Exetools  

  #1  
Old 04-30-2004, 21:20
britedream
Thanks R@der, but the trick isn't mine; I read it somewhere a long time ago.

I don't really remember where. I did create a signature for it then, but the later signature I just posted is more reliable.
Regards.
  #2  
Old 05-01-2004, 02:06
JMI
Can anyone confirm my observation of the difference between the last exception routine code when there are stolen bytes and when there are none? I've only seen this one target without stolen bytes. Just to recap, those I've had time to play with or have read tuts about with stolen bytes seem to have the last part of the last exception routine in the form:

00D23D38 FF30 PUSH DWORD PTR DS:[EAX]
00D23D3A FF75 F0 PUSH DWORD PTR SS:[EBP-10]
00D23D3D FF75 EC PUSH DWORD PTR SS:[EBP-14]
00D23D40 C3 RETN
00D23D41 5F POP EDI
00D23D42 5E POP ESI
00D23D43 5B POP EBX
00D23D44 8BE5 MOV ESP,EBP
00D23D46 5D POP EBP
00D23D47 C3 RETN

and this one without stolen bytes ends with:

00A10050 FF75 F0 PUSH DWORD PTR SS:[EBP-10]
00A10053 FF65 EC JMP DWORD PTR SS:[EBP-14]
00A10056 5F POP EDI
00A10057 5E POP ESI
00A10058 5B POP EBX
00A10059 8BE5 MOV ESP,EBP
00A1005B 5D POP EBP
00A1005C C3 RETN

Regards,
__________________
JMI
  #3  
Old 05-01-2004, 02:27
ferrari
Quote:
Originally Posted by JMI
Can anyone confirm my observation of the difference between the last exception routine code when there are stolen bytes and when there are none? I've only seen this one target without stolen bytes.
There is another target which I think, or I'm sure, does not have stolen bytes.
Target: VCD Cutter. (Since it's "ASPR" too, I'm posting it here. Sorry for going off topic.)

I'm free now and I'll try this "recall pro" too. Interesting discussion with JMI involved

Regards,
ferrari
  #4  
Old 05-01-2004, 02:40
JMI
ferrari:

Did you install VCD Cutter on XP? XP put up a warning that it was not approved for XP and cautioned against installing it.

Regards,
__________________
JMI
  #5  
Old 05-01-2004, 02:50
ferrari
VCD cutter v4.1.3
It's a single "Exe" with no setup required. I see no warning when I run it on XP, even though my "Driver Signing option" in Mycomputer-->properties-->Hardware is enabled.
One strange finding: when I unpacked it, I got that "Warning" and the program would not run (possibly wrong unpacking).

Regards,
  #6  
Old 05-01-2004, 03:16
JMI
ferrari:

You are correct it is a single "exe" with no setup. Being in a hurry to check the last exception routine, I didn't pay any attention to what my eyes observed and simply clicked on it to "install" and got the warning.

But, that temporary insanity aside, I did run the exe in OllyDbg and found its last exception routine, which certainly appears to indicate that my speculation of an easy difference between the last exception routines of those with and those without stolen bytes is not the case.

VCD Cutter's last exception routine ends as do the other routines with stolen bytes:

00B32D08 FF75 F0 PUSH DWORD PTR SS:[EBP-10]
00B32D0B FF75 EC PUSH DWORD PTR SS:[EBP-14]
00B32D0E C3 RETN

so there must be some other reason for RecAllPro's last exception ending with:

00A10050 FF75 F0 PUSH DWORD PTR SS:[EBP-10]
00A10053 FF65 EC JMP DWORD PTR SS:[EBP-14]
00A10056 5F POP EDI
00A10057 5E POP ESI
00A10058 5B POP EBX
00A10059 8BE5 MOV ESP,EBP
00A1005B 5D POP EBP
00A1005C C3 RETN


Thanks for the quick reply with a target to check.

Regards,
__________________
JMI

Last edited by JMI; 05-01-2004 at 03:20.
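The two tails JMI quoted in posts #2 and #6 look different but transfer control the same way: PUSH x followed by RETN pops x straight into EIP, exactly as JMP x does, the only difference being what is left behind on the stack. The Python below is an added example, not code from the thread or from any of its posters; it assumes pasted OllyDbg lines of the form "address bytes mnemonic operands" (the two listings above are embedded as the sample input) and reports, for each tail, the instruction form, the operand EIP is read from, the pushed values still on the stack on arrival, and how many trailing listing lines are never reached on that path.

```python
"""Compare how two pasted "last exception" handler tails leave the routine.

Added example (not the thread's code).  Assumption: listing lines are laid out
as OllyDbg pastes them, "ADDRESS BYTES... MNEMONIC [OPERANDS]".
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample input: the two tails quoted in posts #2 and #6.
WITH_STOLEN_BYTES = """\
00D23D38 FF30 PUSH DWORD PTR DS:[EAX]
00D23D3A FF75 F0 PUSH DWORD PTR SS:[EBP-10]
00D23D3D FF75 EC PUSH DWORD PTR SS:[EBP-14]
00D23D40 C3 RETN
00D23D41 5F POP EDI
00D23D42 5E POP ESI
00D23D43 5B POP EBX
00D23D44 8BE5 MOV ESP,EBP
00D23D46 5D POP EBP
00D23D47 C3 RETN
"""

RECALLPRO = """\
00A10050 FF75 F0 PUSH DWORD PTR SS:[EBP-10]
00A10053 FF65 EC JMP DWORD PTR SS:[EBP-14]
00A10056 5F POP EDI
00A10057 5E POP ESI
00A10058 5B POP EBX
00A10059 8BE5 MOV ESP,EBP
00A1005B 5D POP EBP
00A1005C C3 RETN
"""


@dataclass
class Insn:
    addr: int
    opcode: bytes
    mnemonic: str
    operands: str


@dataclass
class Exit:
    kind: str                  # "push-ret", "jmp" or "ret"
    at: int                    # address of the RETN / JMP that leaves the routine
    target: str                # operand the new EIP is read from
    leftover: list[str] = field(default_factory=list)  # pushed values still on the stack on arrival
    unreachable: int = 0       # listing lines after the exit, never executed on this path


HEX_BYTES = re.compile(r"^(?:[0-9A-F]{2})+$")


def parse_listing(text: str) -> list[Insn]:
    """Parse 'ADDRESS BYTES... MNEMONIC [OPERANDS]' lines as OllyDbg pastes them."""
    insns: list[Insn] = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3:
            continue  # blank line or a line without bytes and mnemonic
        addr = int(tokens[0], 16)
        # Opcode bytes are even-length hex tokens; the first token that is not one
        # is the mnemonic.  Heuristic: an all-hex mnemonic such as FADD would be
        # misread as bytes, but none occurs in these listings.
        i = 1
        while i < len(tokens) and HEX_BYTES.match(tokens[i]):
            i += 1
        if i >= len(tokens):
            raise ValueError(f"no mnemonic found in line: {line!r}")
        opcode = bytes.fromhex("".join(tokens[1:i]))
        insns.append(Insn(addr, opcode, tokens[i].upper(), " ".join(tokens[i + 1:])))
    return insns


def classify_exit(insns: list[Insn]) -> Exit:
    """Find the first instruction that leaves the routine and describe where it goes.

    Only the run of PUSHes immediately before the transfer is tracked; any other
    instruction resets it, so the stack picture stays conservative.
    """
    pushes: list[str] = []
    for idx, ins in enumerate(insns):
        tail = len(insns) - idx - 1
        if ins.mnemonic == "PUSH":
            pushes.append(ins.operands)
        elif ins.mnemonic == "JMP":
            return Exit("jmp", ins.addr, ins.operands, pushes, tail)
        elif ins.mnemonic in ("RETN", "RET"):
            if pushes:
                # PUSH x; RETN pops x straight into EIP: the same transfer as
                # JMP x, with the earlier pushes left behind on the stack.
                target = pushes.pop()
                return Exit("push-ret", ins.addr, target, pushes, tail)
            return Exit("ret", ins.addr, "[ESP]", pushes, tail)
        else:
            pushes = []
    raise ValueError("listing contains no JMP or RETN")


def same_landing(a: Exit, b: Exit) -> bool:
    """True when both exits read EIP from the same operand and arrive with the
    same value on top of the stack, whatever the instruction form."""
    return a.target == b.target and a.leftover[-1:] == b.leftover[-1:]


if __name__ == "__main__":
    exits = {}
    for name, text in (("with stolen bytes", WITH_STOLEN_BYTES), ("RecAllPro", RECALLPRO)):
        ex = exits[name] = classify_exit(parse_listing(text))
        print(f"{name}: {ex.kind} at {ex.at:08X} -> {ex.target}; "
              f"left on stack: {ex.leftover}; {ex.unreachable} trailing lines unreachable")
    print("same landing:", same_landing(*exits.values()))
```

Run as a script it shows that both tails read their destination from [EBP-14] and arrive with [EBP-10] on top of the stack; the stolen-bytes variant merely leaves one extra value ([EAX]) underneath, and in both cases the POP/MOV ESP,EBP/POP EBP/RETN epilogue after the transfer is dead on that path. That is the same conclusion JMI reaches in #6, namely that the PUSH/RETN versus JMP form of the tail is not by itself a marker for stolen bytes.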
  #7  
Old 05-01-2004, 03:23
Jay
vcd...

You will run into some anti-dump checks with that version after unpacking, including a GetFileSize call, but something more of a problem a bit later causes it to crash; I couldn't nail it with Olly on Win2000 and don't have the SoftICE option, plus it doesn't run on Win98SE, so I got bored.

Quote:
VCD Cutter's last exception routine ends as do the other routines with stolen bytes
You sure? The 4.1.3 version I d/l'd a couple of days ago had no stolen bytes, just the old-style jmp eax to OEP.

Last edited by Jay; 05-01-2004 at 03:27.
  #8  
Old 05-01-2004, 09:53
britedream
Quote:
Originally Posted by ferrari
VCD cutter v4.1.3
It's a single "Exe" with no setup required. I see no warning when I run it on XP, even though my "Driver Signing option" in Mycomputer-->properties-->Hardware is enabled.
One strange finding: when I unpacked it, I got that "Warning" and the program would not run (possibly wrong unpacking).

Regards,
I did run it without unpacking it and got the warning, so it must be your system.
  #9  
Old 05-01-2004, 12:24
el-kiwi
Regards to all at exetools forum,

PEiD says ASProtect 1.22-1.23 beta 21. I load the app in Olly, patch the debugger check, go to the last exception and put a breakpoint at RET; Olly breaks, but when I run trace or put a breakpoint at the code section nothing happens: Olly starts tracing and never ends. Does anyone have this problem?
  #10  
Old 05-01-2004, 12:29
britedream
Some ASProtected targets have an anti-trace loop. Once it does that, F12 and set a bp after the jnz, F9, then Ctrl+F11 to trace again.

Last edited by britedream; 05-01-2004 at 12:45.