Hello,
first of all a few generic questions on asprotect:

1) Does asprotect implement anti-debug, anti-tool or anti-dump code??? Does it remove memory and HW breakpoints???
2) Stolen bytes: when did asprotect (what version) introduce this further difficulty? What is the theory or rationale behind their "rescue"???

Now, from what I've read the following should be a reasonable approach to manually unpack the asprotected application:

Code:
1) Locate the OEP
2) when the application is completely decrypted (execution on the OEP) dump it
3) Fix the PE
a) correct the dump EP
b) find stolen bytes
c) reconstruct the IAT
c1) correct sections characteristics
c2) set PSIZE == VSIZE and OFFSET == RVA
As the first step I started looking for the OEP. BTW, I'm sorry but on my machine SoftICE just can't run (video adapter driver problems) so I'm using OllyDbg. To find the OEP I used a process that seems to be effective, the "exception counting approach" (I don't know if someone has given it a name, but if not, this is its new name).

1) I counted the number of exceptions up to the application showing up. I reran the application, stopping one exception before and getting into the exception this time. I ended up in winnt.dll.
2) I set a memory breakpoint on access on the application code section and continued the application execution, ending up at 00599600:

Code:
00599600 PUSH EBP
00599601 MOV EBP,ESP
00599603 ADD ESP,-2C

Since this seems the typical prolog of a function I believe this could very well be the OEP.

Questions:
1) Is this the correct OEP?
2) To find the OEP, having counted the 19 exceptions, before resorting to placing a memory breakpoint on the application code section I tried to use OllyDbg's trace feature, setting a stop condition such as EIP<500000. Well, this condition never stops the tracing!!! OllyDbg just goes on running even if the OEP should indeed stop the tracing (OEP is < 900000). I repeated this step tens of times thinking I was doing something wrong and in the end, frustrated, I just tried a different approach. Still, I'd like to know WHY this is happening??? Why is tracing not working??? BTW, I'm using a Windows 2000 OS.

MaRKuS-DJM, when you talk of scrolling up from the dword-call, are you referring to the call at 005996F0 to the function starting at 00598E28??? I have taken a look up from that memory location but I don't see anything "interesting" ... or at least no clue to code dealing with the application being registered or not expired.

padawan

Last edited by padawan; 02-23-2004 at 17:25.
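Steps a) and c2) of the plan above (correct the dump EP, set PSIZE == VSIZE and OFFSET == RVA) are plain PE header arithmetic, the same fix-up an analyst applies to any memory dump of an unpacked sample before a disassembler will load it. The following is an added example, not code from the post or from any unpacking tool: it reads the IMAGE_SECTION_HEADER table of a PE32 image, reports which sections still have file layout different from memory layout, and rewrites the table and AddressOfEntryPoint. The sample header is constructed inline (ImageBase 0x400000 is assumed; the OEP value 0x00599600 is the one from the post).

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes

def _headers(pe):
    """Return (optional_header_offset, [section_header_offsets]) for a PE32 image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec, opt_size = struct.unpack_from("<H", pe, coff + 2)[0], struct.unpack_from("<H", pe, coff + 16)[0]
    return coff + 20, [coff + 20 + opt_size + i * 40 for i in range(nsec)]

def check_sections(pe):
    """Step c2 check: per section, does (SizeOfRawData, PointerToRawData) equal (VirtualSize, VirtualAddress)?"""
    report = []
    for off in _headers(pe)[1]:
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        ok = rawsize == vsize and rawptr == va
        report.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize, ok))
    return report

def fix_dump(pe, oep_va):
    """Steps a and c2 on a memory dump: EP = OEP RVA, file layout = memory layout (PE32 only)."""
    pe = bytearray(pe)
    opt, sections = _headers(pe)
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]       # PE32 ImageBase
    struct.pack_into("<I", pe, opt + 16, oep_va - image_base)    # AddressOfEntryPoint = OEP - ImageBase
    for off in sections:
        vsize, va = struct.unpack_from("<II", pe, off + 8)
        struct.pack_into("<II", pe, off + 16, vsize, va)        # SizeOfRawData = VirtualSize, PointerToRawData = RVA
    return bytes(pe)

def entry_point_rva(pe):
    opt = _headers(pe)[0]
    return struct.unpack_from("<I", pe, opt + 16)[0]

def build_sample_pe():
    """Constructed PE32 header only (no code bytes): EP still on the stub, raw and virtual fields disagree."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)              # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)      # AddressOfEntryPoint -> stub, not the OEP
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase (assumed for the sample)
    secs = struct.pack(SECTION_FMT, b".text", 0x199000, 0x1000, 0x1000, 0x400, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SECTION_FMT, b".data", 0x5000, 0x19A000, 0x800, 0x1400, 0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs
```

Running `check_sections` on the fixed image should report every section as consistent, and `entry_point_rva` gives the OEP RVA (0x199600 for the sample).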