ASProtect 1.23 RC4 (again) - Stolen bytes


Strangerke
May 5th, 2004, 09:41
Hi,

I've been busy on a tool packed with ASProtect 1.23 RC4 for DAYS, and I have read a lot of tutorials just to be sure I wasn't doing stupid things.

Well, I think that what is still missing is the stolen bytes and obviously the final OEP modification (I've already set it to a temporary value I got by using tc eip<900000).

I'm sure there are stolen bytes because in the trace run I can see
REP STOSB
POPFD
POPAD
RETN

I then tried to use LaBBa's trick (searching for a "push ebx push esi push edi" block) but found nothing useful.
And when I take a look at the bytes before the OEP, I can find 46 (!!!) stolen bytes.

My question is the following:
Has someone already seen this kind of enormous amount of stolen bytes?

By the way, I identified the ASProtect version by using PEiD. Is there another way to do so? (Manually if possible)

Thanks in advance for your precious help...

Scarabee
May 6th, 2004, 02:39
Well, as we don't know what target you are working on, it is rather hard to determine your stolen bytes.
However, I ran into an application once which also contained a great deal of stolen bytes. The pattern looked like this:

PUSH EBP
MOV EBP,ESP
PUSH -1
PUSH DVDIdleP.00****** <-- Needs updating
PUSH DVDIdleP.00****** <-- Needs updating
MOV EAX,DWORD PTR FS:[0]
PUSH EAX
MOV DWORD PTR FS:[0],ESP
SUB ESP,68
PUSH EBX
PUSH ESI
PUSH EDI
MOV DWORD PTR SS:[EBP-18],ESP
XOR EBX,EBX
MOV DWORD PTR SS:[EBP-4],EBX
PUSH 2

This might be of use to you !?

/Scarabee
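To make the prologue Scarabee lists searchable in a dump, here is an added Python scanner (not code from the thread): it transcribes the listing to x86 opcodes, treats the two operands marked "Needs updating" as wildcards, reports the pattern's length in bytes, and scans a constructed dump. The filler bytes, the made-up addresses and the sample dumps are assumptions for the demo.

```python
import re

# Scarabee's prologue transcribed to x86 opcodes. None marks a wildcard byte:
# the two PUSH operands are the addresses OllyDbg showed as 00****** and differ
# per target, so the scanner must not depend on them.
PROLOGUE = [
    ("PUSH EBP",                      [0x55]),
    ("MOV EBP,ESP",                   [0x8B, 0xEC]),
    ("PUSH -1",                       [0x6A, 0xFF]),
    ("PUSH <addr, needs updating>",   [0x68, None, None, None, None]),
    ("PUSH <addr, needs updating>",   [0x68, None, None, None, None]),
    ("MOV EAX,DWORD PTR FS:[0]",      [0x64, 0xA1, 0, 0, 0, 0]),
    ("PUSH EAX",                      [0x50]),
    ("MOV DWORD PTR FS:[0],ESP",      [0x64, 0x89, 0x25, 0, 0, 0, 0]),
    ("SUB ESP,68",                    [0x83, 0xEC, 0x68]),
    ("PUSH EBX",                      [0x53]),
    ("PUSH ESI",                      [0x56]),
    ("PUSH EDI",                      [0x57]),
    ("MOV DWORD PTR SS:[EBP-18],ESP", [0x89, 0x65, 0xE8]),
    ("XOR EBX,EBX",                   [0x33, 0xDB]),
    ("MOV DWORD PTR SS:[EBP-4],EBX",  [0x89, 0x5D, 0xFC]),
    ("PUSH 2",                        [0x6A, 0x02]),
]

def prologue_length(instrs=PROLOGUE):
    """Bytes the listed prologue occupies, i.e. how much must be restored."""
    return sum(len(code) for _, code in instrs)

def prologue_regex(instrs=PROLOGUE):
    """Bytes regex: fixed opcodes escaped, wildcard bytes become '.'."""
    parts = [b"." if b is None else re.escape(bytes([b]))
             for _, code in instrs for b in code]
    return re.compile(b"".join(parts), re.DOTALL)

def find_prologue(dump, instrs=PROLOGUE):
    """Offsets in dump where the (sub)pattern matches; [] if it was wiped.
    Pass PROLOGUE[9:12] to search only for PUSH EBX / PUSH ESI / PUSH EDI."""
    return [m.start() for m in prologue_regex(instrs).finditer(dump)]

# Constructed dumps (assumed, not from any real target): one with the prologue
# intact and made-up 0x41414141 addresses, one where the protector's REP STOSB
# has already zeroed it, which is why the PUSH EBX/ESI/EDI search finds nothing.
INTACT = (b"\x90" * 16
          + bytes(0x41 if b is None else b for _, c in PROLOGUE for b in c)
          + b"\xCC" * 8)
WIPED = b"\x90" * 16 + b"\x00" * prologue_length() + b"\xCC" * 8
```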

Scarabee
May 6th, 2004, 02:54
btw, read all about this subject here:

h**p://www.exetools.com/forum/showthread.php?t=3720&highlight=stolen+bytes

That's where I found out about that amount of stolen bytes, too, back then. Very useful!

Radier
May 6th, 2004, 05:26
Try this tute:
h**p://www.exetools.com/forum/attachment.php?attachmentid=1199

It may help.

Best Wishes

R@dier

Strangerke
May 6th, 2004, 06:25
Well, in fact the problem is that I cannot find any reference to
PUSH EBX
PUSH ESI
PUSH EDI

Therefore, I have problems finding the stolen bytes.

I just added the initialization of EAX and a standard header, and I can continue the job, but it's far from perfect (I don't like to make approximations, even if in this case it works).

In order to find the stolen bytes, I thought I could also set a trace condition on
REP STOS BYTE PTR ES:[EDI]
as it's the operation that erases the stolen bytes.

It doesn't seem to work... (nor does tracing with an address condition, by the way: e.g. 'TC EIP = A57946' has no useful effect). Is it related to the version of OllyDbg I'm using? (1.10c)

By the way, exetools doesn't accept new members nowadays, and I'm not registered... I therefore do not have access to the forums...

Strangerke

Radier
May 6th, 2004, 07:13
Strangerke
Give me an email addy or
PM me at the W**dmann's board
and I will send it to you.

R@dier