Exetools


britedream 05-12-2004 14:02

The new asprotect 1.31
 
I did download this beta. It is getting closer to the ACProtect approach; the new beta and the older ASProtect both have almost the same concept. I wrote a script to find the OEP and the last exception. The true OEP is directed by a jmp to the ASProtect area, where the stolen reside; this is done within the few exceptions (2-3, I don't remember now) before the last exception is reached. For the IAT, the APIs are emulated inside the ASProtect area. This is my initial observation. I believe this observation won't be new to most of you, but I thought I should share it with others who may not have it. Please share your input if you can. Thanks.

el-kiwi 05-13-2004 02:21

I can find the OEP. About the stolen bytes, I use the same compiler stub approach and it's working, but when I try to use ImpRec, ImpRec crashes and I cannot fix the IAT.

britedream 05-15-2004 23:20

To: el-KiWi

This weekend I did look at the beta, and I did unpack it, but I used a non-traditional way for speed due to lack of time. I will look into the normal way used to unpack ASProtect once I have the time, so play with it; I am sure you will unpack it.

bollygud 05-16-2004 11:08

This version makes it a very difficult task to make a clean dump that you can use on any computer. However, it is extremely easy (but time consuming) to unpack the apps and have them run on your own machine (and possibly even the same OS on another machine). I may write a tutorial on the entire process and post it here, but the basic idea behind it is to dump and attach the aspr envelope to the dumped.exe file. This involves realigning dumped sections and playing with import functions. The biggest obstacle to overcome would be rebuilding an import table and IAT, since aspr now doesn't simply use redirection from within the IAT.

And, if Alexey ever peers this forum (who knows) here's a little msg to him:

Quote:

While this implementation is a better protection (in that it requires more time and effort to crack it), it is not better for the end user. Your new system will protect better, but waste more cpu cycles and ultimately slow down the application in boot time and in execution. This is in stark contrast to your previous protector which was very fast. One of the biggest problems I have with protectors like Armadillo and others is the speed and stability issues. And now, it seems, you're moving to that direction as well. You're finding yourself in bad company. This is a real shame considering you had the best protector out there if programmers would simply use the tools available to them and encrypt pieces of code unless a valid key is present. Anyway to summarize, while I understand the need to offer this type of protection it is still very breakable and you will not be keeping products out of the hands of those who seek to acquire them illegally. Rather you will end up giving the legitimate user a headache from a frustratingly slow starting and slow running, unstable app. Same story as always, good old Joe Shmo gets screwed for no real good reason all in the name of stopping piracy and that, my friend, will never happen.

britedream 05-16-2004 12:16

Quote:

Originally Posted by bollygud
it is extremely easy (but time consuming) to unpack the apps

Just reconstruct the crime scene, the target will run in no time.

britedream 05-25-2004 21:59

This time I did unpack the test target in the traditional way. I just patched three locations and fixed the IAT using ImportRec, and the target ran. Now I will test this on a commercial target protected with the registered version, as soon as time permits.

hobgoblin 05-25-2004 22:08

Hmm
 
Interesting. :-)
Try the newest version of WhereIsIt...

regards,
hobgoblin

britedream 05-29-2004 23:09

To hobgoblin
Today I tried your target "whereisit" protected by the latest ASProtect. I did unpack it, and it is running on my PC. I will upload it to you tomorrow.

hobgoblin 05-30-2004 03:21

Cool.
 
That's cool. I'm looking forward to seeing how you resolved this. I have made a dump that I think will work. I just haven't figured out how to fix the IAT trouble.

regards,
hobgoblin

britedream 05-30-2004 14:36

To hobgoblin:

Sorry, I couldn't upload it to the exetools; please PM me with your email.

It is an ASProtect beta, so I am not going to put detailed steps for unpacking it in the open forum, for the obvious reason, but there aren't that many steps anyway: just find where ASProtect is directing the IAT, force it to make the table for you, and use ImportRec to fix the table. Second, overcome the antidump. Done.

In my unpacking I concentrated on the IAT, so for time limitation I didn't redirect the antidumps. I just used the same high memory as ASProtect, and coded a small DLL as finger saving for that purpose. Also, I didn't redo the process for fixing the IAT for the five or so remaining APIs; I just coded them directly. You will distinguish my direct adding from the ImportRec adding.

Since I am using a high memory, it may not work if your configuration is different than mine. I will try to redirect the antidumps in the future, to avoid that.
Here is an image of some jumps to the IAT to show the ones I directly added and the ImportRec adding:

britedream 05-30-2004 14:54

1 Attachment(s)
No need for the image, the whole IAT is now fixed by ImportRec. Here it is:
This one should work on all XP now. {Don't use it, just compare to.}

britedream 05-30-2004 16:44

hobgoblin, please check your email, target has been sent.

SvensK 05-30-2004 18:47

I wouldn't mind a copy of that as well :)

R@dier 05-30-2004 20:33

Hi britedream,
Please could you send a copy to me as well :D
Many Thanks
R@dier

britedream 05-31-2004 12:11

To R@dier and SvensK:

Please wait, I am waiting for feedback regarding the unpacked to see how it works on other PCs.


All times are GMT +8.