The new asprotect 1.31
I did download this beta; it is getting closer to the acprotect approach, and the new beta and the older asprotect both have almost the same concept. I wrote a script to find the OEP and the last exception. The true OEP is directed by a jmp to the asprotect area, where the stolen bytes reside; this is done within the few exceptions (2-3, I don't remember now) before the last exception is reached. For the IAT, the APIs are emulated inside the asprotect area. This is my initial observation; I believe this observation won't be new to most of you, but I thought I should share it with others who may not have it. Please share your input if you can. Thanks.

I can find the OEP. About the stolen bytes, I use the same compiler stub approach and it's working, but when I try to use ImpREC, ImpREC crashes and cannot fix the IAT.

To: el-KiWi
This weekend I did look at the beta, and I did unpack it, but I used a non-traditional way for speed due to lack of time. I will look into the normal way used to unpack asprotect once I have the time, so play with it; I am sure you will unpack it.
This version makes it a very difficult task to make a clean dump that you can use on any computer. However, it is extremely easy (but time consuming) to unpack the apps and have them run on your own machine (and possibly even the same OS on another machine). I may write a tutorial on the entire process and post it here, but the basic idea behind it is to dump and attach the aspr envelope to the dumped .exe file. This involves realigning dumped sections and playing with import functions. The biggest obstacle to overcome would be rebuilding an import table and IAT, since aspr now doesn't simply use redirection from within the IAT.
And, if Alexey ever peers into this forum (who knows), here's a little msg to him:
This time I did unpack the test target in the traditional way; I just patched three locations and fixed the IAT using ImportRec, and the target ran. Now I will test this on a commercial target protected with the registered version, as soon as time permits.
Hmm
Interesting. :-)
Try the newest version of WhereIsIt... regards, hobgoblin
To hobgoblin
Today I tried your target "WhereIsIt" protected by the latest asprotect. I did unpack it, and it is running on my PC. I will upload it to you tomorrow.
Cool.
That's cool. I'm looking forward to seeing how you resolved this. I have made a dump that I think will work. I just haven't figured out how to fix the IAT trouble.
regards, hobgoblin
To hobgoblin:
Sorry, I couldn't upload it to exetools; please PM me with your email. It is an asprotect beta, so I am not going to put detailed steps for unpacking it in the open forum, for the obvious reason, but there aren't that many steps anyway: just find where asprotect is directing the IAT, force it to make the table for you, and use ImportRec to fix the table. Second, overcome the antidump. Done. In my unpacking I concentrated on the IAT, so for time limitations I didn't redirect the antidumps; I just used the same high memory as asprotect, and coded a small DLL as a finger saver for that purpose. Also, I didn't redo the process of fixing the IAT for the five or so APIs left; I just coded them directly. You will distinguish my direct adding from ImportRec's adding. Since I am using a high memory, it may not work if your configuration is different than mine; I will try to redirect the antidumps in the future to avoid that. Here is an image of some jumps to the IAT to show the ones I directly added and the ImportRec adding:

No need for the image; the whole IAT is now fixed by ImportRec. Here it is:
This one should work on all XP now. {Don't use it, just compare to it.}
hobgoblin, please check your email; the target has been sent.

I wouldn't mind a copy of that as well :)

Hi britedream,
Please could you send a copy to me as well :D Many Thanks R@dier

To R@der and svensk:
Please wait, I am waiting for feedback regarding the unpacked target to see how it works on other PCs.