i've got a question concerning asprotect, as so many have..:-)

after retrieving the location of the popad, jmp eax using the
getversion/61,ff,e0 trick aswell as conferming it with winhex, i need to break on that location. using the breakpoint that is in the tuts all over such as: BPR xxx xxx+3 R IF EIP==xxx

problem is that sice wont break on it. i tried several targets, but i cannot get it to break. if anyone out there could give me a push in the right direction i'd be very thankfull.

Use ElicZ's SuperBPM... However, it works on Win98 only. Also, put a BPM on the JMP EAX instruction and not on POPAD. *Sometimes* POPAD BPM does not work but JMP EAX works

Signed,
-- FoxThree

thanx for the help, it's highly appreciated!

Nevertherless, it was not successfull.. i tried superbmp already (i use win98 2nd ed.) and also setting the breakpoint on the JMP EAX did not give the disired result. I have no clue what else i can come up with next...

Hi

Just try to find the following "call [ebp+18]" in Win9x(not tested in WinME). Probably this is where KERNEL32 calls the SEH handler of ring 3 applications.
Set a *conditional* breakpoint there, then you can watch how the exception handlers of ASPR are called. Right after the *last* SEH structure of ASPR, there is a "JMP [EBP-14]" or "PUSH [EBP-14]; RET". When you are at this JMP, you can set a BPM/BPR on "JMP EAX" to stop at OEP.
I always use this method to find the OEP of ASPRed progs in Win9x(but I formated Win9x long time ago). Please refer to my previous post on IRETD/NtContinue in Win2K. good luck

hello solomon..

many thanx for your effort in helping me out. but i'm afraid i must
be a little bit of a dissapointment to you. i simply cannot get
myself to find that CALL [EBP+18)] you mentioned. Shame on me,
i know.. :-)

so once again i would like to cry out for help, if it's not too
much trouble. thanx!

I don't think it's a shame coz everyone starts from newbie.

Here is how I find the *LAST* SEH of ASPR:
1. find ANY of the SEH structures in ASPR. In most cases, it contains a "XOR [EAX], EAX" instruction.
2. press F8 to step over "XOR [EAX], EAX" where EAX is 0. In Win2K, this will lead you into KiUserExceptionDispatcher(), but in Win9x, you will land in the ASPR exception handlers. Just trace till the exception handler returns, then you will see the "call [ebp+18]". This is the case in Win98. I don't know what it looks like in Win98SE/WinME.
3. put a BPX on "call [ebp+18]", e.g "BPX XXXXXXXX if *(ebp+18)< 1000000" and keep pressing F5.
Each time when this breakpoint is hit, type "u *(ebp+18)" to see whether it's the last SEH structure.

hi solomon...

many thanx for your help once again.

All went fine and i was able to reach the JMP [EBP-14]. But from there i dont seem to be able to find the popad,jmp eax anymore!

most likely i'm doing something not quite right, but perhaps you could shine your light over it once more...?! thanx in advance.

What I have found is that Win98 is kinda "stupid" with SoftICE.

For example, if you just CNTRL+D into SI, and then switch address contexts to see the memory of a program you want to spy on (use the "addr" command) , try telling SI to unassemble an address and it won't. In Win98 it will say "invalid address". You have to type the SELECTOR in the address to make it work right.

For example:

Instead of u 00456432

I have to put:

u 0167:00456432

Note that I only need to do this when I get into the program's space with the context switch command. But I noticed you also seem to need it when trying to set BPM's sometimes in Win98.

In Win98 you have to "force" SI to the right address space in this way. In Win2K you don't, everything works correct.

So Run your packed app, and then CNTRL+D into SI, switch into its address space ( "addr <process name>", and do the search for the popad, jmp eax.

s 30 L FFFFFFFF 61 FF E0

When the address pops up, put in your break range but don't forget the address selector.

bpr 0167:<address of popad> 0167:<address of popad +3> R IF eip==<address of popad>

Now, the 0167 is arbitrary. It might be different for you, just do a bpx GetVersion, and when you land in your app, write down the selector of where the code is. That is the selector you want to use later for this BPR.

This should work then. I just did this last night to break into commview 3.3. I use WIndows 98 at home.

Just as a side note, Yes Win98 is 32 bits and so memory is flat, but for some reason SI doesn't see it correct like I said, you have to make sure it sets the bpm's correct by using the selector if you have to , to force it. Win2K doesn't have this weirdo operation - for example I can unassemble even if I just switch contexts in Win2K.

-nt20

There are ONLY several decrypt loops(many more in latest ver of ASPR) between "JMP [EBP-14]" and "POPAD/JMP EAX". So I often manualy bypass these loops by setting a breakpoint at the end of each loop and press F5. Sure we can also search for the address of "61 FF E0 " first(assume it's xxxxxxxx), then type "g xxxxxxxx" at JMP [EBP-14].

thanx nikolatesla20: i tried your trick, but was not successfull with it. i suspect something not to be quite ok with the location of the popad, even if i verified it with winhex.
thanx anyway, i'll keep trying.

Solomon: thanx once again, but the problem is that when i am at the jmp [ebp-14], the popad cannot be found anymore. searching for 61,ff,e0 gives not the desired result. seems strange to me, or am i mistaken..?

thanx anyway, to all that is out there giving me a hand in this
problem.

sorry I have not express it clearly. I mean using WinHEX or any other tools to search 61,FF,E0 in the process memory first.