SD

,
Asprotect
<2009> < >
Note:
To change the product logo for your own print manual or
PDF, click "Tools > Manual Designer" and modify the print
manual template.
Title page 1
Use this page to introduce the product
by vnekrilov
This is "Title Page 1" - you may use this page to introduce
your product, show title, author, copyright, company logos,
etc.
This page intentionally starts on an odd page, so that it is on
the right half of an open book from the readers point of view.
This is the reason why the previous page was blank (the
previous page is the back side of the cover)
,
Asprotect
<2009> < >
All rights reserved. No parts of this work may be reproduced in any form or by any means - graphic, electronic, or
mechanical, including photocopying, recording, taping, or information storage and retrieval systems - without the
written permission of the publisher.
Products that are referred to in this document may be either trademarks and/or registered trademarks of the
respective owners. The publisher and the author make no claim to these trademarks.
While every precaution has been taken in the preparation of this document, the publisher and the author assume no
responsibility for errors or omissions, or for damages resulting from the use of information contained in this
document or from the use of programs and source code that may accompany it. In no event shall the publisher and
the author be liable for any loss of profit or any other commercial damage caused or alleged to have been caused
directly or indirectly by this document.
Printed: 2009 in (whereever you are located)
Publisher
...enter name...
Managing Editor
...enter name...
Technical Editors
...enter name...
...enter name...
Cover Designer
...enter name...
Team
Coordinator
...enter name...
Production
...enter name...
Special thanks to:

All the people who contributed to this document, to mum and dad
and grandpa, to my sisters and brothers and mothers in law, to our
secretary Kathrin, to the graphic artist who created this great product
logo on the cover page (sorry, don't remember your name at the
moment but you did a great work), to the pizza service down the
street (your daily Capricciosas saved our lives), to the copy shop
where this document will be duplicated, and and and...
Last not least, we want to thank EC Software who wrote this great
help tool called HELP & MANUAL which printed this document.
, Asprotect
Table of Contents
Foreword
Part I
Part II ,
Asprotect
12
1
...................................................................................................................................

12
2
...................................................................................................................................

14
3 ...................................................................................................................................
OEP (SBOEP)
16
4
...................................................................................................................................
INIT
21
5
...................................................................................................................................
IAT
28
6
...................................................................................................................................
APIs
38
7
...................................................................................................................................
APIs Asprotect
43
APIs
..........................................................................................................................................................
Asprotect ASProtect ( 2.xx SKE)
43
APIs
..........................................................................................................................................................
Asprotect ASProtect ( 1.xx)
47
APIs
..........................................................................................................................................................
Asprotect, Asprotect.dll
53
APIs
..........................................................................................................................................................
Asprotect,
56
8 (CRC)
...................................................................................................................................
56
...................................................................................................................................
58

..........................................................................................................................................................
Asprotect.dll
61

..........................................................................................................................................................

61

..........................................................................................................................................................
71

..........................................................................................................................................................
74

..........................................................................................................................................................
,
84

..........................................................................................................................................................
, VM
87
..........................................................................................................................................................
VM
88
..........................................................................................................................................................

89
10
...................................................................................................................................
91
..........................................................................................................................................................
(.idata) 91
..........................................................................................................................................................
Import REConstructor
98
11
...................................................................................................................................

101

..........................................................................................................................................................
Asprotect
102

..........................................................................................................................................................
Asprotect
104

..........................................................................................................................................................
Stolen Code
109
12
...................................................................................................................................

111

..........................................................................................................................................................
dumped.exe
112
..........................................................................................................................................................
dumped.exe
115
..........................................................................................................................................................
.rsrc
116
..........................................................................................................................................................
.aspr
118
..........................................................................................................................................................

119
13
...................................................................................................................................
Stolen Code
121
<2009> < >
Contents
Part III
1
...................................................................................................................................
Sticky Password v4.0.0.148
125
125
..........................................................................................................................................................

125
..........................................................................................................................................................

126
..........................................................................................................................................................
IAT APIs
127
..........................................................................................................................................................
CRC)
128
APIs
..........................................................................................................................................................
Asprotect,
128
..........................................................................................................................................................

