I'm stuck


Hwoarang
April 28th, 2002, 10:36
uhm sorry about this, but I must ask something about tcetorpsa
I try to unpack an app like this:
bpx GetVolumeInformationA, then tracex 400000 500000...here I get some procedures
(only fake entry points??) like this one:

0177:00497C2A 8BC0 MOV EAX,EAX
0177:00497C2C 55 PUSH EBP
0177:00497C2D 8BEC MOV EBP,ESP
0177:00497C2F A1F40F4B00 MOV EAX,[004B0FF4] ; eax contains pointer to an assspr loader procedure
0177:00497C34 A3F00F4B00 MOV [004B0FF0],EAX ; overwrite another procedure?
0177:00497C39 8B4508 MOV EAX, [ EBP+08]
0177:00497C3C A3F40F4B00 MOV [004B0FF4],EAX
0177:00497C41 5D POP EBP
0177:00497C42 C20400 RET 0004

It's really weird because there are about 10-12 such procedures in this app and if I bypass
every such procedure (using for example R EIP 497c41 at 497c2d or by jumping..) the app
still runs normally.. even though I rebuilt the import table with tool(s) u know and found the OEP,
the app is corrupted
and F8ing into it didn't work too well because there are a lot of bad portions of code and even
a corrupted stack
I read previous posts about this protection and those didn't clear me up too much =/ maybe I'm
just dumb?
pls anyone so kind to tell me what I could be doing wrong and what the odd procedures are actually doing????

foxthree
April 28th, 2002, 13:51
tcetorpsa, huh? Nice one

Looks like good ol' DD in action again. Try using the "search" facility Hwoarang, and you'll see DD is just a "myth"

Signed,
-- FoxThree

+SplAj
April 29th, 2002, 08:08
hi

I'm a complete newboid at this protection scheme

However, it looks very similar to me, to Yexela trick with LockResource and FreeResource API. Just look at the alphabetic list of resolved API and you will see which Lock/FreeResource api fits

Spl/\j

foxthree
April 29th, 2002, 08:15
Hi +SplAj guru:

This is way 2 much... hee haw ...

How's it going? Long time, no post!!! Anything new cooking in ur labs

Signed,
-- FoxThree

Hwoarang
April 29th, 2002, 09:17
Splaj, do u mean that trick with

Call dummy_api (eg GetModuleHandleA)
Call real api (FreeResource or whatever?)

thanks, might be, I'll check it out. Probably that's why the stack is corrupted anyway. The target was memory patched by this time, but still I want to try to unpack it)

+SplAj
April 29th, 2002, 10:48
Foxthree

Ur PM is full ......(grrr tsehp) .....

Hwoarang... tegrat fo LRU eht em dnes

Spl/\j

foxthree
April 29th, 2002, 10:55
Hello +SplAj guru:

I've cleared my PM and await your msg eagerly. Yep, I think +Tsehp set the limit to too small a value. Cool, anyways...

BTW, +SplAj, do I have to write a small _strrev program to read your posts ...

Signed,
-- FoxThree

Hwoarang
April 29th, 2002, 13:34
Splaj,
rehe si hte RUL:
6d 6f 63 2e 73 69 78 65 6c 65 68

(it's the second prog in there, have fun;
methinks it contains some latest yelxa tricks

evaluator
April 29th, 2002, 14:06
You about:
Version 3.1 (build 352) 15-Apr-2002

foxthree
April 29th, 2002, 14:10
Hmmm time to move this thread to the RCE Cryptographics forum

BTW, is it just me or is it that all tcetorpsa'ed apps' web sites look a lot like the tcetorpsa website itself? yexelA is rubbing off his influence on everyone eh?

Signed,
-- FoxThree

evaluator
April 29th, 2002, 15:36
Congratz, SPLAJ!

seems thiz guy found newest (c)aspr!
As gift for you and othErz, I present thiz DLL

Kayaker
April 29th, 2002, 15:50
Ahhh, you guys aren't gniloof anyone!


crUsAdEr
April 29th, 2002, 16:07
LOL...

I guess from now on, I must also learn to search the board for desrever gnireenigne :>>... no wonder there never seems to be enough information :>.. must be more creative when I search next time...

Anyway, eval... that dll looks different, is this a new version of AsProtect? <--- this is to help ppl searching the board in the future :>>> (hope you don't mind kayaker...)

regards

foxthree
April 29th, 2002, 16:17
Eval:

A DLL with no exports? What gives?

Signed,
-- FoxThree

crUsAdEr
April 29th, 2002, 16:20
LOL...

looks like AsProtect discussion is back into full business now that Kayaker has approved of it :>>

hey fox3, search and thou shall find :>>... (hint : fravia site)...

evaluator
April 29th, 2002, 18:11
Hwoarang!

OEP is 4AF2D8
When you use "/tracex", ICEDUMP (with default settings) prints the previous address!
So each time the tracer stops, type:
u (previous address)
If you then see the instruction
JMP EAX
and POPAD before it, then you are on the OEP.
Else no.

There is nothing new in the protection scheme.
You must look at the 2nd section. On the OEP set this breakpoint:
BPR 4B0FE0 4B1008 R

and you can catch the tricky code. Then simulate it in the dump..

binh1881!

I'm sure "thiz was" the newest cASPR dll, at least for mE
1. every new cASPR.dll becomes bigger.
2. poor ASS seems to have upgraded his "Burland Delphinarium Outprise"!
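
The OEP test evaluator describes above (tracer stops, unassemble, look for JMP EAX with POPAD right before it), written out as an added example; this is not code from the thread, and the section bytes and base address are constructed. Because the tracer prints the previous address, the caller passes whichever address it actually unassembled.

```python
POPAD = 0x61           # popad: restores the registers the stub saved with pushad
JMP_EAX = b"\xff\xe0"  # jmp eax: indirect transfer through the register


def is_oep_transfer(code: bytes, base: int, addr: int) -> bool:
    """True if the instruction at addr is JMP EAX and the byte before it is POPAD."""
    off = addr - base
    if off < 1 or off + len(JMP_EAX) > len(code):
        return False
    return code[off:off + len(JMP_EAX)] == JMP_EAX and code[off - 1] == POPAD


def find_oep_transfers(code: bytes, base: int) -> list:
    """Scan a whole section dump for POPAD; JMP EAX pairs (candidate stub exits)."""
    return [base + off for off in range(1, len(code) - 1)
            if is_oep_transfer(code, base, base + off)]


# Constructed stub tail (not bytes from the target): filler, then the real
# popad / jmp eax exit, then a jmp eax with no popad that must not be reported.
SECTION_BASE = 0x497C00  # constructed base address
SECTION = (b"\x8b\xc0"   # mov eax,eax
           b"\x5d"       # pop ebp
           b"\x61"       # popad
           b"\xff\xe0"   # jmp eax   <- stub exit, SECTION_BASE + 4
           b"\x90\x90"   # nop; nop
           b"\xff\xe0")  # jmp eax with no popad before it

if __name__ == "__main__":
    for addr in find_oep_transfers(SECTION, SECTION_BASE):
        print(f"candidate OEP transfer at {addr:08X}: popad / jmp eax")
```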

Hwoarang
April 29th, 2002, 18:40
I also finally managed to unalexey the target=)

foxthree
April 29th, 2002, 18:52
Hmmm... unpaxed it in 7+ mins... So whatz new about this protection guys?

At first I thought a new version of ASPR with improved DD tricks. Ummm, I'm disappointed. There are not even "ASPR" checks...

Found 3000 icons in 2 mins.... seriously, u guys must buy this one... it is good

Binh:

What can I say? WOW!!!! U ROCK!!!! Now the DLL without .exports makes sense

Eval:

Cool "bloated" ASPR.dll. But I guess, binh beat you to it this time, eh

And one more thing, does ASPR mutate the SEH generation code or is it just the xor [eax], eax only???

Until next version of "RPSA" ...

Signed,
-- FoxThree

PS: Publicity time

People, you can do what eval says or use OEPFinder (the W**H**) clone to find the OEP in 2 secs... Look for it in the ToT section

crUsAdEr
April 29th, 2002, 19:01
Hey fox3,

This one is only $10!!!! I never tried using it but it looks really cheap... wonder why they bother buying AsProtect to protect it??? I bet the programmer must be affiliated with Alexey.... considering the similarity of the website...

+++++++++++++++++++++++++++++++++++
Cool "bloated" ASPR.dll. But I guess, binh beat you to it this time, eh
+++++++++++++++++++++++++++++++++++

Nah.. I bet Eval has been keeping those gory details from us newbies :>>>...
/me slaps eval with a large trout....