
View Full Version : Chameleon Clock 3 b4


Manko
November 11th, 2002, 11:05
Was gonna take this privately with BruceLee, but he doesn't receive PMs... :P

Can't get this to work right and wonder if someone knows anything about it?

I deleted the crap from the IAT section before it filled it with APIs. I redirected EIP from the first instruction in the 1st dip to the ret04 at the end of it, then dumped at the OEP.

Made code (in a hole) to call the 1st dip, then jmp OEP.

It starts fine! But when I access the popup track menus it shuts down almost at once, and on 3 occasions Explorer crashed shortly after I terminated the program.

On CC 2.51 I was tricked by FreeResource and then made it only ret04 and all was OK. Thought this was the same, but no luck.

Any ideas?

/Manko

foxthree
November 11th, 2002, 12:21
Manko:

Clear your PM

Signed,
-- FoxThree

crUsAdEr
November 11th, 2002, 14:23
Yeah, i have the same problem...

I can access everything fine... except that after about 1 minute my Explorer crashes... it happens all the time, so it is definitely something to do with Chameleon Clock checking for AsProtect being present?

SetTimer is not the case used here, I think.. a bpx on it only gives the 5 sec delay at the nag box.. then if we put our mouse on the Chameleon Clock in the task bar, SetTimer is called every 0.5 sec to do refreshing, I guess... so it is probably something else.. the thing is that it causes Explorer to crash!!! I am stuck as well ...

regards,
crUsAdEr

P.S : has anyone seen this?
Secure Family Album
Old or new AsProtect? No API emulation, IAT redirection scheme stolen from VBox :>...??? New SEH trigger? Or is this old? It used to be "xor [eax], eax", now it is "lea eax, eax"!!! Minimal obfuscation and stuff... no OEP hiding anymore?

Manko
November 11th, 2002, 15:04
Quote:
Originally posted by foxthree
Manko:

Clear your PM

Signed,
-- FoxThree


Yup, now EVEN the outbox is empty.

/Manko

esther
November 11th, 2002, 18:10
Hi crUsAdEr,

>P.S : has anyone seen this?
Secure Family Album
Old or new AsProtect? No API emulation, IAT redirection scheme stolen from VBox :>...??? New SEH trigger? Or is this old? It used to be "xor [eax], eax", now it is "lea eax, eax"!!! Minimal obfuscation and stuff... no OEP hiding anymore?

Although the compiler sigs are similar to as*, it seems to be another type of encryptor.

Latest as*: check out Ta*, com*. Double protection as*+aspa**?

Check out guys

Regards

hobgoblin
November 11th, 2002, 20:42
Hi esther,
What on earth do you mean? What program do you want us to check out?

Regards,
hobgoblin

crUsAdEr
November 11th, 2002, 21:28
********************************************
Although the compiler sigs are similar to as*, it seems to be another type of encryptor.
********************************************

I can BET with you a pint of beer it IS Aspr...lol... everything else is the same as old/usual Aspr... I mean everything else ...

regards...
crUsAdEr

P.S :esther, tell me when u wanna buy me beer

P.P.S : sorry.. the file analyser identifies it as AsProtect 1.1b.. lol.. it is Dakien's fault, he taught me not to use tools...

esther
November 12th, 2002, 02:03
Hi Hobgoblin,
I'm talking about commview

crUsAdEr:

>P.S :esther, tell me when u wanna buy me beer
P.P.S.: I'm not an alcoholic, sorry, no b33r for you

>P.P.S : sorry.. the file analyser identifies it as AsProtect 1.1b.. lol.. it is Dakien's fault, he taught me not to use tools...

Blame yourself ;p

Regards

evaluator
November 12th, 2002, 10:28
esther

#DF

Tamos is in AGONY!!!
They can't use latest (betas!?) ASsPR because of
OEP-stripping ~~;0

Manko
November 13th, 2002, 12:06
Sigh! Feel stupid! Have done this already...

Link -> Thread on pstrip... (http://www.woodmann.net/forum/showthread.php?s=&threadid=4054&perpage=15&pagenumber=2)

My comment is a few posts down...

But if you don't like the link...

seg001:004C11C0 5B pop ebx
seg001:004C11C1 58 pop eax
seg001:004C11C2 8B 40 02 mov eax, [eax+2]
seg001:004C11C5 8B 00 mov eax, [eax]
seg001:004C11C7 FF 30 push dword ptr [eax]
seg001:004C11C9 8F 00 pop dword ptr [eax]
seg001:004C11CB FF E3 jmp ebx

When not run, these bytes are encoded. (Just INCed.)

The exact same code. Though MORE used this time I think.

Thanks for not messing me again FoxThree! I was being lazy! ;P

/Manko
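As an added example (not code from the thread or from Chameleon Clock/ASProtect), a small Python scanner for the stub Manko pasted above. It searches a raw dump for the 13 bytes both as listed and in their INC'd form, and can restore an encoded copy, which is what you want when the dump was taken before the protector decoded them. The stub itself pops the return address and a pointer argument, chases the pointer twice and writes the target dword back to itself before jumping back. Assumptions that are mine, not the page's: "INCed" means every byte is stored as (b + 1) mod 256, the dump is a flat byte buffer at a known base, and the sample image is constructed.

```python
from typing import List, Tuple

# The 13 bytes Manko listed at seg001:004C11C0 (the stub once decoded):
#   pop ebx / pop eax / mov eax,[eax+2] / mov eax,[eax]
#   push dword ptr [eax] / pop dword ptr [eax] / jmp ebx
STUB_PLAIN = bytes.fromhex("5B 58 8B 40 02 8B 00 FF 30 8F 00 FF E3")

# Assumption (not stated on the page): "INCed" means each byte is stored as
# (b + 1) mod 256 and the protector decrements it at run time.
INC_DELTA = 1


def inc_encode(data: bytes, delta: int = INC_DELTA) -> bytes:
    """Apply the on-disk transform: every byte incremented, 0xFF wraps to 0x00."""
    return bytes((b + delta) & 0xFF for b in data)


def inc_decode(data: bytes, delta: int = INC_DELTA) -> bytes:
    """Undo it: every byte decremented, 0x00 wraps back to 0xFF."""
    return bytes((b - delta) & 0xFF for b in data)


STUB_ENCODED = inc_encode(STUB_PLAIN)  # 5C 59 8C 41 03 8C 01 00 31 90 01 00 E4


def find_stubs(image: bytes, image_base: int = 0) -> List[Tuple[int, str]]:
    """Scan a flat dump for every copy of the stub, decoded or still INC-encoded.

    Returns (virtual address, state) pairs sorted by address. A dump taken
    before the protector ran is expected to show only "inc-encoded" hits.
    """
    hits: List[Tuple[int, str]] = []
    for pattern, state in ((STUB_PLAIN, "decoded"), (STUB_ENCODED, "inc-encoded")):
        pos = image.find(pattern)
        while pos >= 0:
            hits.append((image_base + pos, state))
            pos = image.find(pattern, pos + 1)
    return sorted(hits)


def decode_stub_in_place(image: bytearray, offset: int) -> bytes:
    """Restore one encoded stub inside a mutable dump and return the decoded bytes.

    Refuses to touch anything that does not decode to the known stub, so a
    stray match on unrelated data is never silently corrupted.
    """
    end = offset + len(STUB_PLAIN)
    decoded = inc_decode(bytes(image[offset:end]))
    if decoded != STUB_PLAIN:
        raise ValueError(f"bytes at {offset:#x} are not the INC-encoded stub")
    image[offset:end] = decoded
    return decoded


# Constructed sample dump (not real Chameleon Clock data): NOP padding, one
# encoded stub, INT3 padding, one already-decoded stub, zero padding. The base
# is chosen so the encoded copy lands at Manko's address, 0x4C11C0.
SAMPLE_BASE = 0x4C11A0
SAMPLE_IMAGE = bytearray(
    b"\x90" * 0x20 + STUB_ENCODED + b"\xCC" * 0x10 + STUB_PLAIN + b"\x00" * 8
)

if __name__ == "__main__":
    for addr, state in find_stubs(SAMPLE_IMAGE, SAMPLE_BASE):
        print(f"{addr:08X}  {state}")
    decode_stub_in_place(SAMPLE_IMAGE, 0x4C11C0 - SAMPLE_BASE)
    print("after decode:", find_stubs(SAMPLE_IMAGE, SAMPLE_BASE))
```

Run it against a real dump by reading the file into a bytearray and passing the section's virtual address as image_base; every "inc-encoded" hit is a check site that the protector would have decoded before calling, and decoding it in the dump lets you read the stub in a disassembler instead of seeing junk.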

crUsAdEr
November 13th, 2002, 14:05
Nice one Manko,

I missed that totally ... how did you find it?

Manko
November 13th, 2002, 15:44
I often have the folder of the application I'm working on open while I'm doing my thing...

I suddenly noticed how one file was growing fast when I ran the dumped exe...

It seems it handles its own exceptions and dumps info about the call stack and maybe something else (deleted it. DOH!) into a log file...

Anyway, that address range was represented often...

/Manko

crUsAdEr
November 13th, 2002, 16:27
LOL.. very nice, Manko...

lesson learnt.. READ THE LOG FILE ...

cheers
crUsAdEr

foxthree
November 13th, 2002, 17:10
Hi Manko:

You're welcome, and crus... yes, it has the same protection as PStrip. In fact, after finding it, I sent a PM to Manko *hinting* at the irony of the situation... I too found it only by taking a look at *.log and of course EliCZ's "tiny" tools

[Look for CheckAlarm handlers ]

Signed,
-- FoxThree