128

..........................................................................................................................................................
Stolen Code
131
..........................................................................................................................................................
dumped.exe
131
..........................................................................................................................................................
.rsrc
134
..........................................................................................................................................................
JCLDEBUG
135

..........................................................................................................................................................

136
2
...................................................................................................................................
LanAgent v3.0.0.0
137
..........................................................................................................................................................

137
..........................................................................................................................................................

138
..........................................................................................................................................................
INIT
139
..........................................................................................................................................................
IAT APIs
140
..........................................................................................................................................................
CRC)
141
APIs
..........................................................................................................................................................
Asprotect,
141
..........................................................................................................................................................

141

..........................................................................................................................................................
Stolen Code
142

..........................................................................................................................................................
SBOEP .rsrc
143
..........................................................................................................................................................
dumped.exe
143
..........................................................................................................................................................
dumped.exe
146
..........................................................................................................................................................
.rsrc
147
..........................................................................................................................................................
.aspr
149

..........................................................................................................................................................
.aspr
150

..........................................................................................................................................................

150
3
...................................................................................................................................
Asprotect v2.5 SKE build 04.08 Demo
152
..........................................................................................................................................................

153
..........................................................................................................................................................

154
..........................................................................................................................................................
INIT
155

..........................................................................................................................................................
Asprotect.dll
156

..........................................................................................................................................................
VM
157
..........................................................................................................................................................
VM 160
..........................................................................................................................................................

161
APIs
..........................................................................................................................................................
Asprotect,
162
..........................................................................................................................................................

162
..........................................................................................................................................................

162

..........................................................................................................................................................
Stolen Code
163

..........................................................................................................................................................
SBOEP .rsrc
164
..........................................................................................................................................................
dumped.exe
165
..........................................................................................................................................................
dumped.exe
167
..........................................................................................................................................................
.rsrc
168
..........................................................................................................................................................
.aspr
170
Part IV
173
<2009> < >
, Asprotect
Index
<2009> < >
Foreword
Foreword
This is just another title page

placed between table of contents
and topics
<2009> < >
Top Level Intro

This page is printed before a new
top-level chapter starts
Part
, CRACKL@B
, ASProtect.
, ,
, , ,
.
ASProtect 1.51 build 09.22 2.51 SKE build 09.22
( 2009 .). ,
, Asprotect,
, , .
. , ,
,
, , ,
, , ,
, . ,
, ,
.
. ,
Asprotect, . ,
, - . ,
, ,
Stolen Code.
,
. ,
,
20h . ,
Stolen Code 0Ah .
, , 20h
, Stolen Code
( ). , , .
20h :
Stolen Code,
Stolen Code .rsrc .adata.
, - ,
, , , ,
.
. , , -
, ,
. ,
, , ,
, ,
<2009> < >
10
, Asprotect
.
, :
- (OEP)
(Stolen Bytes OEP,
SBOEP);
- (IAT)
, , APIs ,
APIs ;
- , Delphi,
(INIT), , ;
- ,
;
- ,
. ,
,
,
.
, ,
cracker's.
,
, ASProtect.
vnekrilov
e-mail: vnekrilov@yandex.ru
<2009> < >
Top Level Intro

Part
II
12
, Asprotect
, Asprotect
. ,
, Asprotect.
, Asprotect.
:
:
:
:
:
:
2.1
ASProtect SKE v2.51 build 09.22

/
OllyDbg 1.10, PhantOm v1.54, PEiD v0.95, PE Tools
v1.8.800.2006 RC7, Hex Workshop v5.00.2511, Plugin
OdbgScript
v1.78.1,
ImportREConstructor
v1.6F, DiE v0.64 by
Hellsp@wn, Resource Binder v3.1
crackers
ASProtect SKE v2.51 build 09.22
, ASProtect

,
. , ,
Delphi, , ,
(INIT),
. , C/C++,
, INIT .
, , ,
PEiD v0.95, DiE v0.64 RDG Packer Detector v0.6.6.
, , ,
.

PEiD v0.95.
<2009> < >
, Asprotect
13
, ASProtect 1.2x - 1.3x [Registered].

, ASPrINF v1.6
Beta:
,
. , , .

