Go Back   Exetools > General > General Discussion


Thread Tools Display Modes
Old 02-27-2004, 11:30
Posts: n/a
Re: offtopic

Originally posted by dj-siba
Huli ka malau, ka 'iako a ka lawai'a.
Work is done :P



anywayz i just finished the Imprec part of the tut....hope i fixed it right .....now comes the most important part of the tut....yes JMI i know Inquiring minds....but let me finished atleast one tut on Aspr with some expert help....i have some questions on the access violation part....i'l be back when i return home from work....hope some1 will help me [email protected] hope u r there
Reply With Quote
Old 02-27-2004, 12:17
Posts: n/a
Always happy to help

[email protected]
Reply With Quote
Old 02-27-2004, 23:04
Posts: n/a
Originally posted by JMI

The only appropriate thing to add to:

Aia a kau ka i`a i ka wa`a, mana`o ke ola.

loosly translated as:

One can think of life after the fish is in the canoe. <---this was my meaning, I just couldn't help myself, after the Russian translation thing


`A`ohe hua o ka mai`a i ka la ho`okahi.

and I must say you be quite correct bananas don't fruit in a day

as also:
`A`ohe `ulu e loa`a i ka pokole o ka lou
which means:

No breadfruit can be reached
when the picking stick is too short. <--- I think actually right now this is my problem

of course there be other translations, but we won't go there

and BTW Thanx so much for this Tidbit:

By JMI: I seem to recall that ASPR changes certain address EACH TIME YOU RUN THE PROGRAM, as in "the jump to the OEP is always at a different location in memory"

This I did not know, and it makes AsProtect very interesting

EDIT well I see some characters don't display quite as expected, to which I'm not surprised, I tried to change with no sucess what I posted between code tags .... sort of like asprotect

Last edited by lonewolf55; 02-27-2004 at 23:18.
Reply With Quote
Old 02-28-2004, 17:27
Posts: n/a
Okay the version 1.54 is here


( some download managers wont work, just copy paste link in browser)

Pompeyfan tell me when u reach the acess violation part of the tut. W'll do it together okay.

[email protected] thank u. I'l post my problem soon waiting for pompeyfan
he wants to try the same version.

Last edited by ferrari; 02-28-2004 at 17:30.
Reply With Quote
Old 02-29-2004, 03:50
Posts: n/a
I might not get a chance to try it out till later today, I'll post soon as I get a chance though.
Reply With Quote
Old 02-29-2004, 13:23
Posts: n/a
Okay, I did the Imprec part, then I did the trace, changed the REP STOS BYTE PTR ES:[EDI] to JMP EDI, traced with F8, and get an access violation at:

00A55A11 FF50 28 CALL DWORD PTR DS:[EAX+28]

I nop that call, then trace till the next access violation at:

00A54CAC E8 10994A01 CALL 01EFE5C1

I nop that, and try tracing with f8 from here, but getthe message:

Don't know how to step, because memory at address 01EFE5C1 is not readable. Try to change EIP or pass exception to program.

What do I do from here?, I thought I was going so well up until here.
Reply With Quote
Old 02-29-2004, 17:27
Posts: n/a
Aah...u right pompeyfan...same here.

first access violation
00C8635D   FF50 28          CALL DWORD PTR DS:[EAX+28]
00C86360   E8 78C69001      CALL 025929DD
00C86365   0F58EB           ADDPS XMM5,XMM3
00C86368   019A C1D8C5F2    ADD DWORD PTR DS:[EDX+F2C5D8C1],EBX
Changed to

00C8635D   90               NOP
00C8635E   90               NOP
00C8635F   90               NOP
00C86360   E8 78C69001      CALL 025929DD
When i F8 till--> 00C86360 I get this message. Here is a screenshot attached.
Attached Files
File Type: zip prob1.zip (64.4 KB, 19 views)
Reply With Quote
Old 02-29-2004, 19:53
Posts: n/a
Yes I and other had this problem as well,
you need to keep noping the troublesome calls then all will be fine.

