About IAT
Hi,
I haven't had the time to look any further at this. But try this: set a breakpoint at the API GetProcAddress (after loading the file onto Olly). After hitting F9 a couple of times (maybe 3, I don't remember), you will be right in the middle of where the program writes the IAT. As you will see, the program stores the IAT in the high memory. For me it was in the range 00B6000 to B6C0C8. The problem was that Imprec wasn't able to read it at this address. I didn't investigate it further.
Check it out and tell us what you find. :-) Also, go into the program itself after it's been unpacked, and check out how the program calls the APIs. Seems kind of different than ordinary programs. I think britedream is right. There seems to be an encrypter of some kind that's used first, then the program is packed.
hobgoblin