Exetools  

  #31  
Old 01-01-2004, 01:45
MaRKuS-DJM MaRKuS-DJM is offline
Cracker + Unpacker
 
Join Date: Aug 2003
Location: Virtual World / Network
Posts: 553
Rept. Given: 7
Rept. Rcvd 6 Times in 4 Posts
Thanks Given: 3
Thanks Rcvd at 16 Times in 10 Posts
MaRKuS-DJM Reputation: 6
mtw, how did you fix these two entries?
  #32  
Old 01-01-2004, 01:48
zlatko zlatko is offline
Friend
 
Join Date: Jan 2002
Posts: 35
Rept. Given: 2
Rept. Rcvd 4 Times in 1 Post
Thanks Given: 0
Thanks Rcvd at 0 Times in 0 Posts
zlatko Reputation: 4
Markus,

this is a completely NEW target. Please read the string
"Target:" in the MSDG.txt file.
The problem with zup is resolved!

Z
#33
Old 01-01-2004, 02:01
MaRKuS-DJM
oh i see... this is a program like aspack which works with Dword-calls... seems harder to fix... but your IAT should be correct. i came to the same
#34
Old 01-01-2004, 02:14
MaRKuS-DJM
ok, zlatko, i came to the following with your program.

your IAT is correct. now the parts to edit:

0056901C 55 PUSH EBP
0056901D 8BEC MOV EBP,ESP
0056901F 83C4 F0 ADD ESP,-10
00569022 B8 848B5600 MOV EAX,MsDataGe.00568B84
00569027 E8 00DFE9FF CALL MsDataGe.00406F2C
0056902C A1 B4C65600 MOV EAX,DWORD PTR DS:[56C6B4]
00569031 8B00 MOV EAX,DWORD PTR DS:[EAX]
00569033 E8 C0B2EFFF CALL MsDataGe.004642F8
00569038 FF15 E8C15600 CALL DWORD PTR DS:[56C1E8]
0056903E A1 B4C65600 MOV EAX,DWORD PTR DS:[56C6B4]
00569043 8B00 MOV EAX,DWORD PTR DS:[EAX]
00569045 E8 46B3EFFF CALL MsDataGe.00464390
0056904A E8 05B6E9FF CALL MsDataGe.00404654

Edit to:

0056901C > $ 55 PUSH EBP
0056901D . 8BEC MOV EBP,ESP
0056901F . 83C4 F0 ADD ESP,-10
00569022 . B8 848B5600 MOV EAX,dumped_.00568B84
00569027 . E8 00DFE9FF CALL dumped_.00406F2C
0056902C . A1 B4C65600 MOV EAX,DWORD PTR DS:[56C6B4]
00569031 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00569033 . E8 C0B2EFFF CALL dumped_.004642F8
00569038 . E8 8FFAFFFF CALL dumped_.00568ACC
0056903D . 90 NOP

0056903E . A1 B4C65600 MOV EAX,DWORD PTR DS:[56C6B4]
00569043 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00569045 . E8 46B3EFFF CALL dumped_.00464390
0056904A . E8 05B6E9FF CALL dumped_.00404654

and this:

00568AD4 68 378B5600 PUSH MsDataGe.00568B37
00568AD9 64:FF30 PUSH DWORD PTR FS:[EAX]
00568ADC 64:8920 MOV DWORD PTR FS:[EAX],ESP
00568ADF A1 5CE25600 MOV EAX,DWORD PTR DS:[56E25C]
00568AE4 50 PUSH EAX
00568AE5 E8 B6FFFFFF CALL MsDataGe.00568AA0
00568AEA 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
00568AED A1 5CE25600 MOV EAX,DWORD PTR DS:[56E25C]
00568AF2 E8 7D13EAFF CALL MsDataGe.00409E74
00568AF7 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00568AFA A1 30C65600 MOV EAX,DWORD PTR DS:[56C630]
00568AFF E8 94BCE9FF CALL MsDataGe.00404798
00568B04 A1 30C65600 MOV EAX,DWORD PTR DS:[56C630]
00568B09 8B00 MOV EAX,DWORD PTR DS:[EAX]
00568B0B E8 FCBEE9FF CALL MsDataGe.00404A0C
00568B10 85C0 TEST EAX,EAX
00568B12 7E 08 JLE SHORT MsDataGe.00568B1C
00568B14 A1 44C35600 MOV EAX,DWORD PTR DS:[56C344]
00568B19 C600 01 MOV BYTE PTR DS:[EAX],1
00568B1C E8 4BFFFFFF CALL MsDataGe.00568A6C
00568B21 33C0 XOR EAX,EAX

to:

