#1
SpeedCommander 10 Beta 4
How does this ASProtect work? If you are tracing to the OEP... you are in the ASPR code again... and if you dump at the real OEP and you open the dump with a debugger you are in the ASPR code instead of the OEP?
#2
Here is the OEP and the stolen bytes:

00459876 55               PUSH EBP
00459877 8BEC             MOV EBP,ESP
00459879 6A FF            PUSH -1
0045987B 68 F8944700      PUSH SpeedCom.004794F8
00459880 68 969B4500      PUSH SpeedCom.00459B96          ; JMP to MSVCRT._except_handler3
00459885 50               PUSH EAX
00459886 64:A1 00000000   MOV EAX,DWORD PTR FS:[0]
0045988C 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
00459893 83EC 68          SUB ESP,68
00459896 53               PUSH EBX
00459897 56               PUSH ESI
00459898 57               PUSH EDI
00459899 8965 E8          MOV DWORD PTR SS:[EBP-18],ESP
0045989C 33DB             XOR EBX,EBX
0045989E 895D FC          MOV DWORD PTR SS:[EBP-4],EBX
004598A1 6A 02            PUSH 2

Last edited by britedream; 12-27-2003 at 22:16.
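As an added worked example (not code posted by anyone in this thread): once the OEP and the stolen bytes above are known, the dump still has to be repaired. ASProtect executes those first prologue instructions from its own code, so a dump taken at the OEP is missing them, and the header's AddressOfEntryPoint still points into the packer. The Python below writes the listed bytes back at the OEP and sets the entry point RVA. It assumes a PE32 dump whose ImageBase is 0x00400000 (consistent with the 0045xxxx addresses in the listing, but not stated in the thread) and builds a small stand-in dump in memory, so it runs offline; on a real dump you would read the file in place of build_sample_dump(). Fixing the IAT is a separate step.

```python
"""Write ASProtect 'stolen bytes' back into a dumped PE32 and point the entry point at the OEP.

Added illustration for this thread, not any poster's code.  Assumptions:
  - a 32-bit dump whose section headers still describe where the bytes sit in the file
    (PointerToRawData/SizeOfRawData), as OllyDump/LordPE-style dumps do;
  - ImageBase 0x00400000 (assumed; the thread only shows 0045xxxx addresses);
  - OEP and byte listing from post #2 (SpeedCom.exe, OEP 00459876).
"""
import struct

OEP_VA = 0x00459876          # from post #2
ASSUMED_IMAGE_BASE = 0x00400000

# Opcode bytes copied from the listing in post #2, in order.
STOLEN_BYTES = bytes.fromhex(
    "55"              # PUSH EBP
    "8BEC"            # MOV EBP,ESP
    "6AFF"            # PUSH -1
    "68F8944700"      # PUSH 004794F8           (SEH scope table)
    "68969B4500"      # PUSH 00459B96           (JMP to MSVCRT._except_handler3)
    "50"              # PUSH EAX
    "64A100000000"    # MOV EAX,DWORD PTR FS:[0]
    "64892500000000"  # MOV DWORD PTR FS:[0],ESP
    "83EC68"          # SUB ESP,68
    "53"              # PUSH EBX
    "56"              # PUSH ESI
    "57"              # PUSH EDI
    "8965E8"          # MOV DWORD PTR SS:[EBP-18],ESP
    "33DB"            # XOR EBX,EBX
    "895DFC"          # MOV DWORD PTR SS:[EBP-4],EBX
    "6A02"            # PUSH 2
)


def parse_pe(data):
    """Return (optional_header_offset, image_base, sections) for a PE32 file image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # IMAGE_OPTIONAL_HEADER follows the 20-byte file header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    first = opt + size_opt
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, first + i * 40)
        sections.append((name.rstrip(b"\0").decode(errors="replace"), va, vsize, rawsize, rawptr))
    return opt, image_base, sections


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table of the dump."""
    for _, va, vsize, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError("RVA %#x is not inside any section" % rva)


def patch_dump(data, oep_va, stolen):
    """Write the stolen prologue at oep_va and set AddressOfEntryPoint to its RVA."""
    opt, image_base, sections = parse_pe(data)
    oep_rva = oep_va - image_base
    off = rva_to_offset(sections, oep_rva)
    if off + len(stolen) > len(data):
        raise ValueError("stolen bytes would run past the end of the dump")
    buf = bytearray(data)
    buf[off:off + len(stolen)] = stolen
    struct.pack_into("<I", buf, opt + 16, oep_rva)   # AddressOfEntryPoint
    return bytes(buf)


def entry_point(data):
    opt, _, _ = parse_pe(data)
    return struct.unpack_from("<I", data, opt + 16)[0]


def bytes_at_va(data, va, n):
    opt, image_base, sections = parse_pe(data)
    off = rva_to_offset(sections, va - image_base)
    return data[off:off + n]


def build_sample_dump(image_base=ASSUMED_IMAGE_BASE):
    """Constructed stand-in for the dump: one .text section covering the OEP, filled with 0xCC."""
    sec_va, sec_size, raw_ptr = 0x59000, 0x1000, 0x400
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, 0)                             # entry point not yet the OEP
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                # section / file alignment
    sec = struct.pack("<8sIIIIIIHHI", b".text", sec_size, sec_va, sec_size, raw_ptr,
                      0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec).ljust(raw_ptr, b"\0")
    return headers + b"\xCC" * sec_size


if __name__ == "__main__":
    fixed = patch_dump(build_sample_dump(), OEP_VA, STOLEN_BYTES)
    print("AddressOfEntryPoint = %#x" % entry_point(fixed))
    print("bytes at OEP:", bytes_at_va(fixed, OEP_VA, 16).hex(" "))
```

A real dump from OllyDump usually has raw size equal to virtual size for every section, so the RVA-to-offset mapping is direct; the section walk is still worth keeping because a dump whose headers were "rebuilt" by a tool may differ. The script deliberately does not touch the import directory, which is what the IAT discussion later in this thread is about.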
#3
The stolen bytes worked perfectly, but is the IAT for Beta 4?
I have fixed the IAT another way.
#4
Beta 4 has an ASProtected DLL (I think for registration).
I can't unpack DLLs... not enough knowledge.
#5
To Markus:
The IAT you uploaded is the same one I uploaded; I couldn't see the difference.
#6
Sorry, that was my fault... here's my IAT.
#7
To Markus:
Thanks Markus, my IAT is shorter than it should be, so I removed it. I didn't check it; I was working on another program and wanted to help you get started. I always knew that programs with MFC tend to be larger than 1500, but that slipped my mind, so please accept my apology. I will check the program once I finish the tough program that I am working on. Note: your IAT isn't correct, it is missing some.

Last edited by britedream; 12-27-2003 at 22:56.
#8
Quote:

00459D2D 55               PUSH EBP
00459D2E 8BEC             MOV EBP,ESP
00459D30 6A FF            PUSH -1
00459D32 68 88474700      PUSH dumped_.00474788
00459D37 68 B69A4500      PUSH <JMP.&msvcrt._except_handler3> ; Entry address
00459D3C 50               PUSH EAX
00459D3D 64:A1 00000000   MOV EAX,DWORD PTR FS:[0]
00459D43 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
00459D4A 83EC 68          SUB ESP,68
00459D4D 53               PUSH EBX
00459D4E 56               PUSH ESI
00459D4F 57               PUSH EDI
00459D50 8965 E8          MOV DWORD PTR SS:[EBP-18],ESP
00459D53 33DB             XOR EBX,EBX
00459D55 895D FC          MOV DWORD PTR SS:[EBP-4],EBX
00459D58 6A 02            PUSH 2

in the SpeedCommander.exe, unless you were doing another exe. As for the MxCmn50.dll, the OEP is 641521CB. To set a BP on that, do a "he 641B1001", then do your normal tracing etc. for ASPR programs; after about the 25th memory access violation, Ctrl-G to go to the OEP, set a BP and you're set.

IAT for SpeedCommander
#9
mtw:
Unless I'm going blind in my old age, which is a distinct possibility, the only difference I see between your disassembly and britedream's are the lines:

0045987B 68 F8944700      PUSH SpeedCom.004794F8
00459880 68 969B4500      PUSH SpeedCom.00459B96          ; JMP to MSVCRT._except_handler3

vs.

00459D32 68 88474700      PUSH dumped_.00474788
00459D37 68 B69A4500      PUSH <JMP.&msvcrt._except_handler3> ; Entry address

which suggests the ordinal for the exception handler and the handler itself are at different locations in his version. Maybe you are working with different versions.

Regards,
JMI
#10
Yes, I know it's the locations that are different; it's MSVC6 code with MFC, so the startup is the same. I'm just wondering if that's 10 Beta 4, which is what I downloaded from their site, and why the locations and OEP are different... just wondering which one the others are taking apart.
#11
BTW, here's the IAT for the DLL.
#12
Sorry for my question, but what is the line "00459885 50 PUSH EAX" good for, if EAX hasn't been accessed before?

Last edited by Ari Benta; 12-30-2003 at 07:43.