EXETOOLS FORUM
General > General Discussion
#31
08-31-2003, 22:47
britedream
To Satyric0n:
By no means am I more competent than you in any way; however, I did download the program, and with a few NOPs it is running. If you see the program starting, then going away, you are almost there. Just make sure that you NOP the call at 5735f7 from push ebx to pop ebx inclusively. Also make sure that your IAT is correct; ImpREC failed to detect FreeResource in this program. This is my IAT to compare to:
Attached file: iat.txt (23.8 KB)

Last edited by britedream; 08-31-2003 at 22:52.
#32
09-01-2003, 01:05
britedream
To Satyric0n:
I just noticed that your OEP isn't correct, and your stolen bytes are missing one byte. Here is the working info:
oep=55 8B EC 83 C4 F0 53 B8 DC 4D 58 00

IAT is attached above.
Addresses to patch:
They are almost the same, so start NOPing from: xor eax,eax to mov xxxxxx,edx
5789d9
5735eb ;check my post above
578a1a
578a5b
578a9c
57d8c3
57d904
The last is a jnz:
578ae4 nop
----------------------------------------------------------
Thanks to HotPepper, it is a nice program!

Last edited by britedream; 09-01-2003 at 01:24.
#33
09-01-2003, 03:40
britedream
To HotPepper:
For you to practice, try the new Recordius 1.04. The protection is the same as above; it will take you no more than five minutes. Here is some info to help you:
oep=11f674
Iatrva=777230 size~900
Stolen bytes are the same as above, except the eax value.

Good luck.

britedream

Last edited by britedream; 09-01-2003 at 04:37.
#34
09-01-2003, 04:49
Satyric0n
britedream,

I had the exact same IAT as you, so I guess I did at least that much correctly. But you are absolutely correct on the OEP and stolen bytes; I missed the PUSH EBX, but at least had the correct distance between EBP and ESP...

I am reviewing the rest of the information you posted, the addresses to patch. Thank you very much for looking into this; it is nice to see the solution to this after as much time as I spent trying to figure it out, unsuccessfully.

Last edited by Satyric0n; 09-01-2003 at 04:51.
#35
09-01-2003, 05:58
Satyric0n
britedream,

I looked over the addresses you said to NOP, and NOPing those did work perfectly. But I have found a different solution that has considerably less NOPing, and it appears to work correctly.

I agree with you on NOPing the procedure at 5735EC (PUSH EBX through POP EBX), but I think all the others you listed are unnecessary. Simply NOP the CALLs at 573782 and 57389B, and everything seems to work just fine.

Again, thanks for your help. I would not have found any solution, yours or mine, without your input.
#36
09-01-2003, 08:49
britedream
It may very well be; I did not test it, so NOPing some of those may prevent going to the others. I think I did try to NOP 573782, but had some errors. So check it in the original program, and see if it works.

Last edited by britedream; 09-01-2003 at 09:19.
#37
09-01-2003, 11:45
Satyric0n
NOPing 573782 definitely works as long as you also NOP 57389B. Doing one or the other but not both does not work properly, but NOPing both seems to work great.

I know I have thanked you already for your help, but thank you again. It made me very happy to finally get this working, after so much frustration at being unsuccessful. I spent a pathetically long time trying to get it to work, when I knew it had to be a simple solution, and in the end it was. But I learned a lot (about SEH especially) from working on it. From what I learned from this, I was able to get Recordius 1.04 unpacked and working without even thinking about it, so it was worth it. Maybe one day I can return the favor.
#38
09-01-2003, 15:34
britedream
My pleasure, and I am glad that my info was of any benefit to you.

regards

Last edited by britedream; 09-01-2003 at 15:42.
#39
09-01-2003, 21:51
HotPepper
Thanks to all of you for helping solve the problem.

Currently I am on a business trip outside my country. When I get back home, I will try that.

Thanks again,

HotPepper

PS] I believe DropToCD and Recordius are really nice programs. They are really small and have almost all the functionality that I want.
#40
09-02-2003, 01:05
MaRKuS-DJM
Does anyone know the OEP and stolen bytes of AnyDVD? Can't find it...

TIA
#41
09-02-2003, 05:33
Satyric0n
Quote:
Originally posted by MaRKuS-DJM
Does anyone know the OEP and stolen bytes of AnyDVD? Can't find it...

I got the following for AnyDVD 1.6.2.3:
OEP = 419CA4
stolen bytes = 55 B0 60 89 04 24 55
IAT RVA = 25000
IAT size = 2C8

The number of stolen bytes, IAT location, and IAT entries all seem very strange to me, so it is likely that this information is not 100% correct. It appears to work correctly, but I only tested the GUI, not the actual functionality. So, even if it's not totally correct, it's a good starting point.
#42
09-02-2003, 07:48
GlObAl
Generic ways

Hello all,
Nice to read this thread, and by the way, good work LaBBa.
Unpacking is a good way to defeat Aspr, but for this kind of most-used protector I always try to get more generic solutions.
This is why I started ASload with NTSC.
If you use ASload on DropToCD or other ASProtected apps, you will see what I mean.

hxxp://www.cstn.cjb.net/

My problem is that I haven't got the time these days, and I am a really bad and slow coder, if I can call myself one :~)
If anyone wants to help me or share some new tricks to handle the encrypted-part thing in Aspr, message me please...

Best regards.
#43
09-05-2003, 14:09
HotPepper
Hi Satyric0n, britedream,

Thanks again for the help with those kinds of procedures.

For the NOPing, I found a new and simple method.

Just 10 bytes... at 0058547B (5 bytes) and 00585564 (5 bytes); these are located some bytes after the OEP.

NOPing these 10 bytes removes the Trial Message dialog box also.

Thanks,

HotPepper
#44
09-06-2003, 00:33
britedream
Glad to see you tackling the program!
#45
05-10-2004, 05:07
CRACKSARABICz
Britedream,
Thank you from the heart. Please write to me so we can get acquainted and keep in touch with us.
Your brother,
Abu Abdullah
Saudi Arabia