splaj
March 12th, 2001, 06:52
To whom it may concern 
FREE! anti-reverser info, unlike the Asprotect support team
It appears that Tamosoft are declining, as most programmers appear to do, into bloating their recent releases to fat bastard proportions. I cannot believe ALL this extra code is due to the RCE.
Putting in huge amounts of anti-reverser code beyond the 'proved useless' ASprotect seems to be also pointless. So why has CV 2.5 jumped an extra 25% in size since CV2.4????
Anyway, I digress, here is the info that Tamosoft need to change for their next release. As I said FREE! info
Using Revirgin }> I unpacked the latest release and have the following points for you all regarding the 'anti-patching' algorithm that Tamo have employed since 2.4, and as I have seen no tut on this anti-reversing code anywhere, I'll point it out now :-
Unpack:-
========
OEiP : 565090
IAT : 5721F4 (rva 1721F4 to 172AB8)
New Section 1CE000 (name :- .SplAj 3000 bytes)
Patch (raw==rva):-
==================
@ 1CD000 :
A975747D0FC420EEC9D8BA48C5140560
(This is the CV2.5 Self-Check algo final value)
@ 1CD020 :
BE00D05C00 MOV ESI,005CD000
8D7B04 LEA EDI, [EBX+04]
B904000000 MOV ECX,00000004
F3A5 REPZ MOVSD
E99172F9FF JMP 5642C5
@16563F :
74 TO EB ;JMP THE SIZE CHECK (EAX == AC500 - NOT !)
@1642B8 :
E9638D0600 JMP 5CD020 ; JMP TO OUR NEW PATCH CODE !
909090909090 NOPs ; 6 X NOP FILLERS
@160390 :
8BC3 TO 33C0 ; FIX EAX==0 SO OLD REG *.CWL OK
@1652EB :
8B00E88ABAF1FF TO 90909090909090 ; FIX FOR WIN2K ONLY (FIX MEM prob)
Here is a screendump of the new code inserted at 5CD020 :-
EAX=0125C720 EBX=0125C720 ECX=D5C888B4 EDX=0080FA34 ESI=0080FA34
EDI=00400000 EBP=0080FA18 ESP=0080F9C8 EIP=005CD020 o d I S z a P c
CS=0167 DS=016F SS=016F ES=016F FS=0FF7 GS=12FE
____CV2!.data+0028_______________________________byte____________PROT_____(0)___
016F:005CD000 A9 75 74 7D 0F C4 20 EE C9 D8 BA 48 C5 14 05 60 ................
This 16-byte (4 DWORD) value is the end result of the 4 x 0x5000 loop
and is taken from the actual code, so any byte change will result
in a corrupted Form that causes an exception..... this is CV2.5b94
_________________________________________________________________________PROT32─
~
0167:005CD020 BE00D05C00 MOV ESI,005CD000 ;new code to
0167:005CD025 8D7B04 LEA EDI,[EBX+04] ;replicate the correct
0167:005CD028 B904000000 MOV ECX,00000004 ;end algo result
0167:005CD02D F3A5 REPZ MOVSD
0167:005CD02F E99172F9FF JMP 005642C5 ;jmp back to real code
0167:005CD034 90 NOP ;called by 5642B8
So try it, unpack it and then change a byte, for example the size check at 56563F. Boom, the exe corrupts itself. There are 4 separate occasions where the program's code checks itself. There is a massive loop and it does it 0x5000 times !!!
Now put in my extra code at 5CD020 and the 16-byte algo result at 5CD000 and then try and patch whatever you want.
It works.
+SplAj
'patch+play'
Fresh from vacation and butt-f*cking goosey good as ever
(erm... actually I am an idiot cos I forgot how to use Revirgin after 1 week !! I kept putting in the VA for the IT address and Revirgin told me I was an idiot. I wasted 5 hours with this... and thought Tamo put some sort of 'protector thread' on the IAT. mmmmm ?)
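An added example (not code from splaj's post or from Tamosoft): a toy model in C of the self-check structure described above (four DWORD accumulators computed in a 0x5000 loop over the code, then compared with a stored 16-byte result) and of the patch+play bypass, which copies the known-good 16 bytes into the slot the check fills ([EBX+4] in the post) instead of computing them. The mixing function, the buffer size, the offset 0x23F and every function name are invented for this example; only the shape of the check matches what the post describes.

```c
/* Added example, not code from the post or from CommView. Models the
 * "4 DWORDs over the code, 0x5000 loop, compare with stored value" check
 * and the patch+play bypass (REP MOVSD the good result into [EBX+4]).
 * The mixing arithmetic below is invented; only the structure matches. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ITERS     0x5000            /* loop count quoted in the post            */
#define CODE_LEN  ITERS             /* constructed "code image": one byte/iter  */
#define ROUNDS    4                 /* four DWORD accumulators / four checks    */
#define PATCH_OFF 0x23F             /* hypothetical offset of a JE we will flip */

static uint8_t  g_code[CODE_LEN];   /* constructed stand-in for the .text bytes */
static uint32_t g_expected[ROUNDS]; /* like the 16 bytes the post stores at 5CD000 */

/* Constructed, deterministic filler so the example runs offline. */
static void build_code_image(void)
{
    uint32_t x = 0x12345678u;
    for (size_t i = 0; i < CODE_LEN; i++) {
        x = x * 1103515245u + 12345u;      /* plain LCG, not security relevant */
        g_code[i] = (uint8_t)(x >> 16);
    }
    g_code[PATCH_OFF] = 0x74;              /* JE short, later patched to EB (JMP) */
}

/* Hypothetical self-check: ROUNDS accumulators, each folding in every code
 * byte exactly once (ITERS == CODE_LEN) through bijective steps, so any
 * single-byte change is guaranteed to alter the final value. */
static void self_check(const uint8_t *code, size_t len, uint32_t out[ROUNDS])
{
    for (int r = 0; r < ROUNDS; r++) {
        uint32_t acc = 0x9E3779B9u * (uint32_t)(r + 1);
        for (uint32_t i = 0; i < ITERS; i++) {
            acc ^= code[(i + (uint32_t)r * 0x1000u) % (uint32_t)len];
            acc = (acc << 5) | (acc >> 27);    /* rotate: bijective */
            acc *= 0x01000193u;                /* odd multiplier: bijective */
        }
        out[r] = acc;
    }
}

/* The "Form" object whose field at +4 receives the result (EBX+4 in the post). */
struct form {
    uint32_t unused;
    uint32_t digest[ROUNDS];
};

/* Honest check, as the program does it: compute into the form, then compare. */
static int check_form(struct form *f, const uint8_t *code, size_t len)
{
    self_check(code, len, f->digest);
    return memcmp(f->digest, g_expected, sizeof g_expected) == 0;
}

/* The bypass: copy the stored good value into the form and skip the loop
 * (MOV ESI,stored ; LEA EDI,[EBX+4] ; MOV ECX,4 ; REP MOVSD in the post). */
static int check_form_replay(struct form *f)
{
    memcpy(f->digest, g_expected, sizeof g_expected);
    return memcmp(f->digest, g_expected, sizeof g_expected) == 0;
}

static void init(void)
{
    build_code_image();
    self_check(g_code, CODE_LEN, g_expected);  /* record the pristine result */
}

/* 1 if the unmodified image passes the honest check. */
int pristine_passes(void)
{
    struct form f = {0};
    init();
    return check_form(&f, g_code, CODE_LEN);
}

/* 1 if a one-byte patch (JE -> JMP) is caught by the honest check. */
int patch_is_detected(void)
{
    struct form f = {0};
    init();
    g_code[PATCH_OFF] = 0xEB;
    return !check_form(&f, g_code, CODE_LEN);
}

/* 1 if the same patched image passes once the stored result is replayed. */
int replay_defeats_check(void)
{
    struct form f = {0};
    init();
    g_code[PATCH_OFF] = 0xEB;
    return check_form_replay(&f);
}

int main(void)
{
    printf("pristine image passes:        %d\n", pristine_passes());
    printf("patched image detected:       %d\n", patch_is_detected());
    printf("patched image + replay passes:%d\n", replay_defeats_check());
    return 0;
}
```

The honest check catches the single flipped byte only because each byte is folded in exactly once per round through bijective steps; the post does not recover Tamosoft's real arithmetic, so the example shows the structure of the check and of the replay bypass, not CommView's actual algorithm.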