EXETOOLS FORUM  

  #16  
Old 12-30-2003, 19:44
britedream
my dump is from the OEP
  #17
Old 12-30-2003, 19:50
britedream
I did name it the same as the original program, "zup"; it works registered
  #18
Old 12-30-2003, 20:02
MaRKuS-DJM
finally, it doesn't matter if it is registered or not... for me it's only the unpacking-practice. but i wondered about the rename thing
  #19
Old 12-30-2003, 20:06
britedream
in an earlier version of ASProtect I noticed that it creates a text file in the program folder for each dump you run; if you delete this file, or rename the dump, it will run unregistered. I didn't see these files here, but they may be created somewhere else.

Last edited by britedream; 12-31-2003 at 00:14.
  #20
Old 12-30-2003, 21:04
MaRKuS-DJM
found the code. it's in the dump...

00594614 8BD0 MOV EDX,EAX
00594616 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00594619 8B80 A80A0000 MOV EAX,DWORD PTR DS:[EAX+AA8]
0059461F 8B08 MOV ECX,DWORD PTR DS:[EAX]
00594621 FF51 5C CALL DWORD PTR DS:[ECX+5C]
00594624 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00594627 8B80 000B0000 MOV EAX,DWORD PTR DS:[EAX+B00]
0059462D 33D2 XOR EDX,EDX
0059462F E8 2864FEFF CALL zupa.0057AA5C
00594634 A1 D0AC5B00 MOV EAX,DWORD PTR DS:[5BACD0] <<< checks the dword in 5BACD0 = RVA 5BACD2
00594639 E8 CA64E7FF CALL zupa.0040AB08
0059463E 85C0 TEST EAX,EAX
00594640 76 10 JBE SHORT zupa.00594652 <<< jump UNREGISTERED
00594642 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00594645 8B80 5C090000 MOV EAX,DWORD PTR DS:[EAX+95C]
0059464B 33D2 XOR EDX,EDX
0059464D E8 CE23EBFF CALL zupa.00446A20
00594652 33C0 XOR EAX,EAX


the dword 5BACD0 begins in my dump with B8, in your dump with B7.
the solution is to nop the JBE @RVA 00594640


@59A5C3 is another JBE, this must also be nopped.

Last edited by MaRKuS-DJM; 12-30-2003 at 21:33.
  #21
Old 12-30-2003, 22:18
MaRKuS-DJM
new target: CloneCD 4.3.1.9

i came to the following:
stolen bytes: none
OEP: 40154C

but there's still a read/write error if clone-cd analyses a CD. i think it's a problem with IAT, but all invalid pointers are fixed
IAT:
  #22
Old 12-30-2003, 23:34
britedream
your "zup" isn't fully registered; if you want to make it registered, do the following:
1- at address 5be7dc=3d (this will make us as if we were registered)

2- nop

52a2f6 (will prevent it from changing our status in step 1)

52a356 (this will make it think we have a valid lic)

you will no longer have the registration entry, and will be fully registered.

Last edited by britedream; 12-31-2003 at 14:55.
  #23
Old 12-31-2003, 01:48
MaRKuS-DJM
hm... does it make so much difference?
how did you find that value? only tracing?
powerstrip is the harder target...

Last edited by MaRKuS-DJM; 12-31-2003 at 01:59.
  #24
Old 12-31-2003, 03:17
zlatko
Z-Up v4.3.1

MaRKuS-DJM,

Would you be so kind as to attach tree.txt for the last version of Z-Up Maker? I'm working on it but I have an error (wrong OEP?).
Regards,

Zlatko
  #25
Old 12-31-2003, 03:21
MaRKuS-DJM
it's on page one, the second post (by britedream)
  #26
Old 12-31-2003, 08:14
zlatko
britedream or Marcus,

Would you please check what is incorrect with this tree.txt?
How do I decide whether it should be ADD ESP, -010 or SUB ESP, -0C?

Regards,

Zlatko
Attached Files
File Type: txt tree.txt (25.5 KB, 6 views)
  #27
Old 12-31-2003, 13:05
mtw
Quote:
Originally posted by MaRKuS-DJM
new target: CloneCD 4.3.1.9

but there's still a read/write error if clone-cd analyses a CD. i think it's a problem with IAT, but all invalid pointers are fixed
IAT:

might be these iat values

at the beginning
0014A0EC kernel32.dll 018D GetTimeFormatW

at the end
0014B67C crypt32.dll 0085 CryptExportPKCS8

your iat list doesn't have 'em
  #28
Old 12-31-2003, 19:07
MaRKuS-DJM
@zlatko the esp-value in the dump must match the esp-value in the original file @OEP
  #29
Old 12-31-2003, 23:31
zlatko
Markus,

If you have time, would you try to work with me on a new target? Pgm. is dumped and IAT is resolved, but there is some call (unresolved) outside of the dump. It does not point to any dll call, just a simple compare and jump. It is possible that I didn't resolve the IAT correctly. Tree is attached!

Regards,
Zlatko
Attached Files
File Type: txt msdg.txt (21.6 KB, 9 views)
  #30
Old 01-01-2004, 00:58
MaRKuS-DJM
it seems there are many pointers which aren't fixed... have you checked britedream's IAT?

All times are GMT +8.