004 11:21
To Ferrari
 
1 Attachment(s)
This target is much easier than whereIsIt, just fix the iat and it will run fine,

here is the iat to compare to: (don't use it on yours, it will not work,just compare it to your iat.)

note: i have the target unpacked , if you want, I will be glad to send it to you.

britedream 06-02-2004 11:30
To Ferrari
 
Quote:
Originally Posted by ferrari

Error: Access violation while reading [1181B34]

00407294 $- FF25 C841C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetModuleFileNameA
0040729A 8BC0 MOV EAX,EAX
0040729C $- FF25 CC41C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetModuleHandleA
004072A2 8BC0 MOV EAX,EAX
004072A4 $ FF25 341B1801 JMP DWORD PTR DS:[1181B34]
004072AA 8BC0 MOV EAX,EAX
004072AC $- FF25 D041C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetProfileStringA
004072B2 8BC0 MOV EAX,EAX
004072B4 $- FF25 D441C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetStdHandle

How to fix this plz help.

Regards,

here is the same code in my unpacked target:

00407294 - FF25 C041C100 JMP NEAR DWORD PTR DS:[<&kernel32.GetMod>; kernel32.GetModuleFileNameA
0040729A 8BC0 MOV EAX,EAX
0040729C - FF25 C441C100 JMP NEAR DWORD PTR DS:[<&kernel32.GetMod>; kernel32.GetModuleHandleA
004072A2 8BC0 MOV EAX,EAX
004072A4 - FF25 7C47C100 JMP NEAR DWORD PTR DS:[<&kernel32.GetPro>; kernel32.GetProcAddress
004072AA 8BC0 MOV EAX,EAX
004072AC - FF25 C841C100 JMP NEAR DWORD PTR DS:[<&kernel32.GetPro>; kernel32.GetProfileStringA
004072B2 8BC0 MOV EAX,EAX
004072B4 - FF25 CC41C100 JMP NEAR DWORD PTR DS:[<&kernel32.GetStd>; kernel32.GetStdHandle
004072BA 8BC0 MOV EAX,EAX
004072BC - FF25 D041C100 JMP NEAR DWORD PTR DS:[<&kernel32.GetStr>; kernel32.GetStringTypeExA

Crk 06-02-2004 12:13
i don't get any knowledge getting an unpacked exe from someone .. i don't have fun like that.. i need some papel/notes about unpacking this latest Aspr. specially fixing IAT

el-kiwi 06-02-2004 19:46
1 Attachment(s)
Quote:
Originally Posted by ferrari
TARGET: http://www.jufsoft.com/badcopy

Protection: Latest ASProtect

Used Britedream's Olly script for "ASPR 1.3b" and got to OEP

Without using Ollyscript I did this to get to the OEP.

Hit Shift+F9 26 times and here:
0115E56E 0156 00 ADD DWORD PTR DS:[ESI],EDX

Put BP here:
0115E588 833D 6C3B1601 00 CMP DWORD PTR DS:[1163B6C],0

And hit Shift+F9 and Olly breaks. Then Alt+M and put BP on memory access on code. Then Set the debugging options and hit F9 once and you are at the OEP(Remove analysis) with no stolen bytes.

00501184 55 PUSH EBP
00501185 8BEC MOV EBP,ESP
00501187 83C4 F0 ADD ESP,-10
0050118A B8 240E5000 MOV EAX,BadCopy.00500E24
0050118F E8 105EF0FF CALL BadCopy.00406FA4


Dumped the target and there were no unresolved pointers and fixed IAT and then dump file.

But target wont run

Error: Access violation while reading [1181B34]

00407294 $- FF25 C841C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetModuleFileNameA
0040729A 8BC0 MOV EAX,EAX
0040729C $- FF25 CC41C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetModuleHandleA
004072A2 8BC0 MOV EAX,EAX
004072A4 $ FF25 341B1801 JMP DWORD PTR DS:[1181B34]
004072AA 8BC0 MOV EAX,EAX
004072AC $- FF25 D041C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetProfileStringA
004072B2 8BC0 MOV EAX,EAX
004072B4 $- FF25 D441C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetStdHandle

How to fix this plz help.

Regards,
regards
ferrari maybe your oep is wrong,i found oep on different way,fix iat and program is working,i m under xp. I attach file,and maybe can help you.
with best wishes

britedream 06-02-2004 20:37
To el-kiwi
 
Hi

are you sure it is the same verion BadCopy pro 3.74 build 403.

el-kiwi 06-02-2004 21:24
Quote:
Originally Posted by britedream
Hi

are you sure it is the same verion BadCopy pro 3.74 build 403.
Hi britedream

no it is not,now i see its 3.74 build 0531,but i download it yesterday,and now peid say aspack 1.07b! i dont get it. I apologize for misunderstanding.

britedream 06-02-2004 21:58
To el-kiwi
 
1 Attachment(s)
Here is the unpacked Badcopy if you wish to tackle asprotect:

el-kiwi 06-02-2004 23:15
its working,I just delete this old one,and programs works fine on my machine.is there any chance to write tutorial about unpacking this version britedream?

ferrari 06-03-2004 00:51
@el-kiwi

OEP is right mate but from britedreams post I see where the problem is.

@britedream
Btw britedream I 'll check ur input and let you know :)..I want to know how u did it rather than downloading the unpacked exe ;)

Regards,

SvensK 06-03-2004 01:36
I just grabbed the latest (3.74 0531) version of BadCopy Pro from hxxp://www.jufsoft.com/badcopy/ and that's most definitely not asprotected.
Author must have given up on asprotect.

Edit: Build 0403 couldn't have been Asprotect 1.31, it was way more like 1.23 RC4. Lemme know if I'm mistaken.
Hence, easy to unpack.

Regards
SvensK

britedream 06-03-2004 02:22
it is 131 to me .

SvensK 06-03-2004 02:24
My file version is 3.7.4.0 and filesize is 587 KB (601 600 bytes).
Are yours different?

britedream 06-03-2004 02:30
size on disk 640kb, and version 3.74 build 403

SvensK 06-03-2004 02:41
Right-click the .exe and check Properties, then Version tab.
What does it say at the top?

hobgoblin 06-03-2004 03:43
Hmm
 
I just downloaded and unpacked the latest version myself. It is an old Aspack version (Aspack 1.07).

hobgoblin


All times are GMT +8. The time now is 17:37.
Page 3 of 4 12 3 4
Show 40 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX