#16
|
|||
|
|||
Re: offtopic
Quote:
http://www.k12.hi.us/~waianaeh/PolyVoyage/oral.html http://worldlingo.com/products_services/worldlingo_translator.html anywayz i just finished the Imprec part of the tut....hope i fixed it right .....now comes the most important part of the tut....yes JMI i know Inquiring minds....but let me finished atleast one tut on Aspr with some expert help....i have some questions on the access violation part....i'l be back when i return home from work....hope some1 will help me then...R@Dier hope u r there |
#17
|
|||
|
|||
Always happy to help
R@dier |
#18
|
|||
|
|||
Quote:
as also: Code:
`A`ohe `ulu e loa`a i ka pokole o ka lou No breadfruit can be reached when the picking stick is too short. <--- I think actually right now this is my problem of course there be other translations, but we won't go there and BTW Thanx so much for this Tidbit: By JMI: I seem to recall that ASPR changes certain address EACH TIME YOU RUN THE PROGRAM, as in "the jump to the OEP is always at a different location in memory" This I did not know, and it makes AsProtect very interesting EDIT well I see some characters don't display quite as expected, to which I'm not surprised, I tried to change with no sucess what I posted between code tags .... sort of like asprotect Last edited by lonewolf55; 02-27-2004 at 23:18. |
#19
|
|||
|
|||
Okay the version 1.54 is here
http://www.freewebs.com/think_digit/cdprot.rar ( some download managers wont work, just copy paste link in browser) Pompeyfan tell me when u reach the acess violation part of the tut. W'll do it together okay. R@dier thank u. I'l post my problem soon waiting for pompeyfan he wants to try the same version. Last edited by ferrari; 02-28-2004 at 17:30. |
#20
|
|||
|
|||
I might not get a chance to try it out till later today, I'll post soon as I get a chance though.
|
#21
|
|||
|
|||
Okay, I did the Imprec part, then I did the trace, changed the REP STOS BYTE PTR ES:[EDI] to JMP EDI, traced with F8, and get an access violation at:
00A55A11 FF50 28 CALL DWORD PTR DS:[EAX+28] I nop that call, then trace till the next access violation at: 00A54CAC E8 10994A01 CALL 01EFE5C1 I nop that, and try tracing with f8 from here, but getthe message: Don't know how to step, because memory at address 01EFE5C1 is not readable. Try to change EIP or pass exception to program. What do I do from here?, I thought I was going so well up until here. |
#22
|
|||
|
|||
Aah...u right pompeyfan...same here.
first access violation Code:
00C8635D FF50 28 CALL DWORD PTR DS:[EAX+28] 00C86360 E8 78C69001 CALL 025929DD 00C86365 0F58EB ADDPS XMM5,XMM3 00C86368 019A C1D8C5F2 ADD DWORD PTR DS:[EDX+F2C5D8C1],EBX Code:
00C8635D 90 NOP 00C8635E 90 NOP 00C8635F 90 NOP 00C86360 E8 78C69001 CALL 025929DD |
#23
|
|||
|
|||
HI,
Yes I and other had this problem as well, you need to keep noping the troublesome calls then all will be fine. there is a better way to get the stolen bytes which I will explain when I get home tomorrow. Kinda flat out at the moment. I have put together a tute which should help. I hope to post it tomorrow also Best Wishes R@dier |
#24
|
|||
|
|||
Nopping the second call doesn't succeed though, as we said, look forward to your alternative when you get a chance.
|
#25
|
|||
|
|||
you have to NOP quite a bit
all this must be nop-ed 00A5683D FF50 28 CALL DWORD PTR DS:[EAX+28] 00A56840 E8 4668A500 CALL 014AD08B 00A56845 0F58EB ADDPS XMM5,XMM3 00A56848 019A C1D8C5F2 ADD DWORD PTR DS:[EDX+F2C5D8C1],EBX so it becomes: 00A56824 F3: PREFIX REP: ; Superfluous prefix 00A56825 334424 38 XOR EAX,DWORD PTR SS:[ESP+38] 00A56829 3E:EB 01 JMP SHORT 00A5682D ; Superfluous prefix 00A5682C 6981 D0CE9277 8A>IMUL EAX,DWORD PTR DS:[ECX+7792CED0],1EB> 00A56836 6968 0B D04A0158 IMUL EBP,DWORD PTR DS:[EAX+B],58014AD0 00A5683D 90 NOP 00A5683E 90 NOP 00A5683F 90 NOP 00A56840 90 NOP 00A56841 90 NOP 00A56842 90 NOP 00A56843 90 NOP 00A56844 90 NOP 00A56845 90 NOP 00A56846 90 NOP 00A56847 90 NOP 00A56848 90 NOP 00A56849 90 NOP 00A5684A 90 NOP 00A5684B 90 NOP 00A5684C 90 NOP 00A5684D 90 NOP 00A5684E EB 01 JMP SHORT 00A56851 00A56850 F2: PREFIX REPNE: ; Superfluous prefix then continue the process, eventually you will find 00A565C5 55 PUSH EBP ; start of stolen bytes 00A565C6 EB 01 JMP SHORT 00A565C9 00A565C8 E8 8F442400 CALL 00C9AA5C 00A565CD 8BEC MOV EBP,ESP 00A565CF 81EC 0C000000 SUB ESP,0C |
#26
|
|||
|
|||
I'm working on a tutorial about this, but I'll put it on hold, if R@adier's method is better then I'll incorporate it into the tutorial if he doesn't mind.
|
#27
|
|||
|
|||
Hi The tut is finished although a bit rough in places,
I am just waiting on some feed back then i will post it here. Best Wishes R@dier Last edited by R@dier; 03-01-2004 at 21:32. |
#28
|
|||
|
|||
Ok, well I look forward to it R@dier. My method can be a bit 'sketchy' since it is quite possible to miss one here and there, anyways, hopefully yours is a better method.
|
#29
|
|||
|
|||
R@dier a problem. I followed the tut till end. But when i run the program i get error.
At POP EAX i note down the EAX value. In this case EAX = 0043809C But u have taken it as 00437478. Am I wrong? But i still followed ur steps.Plz clarify. Screenshots attached. |
#30
|
|||
|
|||
@ ferrari ,
you need to execute the POP EAX to get the correct value of EAX, from you Pic, you are sitting on it without running it, use F7 to step over then tell me what the result is, if you see in your stack frame(next to dump window) in your pic it is 0012FFA8 00437478 A.COPY.00437478 this is the value you need, also i would not bother with HIEW, just use OllyDbg assemble command and insert the stolen Bytes then do copy to executable I hope this helps Best Wishes R@dier |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
little question about manually unpacking | MaRKuS-DJM | General Discussion | 3 | 11-13-2003 00:43 |