tsehp
November 30th, 2000, 20:08
hi artha,
I finally followed your advice concerning the IAT rebuilder, managed to
encapsulate and use the nasm library.
I'm very happy to advise that the tool now allows me to almost reconstruct the virgin target, and this time it doesn't depend on the asprotect version. I just managed to resolve 99% of obfuscated/encrypted/redirected imports, and spending 5 minutes on the others; your idea was just a really serious stab at such protection schemes.

If you're interested (and everybody asking me), I'll be able to send you
the beta version.
Best regards,
+Tsehp
tsehp
December 1st, 2000, 19:43
Yes, you're right, integrating a good disassembler seems to be the future for certain things to be automated, like my app's task, resolving imports. The tool will be sent to you maybe Sunday/Monday.
To use nasm, I didn't encapsulate it inside C++ classes; I'm simply at the first level, working in C++ Builder. I included disasm.h and disasm.c, and I had to fix some bad references to the itable containing all the possible instructions. The set seems complete and it's easy to add some if there are missing ones. I'm sure you did much more work than me, but the disasm function is working well and is actually just enough for what I did at this point. I'll send you my sources when I'm finished, but they're not well documented.
The next very interesting step is to be able to avoid the tracer for seriously encrypted functions. I surely have to take some heuristic search programming lessons to be able to do that; it's not an impossible limit anyway.
The method I used could be defeated later by more and more obfuscation techniques. I just hope that you'll provide a reusable DLL to fix some annoying code parts, just like g-rom did with his several plugins.
Thanks again, I'll send you (el caracol I don't forget you !) the first beta pretty soon.
take care,
+Tsehp
tsehp
December 4th, 2000, 10:56
Yes, this could be very useful in case we have some obfuscation inside IAT redirectors, for example, making an automatic disassembly harder for nasm.
Artha, did you check your mail at xerxes@altern.org? Have you tried
my beta already?
Actually I managed to unprotect commview 2.3 and the latest version of
azpr, both in 15 minutes.
later,
tsehp
tsehp
December 4th, 2000, 19:38
yes,
if it's a problem, I made a first version working with psapi.dll, but NT4
is going to disappear and toolhelp is implemented in Win2000.
I could also synchronize the NT4 version but don't really think this will be asked for by reversers.
I'm actually starting the tracer, following owl's advice, which is finally very useful.
best regards,
tsehp