Posted April 11, 2014
The other day I was testing an Asprotect 1.2 target. Imprec 1.7e's IAT Autosearch function successfully locates the IAT (size 0x55C). However, Scylla v0.9.6b Autosearch fails (size: garbage value). See the image for comparison. (Images: Imprec, Scylla)
Edited April 11, 2014 by Extreme Coders
April 11, 2014
Hm, I don't know. Can you give me the target? The only explanation I have is that distorm fails to resolve the call dword ptr instructions. Is it somehow obfuscated?
April 12, 2014 (Author)
@Aguila Sent you the target. The target is the protector binary itself. I do not see any obfuscation in it. It can be easily dumped and rebuilt in Imprec 1.7e, although you have to trace (Level 1 -> disasm) some calls.
Edited April 12, 2014 by Extreme Coders
April 12, 2014
Don't rely on autosearch. ALWAYS check the IAT manually. Then you will not have any errors. These tools can put wrong start/end. The tools are ok but might have some problems sometimes.
Edited April 12, 2014 by GIV
April 12, 2014
I know why it doesn't work. The target is too old. This target is not DEP compatible: https://en.wikipedia.org/wiki/Data_Execution_Prevention
Maybe I will not fix this, because I don't really like to support such old operating systems.
http://pixs.ru/showimage/CapturePNG_1732868_11659177.png
Thanks for the bug report.
April 12, 2014 (Author)
Thanks. Anyways, the target is quite old, so bug fixing is not a priority.
Edited April 28, 2014 by Extreme Coders