there is a better way to get the stolen bytes which I will explain when I get home tomorrow. Kinda flat out at the moment.
I have put together a tute which should help. I hope to post it tomorrow also

Best Wishes

[email protected]
Reply With Quote
Old 03-01-2004, 00:28
Posts: n/a
Nopping the second call doesn't succeed though, as we said, look forward to your alternative when you get a chance.
Reply With Quote
Old 03-01-2004, 14:13
Posts: n/a
you have to NOP quite a bit

all this must be nop-ed

00A5683D FF50 28 CALL DWORD PTR DS:[EAX+28]
00A56840 E8 4668A500 CALL 014AD08B
00A56845 0F58EB ADDPS XMM5,XMM3
00A56848 019A C1D8C5F2 ADD DWORD PTR DS:[EDX+F2C5D8C1],EBX
so it becomes:

00A56824 F3: PREFIX REP: ; Superfluous prefix
00A56825 334424 38 XOR EAX,DWORD PTR SS:[ESP+38]
00A56829 3E:EB 01 JMP SHORT 00A5682D ; Superfluous prefix
00A5682C 6981 D0CE9277 8A>IMUL EAX,DWORD PTR DS:[ECX+7792CED0],1EB>
00A56836 6968 0B D04A0158 IMUL EBP,DWORD PTR DS:[EAX+B],58014AD0
00A5683D 90 NOP
00A5683E 90 NOP
00A5683F 90 NOP
00A56840 90 NOP
00A56841 90 NOP
00A56842 90 NOP
00A56843 90 NOP
00A56844 90 NOP
00A56845 90 NOP
00A56846 90 NOP
00A56847 90 NOP
00A56848 90 NOP
00A56849 90 NOP
00A5684A 90 NOP
00A5684B 90 NOP
00A5684C 90 NOP
00A5684D 90 NOP
00A5684E EB 01 JMP SHORT 00A56851
00A56850 F2: PREFIX REPNE: ; Superfluous prefix

then continue the process,
eventually you will find

00A565C5 55 PUSH EBP ; start of stolen bytes
00A565C6 EB 01 JMP SHORT 00A565C9
00A565C8 E8 8F442400 CALL 00C9AA5C
00A565CF 81EC 0C000000 SUB ESP,0C
Reply With Quote
Old 03-01-2004, 17:33
Posts: n/a
I'm working on a tutorial about this, but I'll put it on hold, if [email protected]'s method is better then I'll incorporate it into the tutorial if he doesn't mind.
Reply With Quote
Old 03-01-2004, 20:16
Posts: n/a
Hi The tut is finished although a bit rough in places,
I am just waiting on some feed back then i will post it here.

Best Wishes
[email protected]

Last edited by [email protected]; 03-01-2004 at 21:32.
Reply With Quote
Old 03-02-2004, 00:22
Posts: n/a
Ok, well I look forward to it [email protected] My method can be a bit 'sketchy' since it is quite possible to miss one here and there, anyways, hopefully yours is a better method.
Reply With Quote
Old 03-02-2004, 00:35
Posts: n/a
[email protected] a problem. I followed the tut till end. But when i run the program i get error.
At POP EAX i note down the EAX value. In this case EAX = 0043809C But u have taken it as 00437478. Am I wrong? But i still followed ur steps.Plz clarify.

Screenshots attached.
Attached Files
File Type: rar prob2.rar (173.4 KB, 10 views)
Reply With Quote
Old 03-02-2004, 08:27
Posts: n/a
@ ferrari ,

you need to execute the POP EAX to get the correct value of EAX,
from you Pic, you are sitting on it without running it,
use F7 to step over then tell me what the result is,
if you see in your stack frame(next to dump window)
in your pic
it is

0012FFA8 00437478 A.COPY.00437478

this is the value you need,

also i would not bother with HIEW, just use OllyDbg assemble command and insert the stolen Bytes

then do copy to executable

I hope this helps

Best Wishes

[email protected]
Reply With Quote

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
little question about manually unpacking MaRKuS-DJM General Discussion 3 11-13-2003 00:43

All times are GMT +8. The time now is 07:14.

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX
( 1998 - 2020 )