#1
Hello, I've a problem with a tool which is packed with ASProtect 1.3. The last section before the tool started is:

    00DA8AFB C601 FE MOV BYTE PTR DS:[ECX],0FE
    00DA8AFE CB RETF ; Far return
    00DA8AFF 3980 A7E0A3BE CMP DWORD PTR DS:[EAX+BEA3E0A7],EAX
    00DA8B05 3F AAS
    00DA8B06 A6 CMPS BYTE PTR DS:[ESI],BYTE PTR ES:[EDI]
    00DA8B07 0B67 64 OR ESP,DWORD PTR DS:[EDI+64]
    00DA8B0A 8F06 POP DWORD PTR DS:[ESI]
    00DA8B0C 0000 ADD BYTE PTR DS:[EAX],AL
    00DA8B0E 83C4 04 ADD ESP,4
    00DA8B11 334C24 28 XOR ECX,DWORD PTR SS:[ESP+28]
    00DA8B15 83D9 E1 SBB ECX,-1F
    00DA8B18 59 POP ECX
    00DA8B19 A1 08A4DB00 MOV EAX,DWORD PTR DS:[DBA408]
    00DA8B1E C640 12 00 MOV BYTE PTR DS:[EAX+12],0
    00DA8B22 A1 DC87DB00 MOV EAX,DWORD PTR DS:[DB87DC]
    00DA8B27 8B80 84000000 MOV EAX,DWORD PTR DS:[EAX+84]
    00DA8B2D 50 PUSH EAX
    00DA8B2E 53 PUSH EBX
    00DA8B2F E8 6CD1FFFF CALL 00DA5CA0
    00DA8B34 8BF0 MOV ESI,EAX
    00DA8B36 85F6 TEST ESI,ESI
    00DA8B38 74 1B JE SHORT 00DA8B55
    00DA8B3A 8D56 08 LEA EDX,DWORD PTR DS:[ESI+8]
    00DA8B3D A1 08A4DB00 MOV EAX,DWORD PTR DS:[DBA408]
    00DA8B42 E8 EDCEFFFF CALL 00DA5A34
    00DA8B47 84C0 TEST AL,AL
    00DA8B49 75 0A JNZ SHORT 00DA8B55
    00DA8B4B 68 688BDA00 PUSH 0DA8B68 ; ASCII "151 "
    00DA8B50 E8 F3BFFFFF CALL 00DA4B48
    00DA8B55 8BC3 MOV EAX,EBX
    00DA8B57 E8 C49FFEFF CALL 00D92B20
    00DA8B5C 5E POP ESI
    00DA8B5D 5B POP EBX
    00DA8B5E C3 RETN
    00DA8B5F 00FF ADD BH,BH

I set a BP at the C3 at 00DA8B5E. Then I open the Memory BP window with ALT+M and set a memory BP on the code section of the tool.

After pressing CTRL+F11 I landed here:

    00DA9FB5 C700 8F05AAF1 MOV DWORD PTR DS:[EAX],F1AA058F   <-- here
    00DA9FBB DD27 FRSTOR (108-BYTE) PTR DS:[EDI]
    00DA9FBD 9B WAIT
    00DA9FBE 2A20 SUB AH,BYTE PTR DS:[EAX]
    00DA9FC0 86B5 48F38167 XCHG BYTE PTR SS:[EBP+6781F348],DH
    00DA9FC6 64:8F06 POP DWORD PTR FS:[ESI]
    00DA9FC9 0000 ADD BYTE PTR DS:[EAX],AL
    00DA9FCB 83C4 04 ADD ESP,4
    00DA9FCE 2BC3 SUB EAX,EBX
    00DA9FD0 58 POP EAX
    00DA9FD1 A1 0088DB00 MOV EAX,DWORD PTR DS:[DB8800]
    00DA9FD6 8B00 MOV EAX,DWORD PTR DS:[EAX]
    00DA9FD8 8B68 1C MOV EBP,DWORD PTR DS:[EAX+1C]
    00DA9FDB A1 0088DB00 MOV EAX,DWORD PTR DS:[DB8800]
    00DA9FE0 8B00 MOV EAX,DWORD PTR DS:[EAX]
    00DA9FE2 8B00 MOV EAX,DWORD PTR DS:[EAX]
    00DA9FE4 894424 04 MOV DWORD PTR SS:[ESP+4],EAX
    00DA9FE8 A1 0088DB00 MOV EAX,DWORD PTR DS:[DB8800]
    00DA9FED 8B00 MOV EAX,DWORD PTR DS:[EAX]
    00DA9FEF 8D78 18 LEA EDI,DWORD PTR DS:[EAX+18]
    00DA9FF2 A1 8087DB00 MOV EAX,DWORD PTR DS:[DB8780]
    00DA9FF7 8858 08 MOV BYTE PTR DS:[EAX+8],BL
    00DA9FFA 833F 00 CMP DWORD PTR DS:[EDI],0
    00DA9FFD 75 1D JNZ SHORT 00DAA01C
    00DA9FFF 83C5 20 ADD EBP,20
    00DAA002 A1 6C86DB00 MOV EAX,DWORD PTR DS:[DB866C]
    00DAA007 8078 09 00 CMP BYTE PTR DS:[EAX+9],0
    00DAA00B 75 0F JNZ SHORT 00DAA01C
    00DAA00D B8 1F000000 MOV EAX,1F
    00DAA012 E8 B987FEFF CALL 00D927D0

But which call is the right one? Can anyone help me find the OEP?
#2
ASProtect does not allow you to use breakpoints (execution or hardware); you landed in a piece of code that has not been decrypted (or that has been decrypted badly!). You should trace inside the call before the RETN you broke on, and see if there are some anti-break tricks.
The OEP is hidden under about 10 layers of decryption at the end of the loader.

Bye! AndreaGeddon
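AndreaGeddon's diagnosis (the bytes at the landing address were never decrypted, so the disassembler is decoding garbage) can be checked mechanically when you are unpacking a protected sample for analysis. The following is an added example, written for this page and not code from either poster or from ASProtect: it parses OllyDbg's text listing format as pasted in post #1 (address, opcode bytes, mnemonic, operands, optional `;` comment), flags instructions that compilers essentially never emit (BCD arithmetic, far returns, bare string ops, all-zero bytes, a register base with an eight-digit displacement), and reports the first address from which a run of instructions looks like real code. The heuristic set `SUSPICIOUS_MNEMONICS`, the window size and the function names are my own choices; the sample lines are copied from the first listing in post #1.

```python
import re

# Sample for this example: the first lines of the OllyDbg listing quoted in post #1,
# in OllyDbg's "ADDRESS OPCODE-BYTES MNEMONIC OPERANDS [; comment]" text form.
SAMPLE_LISTING = """
00DA8AFB C601 FE MOV BYTE PTR DS:[ECX],0FE
00DA8AFE CB RETF ; Far return
00DA8AFF 3980 A7E0A3BE CMP DWORD PTR DS:[EAX+BEA3E0A7],EAX
00DA8B05 3F AAS
00DA8B06 A6 CMPS BYTE PTR DS:[ESI],BYTE PTR ES:[EDI]
00DA8B07 0B67 64 OR ESP,DWORD PTR DS:[EDI+64]
00DA8B0A 8F06 POP DWORD PTR DS:[ESI]
00DA8B0C 0000 ADD BYTE PTR DS:[EAX],AL
00DA8B0E 83C4 04 ADD ESP,4
00DA8B11 334C24 28 XOR ECX,DWORD PTR SS:[ESP+28]
00DA8B15 83D9 E1 SBB ECX,-1F
00DA8B18 59 POP ECX
00DA8B19 A1 08A4DB00 MOV EAX,DWORD PTR DS:[DBA408]
00DA8B1E C640 12 00 MOV BYTE PTR DS:[EAX+12],0
00DA8B22 A1 DC87DB00 MOV EAX,DWORD PTR DS:[DB87DC]
"""

# One opcode-byte group as OllyDbg prints it: optional "64:" style prefix, then whole bytes.
OPCODE_GROUP = re.compile(r"^(?:[0-9A-F]{2}:)?(?:[0-9A-F]{2})+$")
# Mnemonics made only of hex digits, which would otherwise be swallowed as opcode bytes.
HEX_LOOKING_MNEMONICS = {"FADD"}

# Heuristic (my choice): instructions compilers essentially never emit. A cluster of them
# means the bytes being disassembled are data or still-encrypted code, not real code.
SUSPICIOUS_MNEMONICS = {
    "AAA", "AAD", "AAM", "AAS", "DAA", "DAS",            # BCD arithmetic
    "ARPL", "BOUND", "LES", "LDS", "LSS", "LFS", "LGS",  # 16-bit / descriptor-era loads
    "RETF", "IRET", "IRETD", "INTO", "HLT", "IN", "OUT", "INS", "OUTS",
    "SALC", "LAHF", "SAHF", "XLAT", "WAIT", "FRSTOR", "FSAVE", "FNSAVE",
    "CMPS", "SCAS", "LODS", "MOVS", "STOS",              # string ops without a REP prefix
}
# A register base plus a 7-8 digit displacement, e.g. [EAX+BEA3E0A7], is almost always junk.
HUGE_DISPLACEMENT = re.compile(r"\[E[A-Z]{2}[+-][0-9A-F]{7,8}\]")


def parse_line(line):
    """Split one OllyDbg listing line into address, opcode bytes, mnemonic and operands.
    Returns None for lines that are not instruction lines."""
    text = line.split(";", 1)[0].strip()          # drop OllyDbg's trailing comment
    tokens = text.split()
    if not tokens or not re.fullmatch(r"[0-9A-F]{8}", tokens[0]):
        return None
    groups, i = [], 1
    while (i < len(tokens) and OPCODE_GROUP.match(tokens[i])
           and tokens[i] not in HEX_LOOKING_MNEMONICS):
        groups.append(tokens[i].replace(":", ""))  # "64:8F06" -> prefix byte + opcode bytes
        i += 1
    if not groups or i >= len(tokens):
        return None                                # no bytes or no mnemonic
    return {
        "address": int(tokens[0], 16),
        "bytes": bytes.fromhex("".join(groups)),
        "mnemonic": tokens[i],
        "operands": " ".join(tokens[i + 1:]),
    }


def parse_listing(text):
    return [ins for ins in (parse_line(l) for l in text.splitlines()) if ins is not None]


def flag_instruction(ins):
    """Reasons this instruction looks like mis-decoded data rather than compiler output."""
    reasons = []
    if ins["mnemonic"] in SUSPICIOUS_MNEMONICS:
        reasons.append("rare mnemonic " + ins["mnemonic"])
    if set(ins["bytes"]) == {0}:
        reasons.append("all-zero bytes")
    if HUGE_DISPLACEMENT.search(ins["operands"]):
        reasons.append("register base with huge displacement")
    return reasons


def analyse(text):
    """List of (address, reasons) for every instruction in the listing."""
    return [(ins["address"], flag_instruction(ins)) for ins in parse_listing(text)]


def find_code_start(text, window=4):
    """Address of the first instruction that opens a run of `window` unflagged
    instructions, i.e. where the listing stops looking like garbage; None if no such run."""
    results = analyse(text)
    for i in range(len(results) - window + 1):
        if all(not reasons for _, reasons in results[i:i + window]):
            return results[i][0]
    return None


if __name__ == "__main__":
    for address, reasons in analyse(SAMPLE_LISTING):
        print("%08X  %s" % (address, "; ".join(reasons) or "ok"))
    start = find_code_start(SAMPLE_LISTING)
    print("no clean run found" if start is None else "real code from %08X" % start)
```

Run over the first listing in post #1 this marks RETF, the CMP with the BEA3E0A7 displacement, AAS, CMPS and the `0000` pair as garbage, and reports 00DA8B0E (the `ADD ESP,4`) as the point where the stream becomes plausible code; on the second listing it reports 00DA9FCB. That matches the reply: the landing address itself sits in bytes that were never decrypted, so the thing to inspect is the decryption call before the RETN, not the garbage after the memory breakpoint fired.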