tsehp
September 16th, 2001, 18:32
hiya,
just tried my new tracer (from revirgin beta) on fusion v2, from www.bit-arts.com
traced until 401000, dumped with procdump on win2k (I'll add the dump feature pretty soon, promised), rebuilt iats without problems
begin 24b108 len e0c, you'll have to correct a little what the auto finder gave
rv inserted the new it into the dump, changed the oep to 401000, then problems:
I just think that like aspr, fearing the annihilation of the iat's protection system, they are forcing more and more apps to rely on tests for whether the protection shell is present or not; we already saw a lot of bunches of mem allocated by aspr and tested later by the target, with the consequences you can imagine if you don't "fix" this into your dump.
But bit-arts found another trick, checking the pe with encrypted values (xored) into the protection section of your dump, here are some addresses just for you to play and discover:
all in va's:
6d1002 : 0d (not encrypted) designed to check for num of sections, but if you make rv work, the dump will contain 0e sections, so change this value
4ee55f (xored with e5) contains old oep rva = 2d1000 change to 001000 to have the normal 401000 oep check
the others if you're lazy: 64a04f (xored a0) ; 6bcf2c (xored ce) ;
6cd041 (xored d0) ; 6cd38e (xored d3) and 6cd45c (xored d4),
finally check at 6d1004, change to ed5f1, this value is tested against the ed5f1 contained in the pe.
So more and more checks for the protection shell into the main programs, I would be very interested in how, in aspr and in other schemes, they provide some sdk or guidelines for programmers to include such checks into their code, anyone have the sources?
(very indirect warez requests from me again, soon to be auto banned from my forum, I promise)
hey, look at what's provided on their site, concerning their protection system:
***
"After spending three days attempting to bypass the copy-protection features, we were unable to use the evaluation application in an unauthorized manner".
E-testing labs (ZD Labs)
***
pray for them, be a nice guy
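
The kind of self-check the post describes (a protected program comparing its own PE header against expected values stored xor-obfuscated, like the section count at 6d1002 and the oep rva xored with e5), as an added illustration that is not code from the post or from bit-arts; the header layout is the real PE32 one, but the minimal image, the field names and the byte-wise application of the xor key are my assumptions:

```python
import struct

def build_header(num_sections: int, entry_rva: int) -> bytes:
    """Constructed minimal PE32 image: DOS header, PE signature, COFF header
    and the start of the optional header, enough for the fields checked below."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, 0xE0, 0x10F)
    # Magic, MajorLinkerVersion, MinorLinkerVersion, SizeOfCode,
    # SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint
    opt = struct.pack("<HBBIIII", 0x10B, 6, 0, 0, 0, 0, entry_rva)
    return dos + b"PE\0\0" + coff + opt

def parse_header(image: bytes):
    """Return (NumberOfSections, AddressOfEntryPoint) from a PE image's headers."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    # optional header starts 24 bytes after the signature; entry point is at +16
    entry_rva = struct.unpack_from("<I", image, e_lfanew + 24 + 16)[0]
    return num_sections, entry_rva

def xor_bytes(value: int, key: int, width: int) -> int:
    """Apply a one-byte xor key to every byte of a little-endian value (assumed
    encoding; the post only says the stored oep rva is 'xored with e5')."""
    mask = int.from_bytes(bytes([key]) * width, "little")
    return value ^ mask

def tamper_check(image: bytes, stored_sections: int,
                 stored_oep: int, oep_key: int) -> list:
    """Compare the loaded image against the protection shell's stored values.
    stored_sections is kept in clear (like the 0d at 6d1002); stored_oep is the
    xored form. Returns a list of mismatches; empty means the image looks untouched."""
    num_sections, entry_rva = parse_header(image)
    problems = []
    if num_sections != stored_sections:
        problems.append(f"sections: header {num_sections:#x} != stored {stored_sections:#x}")
    expected_oep = xor_bytes(stored_oep, oep_key, 4)
    if entry_rva != expected_oep:
        problems.append(f"oep: header {entry_rva:#x} != stored {expected_oep:#x}")
    return problems

if __name__ == "__main__":
    stored = xor_bytes(0x1000, 0xE5, 4)
    print(tamper_check(build_header(0x0D, 0x1000), 0x0D, stored, 0xE5))  # []
    print(tamper_check(build_header(0x0E, 0x2D1000), 0x0D, stored, 0xE5))  # two mismatches
```

A dump that gained a section for the rebuilt import table, or whose entry point was moved, fails this check even though the code bytes are intact, which is why such values have to be accounted for before the dump behaves.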
