Still need help with Asprotect - Page 6

britedream · #1 03-22-2004, 02:33

please do the changes as I noted, save them, run the program out side olly, if the program dosn't run , then you may have a problem with your dump.

britedream · #2 03-22-2004, 02:37

To satyricon:
I have the program running fine on the info I posted.

#3 03-22-2004, 02:38

I have all these references to the call for this message box:

References in RegDefra: to 00410994
Address Disassembly Comment
00410994 PUSH 1030 (Initial CPU selection)
00412D68 CALL RegDefra.00410994
00413C3E CALL RegDefra.00410994
00414569 CALL RegDefra.00410994
00415DD1 CALL RegDefra.00410994
0041680B CALL RegDefra.00410994
00416AD1 CALL RegDefra.00410994
00416FD0 CALL RegDefra.00410994
004176B6 CALL RegDefra.00410994
004176EA CALL RegDefra.00410994
004181C3 CALL RegDefra.00410994
00418A3B CALL RegDefra.00410994
00418C70 CALL RegDefra.00410994
00418CA6 CALL RegDefra.00410994
00418CDC CALL RegDefra.00410994
00418D0F CALL RegDefra.00410994
00418D42 CALL RegDefra.00410994

And a lot of the code where the calls are made look like this, with unconditional jumps above the call, but the one just above the call usually calls up 00410094 anyway, I've traced them earlier in trying to figure it out.

00418A34 . EB 0F JMP SHORT RegDefra.00418A45
00418A36 .^E9 11ABFEFF JMP RegDefra.0040354C
00418A3B . E8 547FFFFF CALL RegDefra.00410994
00418A40 . E8 E7ACFEFF CALL RegDefra.0040372C

britedream · #4 03-22-2004, 02:49

00410454 $ C3 RETN <-------- This the byte I did changed from 55 to c3.
00410455 . 8BEC MOV EBP,ESP
00410457 . 51 PUSH ECX
00410458 . 53 PUSH EBX
00410459 . 8B05 0E564000 MOV EAX,DWORD PTR DS:[40560E] ; <&kernel32.GetModuleHandleA>
0041045F . 8B18 MOV EBX,DWORD PTR DS:[EAX]
00410461 . FF33 PUSH DWORD PTR DS:[EBX]
00410463 . 895D FC MOV DWORD PTR SS:[EBP-4],EBX
00410466 . 8F03 POP DWORD PTR DS:[EBX] ; 0012FFB4
00410468 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0041046B . 5B POP EBX ; 0012FFB4
0041046C . 59 POP ECX ; 0012FFB4
0041046D . 5D POP EBP ; 0012FFB4
0041046E . C3 RETN

Please look at the comment at first line.

#5 03-22-2004, 02:29

Quote:

Originally Posted by britedream

my address is slightly different due to my pc setup, but codes look right , so change 55 "push ebp", to c3 " retn"

I am sorry, but I disagree with this advice. It seems to me that if you do this, you will corrupt the stack, as the POP EBX, POP ECX, and (most importantly) POP EBP at the end of the procedure will not be executed.

My suggestion here is to NOP two instructions:

The PUSH at 410419
The POP at 41041E

@Pompeyfan: As to understanding what this procedure is doing (this is just as important, if not more important, than merely fixing it), I describe this in my TweakRAM mini-tut. I also describe exactly how to fix this procedure in the mini-tut, which you claim to have read... So have you read it or not??

Regards,
Satyric0n

Thread Tools
Show Printable Version Email this Page
Display Modes
Switch to Linear Mode Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Help with ASProtect 1.23 RC4	Perdition	General Discussion	7	06-09-2004 01:48
New Asprotect??	loman	General Discussion	7	02-04-2004 20:34