Extreme Coders Posted April 11, 2014 The other day I was testing an Asprotect 1.2 target. Imprec 1.7e IAT Autosearch function successfully locates the IAT (Size 0x55C). However, Scylla v0.9.6b Autosearch fails (Size: garbage value). See the image for comparison. [Images: Imprec, Scylla] Edited April 11, 2014 by Extreme Coders
Aguila Posted April 11, 2014 Hm, I don't know. Can you give me the target? The only explanation I have is that distorm fails to resolve the call dword ptr instructions. Is it somehow obfuscated?
Extreme Coders Posted April 12, 2014 @Aguila Sent you the target. The target is the protector binary itself. I do not see any obfuscation in it. It can be easily dumped and rebuilt in Imprec 1.7e, although you have to trace (Level 1 -> disasm) some calls. Edited April 12, 2014 by Extreme Coders
GIV Posted April 12, 2014 Don't rely on autosearch. ALWAYS check the IAT manually. Then you will not have any errors. These tools can put wrong start/end. The tools are ok but might have some problems sometimes. Edited April 12, 2014 by GIV
Aguila Posted April 12, 2014 I know why it doesn't work. The target is too old. This target is not DEP compatible: https://en.wikipedia.org/wiki/Data_Execution_Prevention Maybe I will not fix this, because I don't really like to support such old operating systems. http://pixs.ru/showimage/CapturePNG_1732868_11659177.png Thanks for the bug report.
Extreme Coders Posted April 12, 2014 Thanks. Anyways, the target is quite old, so bug fixing is not a priority. Edited April 28, 2014 by Extreme Coders