ASPR not full tut
LaBBa
August 1st, 2003, 10:44
hi all
i have tried again and again so many times to unpack
this new version of ASPR but no luck all the time it crashes
so i made this tut about the new aspr ..
this tut is yet not fully working so if anyone else wishes to
finish this tut and fix my errors..
evaluator
August 1st, 2003, 11:08
yei, LaBBa!
Why you wrote this TRAGEDIE-tut?
ASS just waits for this, & then he will say:
"look here, what a stangest pucker i wrote.."
Ok, I will look at this..wait..
evaluator
August 1st, 2003, 11:21
I just tried for DLD it, but it not exists!
seems, ASS sad:"why i make so bad puker, Labba very tired.."
LaBBa
August 1st, 2003, 11:22
hehe ... it's just i wrote this when i was tired..
sorry about the bad english at this stupid tut..
i think there is something wrong at my dump still haven't got it yet..
evaluator
August 1st, 2003, 11:45
no probs!
Lets wait for new release & together unpuk newest ..
LaBBa
August 1st, 2003, 11:55
have u taken a look yet at the tut ?
evaluator
August 1st, 2003, 12:04
i look only, but i not play with OLLY, so for me there is nothing

Zilot
August 2nd, 2003, 01:48
What kind of SADIST you use to be................

Bengaly
August 2nd, 2003, 06:37
lol eval, ur engl is so weird that it takes dictionary to decode it

/me meant in a good way

evaluator
August 2nd, 2003, 08:00
seriously, if you can't decode my iNgLich
just re_ask me.
Don't worry LaBBa, we will..we will..
LaBBa
August 2nd, 2003, 15:53
well all that i have found out more about the Crashes of the App
is this :
00402262 . 83C0 03 ADD EAX,3
00402265 > C1F8 02 SAR EAX,2
00402268 . 8B15 24E65600 MOV EDX,DWORD PTR DS:[56E624]
0040226E . 8B5482 F4 MOV EDX,DWORD PTR DS:[EDX+EAX*4-C]
00402272 . 85D2 TEST EDX,EDX
00402274 . 74 79 JE SHORT Dump_.004022EF
00402276 . 8BF2 MOV ESI,EDX
00402278 . 8BC6 MOV EAX,ESI
at : MOV EDX,DWORD PTR DS:[EDX+EAX*4-C]
with an error of Read Access Violation
and there are more of those
some with an Error of Write Access Violation..
at the Packed file at Olly u can see that
DWORD PTR DS:[EDX+EAX*4-C] = 00000000
and at the unpacked file u can see that :
DWORD PTR DS:[EDX+EAX*4-C] = ?????????
really weird ! all other places are like that ..
well at ASPR Stripper i saw it doing sometimes those lines at some other unpacked apps : i.e :
ApiEntry RVA :0001e984 *esp = (00a738fd, 00a63861, 0012ffe0)
ApiEntry RVA :000181dc *esp = (00a739f1, 00000010, 00000010)
ApiEntry RVA :000012cc *esp = (00a73b2f, 004012c8, 0012ffe0)
what those lines are for ??? i think this could help to solve this thing...
squidge
August 2nd, 2003, 17:23
why u double post onto exetools?
Anyway, sounds like the app is verifying registration status or something like that using structure from asprotect. Since asprotect is no more, structure is invalid, hence the read access violations.
LaBBa
August 2nd, 2003, 17:31
well i post there because some other ppl over there could help too ...
about ur answer about ASPR .. is there a way to fix that so it will work ?
Shoob
August 2nd, 2003, 19:04
Man please use
PUSH EBP
MOV EBP,ESP
ADD ESP,-10
PUSH EBX
MOV EAX, XXXXXXX
this structure thx you see oep is 5C7F40 please use it and work with real structures thx.
evaluator
August 3rd, 2003, 02:52
OK, I DLD now setup.exe size 1080445 byte.
Is it, LaBBa?
evaluator
August 3rd, 2003, 04:57
hemm!
I'm little curious.
ass_dll's code now less than previous dll(uploaded by me).
it not contains INT68 check.
Now I more debug this dll & found some crazy things,
like grand checking VMM space for service instructions
(this check is also in previous dll)...
Or ASS became crazy doing such shameless tricks,
Or this is experimental one.
So my opinion is:
Lets dedicate this strange SystemCleaner to ASS's experimental studio
& don't trush time on it.
Better find wellknown software,
which regularly uses updated ASSpr & reverse it..
later I will look more for LaBBa
evaluator
August 3rd, 2003, 14:15
yah, LaBBa, I look at it.
In DATA section(2nd) ASSpr puts pointer to ass_dll in memory.
then many times checks it.
then this pointer changes to point text "Unregistered Version"
for "About" dialog.
so you need somewhere in free space write "xregistered Version"
& correct that pointer.
LaBBa
August 3rd, 2003, 17:07
tnx evaluator ...
can u add this part of fixing to the text file ? so we could all have a nice tut about F**king ASPR ?
evaluator
August 3rd, 2003, 18:00
seems my exe is newer than you have.
redownload it. then I will upload for you my unpacked.
so you can then compare & write new tut.
LaBBa
August 4th, 2003, 06:17
that would be great !! tnx..
evaluator
August 4th, 2003, 12:51
i already done this quite time ago, check your PM.
britedream
August 5th, 2003, 11:21
Hi Labba
Please, recheck your IT, I have unpacked and it is running ,
except minor error on closing which can be corrected .
Britedream
britedream
August 5th, 2003, 12:33
Hi LaBBa !
now I have it running correctly.
LaBBa
August 5th, 2003, 16:27
well .. thats weird..
can u tell me all the info ?
RVA , IT , Size etc... ??
britedream
August 5th, 2003, 17:40
Here some of the info:
IatRVA=17221c
IATSIZE=1000
the actual size is slightly less than 1000
britedream