View Full Version : Aspr IAT Cleaner


Zilot
February 8th, 2003, 10:10
Hi to all !!


Before I posted this thread I was wondering whether to do it here or not.
But this is the place where all the big stuff about Aspr happens, so I decided to do it.
The attachment is a little tool I made recently (100% ASM). It tries to clean the Aspr IAT, so that afterwards just several unresolved APIs will remain, and they will be easily resolved with the usual plug-ins we used in the good old times before there was a lot of garbage in the IAT space. There are several pieces of garbage in the IAT space; they must be cut in ImpRec with the option "Cut Thunks".

Because of its size (it is like a plug-in) I hope that the administrator will not complain.
This was tested under Win2k, and worked fine with several Aspred programs.

regards Soldat

Zilot
February 8th, 2003, 11:13
In the meantime I realized that there can be problems with the first attached version, so I changed something, and here is an improved one. That doesn't mean that the first one has a bug.

So, instructions:

1) Try with the first one; if it doesn't do it,
2) Try with the second, it will do

There is a little difference between version v 1.0 and this v1.0 b

Soldat

Zilot
February 9th, 2003, 07:47
I realized another mistake. Nothing is changed in the code, but in the work direction. Both of the exes from the previous attachments are now in this one.
Sorry for this, and any comment about "Cleaner" is welcome.


Soldat

Manko
February 9th, 2003, 10:54
I have quickly tried your little app and it's always nice to see people coding. (I ought to get started one of these days myself, but... :P)

Anyway. Haven't traced or disassembled it yet, but...

1. I'd much rather see it as a plugin, since 2 apps is more pain...
2. I'd like if it zeroed out the invalid-address trash you see sometimes...
3. It should be able to do ALL API-tricks we know of. (Existing plugins do...(If you combine them...))

I'd like this plugin to do it like,
1. Find boundaries, zero out trash.
2. Give back command to imprec and put up a message about the boundaries. Both at the same time. Or even better; just fill in the right values... ;P
3. On the second run, resolve ALL apis!

I suspect though, that your app might have some nice things I should look closer at.
Might be that whatever you do (spy on api-mangling?) to get the boundaries is a big reason why a loaderapp is better. Maybe just make your app load imprec with the right values... ;P
Hehe...

Thought someone ought to post SOME comments!
Looking forward to comments on my comments...

/Manko

Manko
February 10th, 2003, 05:44
I just quickly tried to have a look at this one, and it seems you have it protected...

Wonder what secrets it might contain?
Nahh... Guess you wanted it smaller too.

Don't know what you have it protected with though...

/Manko

neviens
February 10th, 2003, 11:27
Protection seems to be ExeStealth, had a phun with this baby, unpacking Morhuhn 3 some time ago. BTW there was a funny bug in code. String in Meltice detection was terminated with o and not zero.
I hate the programs that refuse to run under Sice, or even worse reboot the puter, with loaded Icedump. Therefore most of such proggies become stripped from offending code usually.
Neviens.

Zilot
February 11th, 2003, 04:26
Quote:
Originally posted by neviens

I hate the programs that refuse to run under Sice, or even worse reboot the puter, with loaded Icedump.

I hate them too. My intention was something else (included), but this was an appendix I couldn't avoid.

Soldat