nikolatesla20
April 8th, 2002, 12:56
Hey tsehp, RV kicks butt, especially on Win2k, the program tracer OWNS!
<Just a quick note to some beginners out there: if you trace a program and it doesn't seem to land on the OEP as the first instruction, remember ASProtect has an API, and it calls into the target before executing it, so you are on one of those APIs. WRITE IT DOWN! You can use it to your advantage.>
I ran into a problem over the last 2 weeks though: RV would not resolve all the entries for Bullet Proof FTP Server. When I wrote down the RVAs to the functions and went in manually with SoftIce, this is what I saw:
At the RVA called from the IAT address:
mov eax, [012054A]
ret
Notice that this does not call ANY API whatsoever; it just moves a value into eax as though it DID call an API, and then returns. So where does this value come from, you ask? Well, fortunately, if you scroll up in the code window in SoftIce you can find the answer (heh heh!)
Scroll up some from the code you see listed above, and you would find:
call Kernel32!GetCurrentProcessId
mov [012054A],eax
Wow, great fun eh? ASProtect basically takes over calling the conventional startup code in the app, and stores the values away for later. Not a big deal, but it pretty much screws any tracer completely. Oh well.
Yes, you can still fix it up by hand; I was just bringing out that I don't know if any tracer could ever find this. It is a good technique, I think. I also think this must be a newer version of ASProtect because I haven't seen it before. (Note: on the ASProtect website it says new update for registered users. HEY, a new one just came out again TODAY! But I can't download it, of course?)
By the way, I still can't get this damn BPFTP server fixed out of ASProtect; oh well, more practice is needed. (I had no such troubles with BPFTP client.) Apparently I still have some calls into ASProtect. (The thing to note is that as of yet ASProtect has no API which gets called INTO. However, it does pass a pointer to the registration information when it calls GetRegistrationInformation. The app accesses this pointer, which is what screws you, I think.)
-nt20
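The post describes a pattern an analyst unpacking a protected binary has to recognise by hand: the IAT slot points at a stub that only does "mov eax,[addr]; ret", and the real API call plus the "mov [addr],eax" store sit earlier in the protector's own code. The following is an added example, not code from the post or from Revirgin or ASProtect. It scans a small, constructed x86 code buffer for that exact stub encoding (A1 imm32 C3) and, for each stub, looks for the matching store (A3 imm32) that is immediately preceded by an indirect "call [iat_slot]" (FF 15 imm32), then names the API through a hypothetical IAT map. All addresses, the image base and the IAT contents are invented for the example; they are not the addresses from the post.

```python
import struct

# Hypothetical image base and IAT slot -> API name map (constructed, not from the post).
IMAGE_BASE = 0x00400000
IAT = {
    0x00402000: "kernel32!GetCurrentProcessId",
    0x00402004: "kernel32!GetCommandLineA",
}

# Hypothetical cache slots where the protector stores API results before running the app.
CACHE_PID = 0x00405000
CACHE_CMDLINE = 0x00405004


def build_sample_code():
    """Construct a code buffer that mimics the layout described in the post:
    a loader prologue that calls real APIs and caches the results, plus
    'mov eax,[cache]; ret' stubs that the patched IAT entries point at."""
    code = bytearray(b"\x90" * 0x60)  # NOP padding between the pieces
    # Prologue at RVA 0x10: call dword ptr [IAT slot]; mov [CACHE_PID], eax
    code[0x10:0x16] = b"\xFF\x15" + struct.pack("<I", 0x00402000)
    code[0x16:0x1B] = b"\xA3" + struct.pack("<I", CACHE_PID)
    # Same again at RVA 0x20 for a second API and cache slot
    code[0x20:0x26] = b"\xFF\x15" + struct.pack("<I", 0x00402004)
    code[0x26:0x2B] = b"\xA3" + struct.pack("<I", CACHE_CMDLINE)
    # Stubs at RVA 0x40 and 0x50: mov eax,[cache]; ret
    code[0x40:0x46] = b"\xA1" + struct.pack("<I", CACHE_PID) + b"\xC3"
    code[0x50:0x56] = b"\xA1" + struct.pack("<I", CACHE_CMDLINE) + b"\xC3"
    return bytes(code)


def find_cached_value_stubs(code, base):
    """Return {stub_va: cache_va} for every 'mov eax,[imm32]; ret' (A1 imm32 C3).
    This is the shape the post shows at the RVA reached from the IAT entry."""
    stubs = {}
    for off in range(len(code) - 5):
        if code[off] == 0xA1 and code[off + 5] == 0xC3:
            stubs[base + off] = struct.unpack_from("<I", code, off + 1)[0]
    return stubs


def find_producer(code, cache_va, iat):
    """Find 'call dword ptr [iat_slot]; mov [cache_va], eax' and return the
    API name that produced the cached value, or None if no such pair exists."""
    store = b"\xA3" + struct.pack("<I", cache_va)
    off = code.find(store)
    while off != -1:
        # The store must directly follow a 6-byte indirect call (FF 15 imm32).
        if off >= 6 and code[off - 6:off - 4] == b"\xFF\x15":
            slot = struct.unpack_from("<I", code, off - 4)[0]
            if slot in iat:
                return iat[slot]
        off = code.find(store, off + 1)
    return None


def resolve_stubs(code, base, iat):
    """Map each cached-value stub back to the API whose result it returns."""
    return {
        stub_va: find_producer(code, cache_va, iat)
        for stub_va, cache_va in find_cached_value_stubs(code, base).items()
    }


if __name__ == "__main__":
    sample = build_sample_code()
    for stub_va, api in resolve_stubs(sample, IMAGE_BASE, IAT).items():
        print(f"stub {stub_va:08X} returns cached result of {api}")
```

The scanner only recognises these two exact encodings; a protector that uses a different register, a relative call, or puts other instructions between the call and the store will not be matched, which is the same reason a tracer that expects the stub to reach a real API cannot resolve these entries. Treat a hit as a lead to confirm in the debugger, exactly as the post does by scrolling up from the stub.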