Exetools  

#16
britedream, 03-08-2004, 20:07
Ok, I will put your mind at ease. At the first exception, search for "8b178902eb"; right above that are two calls. BP on the last one, go on with Shift+F9 till you reach it, NOP it. This will almost fix your table, and you should see the instruction right below you moving the first item to the IAT, which confirms what I told you and the Stripper finding as you posted.
#17
ferrari, 03-09-2004, 00:19
Quote:
Originally posted by britedream
Ok, I will put your mind at ease. At the first exception, search for "8b178902eb"; right above that are two calls. BP on the last one, go on with Shift+F9 till you reach it, NOP it. This will almost fix your table, and you should see the instruction right below you moving the first item to the IAT, which confirms what I told you and the Stripper finding as you posted.
I am afraid, Britedream, that my brain fails to process this one.
This may be a dumb question, but I would rather dare to ask it than remain one.
Okay, I start it fresh in Olly. At the first exception I hit Ctrl+B
and enter 8b178902eb. I land here:

009A32B4 E8 47FCFFFF CALL 009A2F00
009A32B9 E8 7EFEFFFF CALL 009A313C
009A32BE 8B17 MOV EDX,DWORD PTR DS:[EDI]
009A32C0 8902 MOV DWORD PTR DS:[EDX],EAX
009A32C2 EB 7E JMP SHORT 009A3342
009A32C4 83FB 06 CMP EBX,6
009A32C7 74 05 JE SHORT 009A32CE
009A32C9 83FB 03 CMP EBX,3
009A32CC 75 37 JNZ SHORT 009A3305

Quote:
Originally posted by britedream
NOP it. This will almost fix your table,
I put a BP at 009A32B9 and hit Shift+F9 until I reach there. Then am I supposed to NOP it? And if yes, then what should I do next? Please, can you elaborate on why you do all this? I mean, how did you get this "8b178902eb", and why put a BP and why NOP it?
Please, if possible.
#18
britedream, 03-09-2004, 00:48
Write down the address you see in the instruction below where you are, the one moving to EDX. NOP the call, F9; you will get an exception. Hit the "-" key to go back, undo the changes, then go on to the OEP. Once there, click on the dump pane and go to the address that you wrote down; you should see the start of your IAT = 1b168. This is to explain to you my response to Pompeyfan about the address 41b168 I posted. I hope I am clear on this.
note:
As for why to NOP this: this call is the one that messes up your IAT.

regards.

Last edited by britedream; 03-09-2004 at 00:53.
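The procedure in posts #16 to #18, reduced to bytes, as an added example that is not code from the thread: reproduce the Ctrl+B search for "8b178902eb", decode the two CALLs britedream says sit right above it, and apply the "NOP the last call" patch to a byte buffer. The bytes are transcribed from the disassembly ferrari posted (009A32B4..009A32CD), so the addresses match the thread, but the buffer is a reconstruction of those nine instructions, not a dump of the real process; the comment on what EDX and EAX hold follows britedream's description of the instruction "moving the first item to the IAT".

```python
"""
Added example (not from the thread): Ctrl+B-style signature search,
E8 rel32 decoding for the two CALLs above the hit, and the NOP patch.
CODE is transcribed from the posted listing at 009A32B4; it is a
reconstruction of those bytes, not a real process dump.
"""
from __future__ import annotations
import struct

CODE_BASE = 0x009A32B4
CODE = bytes.fromhex(
    "E847FCFFFF"    # 009A32B4 CALL 009A2F00
    "E87EFEFFFF"    # 009A32B9 CALL 009A313C   <- the call britedream says to NOP
    "8B17"          # 009A32BE MOV EDX,[EDI]   EDX = address of the IAT slot
    "8902"          # 009A32C0 MOV [EDX],EAX   store the resolved value into that slot
    "EB7E"          # 009A32C2 JMP SHORT 009A3342
    "83FB06"        # 009A32C4 CMP EBX,6
    "7405"          # 009A32C7 JE SHORT 009A32CE
    "83FB03"        # 009A32C9 CMP EBX,3
    "7537"          # 009A32CC JNZ SHORT 009A3305
)
SIGNATURE = bytes.fromhex("8B178902EB")   # the pattern typed into Olly's Ctrl+B box
NOP5 = b"\x90" * 5


def find_signature(code: bytes, base: int, sig: bytes = SIGNATURE) -> list[int]:
    """Return every VA at which `sig` occurs in `code` (which is loaded at `base`)."""
    hits, pos = [], code.find(sig)
    while pos != -1:
        hits.append(base + pos)
        pos = code.find(sig, pos + 1)
    return hits


def decode_call(code: bytes, base: int, va: int) -> int | None:
    """If a 5-byte E8 rel32 CALL starts at `va`, return its target VA, else None."""
    off = va - base
    if off < 0 or off + 5 > len(code) or code[off] != 0xE8:
        return None
    rel = struct.unpack_from("<i", code, off + 1)[0]     # signed displacement
    return (va + 5 + rel) & 0xFFFFFFFF                   # relative to the next instruction


def calls_before(code: bytes, base: int, va: int, count: int = 2) -> list[tuple[int, int]]:
    """Walk backwards from `va` over consecutive 5-byte CALLs.
    Returns (site, target) pairs in address order, so [-1] is the last call before `va`."""
    found: list[tuple[int, int]] = []
    site = va - 5
    while len(found) < count:
        target = decode_call(code, base, site)
        if target is None:
            break
        found.insert(0, (site, target))
        site -= 5
    return found


def nop_call(code: bytes, base: int, va: int) -> bytes:
    """Return a copy of `code` with the CALL at `va` replaced by five NOPs
    (what Olly's 'Fill with NOPs' does to a 5-byte instruction)."""
    if decode_call(code, base, va) is None:
        raise ValueError(f"no CALL at {va:08X}")
    off = va - base
    return code[:off] + NOP5 + code[off + 5:]


if __name__ == "__main__":
    for hit in find_signature(CODE, CODE_BASE):
        print(f"signature at {hit:08X}")
        calls = calls_before(CODE, CODE_BASE, hit)
        for site, target in calls:
            print(f"  {site:08X} CALL {target:08X}")
        last_site = calls[-1][0]
        patched = nop_call(CODE, CODE_BASE, last_site)
        off = last_site - CODE_BASE
        print(f"  after NOP at {last_site:08X}: {patched[off:off + 5].hex()}")
```

The decoded targets (009A2F00 and 009A313C) come out of the rel32 arithmetic alone, which is a quick way to confirm that a transcribed listing is internally consistent before relying on it.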
#19
Pompeyfan, 03-09-2004, 04:25
Okay, I've dumped it and fixed the IAT table okay now. I must still be a dumb ass though, because I couldn't see what you said, that being "once there, click on the dump pane, go to the address that you wrote, you should see the start of your IAT = 1b168". Nevertheless, at least I was able to fix the IAT with ImpREC, thanks for that.
#20
britedream, 03-09-2004, 04:51
You were wondering about 1b168, which is the RVA of the IAT, and posted the Stripper finding of the IAT, which is VA 41b168, so I showed you how I got the VA 41b168.

This is part of what you posted:
1-
"One interesting thing, if you unpack with Stripper, you get this info on the import table:

16:31:08 - processing import table..
ImportAddressTable RVA :0001b168 - kernel32.dll

2-
Whereas when I manually unpack it, I get the same result as Ferrari, noting that Brightdream states that the IAT starts at 0001b168, rather than 0001b238."

I hope someone can explain this better than I did, so you can understand it.

Last edited by britedream; 03-09-2004 at 05:08.
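The RVA/VA relationship britedream is explaining, together with the check ImpREC makes on a table you point it at, as an added example that is not code from the thread. Everything in it is constructed: the image base (0x00400000, the usual base for an EXE and the value that turns RVA 1b168 into VA 41b168), the module ranges, the export addresses and the dump bytes are hypothetical; only the IAT RVA 0001b168 comes from the Stripper log quoted above. Two dumps are built, one with the first slot still pointing into the packer's code (a "messed up" table) and one as it should look after the NOP.

```python
"""
Added example (not from the thread): RVA <-> VA arithmetic and an
ImpREC-style validity scan over a constructed IAT region.
Image base, module ranges, export addresses and dump bytes are
hypothetical; only IAT_RVA is taken from the thread.
"""
from __future__ import annotations
import struct

IMAGE_BASE = 0x00400000                   # assumed; standard base for an EXE
IAT_RVA = 0x0001B168                      # from the Stripper log quoted in the thread

# Hypothetical module ranges, as Olly's memory map (Alt+M) would list them.
MODULES = {
    "kernel32.dll": (0x7C800000, 0x7C900000),
    "user32.dll":   (0x77D40000, 0x77DD0000),
}
PACKER_RANGE = (0x00990000, 0x009B0000)   # hypothetical; the thread's stub code is at 009A32xx


def rva_to_va(rva: int, base: int = IMAGE_BASE) -> int:
    return base + rva


def va_to_rva(va: int, base: int = IMAGE_BASE) -> int:
    return va - base


def classify(ptr: int) -> str:
    """Name the module a slot value points into, or say where else it went."""
    for name, (lo, hi) in MODULES.items():
        if lo <= ptr < hi:
            return name
    if PACKER_RANGE[0] <= ptr < PACKER_RANGE[1]:
        return "packer stub"
    return "unknown"


def scan_iat(dump: bytes, dump_va: int) -> tuple[int, int, list[tuple[int, int, str]]] | None:
    """
    Treat `dump` (memory read from `dump_va`) as 32-bit slots. The table starts at
    the first non-zero slot and ends before the first pair of zero slots; a single
    zero only separates one DLL's thunks from the next. Returns
    (start_va, size_bytes, invalid), where `invalid` lists (slot_va, value, where)
    for slots that do not point into a known module, which is what ImpREC's
    "Show Invalid" flags. Returns None if no table is present.
    """
    slots = struct.unpack_from("<%dI" % (len(dump) // 4), dump)
    start = next((i for i, s in enumerate(slots) if s), None)
    if start is None:
        return None
    end = len(slots)
    for i in range(start, len(slots) - 1):
        if slots[i] == 0 and slots[i + 1] == 0:
            end = i
            break
    invalid = [(dump_va + 4 * i, slots[i], classify(slots[i]))
               for i in range(start, end)
               if slots[i] and classify(slots[i]) not in MODULES]
    return dump_va + 4 * start, 4 * (end - start), invalid


def pack_slots(values: list[int]) -> bytes:
    return struct.pack("<%dI" % len(values), *values)


# Constructed dumps of the 40 bytes at 0041B160: two padding dwords, then the table.
DUMP_VA = rva_to_va(IAT_RVA) - 8
K32 = [0x7C80AD80, 0x7C801D7B, 0x7C809B77]   # hypothetical kernel32 export addresses
U32 = [0x77D5057F, 0x77D6F4A7]               # hypothetical user32 export addresses
FIXED_DUMP = pack_slots([0, 0] + K32 + [0] + U32 + [0, 0])
BROKEN_DUMP = pack_slots([0, 0, 0x009A3342] + K32[1:] + [0] + U32 + [0, 0])

if __name__ == "__main__":
    for label, dump in (("broken", BROKEN_DUMP), ("fixed", FIXED_DUMP)):
        start, size, invalid = scan_iat(dump, DUMP_VA)
        print(f"{label}: IAT VA {start:08X} (RVA {va_to_rva(start):05X}), size {size:#x}")
        for slot_va, value, where in invalid:
            print(f"  invalid slot {slot_va:08X} -> {value:08X} ({where})")
```

The point of the "broken" dump is that the start address ImpREC reports can be right while the first entries are still wrong: a slot holding a pointer into the packer's own code is exactly the kind of entry that the NOPped call leaves behind, and it shows up as invalid rather than as a shifted table start.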
#21
Pompeyfan, 03-09-2004, 17:08
Not to worry mate, it is probably just me; probably hard to teach an old dog new tricks. At least you got through to me how to fix the import table; I just couldn't see the instruction that moved the first item to the IAT.
Here is the error message generated by the unpacked .exe:

00410994 /$ 68 30100000 PUSH 1030 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_SYSTEMMODAL
00410999 |. 68 AC094100 PUSH RegDefra.004109AC ; |Title = "Warning"
0041099E |. 68 B4094100 PUSH RegDefra.004109B4 ; |Text = "File corrupted ! Please run a virus-check, then re-install the application."
004109A3 |. 6A 00 PUSH 0 ; |hOwner = NULL
004109A5 |. E8 D24FFFFF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
004109AA \. C3 RETN

And references to this command:

References in RegDefra: to 00410994
Address Disassembly Comment
00410994 PUSH 1030 (Initial CPU selection)
00412D68 CALL RegDefra.00410994
00413C3E CALL RegDefra.00410994
00414569 CALL RegDefra.00410994
00415DD1 CALL RegDefra.00410994
0041680B CALL RegDefra.00410994
00416AD1 CALL RegDefra.00410994
00416FD0 CALL RegDefra.00410994
004176B6 CALL RegDefra.00410994
004176EA CALL RegDefra.00410994
004181C3 CALL RegDefra.00410994
00418A3B CALL RegDefra.00410994
00418C70 CALL RegDefra.00410994
00418CA6 CALL RegDefra.00410994
00418CDC CALL RegDefra.00410994
00418D0F CALL RegDefra.00410994
00418D42 CALL RegDefra.00410994

Is getting rid of this error message more complicated than just NOPping all these calls?
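The two ways of answering the question above, as an added example that is not code from the thread: enumerate every E8 CALL that targets the "File corrupted" routine at 00410994 (what Olly's "Find references" produced for the list in the post), then either NOP each call site or patch the routine's entry so it returns at once. The image is constructed: the routine's bytes are placed at 00410994 exactly as posted, but the two callers in front of it are hypothetical stand-ins for the sixteen sites listed. VA-to-offset is a plain subtraction, which holds for a dump whose raw section offsets equal the virtual ones, as PE dumpers write them. Either patch only removes the box; britedream's reply below suggests the decision to show it is taken after a MapViewOfFile call, and whether anything else depends on that check is what his trace would tell you.

```python
"""
Added example (not from the thread): cross-reference scan for CALLs to
00410994 and two patches that silence the message box. The image is a
constructed 0x60-byte window; the routine bytes are as posted, the two
caller sites are hypothetical.
"""
from __future__ import annotations
import struct

IMAGE_VA = 0x00410980                    # hypothetical window of the dump
ROUTINE_VA = 0x00410994                  # from the post
CALLER_SITES = (0x004109B0, 0x004109C0)  # hypothetical stand-ins for the sixteen posted callers
NOP5 = b"\x90" * 5
MOV_EAX_1_RETN = bytes.fromhex("B801000000C3")   # MOV EAX,1 / RETN (IDOK = 1)


def build_image() -> bytearray:
    img = bytearray(b"\xCC" * 0x60)       # INT3 filler
    # 00410994..004109AA as posted: push style, title, text, hOwner; call MessageBoxA; retn
    img[0x14:0x14 + 23] = bytes.fromhex(
        "6830100000" "68AC094100" "68B4094100" "6A00" "E8D24FFFFF" "C3")
    for site in CALLER_SITES:
        rel = ROUTINE_VA - (site + 5)
        img[site - IMAGE_VA:site - IMAGE_VA + 5] = b"\xE8" + struct.pack("<i", rel)
    return img


def find_callers(img: bytes, base: int, target: int) -> list[int]:
    """VAs of every E8 rel32 whose target is `target`, like Olly's 'Find references'.
    A byte-by-byte scan can also hit an E8 inside another instruction or in data,
    so confirm each hit in the disassembly before patching it."""
    hits = []
    for off in range(len(img) - 4):
        if img[off] == 0xE8:
            rel = struct.unpack_from("<i", img, off + 1)[0]
            if (base + off + 5 + rel) & 0xFFFFFFFF == target:
                hits.append(base + off)
    return hits


def nop_callers(img: bytes, base: int, target: int) -> bytearray:
    """Approach 1 (the one asked about): replace each 5-byte CALL site with NOPs.
    On the real dump that is sixteen separate edits."""
    out = bytearray(img)
    for site in find_callers(img, base, target):
        out[site - base:site - base + 5] = NOP5
    return out


def retn_patch(img: bytes, base: int, target: int) -> bytearray:
    """Approach 2: overwrite the routine's entry with MOV EAX,1 / RETN. The routine
    pushes its own MessageBoxA arguments and takes none from its callers, so returning
    immediately keeps the stack balanced, and EAX = 1 (IDOK) is what a dismissed box
    would have returned. One 6-byte edit; every CALL site stays as it is."""
    out = bytearray(img)
    off = target - base
    out[off:off + len(MOV_EAX_1_RETN)] = MOV_EAX_1_RETN
    return out


if __name__ == "__main__":
    img = build_image()
    print("callers:", [f"{va:08X}" for va in find_callers(img, IMAGE_VA, ROUTINE_VA)])
    print("callers after NOP:", find_callers(nop_callers(img, IMAGE_VA, ROUTINE_VA), IMAGE_VA, ROUTINE_VA))
    patched = retn_patch(img, IMAGE_VA, ROUTINE_VA)
    off = ROUTINE_VA - IMAGE_VA
    print("routine entry after RETN patch:", patched[off:off + 6].hex())
```

The entry patch is the one to prefer when the routine is a self-contained "report and return" helper like this one: it is a single edit that cannot miss a caller the reference list did not show, and it keeps the callers' code identical to the original, which matters if the protection also checksums those regions.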
#22
britedream, 03-10-2004, 14:30
Hi,
My hard disk is dead now; I am using an old computer, so I don't have the file or the info, but I remember this error message occurring after a call to MapViewOfFile, if I remember correctly. So BP on this API in your dump, and trace from the last call to this API before the error message popped up. Do the same in the original target; you should be able to see the difference that made the message appear. This is just an idea, see if it works.

Last edited by britedream; 03-10-2004 at 14:32.
#23
JMI, 03-10-2004, 16:32
Pompeyfan:

Another piece of good advice (besides that ball bouncing in off the corner post) is that you get into the practice of keeping notes of the process "as you go." This gives you two advantages. Taking the time to make notes tends to make one more careful, instead of just crashing along, and it gives you something to check against when you have a problem like the one you are experiencing.

I believe you will find that if YOU write out the steps you understand you should be taking, and write down the results of what happens when you take those steps, you will become somewhat more methodical and careful and can cross-check your results against what you were expecting, without totally trusting to tired eyes and a sleep-deprived brain.

One additional advantage of proceeding by this method is that the next time you are working with the same protection and it takes a strange turn, you will be aware it has happened differently than in the past and have a new path down which to wander.

Sometimes it is beneficial just to take a step back and look at the code and try to figure out what the hell it appears to be trying to do. You know it is moving stuff around and getting and placing things in various places, but the more you come to UNDERSTAND what the code is ACTUALLY doing, the better chance you have to work your way through the dark code woods. This is real learning. Then you will not only be following the path, you will be reading the trail markers. That's when it becomes really fun and you actually begin to search for that something different which signals that a new variant has arrived on the scene. Then you are not following someone else's trail, but blazing your own.

If you are only trying to "follow" someone else's path (as from a tut) without actually trying to understand what the code is doing, you will eventually miss a step when the trail forks just as a cloud passes in front of the moon and you don't see the side trail.

Regards,
JMI

Last edited by JMI; 04-19-2004 at 19:25.
#24
Pompeyfan, 03-10-2004, 19:44
Thanks Britedream, I'll try that tomorrow, it's getting too late tonight. And thanks to JMI for the usual words of wisdom; it makes a lot of sense, I'll take that advice on board.
#25
Kyrios, 03-11-2004, 01:06
Trick from elcor

Hi,
Satyricon (hi buddy) has made a nice tut about TweakRam from elcor as well. The tut and the file can be downloaded via FTP. Check it out.
Once you finish this baby, you will be easily defeating this registry defragmentation as well, because the trick is the same.


kyrios
#26
ferrari, 03-11-2004, 02:17
Quote:
Originally posted by Pompeyfan
Thanks to JMI for usual words of wisdom, makes a lot of sense, I'll take that advice on board.
Yep, fully agree with you Pompeyfan... that's why I'm his superfan.

Pompeyfan, see if you find this interesting:
http://codebreakers.anticrack.de/viewarticle.php?id=27&layout=abstract

Last edited by ferrari; 03-11-2004 at 02:29.
#27
Pompeyfan, 03-11-2004, 04:18
Thanks Ferrari, I'll read through that. How do I access the site FTP? I've never used it before; I'd like to get the TweakRam tut.
I just tried ftp.exetools.com and put in my forum username and password, but that doesn't let me in.
#28
JMI, 03-11-2004, 05:32
If you are trying to access the FTP here, you should be suitably embarrassed that you haven't already reviewed the "Announcements and News" forum. If you had done that you would already "know" what to do. Remember that part of ferrari's signature and make use of your most important "tools."

You will find discussion of the tut here:

http://www.exetools.com/forum/showthread.php?s=&threadid=2847

and the TUT is located in: "/incoming/Elcor TweakRAM 3.31.0.3404"

Regards,
JMI
#29
Pompeyfan, 03-11-2004, 20:35

Okay, found it now, sorry guys, thanks for your patience, scored a bit of an own goal there I think.
#30
Pompeyfan, 03-12-2004, 19:31
I seem to be having trouble with the trace part with TweakRAM when trying to unpack it. I've struck this with some other ASProtected programs; it just seems to hang. Am I alone with this problem? It doesn't happen on all of them, just some.