Exetools  

  #1  
Old 12-26-2003, 22:45
MaRKuS-DJM MaRKuS-DJM is offline
Cracker + Unpacker
 
Join Date: Aug 2003
Location: Virtual World / Network
Posts: 553
Rept. Given: 7
Rept. Rcvd 6 Times in 4 Posts
Thanks Given: 3
Thanks Rcvd at 16 Times in 10 Posts
MaRKuS-DJM Reputation: 6
SpeedCommander 10 Beta 4

How does this ASProtect work??? If you are tracing to the OEP... you are in the ASPR code again... and if you dump at the real OEP and open the dump with a debugger, you are in the ASPR code instead of the OEP???
  #2  
Old 12-27-2003, 02:46
britedream britedream is offline
Friend
 
Join Date: Jun 2002
Posts: 436
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 7 Times in 7 Posts
britedream Reputation: 0
Here is the OEP and stolen bytes:

00459876 55 PUSH EBP
00459877 8BEC MOV EBP,ESP
00459879 6A FF PUSH -1
0045987B 68 F8944700 PUSH SpeedCom.004794F8
00459880 68 969B4500 PUSH SpeedCom.00459B96 ; JMP to MSVCRT._except_handler3
00459885 50 PUSH EAX
00459886 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0045988C 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
00459893 83EC 68 SUB ESP,68
00459896 53 PUSH EBX
00459897 56 PUSH ESI
00459898 57 PUSH EDI
00459899 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
0045989C 33DB XOR EBX,EBX
0045989E 895D FC MOV DWORD PTR SS:[EBP-4],EBX
004598A1 6A 02 PUSH 2


Last edited by britedream; 12-27-2003 at 22:16.
  #3  
Old 12-27-2003, 04:28
MaRKuS-DJM MaRKuS-DJM is offline
Cracker + Unpacker
 
Join Date: Aug 2003
Location: Virtual World / Network
Posts: 553
Rept. Given: 7
Rept. Rcvd 6 Times in 4 Posts
Thanks Given: 3
Thanks Rcvd at 16 Times in 10 Posts
MaRKuS-DJM Reputation: 6
Stolen bytes worked perfectly, but is the IAT for Beta 4???

I have fixed the IAT another way.
  #4  
Old 12-27-2003, 04:34
MaRKuS-DJM MaRKuS-DJM is offline
Cracker + Unpacker
 
Join Date: Aug 2003
Location: Virtual World / Network
Posts: 553
Rept. Given: 7
Rept. Rcvd 6 Times in 4 Posts
Thanks Given: 3
Thanks Rcvd at 16 Times in 10 Posts
MaRKuS-DJM Reputation: 6
Beta 4 has an ASProtected DLL (I think for registration).
I can't unpack DLLs... not enough knowledge.
  #5  
Old 12-27-2003, 14:09
britedream britedream is offline
Friend
 
Join Date: Jun 2002
Posts: 436
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 7 Times in 7 Posts
britedream Reputation: 0
To Markus
The IAT you uploaded is the same one I uploaded; I couldn't see the difference.
  #6  
Old 12-27-2003, 19:59
MaRKuS-DJM MaRKuS-DJM is offline
Cracker + Unpacker
 
Join Date: Aug 2003
Location: Virtual World / Network
Posts: 553
Rept. Given: 7
Rept. Rcvd 6 Times in 4 Posts
Thanks Given: 3
Thanks Rcvd at 16 Times in 10 Posts
MaRKuS-DJM Reputation: 6
Sorry, that was my fault... here's my IAT.
  #7  
Old 12-27-2003, 22:29
britedream britedream is offline
Friend
 
Join Date: Jun 2002
Posts: 436
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 7 Times in 7 Posts
britedream Reputation: 0
To Markus
Thanks Markus, my IAT is shorter than it should be, so I removed it. I didn't check it;
I was working on another program and wanted to help you get started. I always
know that programs with MFC tend to be larger than 1500, but that slipped my mind,
so please accept my apology.

I will check the program once I finish the tough program that I am working on.
{Note}
Your IAT isn't correct; it is missing some.

Last edited by britedream; 12-27-2003 at 22:56.
  #8  
Old 12-29-2003, 05:29
mtw mtw is offline
Friend
 
Join Date: Feb 2003
Posts: 73
Rept. Given: 0
Rept. Rcvd 2 Times in 1 Post
Thanks Given: 0
Thanks Rcvd at 0 Times in 0 Posts
mtw Reputation: 2
Quote:
Originally posted by britedream
here is the oep and stolen bytes:

00459876 55 PUSH EBP
00459877 8BEC MOV EBP,ESP
00459879 6A FF PUSH -1
0045987B 68 F8944700 PUSH SpeedCom.004794F8
00459880 68 969B4500 PUSH SpeedCom.00459B96 ; JMP to MSVCRT._except_handler3
00459885 50 PUSH EAX
00459886 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0045988C 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
00459893 83EC 68 SUB ESP,68
00459896 53 PUSH EBX
00459897 56 PUSH ESI
00459898 57 PUSH EDI
00459899 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
0045989C 33DB XOR EBX,EBX
0045989E 895D FC MOV DWORD PTR SS:[EBP-4],EBX
004598A1 6A 02 PUSH 2
Seems odd, I came up with

00459D2D 55 PUSH EBP
00459D2E 8BEC MOV EBP,ESP
00459D30 6A FF PUSH -1
00459D32 68 88474700 PUSH dumped_.00474788
00459D37 68 B69A4500 PUSH <JMP.&msvcrt._except_handler3> ; Entry address
00459D3C 50 PUSH EAX
00459D3D 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00459D43 64:8925 000000>MOV DWORD PTR FS:[0],ESP
00459D4A 83EC 68 SUB ESP,68
00459D4D 53 PUSH EBX
00459D4E 56 PUSH ESI
00459D4F 57 PUSH EDI
00459D50 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
00459D53 33DB XOR EBX,EBX
00459D55 895D FC MOV DWORD PTR SS:[EBP-4],EBX
00459D58 6A 02 PUSH 2

in the SpeedCommander.exe, unless you were doing another
exe.

As for the MxCmn50.dll, the OEP is 641521CB.
To set a BP on that, do a he 641B1001, then do your
normal tracing etc. for ASPR programs; after about the 25th
memory access violation, Ctrl-G to go to the OEP, set a BP
and you're set.

IAT for SpeedCommander
Attached Files
File Type: txt iat-speedcommanderexe.txt (51.7 KB, 7 views)
  #9  
Old 12-29-2003, 08:37
JMI JMI is offline
Leader
 
Join Date: Jan 2002
Posts: 1,627
Rept. Given: 5
Rept. Rcvd 199 Times in 99 Posts
Thanks Given: 0
Thanks Rcvd at 96 Times in 94 Posts
JMI Reputation: 100-199 JMI Reputation: 100-199
mtw:

Unless I'm going blind in my old age, which is a distinct possibility, the only difference I see between your disassembly and britedream's are the lines:

0045987B 68 F8944700 PUSH SpeedCom.004794F8
00459880 68 969B4500 PUSH SpeedCom.00459B96 ; JMP to MSVCRT._except_handler3

vs.

00459D32 68 88474700 PUSH dumped_.00474788
00459D37 68 B69A4500 PUSH <JMP.&msvcrt._except_handler3> ; Entry address

Which suggests the ordinal for the exception handler and the handler itself are at different locations in his version. Maybe you are working with different versions.

Regards,
__________________
JMI
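JMI's line-by-line comparison can be done mechanically. The following Python script is an added example, not code from this thread or from any of its posters: it parses the two OllyDbg listings quoted above (embedded as constructed sample input, the first six lines of each), checks that both show the same MSVC6/MFC prologue, and measures how far the code and each pushed address moved between the two dumps. The `parse` and `compare` names are my own.

```python
import re

# Two OllyDbg listings of the stolen-bytes prologue, copied from britedream's
# and mtw's posts above (constructed sample input: the first six lines of each).
LISTING_A = """\
00459876 55 PUSH EBP
00459877 8BEC MOV EBP,ESP
00459879 6A FF PUSH -1
0045987B 68 F8944700 PUSH SpeedCom.004794F8
00459880 68 969B4500 PUSH SpeedCom.00459B96 ; JMP to MSVCRT._except_handler3
00459885 50 PUSH EAX
"""
LISTING_B = """\
00459D2D 55 PUSH EBP
00459D2E 8BEC MOV EBP,ESP
00459D30 6A FF PUSH -1
00459D32 68 88474700 PUSH dumped_.00474788
00459D37 68 B69A4500 PUSH <JMP.&msvcrt._except_handler3> ; Entry address
00459D3C 50 PUSH EAX
"""

# An opcode-byte token as Olly prints it: "55", "8BEC", "F8944700", or with a
# segment prefix such as "64:A1".  Mnemonics like PUSH/MOV never match.
BYTE_TOK = re.compile(r"(?:[0-9A-F]{2}:)?(?:[0-9A-F]{2})+")

def parse(listing):
    """Return [(address, opcode bytes, mnemonic)] per line, comments dropped."""
    rows = []
    for line in listing.splitlines():
        toks = line.split(";")[0].split()
        addr, raw = int(toks.pop(0), 16), b""
        while toks and BYTE_TOK.fullmatch(toks[0]):
            raw += bytes.fromhex(toks.pop(0).replace(":", ""))
        rows.append((addr, raw, toks[0]))
    return rows

def compare(a, b):
    """Same instruction sequence?  How far did the code and each PUSH imm32
    (opcode 68) target move?  A plain rebase shifts everything by one delta;
    mixed deltas, as in this thread, point to two different builds."""
    ra, rb = parse(a), parse(b)
    imm_deltas = []
    for (_, ba, _), (_, bb, _) in zip(ra, rb):
        if ba[:1] == bb[:1] == b"\x68" and len(ba) == len(bb) == 5:
            imm_deltas.append(int.from_bytes(bb[1:], "little")
                              - int.from_bytes(ba[1:], "little"))
    code_delta = rb[0][0] - ra[0][0]
    return {"same_mnemonics": [r[2] for r in ra] == [r[2] for r in rb],
            "code_delta": code_delta, "imm_deltas": imm_deltas,
            "same_layout": len(set(imm_deltas + [code_delta])) == 1}
```

For the two listings in the thread the code moved by 0x4B7 while the two pushed addresses moved by -0x4D70 and -0xE0, so the dumps are not the same image at a different base.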
  #10  
Old 12-29-2003, 10:05
mtw mtw is offline
Friend
 
Join Date: Feb 2003
Posts: 73
Rept. Given: 0
Rept. Rcvd 2 Times in 1 Post
Thanks Given: 0
Thanks Rcvd at 0 Times in 0 Posts
mtw Reputation: 2
Yes, I know it's the locations that are different. It's MSVC6 code
with MFC, so the startup is the same; just wondering if that's
10 Beta 4, which is what I downloaded from their site, and why the locations and OEP are different... just wondering which one
the others are taking apart.
  #11  
Old 12-29-2003, 10:08
mtw mtw is offline
Friend
 
Join Date: Feb 2003
Posts: 73
Rept. Given: 0
Rept. Rcvd 2 Times in 1 Post
Thanks Given: 0
Thanks Rcvd at 0 Times in 0 Posts
mtw Reputation: 2
BTW, here's the IAT for the DLL.
Attached Files
File Type: txt dlltree1.txt (48.1 KB, 10 views)
  #12  
Old 12-30-2003, 07:34
Ari Benta
 
Posts: n/a
Sorry for my question, but what is the line "00459885 50 PUSH EAX" good for, if EAX hasn't been accessed before?

Last edited by Ari Benta; 12-30-2003 at 07:43.