#1
New Asprotect??
Hi,
I found this program searching randomly for an Image Resizer. This one is Asprotected and it's different from other aspr; can anyone take a look? Labba tutes won't work with this one.... hxxp://www.ShowYourPhotos.com Photo Resizer Pro thanks loman
#2
There are no stolen bytes in this target.
Here is the new adjusted script to stop on the last exception. Set a bp on the code section, shift+f9, and you will be at the OEP. (It needs further testing to make sure it is the right OEP.) Last edited by britedream; 02-02-2004 at 16:48.
#3
scripts: (tested using olly 1.10)
Last edited by britedream; 02-02-2004 at 17:04.
#4
hi britedream
I just got a short look at this one this morning. Seems to be a change in how the IAT table is written during unpacking, and how the program actually uses the IAT table. Check it out. Looks interesting. :-)
hobgoblin
#5
I doubt this is a new one, for two reasons:
1- I checked the asprotect homepage and they still have no new version. 2- The outer shell, which is asprotect, is the same. So I think it is protected first by some protector, then asprotect is applied. regards. Last edited by britedream; 02-03-2004 at 13:46.
#6
Can you tell me the address of the IAT? I can't find any function.
thanks! Last edited by loman; 02-04-2004 at 15:11.
#7
About IAT
Hi,
I haven't had the time to look any further at this. But try this: set a breakpoint at the API GetProcAddress (after loading the file into Olly). After hitting F9 a couple of times (maybe 3, I don't remember), you will be right in the middle of where the program writes the IAT. As you will see, the program stores the IAT in high memory. For me it was in the range 00B6000 to B6C0C8. The problem was that ImpREC wasn't able to read it at this address. I didn't investigate it further. Check it out and tell us what you find. :-) Also, go into the program itself after it's been unpacked, and check out how the program calls the APIs. Seems kind of different than ordinary programs. I think britedream is right. There seems to be an encrypter of some kind that's used first, then the program is packed. hobgoblin
#8
This is to confirm my earlier post, and the OEP is the true OEP. If you download the free version, it is protected by asprotect,
but not with the lower layer protection. You will see that the startup OEP is the same, and if you search for ff25 (while on the OEP), you will land on the same address of the jmp to the IAT, 401264, and the layout of the code is similar. My belief is that the two IATs are so similar, if not identical, to each other that you should be able to solve the IAT problem. Last edited by britedream; 02-04-2004 at 21:14.
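Added example (not from this thread or from any of the posters): the "search for ff25" step and the "IAT lives in high memory, so ImpREC can't read it" observation above can be automated as a small static scan. The script below walks a code section for `FF 25 disp32` (`jmp dword ptr [disp32]`) thunks, decodes the pointer slot each one reads, and splits them by whether the slot falls inside the loaded image (a normal IAT) or outside it (an IAT rebuilt in a separately allocated region, which is why an import rebuilder limited to the image range finds nothing). The code bytes, image base and image size are constructed sample values, not taken from the target program.

```python
import struct

# Constructed sample values (not from the target discussed in the thread).
IMAGE_BASE = 0x400000
IMAGE_SIZE = 0x10000          # assumed SizeOfImage
SECTION_VA = 0x401000         # assumed VA of the code section start

# Constructed code bytes: push ebp / mov ebp,esp, a jmp through an in-image slot,
# two nops, a jmp through a slot in high memory, then ret.
SAMPLE_CODE = (
    b"\x55\x8b\xec"
    + b"\xff\x25" + struct.pack("<I", 0x4050A0)     # slot inside the image
    + b"\x90\x90"
    + b"\xff\x25" + struct.pack("<I", 0x00B60010)   # slot outside the image
    + b"\xc3"
)


def find_indirect_jmps(code: bytes, section_va: int):
    """Return [(instruction VA, pointer slot)] for every FF 25 disp32 found.

    This is a plain byte scan, so an FF 25 pair that is really part of a
    larger instruction's immediate will also be reported; treat hits as
    candidates to confirm in the debugger, not as ground truth.
    """
    hits = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] == 0x25:
            slot = struct.unpack_from("<I", code, i + 2)[0]
            hits.append((section_va + i, slot))
            i += 6
        else:
            i += 1
    return hits


def classify(hits, image_base: int, image_size: int):
    """Split thunks by whether their pointer slot lies inside the image.

    Slots outside [image_base, image_base + image_size) point at an IAT the
    protector allocated elsewhere, which an import rebuilder that only reads
    the image range will miss.
    """
    inside, outside = [], []
    for va, slot in hits:
        target = inside if image_base <= slot < image_base + image_size else outside
        target.append((va, slot))
    return inside, outside


if __name__ == "__main__":
    ins, outs = classify(find_indirect_jmps(SAMPLE_CODE, SECTION_VA), IMAGE_BASE, IMAGE_SIZE)
    print("in-image IAT slots :", [f"{va:08X} -> [{s:08X}]" for va, s in ins])
    print("out-of-image slots :", [f"{va:08X} -> [{s:08X}]" for va, s in outs])
```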