  #1  
Old 04-26-2004, 20:32
ferrari
 
Posts: n/a
Oh, I completely forgot about this thread. For the past few days I've been facing problems connecting to exetools with my actual IP. Anyway, I'll try out your suggestions, guys. But can you explain one thing, guys? Before cracking "Runtime's GetDataBack" I cracked "Runtime's Captain Nemo", which is packed with the same Aspack 2.11c. Here is my crack:

http://grinders.withernsea.com/patches/captain_nemo3.31_crk.rar

And I didn't face this problem while inline patching Captain Nemo. Why?

Thnx Markus, Brite, hob

Regards,
ferrari
  #2  
Old 04-26-2004, 22:28
hobgoblin
Friend
 
Join Date: Jan 2002
Posts: 124
Hi ferrari

I just took a brief look at Captain Nemo (hmm, seems like a nice little proggie), and from what I saw both programs have some encryption going on at the beginning. The difference is that when it comes to Nemo, the encryption doesn't cover the jumping code to the unpacked code. I don't really know what this is, but it may very well be some modified kind of Aspack. Maybe the programs are packed with Aspack, and then later on the opening code is encrypted in some way. I don't really know whether this is caused by Aspack itself or some 3rd party program. The encryption method used is very simple though. I have every now and then seen programs modified after being packed, but usually they don't cause too much trouble. I'll have to take a deeper look at this to come up with some more info...

regards,
hobgoblin
  #3  
Old 04-27-2004, 21:51
coolfires
 
Posts: n/a

When the program runs, the code from 6354F7 to 635590 will XOR the content from 635017 to 63546B with A9.

So, to make the prog jump to our injected code (e.g. jmp to 635741), in your unpacked file

006353B6 75 08 JNZ SHORT gdbnt.006353C0
006353B8 B8 01000000 MOV EAX,1
006353BD C2 0C00 RETN 0C

change to

006353B6 E9 86030000 JMP gdbnt1.00635741
006353BB 90 NOP
006353BC 90 NOP
006353BD C2 0C00 RETN 0C

So, we know 7 bytes need to be changed. XORing E9860300009090 (each byte) with A9 will get 402FAAA9A93939. Now, replace DCA111A8A9A9 with 402FAAA9A93939 at offset 6353B6 in the original file. Then you may inject your code later (e.g. at 635741). The code we inject need not be XORed with A9 because it is not in the affected range (635017 to 63546B).

Hope this helps. Sorry for the poor English.
All times are GMT +8.