Exetools  

Go Back   Exetools > General > General Discussion

03-06-2004, 17:32
Pompeyfan

Still need help with Asprotect

Wondering if someone could help me with this target. I thought I'd learned a lot from the Wtm CD Protect V1.54 tut of LaBBas, but I can't seem to get the OEP for the following; PEiD reports the OEP at 00417338, but nothing leads me there by tracing:

Registry Defragmentation for Windows 95-XP
Version 5.0b
Authors: Nick Nifontov
Alexander Berezovsky
Copyright © Elcor Software 2001-2004
hxxp://www.elcor.net/

This is what I tried so far:

Shift & F9 26 times, breakpoint on RETN then shift & F9, trace TC EIP<900000, Ctrl & A (analyse), then here:

0040531C $-FF25 44B24100 JMP DWORD PTR DS:[41B244]
00405322 8BC0 MOV EAX,EAX
00405324 $-FF25 40B24100 JMP DWORD PTR DS:[41B240]
0040532A 8BC0 MOV EAX,EAX
0040532C $-FF25 3CB24100 JMP DWORD PTR DS:[41B23C]
00405332 8BC0 MOV EAX,EAX
00405334 $-FF25 38B24100 JMP DWORD PTR DS:[41B238]
0040533A 8BC0 MOV EAX,EAX
0040533C /$ 50 PUSH EAX
0040533D |. 6A 40 PUSH 40
0040533F |. E8 E0FFFFFF CALL RegDefra.00405324
00405344 \. C3 RETN

F8 one time, and you are here:

009A1C64 55 PUSH EBP
009A1C65 8BEC MOV EBP,ESP
009A1C67 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
009A1C6A 85C0 TEST EAX,EAX
009A1C6C 75 13 JNZ SHORT 009A1C81
009A1C6E 813D A47A9A00 00>CMP DWORD PTR DS:[9A7AA4],400000 ; ASCII "MZP"
009A1C78 75 07 JNZ SHORT 009A1C81
009A1C7A A1 A47A9A00 MOV EAX,DWORD PTR DS:[9A7AA4]
009A1C7F EB 06 JMP SHORT 009A1C87
009A1C81 50 PUSH EAX
009A1C82 E8 3135FFFF CALL 009951B8 ; JMP to kernel32.GetModuleHandleA
009A1C87 5D POP EBP
009A1C88 C2 0400 RETN 4

Press F8 to RET command and you are here:

004053F1 . A3 10A74100 MOV DWORD PTR DS:[41A710],EAX ; RegDefra.00400000
004053F6 . A1 10A74100 MOV EAX,DWORD PTR DS:[41A710]
004053FB . A3 8C904100 MOV DWORD PTR DS:[41908C],EAX
00405400 . 33C0 XOR EAX,EAX
00405402 . A3 90904100 MOV DWORD PTR DS:[419090],EAX
00405407 . 33C0 XOR EAX,EAX
00405409 . A3 94904100 MOV DWORD PTR DS:[419094],EAX
0040540E . E8 C1FFFFFF CALL RegDefra.004053D4
00405413 . BA 88904100 MOV EDX,RegDefra.00419088
00405418 . 8BC3 MOV EAX,EBX
0040541A . E8 9DE5FFFF CALL RegDefra.004039BC
0040541F . 5B POP EBX
00405420 . C3 RETN

Dump full with LordPE, then F8 till after the RETN, and you are at what I thought was the fake OEP:

00418E88 E8 DB E8

Tried fixing the import table here without success: ImpREC gives me the message "nothing good here". Tried IAT autosearch, and also tried entering the OEP I thought I had found.

Britedream's OEP finder script ends here:

0040531C FF DB FF

After Ctrl & A:

0040531C $-FF25 44B24100 JMP DWORD PTR DS:[41B244]
00405322 8BC0 MOV EAX,EAX
00405324 $-FF25 40B24100 JMP DWORD PTR DS:[41B240]
0040532A 8BC0 MOV EAX,EAX
0040532C $-FF25 3CB24100 JMP DWORD PTR DS:[41B23C]
00405332 8BC0 MOV EAX,EAX
00405334 $-FF25 38B24100 JMP DWORD PTR DS:[41B238]
0040533A 8BC0 MOV EAX,EAX
0040533C /$ 50 PUSH EAX
0040533D |. 6A 40 PUSH 40
0040533F |. E8 E0FFFFFF CALL RegDefra.00405324
00405344 \. C3 RETN

Has anyone else tried this target, and can they give me a few tips on where to go from here?
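The four JMP DWORD PTR [41B2xx] stubs in the 0040531C listing are import thunks: each operand is a slot in the IAT, and an "IAT autosearch" amounts to collecting those slot addresses and taking the contiguous block they form. As an added Python example (not from the thread or from any tool it names), the bytes below are reconstructed from the listing's opcode column, with image base 00400000 as the listing itself shows:

```python
import struct

# Bytes of the thunk table at 0040531C, constructed from the opcode column in the
# post: FF25 <abs32> = JMP DWORD PTR [abs32], 8BC0 = MOV EAX,EAX (2-byte padding).
IMAGE_BASE = 0x400000
LISTING_RVA = 0x531C
LISTING_BYTES = bytes.fromhex(
    "FF2544B24100" "8BC0" "FF2540B24100" "8BC0"
    "FF253CB24100" "8BC0" "FF2538B24100" "8BC0"
    "50" "6A40" "E8E0FFFFFF" "C3"
)

def find_jmp_thunks(code, image_base, code_rva):
    """Return [(thunk_va, slot_va)] for every FF 25 <abs32> (JMP DWORD PTR [slot])
    found in `code`. Every 6-byte match is accepted here; false hits inside other
    instructions are weeded out by the clustering in iat_range()."""
    thunks = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] == 0x25:
            slot = struct.unpack_from("<I", code, i + 2)[0]
            thunks.append((image_base + code_rva + i, slot))
            i += 6
        else:
            i += 1
    return thunks

def iat_range(thunks, slot_size=4, max_gap_slots=8):
    """Cluster the referenced slots; the largest run with gaps of at most
    max_gap_slots entries (room for the NULL separators between modules) is the
    IAT candidate. Returns (start_va, size_in_bytes) or None."""
    slots = sorted({s for _, s in thunks if s % slot_size == 0})
    if not slots:
        return None
    best, cur = [], [slots[0]]
    for s in slots[1:]:
        if s - cur[-1] <= max_gap_slots * slot_size:
            cur.append(s)
        else:
            best, cur = max(best, cur, key=len), [s]
    best = max(best, cur, key=len)
    return best[0], best[-1] + slot_size - best[0]

if __name__ == "__main__":
    found = find_jmp_thunks(LISTING_BYTES, IMAGE_BASE, LISTING_RVA)
    for va, slot in found:
        print(f"{va:08X}: JMP DWORD PTR [{slot:08X}]")
    print("IAT candidate: start=%08X size=%X" % iat_range(found))
```

On the listing this yields the four thunks at 0040531C/24/2C/34 and the candidate block 0041B238 of 0x10 bytes; on a real dump you would feed the whole code section instead of one listing.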