#1
where's the error in this asprotect-target?
the program i tried to unpack is Z-Up Maker 4.3.0
these are my infos
stolen bytes:
push ebp
mov ebp,esp
add esp,-10
mov eax, 5B64BC
and my iat is attached
but it doesn't work. i don't know where's the error... i think it's all correct?!?!?!?!?!
#2
Hi Markus,
the stolen bytes and Iat are not correct, your program is working on the following info.:
005B6CCC > $ 55             PUSH EBP
005B6CCD   . 8BEC           MOV EBP,ESP
005B6CCF   . 83EC 0C        SUB ESP,0C
005B6CD2   . 53             PUSH EBX
005B6CD3   . B8 BC645B00    MOV EAX,dd_.005B64BC
here is the iat:
Last edited by britedream; 12-29-2003 at 12:38.
#3
Thanks Markus, You always come up with
unique programs.
#4
oh yes, i forgot the push ebx
but how did you get the sub esp,0c? i thought it was -10? maybe i'm confused *lol*
#5
britedream, i've tried your infos... but it still comes up with the same error
my dump is correct, i think
#6
Hi,
the program is working on the info I gave you. also check your iat against mine
#7
i understood why sub esp,0c was my fault. i pm'ed you
#8
to Markus,
please check your pm
#9
PowerStrip 3.47 Build 425
Britedream, i want to ask you if these infos are correct for powerstrip (the program worked for me):
OEP: 555DE7
Stolen Bytes:
push ebp
mov ebp,esp
sub esp,0c
push ebx
mov eax,4032A0
nop the calls (call eax): 522BC1 52487D
IAT:
#10
i think, for powerstrip this is enough:
push ebp
mov ebp,esp
sub esp,10
#11
Well done Markus, your iat is correct, and your stolen bytes are correct if not for the extra command you put: mov eax,xxxxxx. Now your oep should shift a little bit down,
after eliminating the extra command, to 555dec. Regards.
Last edited by britedream; 12-30-2003 at 15:39.
#12
your dump works perfect for Z-Up Maker. I saw you have newer version, so i downloaded this one... i've dumped it again and it doesn't work. so i made a differences report.
in my dump are many extra bytes where in your dump are only 00. i've looked at the offsets, and these "extra bytes" are error messages like "runtime error" or anything else. but where do they come from???
#13
hey, i got it work!!!!
where did you dump, britedream? i dumped always here:
005B6CD8   E8 6B0DE5FF      CALL dumped_.00407A48
005B6CDD   8B1D CCB05B00    MOV EBX,DWORD PTR DS:[5BB0CC]    ; dumped_.005BC7D8
005B6CE3   8B03             MOV EAX,DWORD PTR DS:[EBX]
005B6CE5   E8 12E0E9FF      CALL dumped_.00454CFC
005B6CEA   8B03             MOV EAX,DWORD PTR DS:[EBX]
005B6CEC   BA 086E5B00      MOV EDX,dumped_.005B6E08         ; ASCII "Z-Up Maker"
005B6CF1   E8 0ADCE9FF      CALL dumped_.00454900
005B6CF6   8B0D 60AE5B00    MOV ECX,DWORD PTR DS:[5BAE60]    ; dumped_.005BEC84
005B6CFC   8B03             MOV EAX,DWORD PTR DS:[EBX]
005B6CFE   8B15 54D85800    MOV EDX,DWORD PTR DS:[58D854]    ; dumped_.0058D8A0
005B6D04   E8 0BE0E9FF      CALL dumped_.00454D14
the dump hasn't worked!!! now i've dumped here:
00407948  -FF25 20035C00    JMP DWORD PTR DS:[5C0320]
0040794E   8BC0             MOV EAX,EAX
00407950  -FF25 1C035C00    JMP DWORD PTR DS:[5C031C]
00407956   8BC0             MOV EAX,EAX
00407958  -FF25 18035C00    JMP DWORD PTR DS:[5C0318]
0040795E   8BC0             MOV EAX,EAX
and it works!!! there are still some differences, your program runs registered, mine unregistered. have you cracked it?
#14
no I didn't crack it. I just removed the
asprotect. and it is protected by it.
#15
i noticed a very strange thing... if my dump has the name "dumped_.exe" it is unregistered. if i rename it to "aaaaaaaaaaaaaaaaaaaaaaaaaaaa.exe" it's suddenly registered!? why that?
britedream, it's the same with your dump... it works registered as "dd_.exe" and unregistered as "dda_.exe"