+SplAj
July 10th, 2002, 19:35
ppl
Some info about the latest ASPR code that 'rebases' the code that decrypts to POPAD / JMP EAX (61 FF E0).
Some of you may remember the earlier ASPR that used GetTickCount to constantly rebase itself on each run.... VERY fucking annoying. Well, Alexey stopped it because it was found out and a solution posted. Well, here we go again,
now with GetSystemTime.........
Here is AdvancedMP3Crapalot Pro:-
0167:00DA2658 55           PUSH EBP
0167:00DA2659 8BEC         MOV EBP,ESP
0167:00DA265B 83C4E8       ADD ESP,-18                   <- 0x18 bytes of locals; SYSTEMTIME (16 bytes) lives at [EBP-18]
0167:00DA265E 8D45E8       LEA EAX,[EBP-18]
0167:00DA2661 50           PUSH EAX
0167:00DA2662 E811EAFFFF   CALL KERNEL32!GetSystemTime   <- used as 'randomizer'
0167:00DA2667 0FB745F0     MOVZX EAX,WORD PTR [EBP-10]   <- wHour
0167:00DA266B 6BC03C       IMUL EAX,EAX,3C               <- * 60
0167:00DA266E 660345F2     ADD AX,[EBP-0E]               <- + wMinute (16-bit add; hour*60 never carries out of AX)
0167:00DA2672 6BC03C       IMUL EAX,EAX,3C               <- * 60
0167:00DA2675 31D2         XOR EDX,EDX
0167:00DA2677 668B55F4     MOV DX,[EBP-0C]               <- wSecond
0167:00DA267B 01D0         ADD EAX,EDX
0167:00DA267D 69C0E8030000 IMUL EAX,EAX,000003E8         <- * 1000
0167:00DA2683 668B55F6     MOV DX,[EBP-0A]               <- wMilliseconds
0167:00DA2687 01D0         ADD EAX,EDX
0167:00DA2689 89053C50DB00 MOV [00DB503C],EAX            <- store variable for later (= ms since midnight, UTC)
0167:00DA268F 8BE5         MOV ESP,EBP
0167:00DA2691 5D           POP EBP
0167:00DA2692 C3           RET
So (using SuperBPM or NticeSET to stop the BPM ThreadContext shit),
POKE back into EAX a known value and the location of the 61 FF E0,
and then you can BPMB CS:<ASPR61FFE0> X.
It was the same code in ENT3.1 from Tamos.
Game over for now
Have phun.
Spl/\j
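Worked example, added here as an illustration and not part of SplAj's post or of ASProtect itself: the arithmetic between the GetSystemTime call and the MOV to [00DB503C], re-implemented in C so you can compute the stored value for any clock reading. The mapping of the stack offsets to SYSTEMTIME fields follows the documented Win32 SYSTEMTIME layout (eight WORDs: wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds) relative to the buffer at [EBP-18]; the function names and the sample times are my own assumptions, and the global at 00DB503C is only referred to by address as in the post.

```c
#include <stdint.h>
#include <stdio.h>

/* Mirror of the Win32 SYSTEMTIME struct (eight 16-bit fields, 16 bytes).
 * The routine reserves 0x18 bytes and passes EBP-18 to GetSystemTime, so:
 *   wHour          EBP-18 + 0x8 = EBP-10
 *   wMinute        EBP-18 + 0xA = EBP-0E
 *   wSecond        EBP-18 + 0xC = EBP-0C
 *   wMilliseconds  EBP-18 + 0xE = EBP-0A
 */
typedef struct {
    uint16_t wYear, wMonth, wDayOfWeek, wDay;
    uint16_t wHour, wMinute, wSecond, wMilliseconds;
} systemtime_t;

/* Instruction-by-instruction re-implementation of the sequence in the post
 * (hypothetical name; the post only shows the disassembly). */
uint32_t aspr_time_seed(const systemtime_t *st)
{
    uint32_t eax = st->wHour;                      /* MOVZX EAX,WORD PTR [EBP-10] */
    eax *= 0x3C;                                   /* IMUL EAX,EAX,3C             */
    /* ADD AX,[EBP-0E] only writes the low 16 bits of EAX. hour*60 <= 1380, so
     * the add never carries out of AX and the high half stays zero anyway. */
    eax = (eax & 0xFFFF0000u) | ((eax + st->wMinute) & 0xFFFFu);
    eax *= 0x3C;                                   /* IMUL EAX,EAX,3C             */
    eax += st->wSecond;                            /* XOR EDX,EDX / MOV DX / ADD  */
    eax *= 0x3E8;                                  /* IMUL EAX,EAX,000003E8       */
    eax += st->wMilliseconds;                      /* MOV DX,[EBP-0A] / ADD EAX,EDX */
    return eax;                                    /* -> MOV [00DB503C],EAX       */
}

/* Convenience wrapper: the value ASPR would store for a given UTC wall-clock
 * time. Date fields are filled with constructed values; they are never read. */
uint32_t seed_for_time(unsigned hour, unsigned minute, unsigned second, unsigned ms)
{
    systemtime_t st = {
        2002, 7, 3, 10,
        (uint16_t)hour, (uint16_t)minute, (uint16_t)second, (uint16_t)ms
    };
    return aspr_time_seed(&st);
}

int main(void)
{
    /* Constructed sample inputs: the post's timestamp and the largest possible value. */
    printf("seed at 19:35:00.000 UTC = %u\n", seed_for_time(19, 35, 0, 0));
    printf("seed at 23:59:59.999 UTC = %u\n", seed_for_time(23, 59, 59, 999));
    return 0;
}
```

The stored 'random' value is simply ((wHour*60 + wMinute)*60 + wSecond)*1000 + wMilliseconds, i.e. milliseconds since midnight UTC (GetSystemTime returns UTC), so it is bounded by 86,399,999 and entirely predictable from the clock; that is why poking a known value back, as the post describes, works without disturbing anything else.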