,
.
.
, ,
, .
DiE v0.64:
<2009> < >
14
, Asprotect
, , RDG Packer Detector v0.6.6:
, DiE v0.64 RDG Packer Detector v0.6.6

,
Borland Delphi. ,
, INIT, , ,
, ,
.
2.2

OllyDbg v1.10,
:
<2009> < >
, Asprotect
, plugin PhantOm v1.54:
<2009> < >
15
16
2.3
, Asprotect
OEP (SBOEP)
, :
, Asprotect.
PUSH 5C5001 .data,
, Asprotect.dll, (
), .
( ),
,
, .
, Asprotect.dll,
,
. !
, Asprotect.dll ,
,
Asprotect. Asprotect.dll
.
Asprotect.dll
, , Asprotect.dll,
, ,
Asprotect.dll .
, ,
( ),
, . Asprotect.dll ,
, .dll, .. , , , ..
( PE-, 1000h ).
Asprotect.dll
( 1000h
, Asprotect.dll
). , , Asprotect.
dll API GetSystemTime kernel32.dll, API
Asprotect.dll:
<2009> < >
, Asprotect
17
, API GetSystemTime,
Asprotect.dll. Asprotect.dll
:
, Ctrl+F9,
API GetSystemTime.
Asprotect.dll API
GetSystemTime, , IAT
INIT, . , ,
Asprotect.dll,
,
, .
,
OEP SBOEP, ,
OEP, . OEP
, , OEP SBOEP.
OEP SBOEP
, Asprotect.dll
, ,
Asprotect.dll, OEP SBOEP
. :
<2009> < >
18
, Asprotect
00CB1CB8 . SBOEP
( OEP ),
00000000, OEP .
Asprotect.dll ,
MOV BYTE PTR DS:[EAX],0E1:
, Asprotect.dll (, 1.32),
- MOV DWORD PTR DS:[EAX],0E1.
BYTE
DWORD.
, ,
:
00C9FFA3
00C9FFA8
A1 B81CCB00
894424 04
MOV EAX,DWORD PTR DS:[CB1CB8]

MOV DWORD PTR DS:[ESP+4],EAX
<2009> < >
, Asprotect
19
,
A1????????894?.
, ,
.
,
OEP (SBOEP) , Asprotect.
:
1. API GetSystemTime .
2. MOV BYTE PTR DS:[EAX],0E1 ( MOV DWORD PTR
DS:[EAX],0E1).
3. MOV EAX,DWORD PTR DS:[CB1CB8].
4. , SBOEP.
OEP (SBOEP).osc
. ,
,
. ,
, ,
.
,
Asprotect.dll,
(CRC). , , BreakPoint
MOV BYTE PTR DS:[EAX],0E1,
, :
<2009> < >
20
, Asprotect
Asprotect.dll, .
, Hardware BreakPoint
BreakPoint,
EIP .

.
OEP (SBOEP).osc,
. r-e
, ,
, ,
, , ,
. Olly Debugger
Script Editor v1.2 Guru.exe, OllySubScript v1.4.1
by Sub Xero ( ).
, :
, SBOEP. ,
, ,
INIT, , , , ,
.
<2009> < >
, Asprotect
21
OEP
, .
, :
, ,
OEP .
: OEP (SBOEP) - OEP
(SBOEP).osc
PS. r-e
, , .
2.4
INIT
Borland Delphi,
( INIT), ,
. Asprotect
INIT, ,
, ,
.
INIT. Entry
Point (EP) , Borland Delphi,
:
<2009> < >
22
, Asprotect
INIT .
INIT:
, INIT (
112h),
INIT, - ,
.
INIT .
:
, , INIT,
01h ( ),
CALL,
(
-
),
( ). INIT
.
, INIT
<2009> < >
, Asprotect
23
IAT APIs,
IAT APIs,
, .
,
, INIT,
Asprotect. Asprotect.dll
, 60:
, ,
INIT, . INIT
, JE XXXXXXXX (
Z 0), , INIT.
CALL 00BDABD0, 00BDD8F4,
,
INIT.
INIT , ( ,
), Z 1,
JE SHORT 00BDD907,
CALL 00BDABD0.
,
ASCII 60, , , Asprotect.dll.
, ,
INIT, ,
.
<2009> < >
24
, Asprotect
,
02020000.
:
,
02030000.
, , , ,
,
, ,
INIT. ,
:
, : 02020000,
02030000 02040000. CALL
REG, :
<2009> < >
, Asprotect
25
REG : EAX, ECX, .. ,