00568AD4 |. 68 378B5600 PUSH dumped_.00568B37
00568AD9 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00568ADC |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00568ADF 90 NOP
00568AE0 90 NOP
00568AE1 90 NOP
00568AE2 90 NOP
00568AE3 90 NOP

00568AE4 |. 50 PUSH EAX ; /Arg1 => 00C23405
00568AE5 |. E8 B6FFFFFF CALL dumped_.00568AA0 ; \dumped_.00568AA0
00568AEA |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
00568AED |. A1 5CE25600 MOV EAX,DWORD PTR DS:[56E25C]
00568AF2 |. E8 7D13EAFF CALL dumped_.00409E74
00568AF7 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00568AFA |. A1 30C65600 MOV EAX,DWORD PTR DS:[56C630]
00568AFF |. E8 94BCE9FF CALL dumped_.00404798
00568B04 |. A1 30C65600 MOV EAX,DWORD PTR DS:[56C630]
00568B09 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00568B0B |. E8 FCBEE9FF CALL dumped_.00404A0C
00568B10 |. 85C0 TEST EAX,EAX
00568B12 |. 7E 08 JLE SHORT dumped_.00568B1C
00568B14 |. A1 44C35600 MOV EAX,DWORD PTR DS:[56C344]
00568B19 |. C600 01 MOV BYTE PTR DS:[EAX],1
00568B1C |> E8 4BFFFFFF CALL dumped_.00568A6C
00568B21 |. 33C0 XOR EAX,EAX
#35
Old 01-01-2004, 02:18
MaRKuS-DJM
i think the rest isn't very hard.
registration flag is

56E24C
or 16E24C (for hex-editor), change it to 1 and all is ok
#36
Old 01-01-2004, 02:49
MaRKuS-DJM
these calls & the mov aren't necessary for the program to work. it's only advanced asprotect-protection and should cost crackers time.
#37
Old 01-01-2004, 03:26
zlatko
Thanks Markus,

I did the same thing as you in the first part, but the second part I missed (at 00568ADC)!

Regards ,

Z

PS. Would you PM me your email address or if you wish I can PM you mine.
It's much easier to work through e-mail than on the board.
#38
Old 01-01-2004, 03:38
MaRKuS-DJM
i pm'ed you
#39
Old 01-01-2004, 04:09
zlatko
I'm STUPID !

I made all the changes with Hiew (instead of with HexEd) and you know what happens! -> Access v...

Z

PS. Thanks for address
#40
Old 01-01-2004, 04:23
MaRKuS-DJM
i only use winhex and hiew, don't know about HexEd
  #41  
Old 01-01-2004, 05:30
mtw mtw is offline
Friend
 
Join Date: Feb 2003
Posts: 73
Rept. Given: 0
Rept. Rcvd 2 Times in 1 Post
Thanks Given: 0
Thanks Rcvd at 0 Times in 0 Posts
mtw Reputation: 2
@Markus

Just change the RVA to 0014A0EC, or even lower, 0014A000.
It takes more time to search, but you will know you have
a correct IAT. ImpRec does get this value wrong a lot, and
increase the size by a few hundred more.
#42
Old 01-01-2004, 05:44
MaRKuS-DJM
yes, i've done that, but imprec can't find the function GetTimeFormatW, and the other api... it has resolved it as Shell32
#43
Old 01-01-2004, 07:43
mtw
There is a plugin for imprec called AsProtection 1.22; use it
to resolve some entries you can seem to correct. It does
a good job finding them.

And a hint on the unwrapped protection
415B40 and 4158B1 these 2 locations will save you some
time looking for the reg check.
#44
Old 01-01-2004, 19:43
MaRKuS-DJM
yes, the reg-check was easy to find
#45
Old 01-01-2004, 20:10
MaRKuS-DJM
mtw, is this the standard ImportRec 1.6 Plugin? if not, can you attach it? i can't find this plugin. and the standard-plugin can't resolve it

All times are GMT +8.