EXETOOLS FORUM  

#16 - ferrari - 02-27-2004, 11:30
Re: offtopic

Quote:
Originally posted by dj-siba
Huli ka malau, ka 'iako a ka lawai'a.
Work is done :P

http://www.k12.hi.us/~waianaeh/PolyVoyage/oral.html

http://worldlingo.com/products_services/worldlingo_translator.html


Anyway, I just finished the ImpREC part of the tut... hope I fixed it right... Now comes the most important part of the tut. Yes JMI, I know, inquiring minds... but let me finish at least one tut on ASPR with some expert help. I have some questions on the access violation part. I'll be back when I return home from work; hope someone will help me then. R@dier, hope you are there.
#17 - R@dier - 02-27-2004, 12:17
Always happy to help

R@dier
#18 - lonewolf55 - 02-27-2004, 23:04
Quote:
Originally posted by JMI


The only appropriate thing to add to:

Aia a kau ka i`a i ka wa`a, mana`o ke ola.

loosely translated as:

One can think of life after the fish is in the canoe. <--- this was my meaning, I just couldn't help myself, after the Russian translation thing

is:

`A`ohe hua o ka mai`a i ka la ho`okahi.

Regards,
And I must say you are quite correct: bananas don't fruit in a day.

as also:
Code:
`A`ohe `ulu e loa`a i ka pokole o ka lou
which means:

No breadfruit can be reached
when the picking stick is too short. <--- I think actually right now this is my problem

Of course there are other translations, but we won't go there.

And BTW, thanks so much for this tidbit:

By JMI: I seem to recall that ASPR changes certain address EACH TIME YOU RUN THE PROGRAM, as in "the jump to the OEP is always at a different location in memory"

This I did not know, and it makes AsProtect very interesting

EDIT: well, I see some characters don't display quite as expected, to which I'm not surprised; I tried to change what I posted between code tags, with no success .... sort of like asprotect


Last edited by lonewolf55; 02-27-2004 at 23:18.
#19 - ferrari - 02-28-2004, 17:27
Okay, the version 1.54 is here:

http://www.freewebs.com/think_digit/cdprot.rar

(some download managers won't work; just copy and paste the link into the browser)

Pompeyfan, tell me when you reach the access violation part of the tut. We'll do it together, okay.

R@dier, thank you. I'll post my problem soon; waiting for Pompeyfan,
he wants to try the same version.

Last edited by ferrari; 02-28-2004 at 17:30.
#20 - Pompeyfan - 02-29-2004, 03:50
I might not get a chance to try it out till later today, I'll post soon as I get a chance though.
#21 - Pompeyfan - 02-29-2004, 13:23
Okay, I did the ImpREC part, then I did the trace, changed the REP STOS BYTE PTR ES:[EDI] to JMP EDI, traced with F8, and get an access violation at:

Code:
00A55A11 FF50 28 CALL DWORD PTR DS:[EAX+28]

I NOP that call, then trace till the next access violation at:

Code:
00A54CAC E8 10994A01 CALL 01EFE5C1

I NOP that, and try tracing with F8 from here, but get the message:

Don't know how to step, because memory at address 01EFE5C1 is not readable. Try to change EIP or pass exception to program.

What do I do from here? I thought I was going so well up until here.
#22 - ferrari - 02-29-2004, 17:27
Aah... you're right, Pompeyfan... same here.


first access violation
Code:
00C8635D   FF50 28          CALL DWORD PTR DS:[EAX+28]
00C86360   E8 78C69001      CALL 025929DD
00C86365   0F58EB           ADDPS XMM5,XMM3
00C86368   019A C1D8C5F2    ADD DWORD PTR DS:[EDX+F2C5D8C1],EBX
Changed to

Code:
00C8635D   90               NOP
00C8635E   90               NOP
00C8635F   90               NOP
00C86360   E8 78C69001      CALL 025929DD
When I F8 till 00C86360 I get this message. Here is a screenshot attached.

Attached: prob1.zip (64.4 KB)
#23 - R@dier - 02-29-2004, 19:53
Hi,
Yes, I and others had this problem as well;
you need to keep NOPing the troublesome calls, then all will be fine.

There is a better way to get the stolen bytes, which I will explain when I get home tomorrow. Kinda flat out at the moment.
I have put together a tute which should help. I hope to post it tomorrow also.

Best Wishes

R@dier
#24 - Pompeyfan - 03-01-2004, 00:28
Nopping the second call doesn't succeed though, as we said, look forward to your alternative when you get a chance.
#25 - R@dier - 03-01-2004, 14:13
You have to NOP quite a bit.

All this must be NOPed:

Code:
00A5683D FF50 28          CALL DWORD PTR DS:[EAX+28]
00A56840 E8 4668A500      CALL 014AD08B
00A56845 0F58EB           ADDPS XMM5,XMM3
00A56848 019A C1D8C5F2    ADD DWORD PTR DS:[EDX+F2C5D8C1],EBX

so it becomes:

Code:
00A56824 F3:              PREFIX REP:                ; Superfluous prefix
00A56825 334424 38        XOR EAX,DWORD PTR SS:[ESP+38]
00A56829 3E:EB 01         JMP SHORT 00A5682D         ; Superfluous prefix
00A5682C 6981 D0CE9277 8A>IMUL EAX,DWORD PTR DS:[ECX+7792CED0],1EB>
00A56836 6968 0B D04A0158 IMUL EBP,DWORD PTR DS:[EAX+B],58014AD0
00A5683D 90               NOP
00A5683E 90               NOP
00A5683F 90               NOP
00A56840 90               NOP
00A56841 90               NOP
00A56842 90               NOP
00A56843 90               NOP
00A56844 90               NOP
00A56845 90               NOP
00A56846 90               NOP
00A56847 90               NOP
00A56848 90               NOP
00A56849 90               NOP
00A5684A 90               NOP
00A5684B 90               NOP
00A5684C 90               NOP
00A5684D 90               NOP
00A5684E EB 01            JMP SHORT 00A56851
00A56850 F2:              PREFIX REPNE:              ; Superfluous prefix

Then continue the process;
eventually you will find:

Code:
00A565C5 55               PUSH EBP                   ; start of stolen bytes
00A565C6 EB 01            JMP SHORT 00A565C9
00A565C8 E8 8F442400      CALL 00C9AA5C
00A565CD 8BEC             MOV EBP,ESP
00A565CF 81EC 0C000000    SUB ESP,0C
#26 - Nilrem - 03-01-2004, 17:33
I'm working on a tutorial about this, but I'll put it on hold; if R@dier's method is better then I'll incorporate it into the tutorial, if he doesn't mind.
#27 - R@dier - 03-01-2004, 20:16
Hi, the tut is finished, although a bit rough in places.
I am just waiting on some feedback, then I will post it here.

Best Wishes
R@dier

Last edited by R@dier; 03-01-2004 at 21:32.
#28 - Nilrem - 03-02-2004, 00:22
Ok, well I look forward to it, R@dier. My method can be a bit 'sketchy', since it is quite possible to miss one here and there; anyway, hopefully yours is a better method.
#29 - ferrari - 03-02-2004, 00:35
R@dier, a problem. I followed the tut till the end, but when I run the program I get an error.
At POP EAX I note down the EAX value. In this case EAX = 0043809C, but you have taken it as 00437478. Am I wrong? But I still followed your steps. Please clarify.

Screenshots attached: prob2.rar (173.4 KB)
#30 - R@dier - 03-02-2004, 08:27
@ferrari,

You need to execute the POP EAX to get the correct value of EAX;
from your pic, you are sitting on it without running it.
Use F7 to step over, then tell me what the result is.
If you look in your stack frame (next to the dump window)
in your pic
it is:

Code:
0012FFA8 00437478 A.COPY.00437478

This is the value you need.

Also, I would not bother with HIEW; just use the OllyDbg assemble command and insert the stolen bytes,
then do copy to executable.

I hope this helps

Best Wishes

R@dier
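The two patching steps discussed in posts #25 and #30, as an added example that is not code from the thread or from any of the posters: a small VA-addressed byte patcher in Python that does what post #25 asks (NOP the whole run from the CALL DWORD PTR [EAX+28] through the 6-byte ADD, 17 bytes, rather than only the two CALLs) and what post #30 asks (put the stolen bytes back at the OEP before "copy to executable"), with a check that the bytes in the image really are the bytes the listing shows before anything is overwritten. The opcode bytes and VAs are copied from the listings on the page; everything else is an assumption of this example: the image is built from just those bytes plus the EB 01 that follows them, the stolen prolog is taken to be the PUSH EBP / MOV EBP,ESP / SUB ESP,0C lines of R@dier's "start of stolen bytes" listing with the JMP SHORT and CALL lines between them left out (the posts do not say this, it is the example's choice), the stack value 00437478 from post #30 is used as the OEP address, and the listing parser is a heuristic for lines pasted in the thread's format.

```python
# Added example (not from the thread): patch an in-memory copy of a dump by VA.
# Opcode bytes and VAs come from the page's OllyDbg listings; the image layout,
# the filler bytes, the stolen prolog choice and the OEP VA are assumptions.
import re

# One OllyDbg listing line as pasted in the thread: VA, opcode bytes, disassembly.
# Greedy byte-column match with backtracking; a mnemonic made only of an even
# number of hex letters (e.g. FADD) would be eaten as bytes, so check results.
_LINE = re.compile(
    r"^\s*([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{2}(?:\s?[0-9A-Fa-f]{2})*)\s+(\S.*)$"
)


def parse_listing(text):
    """Return [(va, raw_bytes, disasm), ...] for every line that parses as a listing line."""
    instrs = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            va = int(m.group(1), 16)
            raw = bytes.fromhex(m.group(2).replace(" ", ""))
            instrs.append((va, raw, m.group(3).strip()))
    return instrs


def contiguous_span(instrs):
    """(start_va, byte_length) of instructions that sit back to back; raises on a gap."""
    start = instrs[0][0]
    expect = start
    for va, raw, disasm in instrs:
        if va != expect:
            raise ValueError("listing not contiguous at %08X: %s" % (va, disasm))
        expect += len(raw)
    return start, expect - start


class Image:
    """A flat chunk of memory loaded at `base`, addressed by VA as the debugger shows it."""

    def __init__(self, base, data):
        self.base = base
        self.data = bytearray(data)

    def _off(self, va, n):
        off = va - self.base
        if off < 0 or off + n > len(self.data):
            raise IndexError("VA %08X (+%d) is outside the image" % (va, n))
        return off

    def read(self, va, n):
        off = self._off(va, n)
        return bytes(self.data[off:off + n])

    def write(self, va, raw):
        off = self._off(va, len(raw))
        self.data[off:off + len(raw)] = raw

    def nop_listing(self, instrs):
        """NOP every byte the listed instructions occupy. Refuses to patch if the
        image does not hold the bytes the listing shows (wrong dump, base or run)."""
        start, length = contiguous_span(instrs)
        for va, raw, disasm in instrs:
            if self.read(va, len(raw)) != raw:
                raise ValueError("bytes at %08X differ from listing: %s" % (va, disasm))
        self.write(start, b"\x90" * length)
        return start, length

    def write_stolen_bytes(self, oep_va, stolen):
        """Post #30: put the stolen prolog back at the OEP; returns the bytes now there."""
        self.write(oep_va, stolen)
        return self.read(oep_va, len(stolen))


# The run R@dier says must all be NOPed (post #25), copied from the page.
BAD_RUN = """
00A5683D FF50 28 CALL DWORD PTR DS:[EAX+28]
00A56840 E8 4668A500 CALL 014AD08B
00A56845 0F58EB ADDPS XMM5,XMM3
00A56848 019A C1D8C5F2 ADD DWORD PTR DS:[EDX+F2C5D8C1],EBX
"""

# Assumed stolen prolog: PUSH EBP / MOV EBP,ESP / SUB ESP,0C, i.e. the page's
# "start of stolen bytes" listing without the JMP SHORT / CALL lines between them.
STOLEN_PROLOG = bytes.fromhex("55" "8BEC" "81EC0C000000")

# Assumption: the stack value R@dier points at in post #30 is the OEP to patch.
OEP_VA = 0x00437478


def demo_image():
    """Constructed image: the bad run's own bytes followed by the EB 01 (JMP SHORT)
    that comes right after it in the page's listing, based at the run's first VA."""
    run = parse_listing(BAD_RUN)
    base, _ = contiguous_span(run)
    data = b"".join(raw for _, raw, _ in run) + b"\xeb\x01"
    return Image(base, data), run


def nop_calls_only(img, run):
    """What posts #21/#22 did: NOP the two CALLs (8 bytes), leaving the ADDPS/ADD live."""
    return img.nop_listing(run[:2])


def nop_whole_run(img, run):
    """What post #25 says to do: NOP all 17 bytes, up to the EB 01 that follows."""
    return img.nop_listing(run)
```

In OllyDbg the same thing is done by hand (select the run, fill with NOPs, assemble the prolog at the OEP, then copy to executable), as R@dier describes; what the script adds is the length arithmetic over the listed instructions and the pre-check that the image really holds the listed bytes, which is where a manual patch silently goes wrong.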
All times are GMT +8.