BreakPoint ,

, , , . ,
Hardware BreakPoint.
INIT,
.
, ,
INIT. VolX
, ,
INIT, ,
. , , ,
CALL REG.
, , , CALL REG,
,
INIT. , ,
, .
.
, , ,
B A, :
7383E5FF - 7383E2EE = 00000311
ImageBase ,
CALL REG, :
00000311 + 02040000 = 02040311
,
.
EAX, 4 ,
, CALL REG:
00000000 - 02EBF352 = FD140CAE
<2009> < >
26
, Asprotect
4 ,
, EAX:
FD140CAE - CD02EBF3 = 301120BB
,
INIT 02040311.
, EAX
, INIT:
8CFE4BBA + 7383E2EE = 00822EA8
INIT, ,
:
,
, .
- C1FF0493,
C281A541 4E. :
00822EA8 + C1FF0493 = C281333B
C281333B - C281A541 = FFFF8DFA
1 - FFFF8DFA = 00007206
00007206 + 4E = 00007254
, ImageBase
00400000, INIT:
00007254 + 00400000 = 00407254
INIT,
, , , 02040000.
:
<2009> < >
, Asprotect
27
, INIT,
,
,
.
INIT.osc.
, ,
, CALL
REG, .
, CALL REG
, 5h . CALL REG
2h , ,
CALL REG.
, , ,
.
,
INIT Asprotect.dll. INIT
, (IAT)
APIs, .
INIT ,
, cracker's.
, , , ,
INIT.
, , :
INIT table_INIT.bin,
, .
INIT , :
<2009> < >
28
, Asprotect
:
INIT.osc.
2.5
INIT
INIT,
IAT
IAT
APIs. , , .
DLL, ,
, ,
IAT. IAT -
, ( DeDe,
Borland Delphi):
, :
ntdll.dll kernel32.dll,
() . .., IAT
APIs, .
<2009> < >
, Asprotect
29
, ,
Import Table ( ):
,
DeDe. IAT . PE , IAT PE- - ,
. ,
14h .
, ,
. , , ,
- :
, ,
, IAT
, APIs . (
VirtualOffset ,
VirtualAddress, VirtualOffset ImageBase
). 005B1A28 (VirtualOffset = 001B1A28):
API IAT,
IAT,
DLL (kernel32.dll), APIs,
, .
005B11B8 (VirtualOffset = 001B11B8):
<2009> < >
30
, Asprotect
14h
, .
Borland Delphi, IAT. -
IAT, APIs
kernel32.dll, .
, :
APIs VirtualOffset .
:
, . ,
,
. ,
, PE- ,
.
, , Borland Delphi, APIs
:
- ;
- IAT;
- DLLs APIs.
Borland Delphi APIs
, .idata.
, , ,
Microsoft Visual C++ | C/C++. , , Mtk_Res1.4.exe, IAT
.rdata:
<2009> < >
, Asprotect
31
,
IAT:
-
DLLs, .
.
Original First Thunk, ,
DLLs APIs:
, ,
, Borland Delphi.
Original First Thunk, Hint,
API:
<2009> < >
32
, Asprotect
Hint,
API.
, , Microsoft Visual C++ | C/C++,
APIs :
- IAT;
- ;
- ;
- Hint;
- DLLs APIs.
,
.
.
, , IAT
,
PE-, .
Asprotect, , ,
DLL APIs,
IAT. , APIs,
,
.
IAT ,
Asprotect. , ,
ASProtect IAT APIs.
OEP (SBOEP) , ASProtect,
(IAT), :
IAT.
<2009> < >
, Asprotect
33
IAT ;
APIs, DLL (kernel32.dll),
APIs, DLL (user32.dll).
DLL ,
APIs,
. IAT .
IAT. ,
, Asprotect
(IAT) Asprotect.dll.
IAT
. ,
, IAT.
IAT APIs (
), IAT ,
.
, ,
IAT.
APIs, , APIs
DLLs, APIs.
:

