#31
mtw, how did you fix these two entries?

#32
Markus,
this is a completely NEW target. Please read the string "Target:" in the MSDG.txt file. The problem with zup is resolved! Z
#33
oh i see... this is a program like aspack which works with Dword-calls... seems harder to fix... but your IAT should be correct. i came to the same

#34
ok, zlatko, i came to the following with your program.
your IAT is correct. now the parts to edit:

0056901C 55 PUSH EBP
0056901D 8BEC MOV EBP,ESP
0056901F 83C4 F0 ADD ESP,-10
00569022 B8 848B5600 MOV EAX,MsDataGe.00568B84
00569027 E8 00DFE9FF CALL MsDataGe.00406F2C
0056902C A1 B4C65600 MOV EAX,DWORD PTR DS:[56C6B4]
00569031 8B00 MOV EAX,DWORD PTR DS:[EAX]
00569033 E8 C0B2EFFF CALL MsDataGe.004642F8
00569038 FF15 E8C15600 CALL DWORD PTR DS:[56C1E8]
0056903E A1 B4C65600 MOV EAX,DWORD PTR DS:[56C6B4]
00569043 8B00 MOV EAX,DWORD PTR DS:[EAX]
00569045 E8 46B3EFFF CALL MsDataGe.00464390
0056904A E8 05B6E9FF CALL MsDataGe.00404654

Edit to:

0056901C > $ 55 PUSH EBP
0056901D . 8BEC MOV EBP,ESP
0056901F . 83C4 F0 ADD ESP,-10
00569022 . B8 848B5600 MOV EAX,dumped_.00568B84
00569027 . E8 00DFE9FF CALL dumped_.00406F2C
0056902C . A1 B4C65600 MOV EAX,DWORD PTR DS:[56C6B4]
00569031 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00569033 . E8 C0B2EFFF CALL dumped_.004642F8
00569038 . E8 8FFAFFFF CALL dumped_.00568ACC
0056903D . 90 NOP
0056903E . A1 B4C65600 MOV EAX,DWORD PTR DS:[56C6B4]
00569043 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00569045 . E8 46B3EFFF CALL dumped_.00464390
0056904A . E8 05B6E9FF CALL dumped_.00404654

and this:

00568AD4 68 378B5600 PUSH MsDataGe.00568B37
00568AD9 64:FF30 PUSH DWORD PTR FS:[EAX]
00568ADC 64:8920 MOV DWORD PTR FS:[EAX],ESP
00568ADF A1 5CE25600 MOV EAX,DWORD PTR DS:[56E25C]
00568AE4 50 PUSH EAX
00568AE5 E8 B6FFFFFF CALL MsDataGe.00568AA0
00568AEA 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
00568AED A1 5CE25600 MOV EAX,DWORD PTR DS:[56E25C]
00568AF2 E8 7D13EAFF CALL MsDataGe.00409E74
00568AF7 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00568AFA A1 30C65600 MOV EAX,DWORD PTR DS:[56C630]
00568AFF E8 94BCE9FF CALL MsDataGe.00404798
00568B04 A1 30C65600 MOV EAX,DWORD PTR DS:[56C630]
00568B09 8B00 MOV EAX,DWORD PTR DS:[EAX]
00568B0B E8 FCBEE9FF CALL MsDataGe.00404A0C
00568B10 85C0 TEST EAX,EAX
00568B12 7E 08 JLE SHORT MsDataGe.00568B1C
00568B14 A1 44C35600 MOV EAX,DWORD PTR DS:[56C344]
00568B19 C600 01 MOV BYTE PTR DS:[EAX],1
00568B1C E8 4BFFFFFF CALL MsDataGe.00568A6C
00568B21 33C0 XOR EAX,EAX

to:

00568AD4 |. 68 378B5600 PUSH dumped_.00568B37
00568AD9 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00568ADC |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00568ADF 90 NOP
00568AE0 90 NOP
00568AE1 90 NOP
00568AE2 90 NOP
00568AE3 90 NOP
00568AE4 |. 50 PUSH EAX ; /Arg1 => 00C23405
00568AE5 |. E8 B6FFFFFF CALL dumped_.00568AA0 ; \dumped_.00568AA0
00568AEA |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
00568AED |. A1 5CE25600 MOV EAX,DWORD PTR DS:[56E25C]
00568AF2 |. E8 7D13EAFF CALL dumped_.00409E74
00568AF7 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00568AFA |. A1 30C65600 MOV EAX,DWORD PTR DS:[56C630]
00568AFF |. E8 94BCE9FF CALL dumped_.00404798
00568B04 |. A1 30C65600 MOV EAX,DWORD PTR DS:[56C630]
00568B09 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00568B0B |. E8 FCBEE9FF CALL dumped_.00404A0C
00568B10 |. 85C0 TEST EAX,EAX
00568B12 |. 7E 08 JLE SHORT dumped_.00568B1C
00568B14 |. A1 44C35600 MOV EAX,DWORD PTR DS:[56C344]
00568B19 |. C600 01 MOV BYTE PTR DS:[EAX],1
00568B1C |> E8 4BFFFFFF CALL dumped_.00568A6C
00568B21 |. 33C0 XOR EAX,EAX
#35
i think the rest isn't very hard.
registration flag is 56E24C or 16E24C (for hex-editor), change it to 1 and all is ok
#36
these calls & the mov aren't necessary for the program to work. it's only advanced asprotect-protection and should cost crackers time.

#37
Thanks Markus,
I did the same thing as you in the first part, but the second part I missed (at 00568ADC)! Regards, Z
PS. Would you PM me your email address, or if you wish I can PM you mine. It's much easier to work through e-mail than on the board.
#38
i pm'ed you

#39
I'm STUPID !
All changes I've made with Hiew (instead of with HexEd) and you know what happens! -> Access v... Z
PS. Thanks for the address
#40
i only use winhex and hiew, don't know about HexEd

#41
@Markus
Just change the rva to 0014A0EC or even lower, 0014A000. It takes more time to search, but you will know you have a correct IAT. Imprec does get this value wrong a lot and increase the size a few hundred more.
#42
yes, i've done that, but imprec can't find the function GetTimeFormatW, and the other api... it has resolved it as Shell32

#43
There is a plugin for imprec called AsProtection 1.22, use it
to resolve some entries you can seem to correct, it does a good job finding them. And a hint on the unwrapped protection: 415B40 and 4158B1, these 2 locations will save you some time looking for the reg check.
#44
yes, the reg-check was easy to find

#45
mtw, is this the standard ImportRec 1.6 Plugin? if not, can you attach it? i can't find this plugin. and the standard-plugin can't resolve it