foxthree
June 14th, 2002, 21:34
Hello Fellow RCEs:
I'm excited as I type this 'coz I *think* this may be a long awaited new ASPR strain. Look at this app.
Hide Folders v.2.3.5
hxxp://yyy.fspro.net
Hmmm okay It is ASProtect all right.
Find OEiP. Piece o' cake. Now run ImpREC. WTF? IAT Size == 24???
Hmmm something is wrong. Okie! Run RV. "IAT is corrupt..." Enter OeiP and press "Find IAT". What!?? "Found Nothing" 
Hmm... Open in SoftICE and find the IAT Decryption loop .. Everything is "normal"...
Okay let's see where we land at the JMP Table and lo! a whole lot of stuff has changed in the way ASPR redirects IAT! WTH??? No wonder RV/ImpREC is blown away...
For e.g., look at the following piece of code that redirects to GetModuleFileNameA:
[CODE]
017F:00C6493C 2BD2 SUB EDX,EDX
017F:00C6493E 681A1DFABF PUSH BFFA1D1A
017F:00C64943 64FF32 PUSH DWORD PTR FS:[EDX]
017F:00C64946 648922 MOV FS:[EDX],ESP
017F:00C64949 E9B62D31BF JMP BFF77704 (JUMP)
[/CODE]
BFF77704 == GetModuleFileNameA+000D, which are the bytes that are executed by ASPR! Hmmm.
Also, another funny thing is that ASPR now pushes values on the stack and then RETs. Which again I believe RV can't find (as found by Eval on Armadillo) [So Alexey steals code from ARMA?]...
Anyways, it is 4 a.m. here and I gotta go to sleep.
If this is not what it claims to be, moderators, just delete this post and let me lie in peace or else you'd better give this strain my name
Signed,
-- FoxThree
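Added example (not part of FoxThree's post): a small Python parser that recognises the stub shape shown above (SEH-frame prologue followed by a JMP), decodes the JMP rel32, and maps the landing address back to "export+offset" so an analyst can tell which import the stub stands in for and what the IAT slot should really hold. The stub bytes are taken from the listing in the post; the export table is a constructed one-entry table derived from the post's remark that BFF77704 == GetModuleFileNameA+0xD, and the 4 prologue instructions total 2+5+3+3 = 13 = 0xD bytes, which is why the jump lands exactly at +0xD.

```python
import struct

# Constructed input: the 18 stub bytes listed in the post, loaded at 0x00C6493C.
STUB_BASE = 0x00C6493C
STUB = bytes.fromhex("2BD2" "681A1DFABF" "64FF32" "648922" "E9B62D31BF")

# Constructed export table (one entry, derived from the post's note that
# BFF77704 == GetModuleFileNameA+0xD, so the real entry point is 0xBFF776F7).
EXPORTS = {0xBFF776F7: "kernel32!GetModuleFileNameA"}

def parse_stub(code, base):
    """Match the SEH-prologue + JMP pattern; return decoded fields or None."""
    # Fixed opcodes around the two variable operands (PUSH imm32, JMP rel32).
    if len(code) < 18 or code[0:2] != b"\x2b\xd2" or code[2] != 0x68:
        return None
    if code[7:10] != b"\x64\xff\x32" or code[10:13] != b"\x64\x89\x22" or code[13] != 0xE9:
        return None
    seh_handler = struct.unpack_from("<I", code, 3)[0]   # PUSH imm32 operand
    rel32 = struct.unpack_from("<i", code, 14)[0]        # signed JMP displacement
    stolen_len = 13  # bytes of the API prologue that ASPR executes itself
    # Target = address of the instruction after the 5-byte JMP, plus rel32 (mod 2^32).
    jmp_target = (base + stolen_len + 5 + rel32) & 0xFFFFFFFF
    return {"seh_handler": seh_handler, "stolen_len": stolen_len, "jmp_target": jmp_target}

def resolve(addr, exports):
    """Map a mid-function address to (symbol, offset, entry) via the nearest lower export."""
    candidates = [a for a in exports if a <= addr]
    if not candidates:
        return None
    entry = max(candidates)
    return exports[entry], addr - entry, entry

if __name__ == "__main__":
    info = parse_stub(STUB, STUB_BASE)
    name, off, entry = resolve(info["jmp_target"], EXPORTS)
    print(f"JMP -> {info['jmp_target']:08X} = {name}+{off:X}; IAT slot should hold {entry:08X}")
```

When the decoded offset equals the stub's own stolen length, the redirection is consistent and the IAT entry can be rebuilt as `entry` rather than the mid-function address.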