tsehp
June 29th, 2001, 16:55
With this Elcomsoft prog, you can recover your encrypted M$ Outlook passwords.
Here's what to do with ReVirgin when you have dumped the exe.
I've included my IAT table as an attachment...
After examining the IATs:
4d1460 -> push ebp / mov esp,ebp / pop ebp, pointed to code loc 45299c; same with 4d1564, this code loc does the same.
You have to hard-code the 45299c (dumped target's code loc that does the same) value into the IT of your exe;
if realigned, just go to RVA offsets d1460 and d1564, of course.
4d1474 returns ffe5f60b in eax, but looking at the var it's just the same as [11d35dc], so just put
the right API address by hand into ReVirgin.
Same technique for 4d14fc (GetVersion) and 4d1478 (GetCurrentProcessId).
AOEPR checks for ASProtect API presence at:
seg000:0040251C push 4 ; lpProcName
seg000:0040251E push 0FFFFFFFFh ; hModule
seg000:00402520 call GetProcAddress
seg000:00402525 mov ds:dword_4C8A08, eax
seg000:0040252A test eax, eax
seg000:0040252C jnz short locret_40254C <-naughty
Also, a test for registration is at 40276e:
seg000:0040276E test eax, eax <-change this please ;-)
seg000:00402770 jnz short loc_402774
seg000:00402772 xor eax, eax
seg000:00402774
seg000:00402774 loc_402774: ; CODE XREF: sub_4026CC+A4j
seg000:00402774 pop edi
seg000:00402775 pop esi
seg000:00402776 mov esp, ebp
seg000:00402778 pop ebp
seg000:00402779 retn
seg000:00402779 sub_4026CC endp
seg000:00402779
I included the small code that Alexey used to initialize the pointers:
0177:011CC7D8 PUSH 00
0177:011CC7DA CALL KERNEL32!GetModuleHandleA
0177:011CC7DF MOV [011D35D4],EAX
0177:011CC7E4 CALL KERNEL32!GetVersion
0177:011CC7E9 MOV [011D35D8],EAX
0177:011CC7EE PUSH 011D35E4
0177:011CC7F3 CALL KERNEL32!GetVersionExA
0177:011CC7F8 CALL KERNEL32!GetCurrentProcess
0177:011CC7FD MOV [011D35DC],EAX
0177:011CC802 CALL KERNEL32!GetCurrentProcessId
0177:011CC807 MOV [011D35E0],EAX
0177:011CC80C CALL KERNEL32!GetCommandLineA
0177:011CC811 MOV [011D3678],EAX
0177:011CC816 RET
So with those inits, he can avoid redirecting the IAT entries to the API wrapper; he just emulates the result.
Well, as long as he limits himself to simple IATs, it's not a real problem... Otherwise he's forced to emulate all of them,
and then we'll see a new OS rise: ASProtect Winbloze...
cia,
tsehp
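What the post describes is an import-table audit: after a dump, each IAT slot either holds a real API address, points back into the dumped image (the 45299c case), or points at a small protector stub that hands back the value the API would have returned, read from one of the variables the init routine filled in. The script below is an added example, not code from the post and not part of ReVirgin, ASProtect or the protected program; it walks a constructed IAT and says which of those three cases each slot is in and which cached variable (and hence which API) a stub corresponds to. The module range, the stub byte patterns (an empty push/mov/pop/ret function, `mov eax,imm32; ret` and `mov eax,[var]; ret`) and the memory snapshot are assumptions; only the slot addresses, the in-image target 45299c, the observed value ffe5f60b and the variable addresses from the init listing come from the post.

```python
"""Audit the IAT of a dumped (unpacked) PE image.

Added example, not code from the original post and not part of ReVirgin,
ASProtect or the protected program. Every address range and byte string
below is constructed; only the slot addresses (4d1460, 4d1474, 4d1478,
4d1564), the in-image target 45299c, the observed value ffe5f60b and the
variable addresses from the init routine are taken from the post.
"""
import struct
from typing import Dict, List, Optional, Tuple

# Constructed dumped-image range (ImageBase / SizeOfImage of the dump).
IMAGE_BASE, IMAGE_SIZE = 0x400000, 0x100000

# Constructed module map: name -> (base, size, {export_va: export_name}).
MODULES: Dict[str, Tuple[int, int, Dict[int, str]]] = {
    "kernel32.dll": (0x77E60000, 0xF0000, {0x77E6A3B0: "GetProcAddress"}),
}

# Variables filled in by the protector's init routine: addresses and API
# names come from the listing in the post (MOV [011D35xx],EAX after each CALL).
CACHED_VARS: Dict[int, str] = {
    0x11D35D4: "GetModuleHandleA",
    0x11D35D8: "GetVersion",
    0x11D35DC: "GetCurrentProcess",
    0x11D35E0: "GetCurrentProcessId",
    0x11D3678: "GetCommandLineA",
}

# Constructed memory snapshot of the protector's region: address -> bytes.
# The stub encodings are assumptions about how such an emulating stub looks.
MEMORY: Dict[int, bytes] = {
    0x11D35DC: struct.pack("<I", 0xFFE5F60B),  # value the post saw in [11d35dc]
    0x11CC900: bytes.fromhex("558BEC5DC3"),    # push ebp; mov ebp,esp; pop ebp; ret
    0x11CC910: bytes.fromhex("B80BF6E5FFC3"),  # mov eax,0FFE5F60Bh; ret
    0x11CC920: bytes.fromhex("A1E0351D01C3"),  # mov eax,[11D35E0h]; ret
}

# Constructed IAT slots of the dump: (slot VA, current contents).
SAMPLE_IAT: List[Tuple[int, int]] = [
    (0x4D1460, 0x11CC900),   # slot the post found pointing at an empty stub
    (0x4D1474, 0x11CC910),   # slot that returned ffe5f60b in eax
    (0x4D1478, 0x11CC920),   # GetCurrentProcessId slot, reads the cached var
    (0x4D1480, 0x77E6A3B0),  # constructed: genuine kernel32 export
    (0x4D1564, 0x45299C),    # points into the dumped image itself
]


def read(addr: int, n: int) -> bytes:
    """Read up to n bytes from the constructed snapshot (empty if unmapped)."""
    for base, data in MEMORY.items():
        if base <= addr < base + len(data):
            off = addr - base
            return data[off:off + n]
    return b""


def read_u32(addr: int) -> Optional[int]:
    raw = read(addr, 4)
    return struct.unpack("<I", raw)[0] if len(raw) == 4 else None


def classify(value: int) -> Tuple[str, Optional[str]]:
    """Say what an IAT slot's contents are and, where possible, which API it stands for."""
    # 1. A real export of a loaded module: nothing to fix.
    for name, (base, size, exports) in MODULES.items():
        if base <= value < base + size:
            return "api", exports.get(value, f"{name}+{value - base:#x}")
    # 2. Points into the dumped image: in-image code, hard-code it into the IT.
    if IMAGE_BASE <= value < IMAGE_BASE + IMAGE_SIZE:
        return "in_image", f"{value:#x}"
    # 3. Outside every module: decode the first bytes as a candidate stub.
    code = read(value, 6)
    if code[:5] == b"\x55\x8b\xec\x5d\xc3":
        return "empty_stub", None
    if len(code) == 6 and code[0] == 0xB8 and code[5] == 0xC3:
        const = struct.unpack_from("<I", code, 1)[0]
        for var, api in CACHED_VARS.items():
            if read_u32(var) == const:   # constant equals a cached API result
                return "emulated_const", api
        return "emulated_const", f"{const:#x}"
    if len(code) == 6 and code[0] == 0xA1 and code[5] == 0xC3:
        var = struct.unpack_from("<I", code, 1)[0]
        return "emulated_var", CACHED_VARS.get(var, f"[{var:#x}]")
    return "unknown", None


def audit(iat: List[Tuple[int, int]]) -> List[Tuple[int, str, Optional[str]]]:
    """Classify every slot; returns (slot VA, kind, detail) per entry."""
    return [(slot, *classify(value)) for slot, value in iat]


if __name__ == "__main__":
    for slot, kind, detail in audit(SAMPLE_IAT):
        print(f"{slot:#x}: {kind:<14} {detail or ''}")
```

The "emulated_const" branch is the 4d1474 case from the post: the stub's constant is compared against the current contents of each variable the init routine wrote, so a match names the API whose result is being replayed. Slots that come back "unknown" are the ones that still need a look in the debugger; everything else can be filled in the way the post describes.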