Quick ASProtect question


squidge
February 18th, 2003, 17:05
When an ASProtect protected application is loaded by the ASProtect loader, the application protected with it is called once before the OEP. What is this called in ASProtect-speak?

As in, it calls some routine in the app, and then calls the OEP after returning back to ASProtect code.

This seems to be setting some flags in the main protected program, so I was just wondering what option(s) in ASProtect caused this to happen? Don't see anything in the current ASProtect docs.

nikolatesla20
February 18th, 2003, 17:23
Most people on the board call this a double dip, which I think is stupid. (Where is the double anyway?)

In the Asprotect manual, look under the sections about using exported functions in your protected program. It says that asprotect will delete the export table entries after it's wrapped your program. It keeps the offsets of the functions to call though. It's in the manual, trust me - there really isn't a "setting" in asprotect to do this; it basically looks for predefined names of exported functions in your program and if it finds them it uses them. (Such as GetNumberOfDays, etc.)


-nt20

squidge
February 18th, 2003, 17:42
Right, will look into that in more detail. Thanks for the info.

foxthree
March 10th, 2003, 19:03
Hiya Folks:

Long time since I posted. Nice to see some newcomers tackling ASPR enthusiastically... Tesla, I think the term D-D was coined initially by +Splaj. Why do you think it is stupid? The first dip is when it sets the flags and the second is when ASPR starts executing your code (final unwrapping...).

I thought it was a precise yet funny naming...

Greetz to all
-- FoxThree

Solomon
March 13th, 2003, 08:16
wb fox3

BTW, I found something interesting in ReGet Pro (not Deluxe), which will help us to understand the random-zip-file-destroy trick of ReGet Deluxe. Obviously these are for the Deluxe version, but they are left in the Pro version. Stupid author?

Code:

* Referenced by a CALL at Address:
|:00414BE0
|
:004645D6 33C0 xor eax, eax
:004645D8 3905CCDD4D00 cmp dword ptr [004DDDCC], eax
:004645DE 740D je 004645ED

* Reference To: KERNEL32.GetTickCount, Ord:01BEh
|
:004645E0 FF1540234A00 Call dword ptr [004A2340]
:004645E6 2403 and al, 03
:004645E8 F6D8 neg al
:004645EA 1BC0 sbb eax, eax
:004645EC 40 inc eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004645DE(C)
|
:004645ED C3 ret

Exported fn(): ?GetDecryptProc@@YAXP6GXXZ@Z - Ord:0001h
:004645EE 8B442404 mov eax, dword ptr [esp+04]
:004645F2 A3D8DD4D00 mov dword ptr [004DDDD8], eax
:004645F7 C3 ret
Exported fn(): ?GetEncryptProc@@YAXP6GXXZ@Z - Ord:0002h
:004645F8 8B442404 mov eax, dword ptr [esp+04]
:004645FC A3DCDD4D00 mov dword ptr [004DDDDC], eax
:00464601 C3 ret
Exported fn(): ?SetDecryptionKey@@YAXP6GXPADK@Z@Z - Ord:0003h
:00464602 8B442404 mov eax, dword ptr [esp+04]
:00464606 A3E0DD4D00 mov dword ptr [004DDDE0], eax
:0046460B C3 ret

foxthree
March 13th, 2003, 13:28
Hiya Solomon...

Howz it going? I see that you're still as much obsessed with ReGet as you were before. Give the guy a break. Anywayz, nice to see some old faces around... BTW, did you check out the latest CV?

-- FoxThree

crUsAdEr
March 13th, 2003, 16:00
LOL... fox3...
Quote:
Howz it going? I see that you're still as much obsessed with ReGet as you were before. Give the guy a break. Anywayz, nice to see some old faces around... BTW, did you check out the latest CV?


And who is the guy obsessed with Commview?

Solomon, can you fill me in on what that code above does?

foxthree
March 13th, 2003, 16:15
Guilty as charged, crusader

-- FoxThree

Solomon
March 13th, 2003, 20:41
hey crusader,

We all know that the above exported functions are to be used by ASPR and will be deleted by ASPR if packed. At 004645D8 ReGet checks the address of the Encrypt Proc, which is set by ASPR. If it's not NULL, ReGet knows it may be unpacked, so it will use GetTickCount as a random scheme to destroy zip/exe files. If the procedure at 004645D6 always returns 1, every downloaded zip file will be destroyed, even in the Pro version (Pro is not packed). This GetTickCount trick was discovered a long time ago, but I just couldn't understand the meaning of 004DDDCC. Now it's clear.

fox3: what are your new findings on CV?
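An added example in C, not from this thread and not ReGet's or ASProtect's own code, modelling the two halves of what Solomon describes: the exported callbacks that just store loader-supplied pointers, a hypothetical loader-side "first dip" that calls any export whose name matches a predefined list, and a direct translation of the tick-count routine at 004645D6. The export-table struct, the name list and dummy_proc are assumptions; the globals mirror the stores to 004DDDD8/004DDDDC/004DDDE0 and the flag at 004DDDCC in the listing.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef void (*proc_t)(void);

/* Globals written by the exported functions, modelled after the stores to
 * 004DDDD8 / 004DDDDC / 004DDDE0 in the listing above. */
static proc_t g_decrypt_proc = NULL;
static proc_t g_encrypt_proc = NULL;
static proc_t g_set_key_proc = NULL;

/* The exported callbacks: each only stores the pointer the loader passes. */
void GetDecryptProc(proc_t p)   { g_decrypt_proc = p; }
void GetEncryptProc(proc_t p)   { g_encrypt_proc = p; }
void SetDecryptionKey(proc_t p) { g_set_key_proc = p; }

/* Hypothetical export table of the protected program, as the loader sees it. */
struct export_entry { const char *name; void (*fn)(proc_t); };
static const struct export_entry exports[] = {
    { "GetDecryptProc",   GetDecryptProc   },
    { "GetEncryptProc",   GetEncryptProc   },
    { "SetDecryptionKey", SetDecryptionKey },
};

static void dummy_proc(void) {}   /* stand-in for the loader's real routine */

/* Model of the "first dip": the loader scans the program's exports for
 * predefined names and calls every match before the OEP runs.
 * Returns how many callbacks were found and invoked. */
int loader_first_dip(const char *const *wanted, size_t n) {
    int called = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < sizeof exports / sizeof exports[0]; j++)
            if (strcmp(wanted[i], exports[j].name) == 0) {
                exports[j].fn(dummy_proc);
                called++;
            }
    return called;
}

int encrypt_proc_is_set(void) { return g_encrypt_proc != NULL; }

/* C translation of the routine at 004645D6. Returns 0 while the flag dword
 * (004DDDCC in the listing) is zero; otherwise 1 for exactly one in four
 * tick-count values, since neg/sbb/inc yields 1 only when (al & 3) == 0. */
int destroy_check(uint32_t flag, uint32_t tick_count) {
    if (flag == 0) return 0;
    return (tick_count & 3) == 0 ? 1 : 0;
}
```

With the flag set, the check fires on one call in four, which is why the corruption looked random rather than deterministic.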