ASProtected?


Fedev
April 7th, 2002, 22:02
Hi,
I'm having a problem with PowerStrip 3.15, and maybe someone out there could help me out. The thing is that PS3.15 seems to be packed with ASProtect. I'm not quite sure, since it is the first time I face this protection scheme, but based on what I've read it seems to be ASProtected. It has a CRC check and an anti-loader routine (which can be fixed with a .dll I found on the net).
At the moment I can only patch it on the fly using any process patcher. But I would like to learn how to unpack this for good.
The other problem I have is that I'm running Windows XP, and some programs like Revirgin I read don't work under XP. But I could install a 9x in one of my HDDs if necessary.
I've tried to unpack it with procdump (crashes) and guw32 (didn't work either).
If there's a tutorial someone could point me to, I'll read it. Or if someone wants to help me somehow, even better.
TIA

Fede

crUsAdEr
April 7th, 2002, 22:29
hi fedev,

click the search button and type AsProtect, you will have AsProtect at your feet :>>>

cheers,

Fedev
April 8th, 2002, 18:33
Thanks, I'll do that!.

Fede

Fedev
April 9th, 2002, 00:02
I installed Windows 98 and put a copy of SoftICE, RV, and LordPE on it (I read Spl/\j's ASProtect tutorial). The problem is that SoftICE doesn't stop automatically when PowerStrip loads (yes, I'm using the loader, and yes, I have that option active). There must be some kind of protection I'm not aware of. Could someone help me?
TIA

Fede

Quote:
Originally posted by binh81
hi fedev,

click the search button and type AsProtect, you will have AsProtect at your feet :>>>

cheers,

crUsAdEr
April 9th, 2002, 00:20
erm...

why do you need sice to break automatically anyway?? do a bpx getversion and then run the app...

sice will break where u need to :>>

cheers,

Fedev
April 9th, 2002, 01:55
But after that, and after you get the API cluster address, you must run a search "S EIP L FFFFFFFF 61,FF,E0" and later restart the program and set a BPR or a BPM. Well, I can't set this BP from the start since the Symbol Loader doesn't break when the program loads. Am I right? Or should I break on GetVersion and then continue from there? Plus, I have the strange feeling there's another protection going around and I'm missing it.

Fede

Quote:
Originally posted by binh81
erm...

why do you need sice to break automatically anyway?? do a bpx getversion and then run the app...

sice will break where u need to :>>

cheers,

nikolatesla20
April 9th, 2002, 02:42
It should be OK to bpx on GetVersion first. In SI, when you press F12 to return to the code, look at the little line across the bottom that usually shows you the name of the process you are in. If the line lists no name, then you are probably inside the ASProtect code. You may also see several API functions right near where you broke in if it is ASProtect.

Now you can set your bpm's etc. This API is called very early in asprotect.

-nt20

Fedev
April 9th, 2002, 04:51
IceDump solved my previous problem; it seems it wasn't loading automatically as I thought.
The API cluster has some differences when compared to the structure I read in the tuts. Maybe it's a newer version(?). Of course, it could be all my fault.

015F:00D6CE6A MOV EAX,EAX
015F:00D6CE6C CALL Kernel32!Getversion
015F:00D6CE71 MOV EAX,[00D7464C]
015F:00D6CE76 RET (should this be here?)
015F:00D6CE77 NOP
015F:00D6CE78 PUSH 00
015F:00D6CE7A CALL Kernel32!GetModuleHandleA
015F:00D6CE7F PUSH DWORD PTR[00D74650]
015F:00D6CE85 PUSH EAX
015F:00D6CE86 RET (should this be here?)
015f:XXXXXXXX And it goes on and on...

I ran the search for POPAD and JMP EAX, and now I got to the BPR part. It should be (or that's what I think) "BPR D840FD D840FD+1 R IF (EIP==D840FD)". When I press F5, everything hangs, so I'm still working around this.
Any thoughts?

Fede

Quote:
Originally posted by Fedev
But after that, and after you get the API cluster address, you must run a search "S EIP L FFFFFFFF 61,FF,E0" and later restart the program and set a BPR or a BPM. Well, I can't set this BP from the start since the Symbol Loader doesn't break when the program loads. Am I right? Or should I break on GetVersion and then continue from there? Plus, I have the strange feeling there's another protection going around and I'm missing it.

Fede


foxthree
April 9th, 2002, 06:54
Hi Fedev:

Here is a tip. Search the board on using WinHex for finding 61,FF,E0 or if you can wait for a couple of days, I'm working on a tool that does just that ....

Also, the above API table is correct! There is nothing new about it. This protection is there to fool RV's trace. Again, search previous forum postings on this one.

Signed,
-- FoxThree
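Both the "S EIP L FFFFFFFF 61,FF,E0" search in Fedev's post and FoxThree's WinHex tip look for the same thing: the POPAD ; JMP EAX tail of the unpacking stub, where EAX carries the address control is handed to. The scanner below is an added example, not code from the thread or from any tool mentioned in it; the byte buffer and base address are constructed, and it separates full POPAD ; JMP EAX hits from bare JMP EAX hits so the analyst can rank candidates instead of stopping at the first match.

```python
import re
from typing import Dict, List

# Constructed sample of an x86 stub tail (NOT a real ASProtect dump):
# filler, a bare JMP EAX, more filler, then POPAD ; JMP EAX.
SAMPLE = bytes.fromhex(
    "90 90 b8 78 56 34 12"  # NOP NOP MOV EAX, 0x12345678
    "ff e0"                 # bare JMP EAX  -> weak hit (offset 7)
    "90 90 90"              # NOPs
    "61 ff e0"              # POPAD ; JMP EAX -> strong hit (offset 12)
    "cc cc"                 # INT3 padding
)
SAMPLE_BASE = 0x00D80000    # constructed load address of the dumped region

JMP_EAX = b"\xff\xe0"       # opcode bytes of JMP EAX
POPAD = 0x61                # opcode byte of POPAD


def scan_oep_jump(buf: bytes, base: int = 0) -> List[Dict[str, object]]:
    """Return every JMP EAX in buf, flagging those preceded by POPAD.

    'va' is the virtual address of the first byte of the pattern
    (the POPAD for strong hits, the JMP for weak ones), assuming the
    buffer was dumped starting at 'base'.
    """
    hits: List[Dict[str, object]] = []
    for m in re.finditer(re.escape(JMP_EAX), buf):
        off = m.start()
        strong = off >= 1 and buf[off - 1] == POPAD
        start = off - 1 if strong else off
        hits.append({
            "offset": off,          # offset of the JMP EAX itself
            "va": base + start,     # address of the candidate stub tail
            "strong": strong,       # True only for the 61,FF,E0 sequence
        })
    # Caveat: 61 FF E0 can also occur inside immediates or data, so a hit
    # is only a candidate until the bytes are confirmed by disassembly.
    return hits


if __name__ == "__main__":
    for h in scan_oep_jump(SAMPLE, SAMPLE_BASE):
        kind = "POPAD;JMP EAX" if h["strong"] else "JMP EAX only"
        print(f"{h['va']:08X}  {kind}")
```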

Fedev
April 9th, 2002, 12:02
I'll wait for that tool, thanks FoxThree, but I'll keep on trying. Don't know why Softice is hanging everything.

Fede

Quote:
Originally posted by foxthree
Hi Fedev:

Here is a tip. Search the board on using WinHex for finding 61,FF,E0 or if you can wait for a couple of days, I'm working on a tool that does just that ....

Also, the above API table is correct! There is nothing new about it. This protection is there to fool RV's trace. Again, search previous forum postings on this one.

Signed,
-- FoxThree

Fedev
April 11th, 2002, 13:28
I think I know what's wrong. I don't know exactly why, but it seems that SoftICE crashes whenever I set a BPR. I tried BPM, but it doesn't work. I know these breakpoints were working before (since it is not the first time I use SoftICE). I hate Windows 98!!!!


Fedev

foxthree
April 11th, 2002, 13:59
Hi Fedev:

I can feel your frustration. Relax however, help is on its way.

Let me take a wild guess: you have set a BPR based on +SplAj's tutorial of finding 61,FF,E0? Under Win98, *sometimes* this BPR crashes. I've been down that road, my friend. *SOMETIMES* it does work. I don't know why though! Maybe binh or +SplAj himself might answer, but binh switched to Win2K and +SplAj is now allergic to ASPR.

That is why I pointed you to WinHex technique which works - UNCONDITIONALLY !!!

Did you try it? Forget the BPR technique. There is a better one

Search the board for WinHex technique else PM me.

Signed,
-- FoxThree

crUsAdEr
April 11th, 2002, 14:17
grinz...

yeah.. have nothing to say actually... fox, when is ur tool coming out? betta finish it up fast b4 Alexey comes out with a new version and makes ur tool obsolete...

I remember when i first started on AsProtect with you, i told you "AsProtect is a bitch really" and Alexey replied
*******************************************
hehe.. It's just the beginning... soon you will forget RV and Imprec...
*******************************************

hic hic.. just a reminder for u to speed up frd :>...

Meanwhile, i shall wait for alexey to come up with new stuff and start mugging for exams... sux i hate exams...

till then,
binh

Fedev
April 13th, 2002, 16:06
Where can I get the latest version of winhex?

Fedev

Quote:
Originally posted by foxthree
Hi Fedev:

I can feel your frustration. Relax however, help is on its way.

Let me take a wild guess: you have set a BPR based on +SplAj's tutorial of finding 61,FF,E0? Under Win98, *sometimes* this BPR crashes. I've been down that road, my friend. *SOMETIMES* it does work. I don't know why though! Maybe binh or +SplAj himself might answer, but binh switched to Win2K and +SplAj is now allergic to ASPR.

That is why I pointed you to WinHex technique which works - UNCONDITIONALLY !!!

Did you try it? Forget the BPR technique. There is a better one

Search the board for WinHex technique else PM me.

Signed,
-- FoxThree

crUsAdEr
April 13th, 2002, 16:36
Hi Fedev,

NO requests here!!!!!.. search, learn and use

Fedev
April 15th, 2002, 12:49
I didn't ask for a crack, nor a cracked program, I asked for the location of the original WinHex (it comes in a demo version, you know). You could just point me to the developer's website. Anyway, I got it now.

Fedev

Quote:
Originally posted by binh81
Hi Fedev,

NO requests here!!!!!.. search, learn and use