Alexey's *new* trick ?


+SplAj
February 22nd, 2001, 01:36
Hi fellow reversers,

We all know very well the redirected API trick that ASprotect employs to deter dumping and rebuilding protected exe's.

Well, last night I played with the Rot8 target 'TagRename' from softpointer.com. When I had unpacked it with Revirgin's help, the program still did not run. Further analysis showed the following call very early on:

EAX=00000000 EBX=00710000 ECX=00000000 EDX=00000000 ESI=818AD11C
EDI=00000000 EBP=0081FE38 ESP=0081FE28 EIP=0127C784 o d I s Z a P c
CS=0167 DS=016F SS=016F ES=016F FS=1B57 GS=3356 DS:012835A8=00536778
─────TAGRENAME!+0C44──────────────────────────────byte──────────────PROT───(0)──
0030:0053BC44 84 C7 27 01 00 00 00 00-00 00 00 00 00 00 00 00 ..'.............
0030:0053BC54 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0030:0053BC64 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0030:0053BC74 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0030:0053BC84 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0030:0053BC94 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0030:0053BCA4 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0030:0053BCB4 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0030:0053BCC4 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0030:0053BCD4 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
─────────────────────────────────────────────────────────────────────────PROT32─
0167:0127C783 90 NOP 
0167:0127C784 833DA835280100 CMP DWORD PTR [012835A8],00 
0167:0127C78B 7406 JZ 0127C793
0167:0127C78D FF15A8352801 CALL [012835A8]
0167:0127C793 C3 RET

The CALL [012835A8] is really CALL 536778.

i.e. there is now REDIRECTED 'CODE' as well. In this case, just one call to manually fix so that it points to the real 'call 536778' instead of 0127C784: replacing the bytes 84C72701 at 53BC44 with 78675300 (reversed bytes). Then the program ran sweet. BUT in the future maybe many of these, with a twist of bitter lemon for us ???

So what else can he do ?

SplAj
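As an added illustration (not code from the post or from any of the tools named in it): a redirected slot stands out because its pointer lies outside the dumped module's image, and the repair is a little-endian rewrite of that one dword. The table bytes are constructed from the SoftICE dump above; the image base and end are assumptions, since the post only shows that 536778 is inside the module and 0127C784 is not.

```python
import struct

# Constructed sample: the first 16 bytes SoftICE showed at 0030:0053BC44
# in the post (84 C7 27 01 followed by zero-filled slots).
DUMP_AT_53BC44 = bytes.fromhex("84C7270100000000" "0000000000000000")
TABLE_VA = 0x0053BC44

# Assumed address range of the dumped TagRename image (not from the post).
IMAGE_BASE = 0x00400000
IMAGE_END = 0x00600000


def find_redirected_slots(table, table_va, image_base, image_end):
    """Walk a table of 32-bit little-endian pointers and return
    (slot_va, value) for every non-zero entry that points outside the
    image, i.e. into memory the protector allocated at run time."""
    hits = []
    for off in range(0, len(table) - 3, 4):
        (ptr,) = struct.unpack_from("<I", table, off)
        if ptr and not (image_base <= ptr < image_end):
            hits.append((table_va + off, ptr))
    return hits


def encode_pointer(va):
    """Bytes a slot must hold so that CALL [slot] reaches `va`
    (little-endian, hence the 'reversed bytes' in the post)."""
    return struct.pack("<I", va)


def patch_slot(table, table_va, slot_va, new_va):
    """Return a copy of the table with the slot at slot_va repointed."""
    off = slot_va - table_va
    return table[:off] + encode_pointer(new_va) + table[off + 4:]


if __name__ == "__main__":
    for slot, ptr in find_redirected_slots(DUMP_AT_53BC44, TABLE_VA,
                                           IMAGE_BASE, IMAGE_END):
        print(f"slot {slot:08X} -> {ptr:08X} (outside image)")
    fixed = patch_slot(DUMP_AT_53BC44, TABLE_VA, 0x0053BC44, 0x00536778)
    print(fixed[:4].hex())  # 78675300
```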

tsehp
February 23rd, 2001, 15:31
He can do a lot of things, using registers, or making the calls bounce
in mem 1000 times:
1- the tracer can be used to detect this if the redirections become too complicated
2- considering ASProtect, this will stay (unfortunately) a private discussion; the guy takes too much info from this site

regards,

+Tsehp

McNy@Work
February 24th, 2001, 02:01
Hi,

Tag&Rename has used this method since version 1.6 or 1.7 (it was protected by ASProtect 1.1x then).
It used an ASProtect API to do this.

P.S.: SoftPointer has learned a bad habit from that guy. They updated and changed the program files without changing the date or updating the news on their website 8-) (Just for a smile...)
So, the call value and redirect value that you saw might not be the same as +SplAj's ...

BlackB
February 25th, 2001, 17:03
*ehem*

What did I post on this messageboard concerning the ASProtect discussion, some months ago? Yes, to keep it private..... nobody agreed with my opinion...... what a sudden change of thought now :P

I think it's a good idea to keep in mind that we're the BAD guys, and he (Alexey) is the GOOD guy. He protects, we try to deprotect and thus also take away money from him.
So be careful with the so-called reverser/author friendship.
And you know, if I were a protector, I'd infiltrate the cracking scene and try to set 'em all up. Yeah, I'm evil too, but luckily a cracker

greets

BlackB

tsehp
February 26th, 2001, 18:55
Now I agree with you BlackB; at a certain level we must keep things private, but we also could infiltrate some protectors' msgboards and
set them up as well. The bad news is that I don't know about some
existing ones; they must be too private for me to know.