#1
Asprotect 1.23 New Tutorial by LaBBa
I saw LaBBa wrote a new tutorial for Asprotect 1.23, but he didn't post it @exetools...
so I'll attach it here. many thanks to LaBBa!!!! original post by LaBBa: Quote:
Last edited by MaRKuS-DJM; 01-16-2004 at 21:05.
#2
Hi Markus
asprotect doesn't need that long a tut. even though we appreciate the effort, now and always, that labba is doing, I think long tuts tend to be hard to follow, at least for me. here is the way that britedream might do it:
1- stack hard breakpoint on the first push, takes you to pushad, do the same for the pushad, takes you to the stolen bytes.
2- memory breakpoint on code section, look at the stack for the oep.
3- fix your iat- done.
Last edited by britedream; 01-19-2004 at 00:54.
#3
yes, you are right, but it's interesting how many ways take you to the finish
some question. which hardware-breakpoint do you use? the second one @the pushad doesn't work for me.
#4
no, got it handled already
thanks britedream, but I see stack-breakpoints won't work on ASProtect 1.22 - 1.23 Beta 21
Last edited by MaRKuS-DJM; 01-16-2004 at 23:02.
#5
may I ask which program?
#6
I was wondering if you guys could please expand on
Quote:
Best Wishes R@dier
#7
f7 to pass the push, follow esp to dump,
right click on it in the dump, select: hardware on access dword.
#8
it's advanced im password recovery by elcomsoft, protected by the old asprotect, and the stack hardware-bp doesn't work
correction: the first one works, the second one: no
Last edited by MaRKuS-DJM; 01-16-2004 at 23:51.
#9
@ britedream
Thanks :-)
@ MaRKuS
I have been playing with advanced im password recovery also, after you posted it this morning, found it quite easy to unpack using the different methods.
Best Wishes R@dier
Last edited by R@dier; 01-17-2004 at 00:26.
#10
and which method did you use R@dier?
#11
to find OEP used
2- memory breakpoint on code section,
to find stolen bytes used kinda LaBBa's method. I still have not got the hang of
Quote:
but looking into it :-) R@dier
#12
for the advance:
the method is correct, but somehow it didn't catch the bp, it erased the breakpoint, but even though I brought it back it still wouldn't catch it. you can work around it by the following: you will notice when you passed the pushad that esp = 12ffa4, it should have popped up when it has been accessed, but it did not, so once you are at the last exception, set trace condition esp == 12ffa4, then control+f11, it will stop on top of the stolen byte as it should have, f7 a little bit and you should be at the first one.
Last edited by britedream; 01-17-2004 at 02:14.
#13
to find the oep:
at the stolen bytes or the last exception, set memory breakpoint on the code section, once stopped, look at the stack (K on the tool bar), if you see two addresses take the second one, if one, take it, if no address then oep is just above where you are.
#14
hm, I used trace, but the trace always hangs in an endless loop. I don't know why, but it happens only for this aspr-version (beta 21).
the code-bp is a method for OEP
#15
but no problem, I got it handled with F8 & F7 to skip the unpacking-routine (which is for some reason endless with tracing) and after this I ran trace. All stolen bytes are plain-text *lol*