ASProtect - new OEP
BruceLee
November 6th, 2002, 11:38
HTML Link Validator v.3.45
==========================
Download size < 1Mb
ASProtect v1.23,
maybe not new, but no more 61 FF E0 or C3 90 90 90 90 90 90 90 90 90 ... to find OEiP!
PUSH 00
JMP 501EB4 ; jump to OEP ???
Search for IAT and found this:
IATRVA: 0013F398 IATSize: 000001EC
but only kernel32.dll thunk!
hmm, look on it!
Regards,
Bruce Lee
foxthree
November 6th, 2002, 12:07
Hi Bruce:
Yep, this one looks kinda new ... I say kinda 'coz I vaguely remember seeing this sig looong back. In this proggie, OEiP sig is PUSH EAX, RET. I'm trying to rebuild this program to confirm the OEiP that I found. Just hang on!!!
Using the OEiP I "predicted", I'm able to see all the thunks (advapi, gdi, user etc.). So, mostly it is right but let me verify....
Signed,
-- FoxThree
esther
November 6th, 2002, 12:31
Hi,
It's cryp32 not asprotect. Looking for further information

foxthree
November 6th, 2002, 13:36
Hi Esther:
Are you sure? This one is from Lithopssoft. It is ASsPR...
Signed,
-- FoxThree
BruceLee
November 6th, 2002, 13:48
Hi!
Yes, this is asprotect, I'm 99% sure!
I resolved IAT.
Now I must fix dump!
Best regards,
Bruce Lee
esther
November 6th, 2002, 14:06
Hiya FoxThree,
The file I download is 676kb
setup file name is hlvsetup
Did I download the wrong one?
Regards
foxthree
November 6th, 2002, 14:22
That's the one. It is ASsPR indeed
Signed,
-- FoxThree
BruceLee
November 6th, 2002, 14:27
I think my OEiP is wrong !!!
Did you find the OEiP, foxthree?
Bruce Lee
esther
November 6th, 2002, 15:09
Hi all,
Yep it's assprotect and the dll is cryp32 :P
foxthree
November 6th, 2002, 15:27
hey BruceLee:
You might benefit from taking a look at NchantA's tut at tsehp.cjb.net (Unpacking Asprotect). It is an "exact" one but the IT table is mangled differently... Maybe Alex is mix-n-matching.... however, I managed to waddle through my notes to find that good tut by NchantA. Like I said, I remember seeing this one before
Signed,
-- FoxThree
PS: Esther: Hmmm... what dll??? am I missing something here

foxthree
November 6th, 2002, 16:07
Hey:
I think I have pretty much the correct OEP (XX1EB4) but still the unpacked proggie is crashing

I've debugged for the past 1/2 hour without luck and I always get 0xc0000026 at 77FB186C???? None of the code that causes this exception looks like ASPR checks?? Any clues/pointers?
Signed,
-- FoxThree
esther
November 6th, 2002, 16:49
Hi all,
My program is weird. It got an error message "error loading library type" after executing. The program doesn't start at all ;ppp.
BruceLee
November 6th, 2002, 18:00
Hello foxthree, esther!
I think there is antidump routine or something similar. I can't dump with /pedump. If I dump with LordPe I have same problem as you!
Bruce Lee
Pr1mus
November 6th, 2002, 21:48
It uses some sort of anti-imprec routine and some other tricks.
I'll have a more detailed look later on this week prolly.
Btw, Bruce Lee mail me asap plz

BruceLee
November 6th, 2002, 22:14
Can't mail you, sorry. My account is too small. I found IAT, see attachment. I think it is good.
Problem is in OEP
Regards,
Bruce Lee
hobgoblin
November 6th, 2002, 22:19
I do get some different findings than the rest of you guys..
I found the oep to be 401000, the import table address to be 53F138, size F8C. This program seems to use the latest import protection to render RV and Imprec useless. But you can get around this one by doing as +Splaj has explained. Besides from that it looks like an "older" version. You have 4 dips before going to the OEP. The first one is quite different than usual, but the 3 others are as usual. There is no execution of code in higher memory before jumping to ordinary code and the OEP, as in the latest version of Aspack.
I manipulated the program to build a clean import table during the unpacking using the method described by evaluator. After that I just used RV to get the imports. Got it all except the usual ones.
My problem is here:
0187:004F5EA9 55 PUSH EBP
0187:004F5EAA 68F45F4F00 PUSH 004F5FF4
0187:004F5EAF 64FF31 PUSH DWORD PTR FS:[ECX]
0187:004F5EB2 648921 MOV FS:[ECX],ESP
0187:004F5EB5 803D6987530000 CMP BYTE PTR [00538769],00
0187:004F5EBC 740A JZ 004F5EC8
0187:004F5EBE 68588B5300 PUSH 00538B58
0187:004F5EC3 E8D44B0200 CALL KERNEL32!EnterCriticalSection
0187:004F5EC8 83C307 ADD EBX,07
0187:004F5ECB 83E3FC AND EBX,-04
0187:004F5ECE 83FB0C CMP EBX,0C
0187:004F5ED1 7D05 JGE 004F5ED8
0187:004F5ED3 BB0C000000 MOV EBX,0000000C
0187:004F5ED8 81FB00100000 CMP EBX,00001000
0187:004F5EDE 0F8F93000000 JG 004F5F77
When the program is executing the call to Entercriticalsection, it crashes. This call is also made in the unpacked version.
Well, this is how far I got right now. Does someone have any experience with this?
Will post more findings, if any..
hobgoblin
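An added example, not code from anyone in this thread: the bookkeeping an import rebuilder does over a dumped IAT, so the "usual" leftovers (thunks pointing back into the .exe or into memory no DLL owns) stand out. It uses the thread's IAT RVA and image base; the thunk values, image size and DLL ranges are constructed.

```python
import struct

# Constructed sample, loosely modelled on the thread's numbers (IAT RVA 0013F398,
# image base 00400000); the thunk values and module ranges are made up.
IMAGE_BASE = 0x00400000
IMAGE_SIZE = 0x00140000          # assumption: .exe mapped 00400000-00540000
IAT_RVA = 0x0013F398
MODULES = {                      # assumption: where the DLLs landed in the debuggee
    "kernel32.dll": (0x77E40000, 0x77F40000),
    "user32.dll":   (0x77D40000, 0x77DC0000),
}
SAMPLE_IAT = struct.pack("<7I",
    0x77E5A1F0,   # kernel32 export: resolvable by address alone
    0x77E41234,   # kernel32 export
    0x00000000,   # end of kernel32's thunk list
    0x77D41000,   # user32 export
    0x004F6000,   # points back into the .exe: the protector redirected this API
    0x00A2B000,   # points into allocated memory: emulated API, no module owns it
    0x00000000,
)

def classify_iat(iat_bytes, iat_rva, image_base, image_size, modules):
    """Return (slot_rva, thunk_va, kind, owner_dll) for each DWORD slot of the IAT."""
    out = []
    for off in range(0, len(iat_bytes) - len(iat_bytes) % 4, 4):
        va = struct.unpack_from("<I", iat_bytes, off)[0]
        rva = iat_rva + off
        if va == 0:                                   # null thunk terminates one DLL
            out.append((rva, va, "terminator", None))
            continue
        owner = next((n for n, (lo, hi) in modules.items() if lo <= va < hi), None)
        if owner:                                     # a rebuilder resolves this itself
            out.append((rva, va, "resolved", owner))
        elif image_base <= va < image_base + image_size:
            out.append((rva, va, "redirected", None))  # stub inside the protected exe
        else:
            out.append((rva, va, "unresolved", None))  # protector-allocated memory
    return out

def leftovers(entries):
    """The slots that still need manual work or a plug-in after RV/ImpREC."""
    return [e for e in entries if e[2] in ("redirected", "unresolved")]

if __name__ == "__main__":
    for rva, va, kind, owner in classify_iat(SAMPLE_IAT, IAT_RVA, IMAGE_BASE, IMAGE_SIZE, MODULES):
        print(f"IAT RVA {rva:08X}: {va:08X} {kind:<10} {owner or ''}")
```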
Iwarez
November 6th, 2002, 23:39
I think the OEP is at 401000. After extraction etc. etc. I found the standard entrypoint stuff at 401000.
BTW. Once again I pressed the new thread button where it should be reply.... Damn buttons. It's about the HTML parser.
EDIT: I hope this is the one you meant (Kayaker)
JMI
November 7th, 2002, 01:25
Iwarez:
If you press the "new thread" instead of the "post reply" button, you can press the "edit" button and then there is a "delete" button at the top to completely remove your thread. I believe you can only delete the thread if you start it, but using the "edit" button you can delete a "reply" you made.
Regards.
crUsAdEr
November 7th, 2002, 02:11
Hi guys,
this one is an old trick discussed by Tsehp and SplAj long long ago... search for Chameleon Clock and you will find the answer...
Watch the first DIP *hint*
it is a good idea to look at all the dips cos all of them serve a specific purpose...
LOL.. i wasted 1 hr wondering what the hell went wrong when i finally realised Alexey got me
push ebp
mov ebp, esp
push [GetVersion_result]          ; value the protector saved earlier, pushed...
pop eax                           ; ...and popped into EAX instead of a real call
mov esp, ebp
pop ebp
mov eax, [GetCommandLineA_result] ; EAX ends up with the saved GetCommandLineA result
ret
LOL.. was tracing and wondering how the hell my commandline looks funny and the prog crashed there... guess i must be careful cos Alexey is using old trick to bluff hasty cracker like me

...
regards
crUsAdEr
Iwarez
November 7th, 2002, 07:15
I tried to delete it but it said I had no rights.
JMI
November 7th, 2002, 07:27
Iwarez:
That's because your "thread" was moved here before you tried to delete it.
Regards.
BruceLee
November 7th, 2002, 09:50
For me this function is GetCommandLineA not GetVersion. OEP is 401000. Program still crashes at location 4f5ec3, call Entercriticalsection!
Bruce Lee
crUsAdEr
November 7th, 2002, 10:36
Yep Bruce Lee,
I realised my mistake

... yeah... OEP is NOT 401000!!! so search for Chameleon CLock and give it a try, or check out those dips...
I can post the answer now but hey, what is the fun without trying... hours of reading all the AsProtect threads do pay off

...
regards,
crUsAdEr
hobgoblin
November 7th, 2002, 16:30
Well, I figured it out. First, I too recalled the discussion around Chameleon Clock (or whatever the name was..). And then I tried some new things while dumping the program. I agree that the OEP isn't (or maybe shouldn't be is a better word...). But when I tried to dump it from what looks like the original OEP (the address listed in the jump instruction at 00401054), it still crashed. More accurate: it froze a few instructions down from the OEP. And the reason is that the program tried to read and use an address that wasn't accessible, the esi/eax register was empty. So it froze. The address that was supposed to be read was loaded into memory in the second call upwards from the jump instruction at 00401054. The program needs this information to run properly. Another thing: by checking out the first dip, which is unusually long, it looked to me as the program did some register checking. I tried to ret from this call, then go to the new OEP and dump it. No success. It failed to even get there. So after some trial and error this is what worked for me:
In the high memory just before the call to the first dip is executed, there is a conditional jump. I forced the program to jump, then put the program into a loop at address 00401054 and dumped it. After pasting in the rebuilt IAT, I set the new OEP to be 401000. And guess what: it runs like a dream.
just me sharing some info...
regards,
hobgoblin
esther
November 7th, 2002, 18:20
Hey Hobgoblin,
Sorry I can't execute this program on my machine

Guess I have to give up this program.
A small experience
0030:00400300 04 10 40 00 03 07 42 6F-6F 6C 65 61 6E 01 00 00 ..@...Boolean...
0030:00408000 00 00 01 00 00 00 00 10-40 00 05 46 61 6C 73 65 ........@..False
0030:00401020 04 54 72 75 65 8D 40 00-2C 10 40 00 02 04 43 68 .True.@.,.@...Ch
if the OEP is decrypt you will see it
Regards
JMI
November 8th, 2002, 04:51
Bruce Lee:
Follow the advise and do a search using Chameleon Clock and you will find this thread:
http://www.woodmann.net/forum/showthread.php?threadid=2565
which discusses the "Entercriticalsection" problem.
Doing a search with "entercriticalsection" will find several additional entries, including this one:
http://www.woodmann.net/forum/showthread.php?threadid=2775
where +Spl/\j discusses how to avoid the problem.
Again this is to demonstrate the value of searching yourself for the solutions to your problems, rather than relying on others to solve them for you.
Regards.
crUsAdEr
November 8th, 2002, 07:18
Wow JMI
that was efficient, just read my posts in Feb and man, I was staggering towards making my first Asprotect kill... gosh and i was asking silly question like everyone else.. does bring back some good memory heh, FoxThree :>?
Yep, then now i realise that HLV.exe is same case as Reg Organizer... even OEP looks similar!!!
Yep, i guess AsProtect is really over-discussed :>...
Anyway, i just coded a beta version of Asprotect plug-in for Imprec/Revirgin.. anyone care for testing? It handles all the emulated APIs only!
regards
crUsAdEr
BruceLee
November 8th, 2002, 21:39
Hello crUsAdEr, JMI, esther, hobgoblin, Pr1mus, Splaj !
Check out!
New Chameleon clock:
Chameleon Clock v3.0 beta 4 / November 6, 2002.
ASProtect v1.23.b
OEP=4BEB2C
Only one dip.
My IAT is attached! I use all tricks, but I can't make it work!
It's hard! Too much!
Bruce Lee
BruceLee
November 8th, 2002, 21:40
My resolved IAT!
Pr1mus
November 8th, 2002, 21:54
crUsAdEr
November 9th, 2002, 01:36
Hi Bruce Lee,
What did you do with the first dip then?
regards,
crUsAdEr