  #3  
Old 05-05-2005, 03:55 PM
JohnWho
Junior Member
 
Join Date: May 2005
Posts: 4

With v1.2/1.3 you can redirect one of the dips, and that way you don't have to deal with the CRC check! To use this method you'll need to study aspr's crypto to understand the encryption/decryption!

With v2.0x you can either change encrypted bytes after the 2nd call to VirtualAlloc to break from the layer and start your patching chain, or you can start your patching chain from the first hardcoded jmp in the 1st decryption block shortly after the EP (this way you don't need to know anything about aspr's crypto). This method you can of course also use on v1.2/1.3! Using this method you'll of course have to deal with the CRC check by:

1) making aspr do its CRC check on a backup file! (This is done before CreateFileA, where eax contains the file path and name.)
2) patching the mapped image of the file in memory back to the original (this is done immediately after MapViewOfFileEx, where eax contains the mapped image base).

JohnWho.