Artifex
March 14th, 2003, 13:04
Hi, everybody.
I worked on a program recently written and protected with aspack.
There are five sections called : aspack, aspack, .rsrc, pcompact, pcompact.
No file checker could tell me what version of aspack it is. I would like to know that. Do those names ring a bell ?
I unpacked it manually and arrived at the :
popad
jmp to Entry Point.
in Softice I did the usual :
a
jmp eip
then I dumped it with Lord PE and restored the IAT with Import Rec.
Dump worked as the packed program.
String references were very poor (only 3!). I patched a few places to disable the anti-softice and nasty nagscreens.
----------------------
Then I tried another way :
instead of dumping and IAT rebuilding, I tried to patch the packed prog. After
popad
jmp to Entry Point there was about 200 free bytes.
On the "jmp to Entry Point" line I typed :
a
mov dword ptr [0044????], 90909090
mov word ptr [0044????], 9090
....
....
....
jmp to Entry Point
g
Program worked OK.
I saved the live patch with :
/dump 0047???? c0 patch.bin
and with HexWorkShop I patched the packed program. All worked OK.
-----------------------
Then I tried to assemble the patch with TASM or MASM. And now is the question :-)
When I type in the Softice built-in assembler :
mov dword ptr [0044????], 90909090
Softice puts : c7 05 ?? ?? 44 00 90 90 90 90
that line writes an immediate value (90909090) into an immediate memory.
[0044????] doesn't mean "the value stored at memory 0044????". It means the memory itself.
When I assemble the same line with TASM or MASM they refuse ("illegal immediate"). To have the same result I must write :
mov eax, 0044????
mov dword ptr [eax], 90909090
which is longer.
Why does the SoftIce assembler accept writing 90 90 90 90 directly into dword memory 0044????, while the other assemblers don't ?
TIA
Artifex
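The two encodings compared in the post, worked through as an added example (not code from the original post): a small encoder/decoder for the 32-bit form `mov dword/word ptr [disp32], imm` that SoftIce emits as `C7 05 ...`, next to the two-instruction `mov eax, addr` / `mov dword ptr [eax], imm` form. The concrete address and immediates are constructed, since the post elides the low address bytes as `????`.

```python
import struct

# Constructed sample values (the post shows the address only as 0044????).
SAMPLE_ADDR = 0x00441234
SAMPLE_DWORD = 0x90909090
SAMPLE_WORD = 0x9090


def encode_mov_mem_imm(addr: int, imm: int, width: int) -> bytes:
    """Encode `mov {byte,word,dword} ptr [addr], imm` in 32-bit mode.

    Opcode C6 (byte) or C7 (word/dword), ModRM 05h = mod 00, reg /0,
    rm 101: in 32-bit mode that rm field means "absolute disp32, no
    base register", so the address itself is part of the instruction.
    A 66h operand-size prefix turns the dword form into the word form.
    """
    if width not in (8, 16, 32):
        raise ValueError("width must be 8, 16 or 32")
    if not (0 <= addr <= 0xFFFFFFFF and 0 <= imm < (1 << width)):
        raise ValueError("address or immediate out of range")
    prefix = b"\x66" if width == 16 else b""
    opcode = b"\xc6" if width == 8 else b"\xc7"
    disp32 = struct.pack("<I", addr)            # little-endian address
    imm_bytes = imm.to_bytes(width // 8, "little")
    return prefix + opcode + b"\x05" + disp32 + imm_bytes


def decode_mov_mem_imm(code: bytes) -> tuple[int, int, int]:
    """Inverse of encode_mov_mem_imm: returns (addr, imm, width)."""
    pos = 0
    width = 32
    if code[pos:pos + 1] == b"\x66":            # operand-size prefix
        width, pos = 16, pos + 1
    if code[pos:pos + 1] == b"\xc6":
        width = 8
    elif code[pos:pos + 1] != b"\xc7":
        raise ValueError("not a C6/C7 opcode")
    if code[pos + 1:pos + 2] != b"\x05":
        raise ValueError("ModRM is not the absolute-disp32 form")
    addr = struct.unpack_from("<I", code, pos + 2)[0]
    imm = int.from_bytes(code[pos + 6:pos + 6 + width // 8], "little")
    if len(code) != pos + 6 + width // 8:
        raise ValueError("trailing or missing bytes")
    return addr, imm, width


def encode_via_eax(addr: int, imm: int) -> bytes:
    """The longer two-instruction form: mov eax, addr (B8 imm32)
    followed by mov dword ptr [eax], imm (C7 00 imm32)."""
    return b"\xb8" + struct.pack("<I", addr) + b"\xc7\x00" + struct.pack("<I", imm)
```

The direct form is 10 bytes for a dword store and the register-indirect form is 11, which is the size difference the post notices; the decoder round-trips both dword and word stores.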