New ASPR Anti Si and IceDump


LaBBa
June 8th, 2003, 03:15
hi all ...


no tut this time (yet...) but just an update about the new
aspr that i saw..

SystemCleaner.com

so far i have seen it detect OllyDbg and Si, and on my win98.fe it crashes
when running IceDump, and on winXP pro with Si 2.7 with NtIceDump it detects it too...
AsprStripper v2.01 can't unpack it ..

Real Good Work....(almost)

well it didn't detect just 1 thing though...
TRW2000, my favorite Win9x debugger tool

well .. when i finish seeing all the new features i hope that i will
have time to write a tut about it...

pLayAr
June 8th, 2003, 04:01
i need help with the new aspr too, i watched CreateFile, OpenService, int 3, int 41, int 68, UnhandledExceptionFilter, but it still detects my SoftIce, i use softice on win2000 server

is there any other method to detect si? i'm puzzled

Viper Zx
June 8th, 2003, 05:00
http://www.woodmann.net/forum/showthread.php?s=&threadid=4031
AND
http://www.woodmann.net/forum/showthread.php?s=&threadid=4419


Bye

Viper Zx

Shoob
June 8th, 2003, 06:20
Think it's only this IsDebuggerPresent thing, or more?

Disable all breaking on new.. bla and set it to System Breakpoint. Works well.

First access on data at 407278 jumps to a dword from 56F32C, then at 16A1528 it returns to the main code (40734D) -> retn -> call 5608F0, which looks like the OEP. Will look at it again after work.

nothing new so...

LaBBa
June 8th, 2003, 16:56
hmmm well on win98 i couldn't find a solution for

why my win crashes when IceDump is loaded and i run the packed file

why i can't set a bp on IsDebuggerPresent in OllyDbg ...
(could be just me....)

squidge
June 8th, 2003, 17:38
ALT+F1 in Ollydbg, type "bp IsDebuggerPresent" and the breakpoint is set.

LaBBa
June 8th, 2003, 19:01
man i know that ... but as i said: i can't set the bp

it gives me a msgbox that says: "Unable to Set BreakPoint"

so.... any suggestions ?

and BTW... i wanted to use the Gr8 tool called IcePatch
i think it can bypass any AntiSoftIce Shit...

but i don't have any idea about how to configure it...

so if anyone who knows how to use this will tell me what to write in each text box,
it will be a real help
(just to make sure that i won't do stupid things)
TNX

PS...
did anyone find out how to make it so that when IceDump is loaded it won't crash the computer ?

Ricardo Narvaja
June 9th, 2003, 04:19
In OLLY on XP you can put a BPX on APIs; on 98, if Olly doesn't find IsDebuggerPresent in Imported Functions you can put a BPX on a reference, but there is no reference. For these cases use Olly on XP, where you can put BPXs on APIs directly and easily.

Ricardo

hobferret
June 9th, 2003, 10:29
LaBBa

Do as Ricardo suggests - but you can set breakpoints on ME & 98 if you use BPX IsDebuggerPresent; the thing you can't do is step into the function - it does, however, work much better on XP

/hobferret

Shoob
June 9th, 2003, 12:41
use 2k and kick XP nuts please

LaBBa
June 9th, 2003, 14:28
well i didn't have time yet to check on winXP but i can tell u this

if i do bpx IsDebuggerPresent on win98
it sets all the bpx
BUT !
when i run the packed prog (ie F9/Shift+F9)
it doesn't break

BTW.. still no one knows why the packed app crashes windows
if IceDump is loaded ?
and if u do know plz share the information about how to fix it...

TNX

Ricardo Narvaja
June 9th, 2003, 14:39
This isn't a competition XP versus 2000, but for OLLY XP is better. Is there a thing you can do in 2K that is not possible in XP? NO.
Is there a thing you can do in XP and not in 2K? YES. Read the tuts on Armadillo in OLLYDBG and look: in XP you can detach the child process, and this detached process continues working; in 2K this is not possible, this feature is only included in XP.

And if you don't have this feature you cannot unpack Armadillo with copymem2 in OllyDbg.

Ricardo

hobferret
June 9th, 2003, 15:51
LaBBa

You are getting me confused: you talk about aspr and you use TRW and you say you don't have a problem.

So why all the talk about olly??

If you intend to go with olly then you really need xp!

However, if you can't set IsDebuggerPresent, or it won't stop, try using the kernel address instead - i.e. BPX XXXXXXXX, whatever it is on 98!

/hobferret

sv
June 10th, 2003, 02:24
Hi all

Anyone have comments about this new version ?

Is there stolen code ?
Where is it ?
Entry point just before the (first ?) API ?
What does this new obfuscated code do ?
Stack and some registers at entry point ?

Regards

SV

sha_k
June 10th, 2003, 04:00
Quote:
Originally posted by squidge
ALT+F1 in Ollydbg, type "bp IsDebuggerPresent" and the breakpoint is set.


Sorry for the dumb question, but why is this shortcut not working for me? I have OllyDbg 1.09b. I'd really like to be able to set BPs this way (cmd line style). Am I missing some kind of special configuration or plugin?

Ricardo Narvaja
June 10th, 2003, 04:08
Download the commandbar plugin and the box for writing commands is always visible.

hxxp://dd.x-eye.net/ollyplugin.html

It is only easier to write, but the impossibility of putting a bpx directly on the APIs in W98 is the same, with or without cmdbar.

If you do all cracks with OLLYDBG like I did and forget SICE, change to XP; OLLY is better and you can put a BPX on APIs directly.

Ricardo

sha_k
June 10th, 2003, 04:19
Thank you for the quick answer. Looks like a handy tool for quick manipulation

Yes I'm using XP already, coz I can't really use Win9x for my job.

Thanks again


EDIT: Woot! I confirm this is SO cool

evaluator
June 10th, 2003, 10:50
blah, here is a dump of this new asp.dll..

& it now contains many known tricks for detecting debuggers..
for example:

1. at offset 00412122h I see 90% exact INT01 checking code,
as in Daemon's written example..

2. at offset 00411FF4h is the SICE, NTICE, SIWVID check by CreateFileA

3. at offset 00412078h resides the INT68 check &
IDT check for the distance between the INT01-INT03 handlers,
1Eh distance means: SICE is here.. eh?


4. at offset 00412314h NtQuerySystemInformation..

so on..

Great findings, author.. do you plan to obtain a US Patent for these tricks so they will no more be stolen..

***
BTW, what is SRV.SYS (this name is in the DLL)?
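
As an added example (not code from this thread or from ASProtect), a small Python scanner for the anti-SoftICE patterns listed above: the SICE/NTICE/SIWVID device names a CreateFileA check opens, the SIDT instruction behind the IDT-distance check, INT 68h and INT 01h, plus the INT01/INT03 handler-distance test (1Eh) run over a constructed IDT image. The dump fragment and the IDT are constructed here for the example.

```python
import re
import struct

# Constructed dump fragment (not from any real binary): the three SoftICE
# device names, an SIDT (0F 01 /1), an INT 68h and an INT 01h amid NOPs.
SAMPLE = (
    b"\x90" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00\\\\.\\SIWVID\x00"
    + b"\x90" * 4 + b"\x0f\x01\x4d\xf8"   # sidt [ebp-8]
    + b"\x90" * 4 + b"\xcd\x68"           # int 68h
    + b"\x90" * 4 + b"\xcd\x01"           # int 01h
)

# Byte patterns for the tricks; hits are reported with their file offset.
PATTERNS = {
    "softice_device_name": re.compile(rb"\\\\\.\\(?:SICE|NTICE|SIWVID)\x00"),
    # 0F 01 /1: ModRM reg field 001; mod 11 is not valid for SIDT
    "sidt": re.compile(rb"\x0f\x01[\x08-\x0f\x48-\x4f\x88-\x8f]"),
    "int_68h": re.compile(rb"\xcd\x68"),
    "int_01h": re.compile(rb"\xcd\x01"),
}


def scan(data: bytes) -> dict:
    """Return {pattern name: [offsets]} for every known anti-SoftICE pattern."""
    return {n: [m.start() for m in rx.finditer(data)] for n, rx in PATTERNS.items()}


def idt_handler(idt: bytes, vector: int) -> int:
    """Linear handler address from an 8-byte 32-bit interrupt gate."""
    lo, _sel, _attr, hi = struct.unpack_from("<HHHH", idt, vector * 8)
    return (hi << 16) | lo


def softice_idt_distance(idt: bytes) -> bool:
    """The INT01/INT03 test: SoftICE's INT3 handler sits 1Eh bytes after INT1's."""
    return (idt_handler(idt, 3) - idt_handler(idt, 1)) & 0xFFFFFFFF == 0x1E


def make_idt(handlers: dict) -> bytes:
    """Constructed 32-bit IDT image with {vector: handler address} gates."""
    entries = bytearray(256 * 8)
    for vec, addr in handlers.items():
        struct.pack_into("<HHHH", entries, vec * 8, addr & 0xFFFF, 0x08, 0x8E00, addr >> 16)
    return bytes(entries)


if __name__ == "__main__":
    print(scan(SAMPLE))
    print(softice_idt_distance(make_idt({1: 0xC0001000, 3: 0xC000101E})))
```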

GlObAl
June 11th, 2003, 09:58
thank you evaluator,

good work.
I am not sure but i think he uses SRV.SYS to lock the ctrl+d button like the example from

hXXp://spiff.tripnet.se/~iczelion/files/killsice.zip

if you replace the 90h, 90h -> 0e4h,060h softice will pop up again.
it seems that Alexy uses a lot of tricks by other authors without greetings
anyway he does good work and he knows how to steal things

LaBBa
June 11th, 2003, 13:23
nice job !!!

evaluator
June 11th, 2003, 13:39
Global, you kill me..

As I understand from your words, aspr now contains a SYS driver??

I went crazy & expressly debugged this exe under XP &
no driver burned..
uh..

Did you joke or what happened!?

BTW, what is nice job??

JMI
June 11th, 2003, 13:54
Hi Eval:

"nice job" means the same as "good work."

Regards.

evaluator
June 12th, 2003, 01:36
JMI,
bleh!
I know thet eNglich..
I not see something Gr8 in dumping some memory..
Do you also think, that is Gr8?

JMI
June 12th, 2003, 02:30
Not necessarily. But I think YOU are great.

When are you going to send us some Music?

Regards.

evaluator
June 12th, 2003, 12:41
iLLegal mp3 request!??

hey-hey, JMI!

what exact you need-love?

JMI
June 12th, 2003, 13:09
Love is all we need.

But if you were serious, I was speaking of something you might have written.

Regards.

evaluator
June 12th, 2003, 13:12
my writing is modern_classic, dissonances etc.

so you mostly not need it

Iwarez
June 12th, 2003, 16:21
I have a question about the new "stolen bytes" technique this Asprotect uses. It seems to run a lot of obfuscated code before the OEP. I traced this stuff but got lost recovering the stolen bytes this way. I tracked the stolen bytes by looking at another Delphi program and a little guessing. Does anyone have a better idea to recover the stolen bytes?

What I also found strange was that asprotect seemed to have executed a lot of instructions already while the EIP had never been there. When asprotect hands over execution to the main program it just jumps into a call that has not been executed.

I wonder if asprotect actually executes the original functions or emulates them.

Any insight into this would help me much. The obfuscation code seems to be hot these days and I want to be prepared

crUsAdEr
June 16th, 2003, 16:39
wow.. did i hear new aspr ?
or am i dreaming? where where is the new beast?

JMI
June 16th, 2003, 18:13
Identification of the beast is in the first post. It was hidden in plain sight to confuse those in a hurry or who might have dropped in at the tail end of the discussion. Hopefully Alex isn't reading this. I'm sure he missed it the first time through.

Regards.

crUsAdEr
June 16th, 2003, 18:46
yep.. thanx JMI... pardon my quick joy of hastily posting just for the heck of it.. haven't touched sice for a while and here come new arma and aspr i heard .. time to dig into codewood again..
so many new packers seem to surface as well ?
like woodmann said.. now packing is the most common practice then!