0rp
July 14th, 2004, 18:38
readme content:
1. New EntryPoint Protection
This improved option now uses advanced technique for changing the
part of application and placing it to the envelope's code. Original
code content is changing through emulation and polymorphic replacement.
Since this version EntryPoint protection uses a Virtual Machine, which
makes the removal or recovering of original code practically impossible.
<---- P-CODE ?
2. Emulate Standard system functions. One more good option against manual
unpacking - ASProtect just removes some common functions from protected
application and executes them in the envelope code.
You can change this option via the Option Tab ("Emulate Standard
system functions" option).
3. New ASProtect polymorphic markers (for EXE files only !)
By using these marks you could protect any code inside your application.
In order to use new marks, you need to insert one mark instance at any
place of the code inside function you would like to protect.
and a simple function
before protecting:
Code:
00401F44 $ 68 981F4000 push test.00401F98
00401F49 . 64:A1 0000000>mov eax, dword ptr fs:[0]
00401F4F . 50 push eax
00401F50 . 8B4424 10 mov eax, dword ptr ss:[esp+10]
00401F54 . 896C24 10 mov dword ptr ss:[esp+10], ebp
00401F58 . 8D6C24 10 lea ebp, dword ptr ss:[esp+10]
00401F5C . 2BE0 sub esp, eax
00401F5E . 53 push ebx
00401F5F . 56 push esi
00401F60 . 57 push edi
00401F61 . 8B45 F8 mov eax, dword ptr ss:[ebp-8]
00401F64 . 8965 E8 mov dword ptr ss:[ebp-18], esp
00401F67 . 50 push eax
00401F68 . 8B45 FC mov eax, dword ptr ss:[ebp-4]
00401F6B . C745 FC FFFFF>mov dword ptr ss:[ebp-4], -1
00401F72 . 8945 F8 mov dword ptr ss:[ebp-8], eax
00401F75 . 8D45 F0 lea eax, dword ptr ss:[ebp-10]
00401F78 . 64:A3 0000000>mov dword ptr fs:[0], eax
00401F7E . C3 retn
and after protection:
Code:
00401F44 $- E9 A13D4F00 jmp 008F5CEA
CRAP
00401F7E 4D db 4D
jumptarget:
Code:
008F5CEA 68 64BC735E push 5E73BC64
008F5CEF 66:9C pushfw
008F5CF1 57 push edi
008F5CF2 8D7C4B 78 lea edi, dword ptr ds:[ebx+ecx*2+78]
008F5CF6 8D7C37 88 lea edi, dword ptr ds:[edi+esi-78]
008F5CFA 2BFE sub edi, esi
008F5CFC EB 01 jmp short 008F5CFF
008F5CFE F3: prefix rep: ; Superfluous prefix
008F5CFF 8D7C51 2B lea edi, dword ptr ds:[ecx+edx*2+2B]
008F5D03 8D7C0F D5 lea edi, dword ptr ds:[edi+ecx-2B]
008F5D07 2BF9 sub edi, ecx
008F5D09 F3: prefix rep: ; Superfluous prefix
008F5D0A EB 02 jmp short 008F5D0E
008F5D0C CD 20 int 20
008F5D0E 13FE adc edi, esi
008F5D10 8D7C0C 3B lea edi, dword ptr ss:[esp+ecx+3B]
008F5D14 2BF9 sub edi, ecx
008F5D16 8D7C37 C5 lea edi, dword ptr ds:[edi+esi-3B]
008F5D1A 2BFE sub edi, esi
008F5D1C 8D7F 06 lea edi, dword ptr ds:[edi+6]
008F5D1F 68 BED4ACD1 push D1ACD4BE
is this still dumpable?
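Added example (not part of the original post, and not ASProtect or OllyDbg code): a short Python check over lines copied from the listings above. It recomputes each jump target from the opcode bytes and reports the bytes that each short jump steps over, which are the bytes the disassembler rendered as `prefix rep:` and `int 20`. The function names and the listing parser are assumptions of this example.

```python
import re

HEX = re.compile(r"^[0-9A-F:]+$")  # OllyDbg prints opcode bytes in upper case

# Constructed sample: the jump lines and their neighbours, copied from the post.
LISTING = """\
00401F44 $- E9 A13D4F00 jmp 008F5CEA
008F5CFC EB 01 jmp short 008F5CFF
008F5CFE F3: prefix rep: ; Superfluous prefix
008F5CFF 8D7C51 2B lea edi, dword ptr ds:[ecx+edx*2+2B]
008F5D0A EB 02 jmp short 008F5D0E
008F5D0C CD 20 int 20
008F5D0E 13FE adc edi, esi
"""

def parse(listing):
    """Return {address: opcode bytes} for every line of the listing."""
    rows = {}
    for line in listing.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        raw = ""
        for tok in tokens[1:]:
            if tok in ("$", ".", "$-", ">"):   # analysis markers, not bytes
                continue
            if not HEX.match(tok):             # first lower-case token = mnemonic
                break
            raw += tok.replace(":", "")
        rows[int(tokens[0], 16)] = bytes.fromhex(raw)
    return rows

def branches(rows):
    """Decode E9 rel32 / EB rel8 jumps as (address, target, skipped bytes)."""
    out = []
    for addr, raw in sorted(rows.items()):
        if not ((len(raw) == 5 and raw[0] == 0xE9) or (len(raw) == 2 and raw[0] == 0xEB)):
            continue
        nxt = addr + len(raw)                  # displacement is relative to the next instruction
        target = nxt + int.from_bytes(raw[1:], "little", signed=True)
        skipped = b""
        if raw[0] == 0xEB:                     # listed bytes a short jump steps over
            skipped = b"".join(rows[a] for a in sorted(rows) if nxt <= a < target)
        out.append((addr, target, skipped))
    return out

if __name__ == "__main__":
    for addr, target, skipped in branches(parse(LISTING)):
        print(f"{addr:08X} -> {target:08X}  skipped: {skipped.hex(' ') or '-'}")
```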