nProtect modded asprotect 1.23 rc4


b41ulu
07-20-2009, 11:35 PM
Ok, before I get flamed about not using the search tool: I have, and I've read the tutorials on Asprotect. I've also read countless others out on other sites, yet I still can't seem to find any clues for repairing my IAT.

The target is SFrame.exe
http://rapidshare.com/files/258187320/SFrame_old.exe.html

I've successfully dumped the program, but the IAT repair isn't going well. About 90% of the thunks seem to be taken care of with ImpRec's "Trace Level 1 (Disasm)" feature, but the other ~10% remain invalid. I've tried every other trace feature, including the plugins for aspr 1.23 rc4 and all other asprotect plugins, but still I am left with invalid thunks.

I have read that nProtect mods protectors, and I have a sinking suspicion that this is another case of it.

What I've observed thus far:

- Calls are redirected to a segment at the end of the code (API redirection, right?)
- The segment doesn't exist at load time
- It is created right before an alg that does the API redirection (I can't decipher it :( )

I don't mean to beg, but I have been working on this for the last week or so and have made no headway. If anyone can explain how the APIs are being redirected / document an unpacking strategy for the target, it would be greatly appreciated, and I will be sure to re-work it into a tutorial so that noobs like me can stop bugging the intelligent people on message boards.

Git
07-21-2009, 07:11 AM
Couple of questions. Can you upload the dependent DLL(s) please, and what OEP have you been using?

Git

b41ulu
07-21-2009, 08:39 AM
Sure thing.
http://rapidshare.com/files/258317439/SFrameDLL_s.7z.html

And the OEP I've been getting is 9291CB; the real one, I'm guessing, is after the jump at 9291D0 to 928FEB.

Oh, and a few other things I've left out (feel stupid). The program is protected by gameguard, so once running it tends to see if you're debugging the process. (It even gets the snd modded olly ice.) The other thing is that you should probably pass these parameters to it, else it will spit out some garbled message on run, then exit.
"/auth_ip:38.99.82.120 /locale:ASCII /country:US /cash /commercial_shop /help_url_w:620 /help_url_h:633-->
<!-- UPDATE_SERVER : 38.112.59.240 /render:<NULL>"


EDIT: Figured it out, the thing I thought was IAT re-routing was actually inline hooking its own imports. Managed to fix it, and now I feel real dumb because reversing the target (although educational) turned out to be a waste of time because the game will not run w/o gameguard. :p