Inline patching ASProtect
This is not really a tutorial, but a synopsis of the basics of inline patching ASProtect. The general tactic is
very useful indeed for patching any target protected by other protections as well.
To make things easy I will only touch on the basics that you need to accomplish the goal.
The goal is to pass through the protection and patch the target code. I will do that by attaching a DLL that oversees the execution of the protected target; if that succeeds, then your imagination and skills are the limit of what you can do. ASProtect will refuse to take our remedy; we either have to force it or play a trick on it,
so I will go with the gentle one, the trick:
The trick is well known and can be accomplished by different means; my way of doing it is easy and
is as follows:
As you may know, the trick is to have ASProtect check the original exe, not the patched one. So
make a copy and change the last letter of its name; if we take dvdfab.exe for example, the patched exe
would be dvdfah.exe.
Load the patched exe into OllyDbg, follow ESP in the dump, Shift+F9 about 5 times or so, search in the dump
for “h.ex” without the quotes; once found, make a note of the stack address.
Restart OllyDbg, in the dump go to the noted address, Shift+F9 till you see the string “h.ex”, then Alt+K, double click on the address you see; this is the call we want to loop right below it, just choose the address that fits
best.
The mission is almost over: by changing the “h.ex” to “b.ex”, ASProtect will swallow the bait.
Now we have all the info needed; we can check for landmarks to guide us through. We will try to make it work on other PCs, so set a BP on VirtualAlloc, second stop, Alt+F9, and you will see three moves storing the EAX value;
the first one is the base we need, and the last one, the one after the fs:[0], is the landmark we need.
Write down the two addresses you found at [ebp+xxx]. Subtract the base from the VA address for looping and you will have the RVA needed.
In the initialization phase of the DLL, create a thread that checks the landmark address for a non-zero entry.
If true then you can suspend the main thread, if you want, or just go ahead and add the RVA to the
base to get the VA address to patch to make the target loop; if you had suspended the thread, resume it now.
Check the stack address for the string as I indicated above; continue checking the stack address till the string is found. You can suspend the process thread if you want, change the string as I indicated above, and if suspended,
resume. Now you can pass through ASProtect with your DLL on board; have your DLL check for landmarks
to patch the target exe for anything you desire. [I did not include images because I think it is easy enough.]
Hoping it may be of some benefit to any of you.
Kind Regards !
BriteDream.
Can someone translate this?