Tried unpacking DVDIdle Pro - AsProtect
I'm pretty new to cracking on Intel machines...

I went through the Tag & Rename tutorial and everything worked perfectly. However, I tried to apply the same concept to DVDIdle Pro. Running OllyDbg, I loaded DVDIdle Pro 3.38 and answered NO to analyzing. Hit F9 and received an exception. Pressed SHIFT+F9 26 times until I reached the following (see pic: dvdi_olly2.jpg). I set a bp at the RETN and pressed SHIFT+F9 one more time. Pressed ALT+M and right-clicked the DVDIdle code -> Break on memory access. Hit CTRL+F11 to run a trace and ended up here (see pic: dvdi_olly1.jpg). From here nothing looked the same... nothing was on the stack. I tried VIEW->TRACE, HIGHLIGHT EBP (show ESP enabled, with log command on). This is what I saw (missing bytes?), see pic: dvdi_olly.jpg.

If these are the missing bytes... where do I put them? There are quite a few "00" above the address shown in pic: dvdi_olly1.jpg. Any help would be appreciated...

-Malt
#2
Great Job
Hi Maltese,

Well, first I want to congratulate you on your first post, which is way above the first post of other members on this forum. You have indeed found the right stolen bytes, which you showed in dvdi_olly.jpg. Again you are right: you have to put the stolen bytes on the zeros in picture dvdi_olly1.jpg. I took a quick look at the 3.39 version and that has 45 stolen bytes. I assume that the 3.38 version, regarding your trace, will have 38 stolen bytes (you'll have to count the zero bytes):

PUSH EBP
MOV EBP,ESP
PUSH -1
PUSH 425FA0
PUSH 41EF10
MOV EAX,DWORD PTR FS:[0]
PUSH EAX
MOV DWORD PTR FS:[0],ESP
SUB ESP,58
PUSH EBX
PUSH ESI
PUSH EDI
MOV DWORD PTR SS:[EBP-18],ESP

Regards,
Lownoise
#3
Thank you lownoise for the kind response.

I installed version 3.39 of DVDIdle Pro and followed the same steps as in the original post. When I performed View->Trace (SHOW ESP & LOG COMMAND), this is what I saw (see pic: dvdi_olly3.jpg). Unfortunately the AsProtect tutorial does not go in depth as to how many bytes and which exact ones are the stolen ones.

***EDITED*** removed reference to picture #4 since it was incorrect... to not hog up space on the server.

If this was a mistake, how do I make sense of what is stolen and what is not?

Thanks,
-Malt

Last edited by Maltese; 03-24-2004 at 13:02.
#4
Did you read britedream's tutorials on stolen bytes? One of them is here: http://www.exetools.com/forum/showthread.php?t=3654&page=1

Very nice tuts.

Regards,
#5
Thanks,

I downloaded the tut by Britedream. Please let me try to figure this one out first. If I need help, I hope I can ask. But I need to learn this... just giving the answer won't help me in the future... Looking at the tut now.

Thanks again!
-Malt
#6
Alright,

I looked through the tutorial from BriteDream regarding ASProtect and understanding stolen bytes, and tried to apply it to DVDIdle Pro 3.39. I noticed right off the bat that 3.38 is different from 3.39. PEiD .7b reports the same protection for both versions. After the CTRL+F11 trace in OllyDbg, I can see that I need to fill 45 bytes (above the bp from the trace). Confirmed by lownoise. In my post above is a picture of VIEW->RUN TRACE (dvdi_olly3.jpg).

Every time I see stolen bytes (in RUN TRACE) in tutorials, it seems that PUSH EBX is first. In this case it does not appear to be PUSH EBX, but MOV EBP,ESP. I tried to continue figuring out the rest of the code to fill 45 bytes exactly; I ended up with 1 byte left at 00 which needs filling. I did this starting at location 41EFE6:

0041EFE6 8BEC MOV EBP,ESP
0041EFE8 6A FF PUSH -1
0041EFEA 68 A05F4200 PUSH DVDIdleP.00425FA0
0041EFEF 68 40EF4100 PUSH DVDIdleP.0041EF40
0041EFF4 2BE2 SUB ESP,EDX
0041EFF6 890424 MOV DWORD PTR SS:[ESP],EAX
0041EFF9 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
0041F000 83EC 68 SUB ESP,68
0041F003 2BE2 SUB ESP,EDX
0041F005 891C24 MOV DWORD PTR SS:[ESP],EBX
0041F008 2BE2 SUB ESP,EDX
0041F00A 893424 MOV DWORD PTR SS:[ESP],ESI
0041F00D 2BE2 SUB ESP,EDX
0041F00F 893C24 MOV DWORD PTR SS:[ESP],EDI
0041F012 00 <===

Basically I started with MOV EBP,ESP and omitted JMP, LEA, ADD, XOR. How do you determine where the stolen bytes end? Any ideas, lownoise? I wanted to try this on my own before the answer was provided.

Thanks for taking the time to help me!
-Malt
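As an added example (not code from the thread or from any of the posters): a small Python encoder for the handful of x86 instruction forms in the CRT prologue lownoise lists in #2, plus a pass that folds the "SUB ESP,EDX" / "MOV DWORD PTR SS:[ESP],reg" pairs from Malt's #6 run trace back into "PUSH reg". It assumes Olly's hex notation and that EDX holds 4 at those points (so each pair is a disguised push); the byte count it returns is what has to match the run of zeros at the original entry point.

```python
import re
import struct
# Added example, not the thread's code. Assumes Olly-style text with hex immediates, EDX == 4 at "SUB ESP,EDX".
REG32 = {"EAX": 0, "ECX": 1, "EDX": 2, "EBX": 3, "ESP": 4, "EBP": 5, "ESI": 6, "EDI": 7}
STOLEN_338 = ["PUSH EBP", "MOV EBP,ESP", "PUSH -1", "PUSH 425FA0", "PUSH 41EF10",  # lownoise's list (#2)
              "MOV EAX,DWORD PTR FS:[0]", "PUSH EAX", "MOV DWORD PTR FS:[0],ESP", "SUB ESP,58",
              "PUSH EBX", "PUSH ESI", "PUSH EDI", "MOV DWORD PTR SS:[EBP-18],ESP"]
TRACE_339 = ["MOV EBP,ESP", "PUSH -1", "PUSH DVDIdleP.00425FA0", "PUSH DVDIdleP.0041EF40",  # Malt's trace (#6)
             "SUB ESP,EDX", "MOV DWORD PTR SS:[ESP],EAX", "MOV DWORD PTR FS:[0],ESP", "SUB ESP,68", "SUB ESP,EDX",
             "MOV DWORD PTR SS:[ESP],EBX", "SUB ESP,EDX", "MOV DWORD PTR SS:[ESP],ESI", "SUB ESP,EDX", "MOV DWORD PTR SS:[ESP],EDI"]

def _split(insn):  # Olly text -> (mnemonic, [operands]); strips size prefixes and the module name
    text = insn.strip().upper().replace("DWORD PTR ", "").replace("SS:", "")
    text = re.sub(r"[A-Z0-9_]+\.(?=[0-9A-F]{8}\b)", "", text)
    mnem, _, ops = text.partition(" ")
    return mnem, [o.strip() for o in ops.split(",")] if ops else []

def encode(insn):  # one prologue-style instruction -> its machine-code bytes
    mnem, ops = _split(insn)
    if mnem == "PUSH" and ops[0] in REG32:                                  # 50+r
        return bytes([0x50 + REG32[ops[0]]])
    if mnem == "PUSH":                                                        # 6A ib or 68 id
        imm = int(ops[0], 16)
        if -128 <= imm <= 127: return b"\x6A" + struct.pack("<b", imm)
        return b"\x68" + struct.pack("<I", imm)
    if mnem == "MOV" and ops[0] in REG32 and ops[1] in REG32:               # 8B /r, mod=11
        return bytes([0x8B, 0xC0 | (REG32[ops[0]] << 3) | REG32[ops[1]]])
    if mnem == "MOV" and ops[0] == "EAX" and ops[1] == "FS:[0]":             # 64 A1 moffs32
        return b"\x64\xA1" + b"\x00" * 4
    if mnem == "MOV" and ops[0] == "FS:[0]" and ops[1] in REG32:             # 64 89 /r, disp32
        return bytes([0x64, 0x89, (REG32[ops[1]] << 3) | 5]) + b"\x00" * 4
    m = re.fullmatch(r"\[EBP([+-][0-9A-F]+)\]", ops[0]) if mnem == "MOV" else None
    if m and ops[1] in REG32:                                                 # 89 /r, [EBP+disp8]
        return bytes([0x89, 0x40 | (REG32[ops[1]] << 3) | 5]) + struct.pack("<b", int(m.group(1), 16))
    if mnem == "SUB" and ops[0] == "ESP" and ops[1] not in REG32:            # 83 /5 ib
        return b"\x83\xEC" + struct.pack("<b", int(ops[1], 16))
    raise ValueError("unsupported instruction: " + insn)

def normalise(trace):  # 'SUB ESP,EDX' + 'MOV [ESP],reg' -> 'PUSH reg' (only valid if EDX == 4)
    out, i = [], 0
    while i < len(trace):
        nxt = _split(trace[i + 1]) if i + 1 < len(trace) else ("", [])
        push = _split(trace[i]) == ("SUB", ["ESP", "EDX"]) and nxt[0] == "MOV" and nxt[1][0] == "[ESP]"
        out.append("PUSH " + nxt[1][1] if push else trace[i])
        i += 2 if push else 1
    return out

def assemble(insns):  # len() of the result is the size of the hole the stolen bytes must fill
    return b"".join(encode(x) for x in insns)
```

Running assemble(STOLEN_338) gives 38 bytes, the figure lownoise quotes for 3.38; the 45 reported for 3.39 means the trace above must contain more than the 28 bytes these four pushes and the SUB add up to.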