New Asprotect?

well, i managed to do it, but the solution doesn't seem to fit every situation so i'll not post any real specifics yet. just wanted everyone to know that it is possible. it took a lot of rebuilding. rebuilding an iat, fixing jumps/calls, etc.

i do have one question, maybe someone can help me out. is there an api that acts the opposite of GetModuleHandleA? in other words, an api that can be feed in a number that is the modules handle, like 77000000, and it will spit out the module name? just curious, cuz something like that could help somewhat.

Quote:

Originally Posted by bollygud

i do have one question, maybe someone can help me out. is there an api that acts the opposite of GetModuleHandleA? in other words, an api that can be feed in a number that is the modules handle, like 77000000, and it will spit out the module name? just curious, cuz something like that could help somewhat.

GetModuleFileNameA ???

hehe, duh!

thanks. my brain is a little fried

Hi all,

On the last exception you will see anti softice sice too .
hmm still need time to find why the iat is not able to resolve using revirgin or imprec....

Regards

[Darren]

because an IAT isnt used, aspr engine patches calls/jumps in the user code directly

i managed to make a working dump and found OEP for whereisit? 3.60 ... but can't fix IAT ..has anyone been able to find a solution for this?

@Crk: britedream just posted that he unpacked latest whereisit. I'm sure he'll tell you how.

Hmm, is the OEP at 006FB5EC ?

since i couldn't fix IAT i deleted all files... i forgot which one is but manually you will be able to find it ... look with W32Dasm for the string : WHEREISIT.CHM

a little up is OEP where that piece of code start (558BEC......)

there are not stolen bytes!

i'm waiting for britedream tut about fixing IAT
it looks new asprotect and armadillo are using almost same technique to protect IAT this time .. for how long?

Regards.

@Crk: Ok, then at least I had found the OEP and dumped the exe.

[britedream]

in the new asprotect just use peid oep finder when checking the protection, it will give you the correct oep if not protected , in the two I checked it gave the correct oep.

Since no one has posted a solution for fixing IAT of new asprotect, i post here a simple solution. I do not know it works in any situation since i did not try it on commercial software but u can check it out. I think that my solution is just an application of different suggestions i find in this forum.

I took the Unpackmenow as an example.

Regards
deviljin