Manko
April 23rd, 2003, 05:00
Hi!
Back when everybody started making debuggers of all kinds, pretty recently, I decided it was time to start programming on the PC, and asm was the natural choice, since I have my nose down in it as soon as I have time...
I decided to release my small proggy with commented source, so some of you will have a chance to learn, or improve the proggy...
Actually you can do whatever you wish with it.
It's not so nicely coded, since this is my first app, and commenting source was a pain, though I'm glad someone persuaded me to do it... Besides, how could I release source otherwise?
I hope this will be interesting to both RCE and Alexey, since I think it's time for him to know some of the tricks we use... Though these are far from all, I still look forward to getting some new code in aspr to play with.
I suspect though, we'll only see changes to signatures, - if anything -, not true innovations...
When you have tested my app, you will realise it'll work perfectly with sice and other apps. Actually I hope you will do it that way, since I don't handle dips or stolen bytes, in any way... It was never my intention to do everything, since I like to have my hands in the code. (Though this could easily be converted into a simple unpacker...)
(Besides, dips can never be handled ok, in an unpacker, since it is custom code by author, though most are lazy and use Alexey's old example code, or whatever... I'm guessing his new advice is far better, but not used by stupid authors...)
(Anyway it's the encryption of crucial code, that is what they should use... but don't...)
I suggest to anyone interested in building any debugging apps to visit [Yates] and Iczelion's pages as they have some pretty good stuff on these and other things...
Snipped from the presentation in my source...
Code:
; It's just a small proggy to mainly show some important info for un-
; packing asprotect_ed apps. It will of course do some other minor tasks...
;
; Features:
;
; 1. Put EAX=12121212h in place after GetSystemTime to stop pre-OEP-
; code from moving with every execution... Also same for IAT. (Rare)
;
; 2. It will show IATstart, end, length and ask to clean out some
; redirection, resolve emulated APIs and remove trashbytes, sometimes
; put between real IATentries.
; It will not yet resolve DialogBoxParamA + that visual-basic API...
;
; 3. It will show Dip-Table, pause and let you erase entries if wanted,
; making aspr-code skip those dips... Remember (!), some entries
; in the Dip-table are just "dip-data", not actual dips...
;
; 4. It will singlestep to oep and record occurrence of some signatures
; such as stolenbyteserase, oepjumpsetup and stolenbytes(sometimes).
; It will of course pause at all these and at OEP, where it also will
; show last address executed before reaching OEP.
;
; 5. Show any access violation exceptions caused by the debuggee after
; OEP... My thinking is, we might catch some tricks testing if API's
; are writeable.
;
; 6. Now if debugged prog is not aspred but dynamically loads dll that is,
; my proggy manages this as well.
edit:
!!! Look for updated version further down! !!!
(This was downloaded 162 time(s).)
edit:
Just go to this stupid page, to download...
http://www.kommunicera.umea.se/hemma/mawiklund/
/Manko