IAT, APIs,
. -
IAT, API (
IAT, ).
DLL, , DLL
, .
DLL, . , ,
- API.
API:
<2009> < >
34
, Asprotect
- API,
API, API,
API.
API
IAT. ,
IAT API,
.
,
IAT APIs .
IAT APIs
Asprotect.dll, :
"INC EAX", "MOV

DWORD PTR DS:[EBX],EAX" "ADD EDI,4",
IAT APIs.
IAT APIs
Asprotect.dll, 1.32, 1.32
APIs.
,
APIs,
IAT:
,
, Asprotect.dll
, IAT.
<2009> < >
, Asprotect
35
:
1- ( , ):
EAX
, .
, ,
JE SHORT 00F064B0 JMP SHORT 00F064B0,
IAT, JE
SHORT 00F064B0.
2- :
IAT (
APIs), ESI , ,
JE SHORT 00F1008B ,
.
ESI, .

IAT
APIs.
. APIs RaiseException
GetProcAddress. APIs , , , ,
API RaiseException :
<2009> < >
36
, Asprotect
APIs RaiseException GetProcAddress

, Eb01??
B8????????:
JMP SHORT 00F06471, :
- API
RaiseException.
,
API RaiseException, ,
APIs - RaiseException GetProcAddress.
API RaiseException, API GetProcAddress.
IAT,
, -
. , , -
APIs IAT,
APIs ( API),
, .
APIs,
APIs
IAT.
<2009> < >
, Asprotect

APIs :
37
IAT
IAT ;
APIs, kernel32.dll,
APIs, user32.dll.
DLL .
IAT .
. ,
IAT.
,
,
APIs,
APIs IAT
.

APIs ( - ), APIs
IAT ( ). ,

APIs.
IAT (table_IAT.bin)
(add_table_IAT.bin),
- .
<2009> < >
38
2.6
, Asprotect
APIs
, IAT,
APIs,
APIs.
APIs. OEP (SBOEP)
, , APIs IAT,
:
API CreateFileA ,
Borland Delphi. CALL 02270000,
APIs.
APIs ,
. , , ,
APIs:
- API
DLL, API;
-
IAT API;
- API;
- API
;
- API.
,
. , ,
APIs, :
<2009> < >
, Asprotect
39
, CALL 02270000, CALL 02300004

. APIs .
.
, APIs
, Asprotect.dll
, Asprotect.dll.
:
: "MOV EAX,
DWORD PTR DS:[EBX+2C]", "SUB EAX,EBP" "SUB EAX,5".
INC EBP, EBX
,
APIs . ,
:
ImageBase ,
APIs,
.
CALL,
APIs,
CALL, APIs
. ,
<2009> < >
40
, Asprotect
CALL EBP CALL EDX,

. , , -
,
APIs,
,
APIs ( ).
, ,
API,
:
- ,
API, , ,
APIs FF25, ,
Borland Delphi;
- , APIs
FF15, ,
.
-
, APIs (
).
,
APIs:
-
APIs, ,
,
, API.
API.
APIs :
- CALL APIs
( - CALL 02300004);
- CALL APIs
,
APIs ( - CALL 02270000);
- ,
APIs (
).
<2009> < >
, Asprotect
41

APIs Asprotect.dll,
APIs
. ,
APIs ,
APIs .
,
. ,
, - ,
Asprotect, RUN,
. , IAT
OEP (SBOEP)
OllyDbg, .
,
. , ,
APIs, :
- ,
, API
RegCloseKey.
, :
,
.
,
API JMP, CMP, OR MOV. 4 ,
CMP CMP + Jcc,
,
MOV ,
, .. ,
<2009> < >
42
, Asprotect
- :

, ,
.
,
. :
- API,
,
,
API;
- ,
, ;
-
;
- , , .
,
IAT APIs.osc ,
.

,
.
,
,
, Asprotect.
:

IAT APIs,
APIs Asprotect,
Asprotect.dll.
IV ,
APIs Asprotect, Asprotect.dll.
<2009> < >
, Asprotect
2.7
43
APIs Asprotect
ASProtect APIs,
APIs Asprotect,
: ,
,
, ..
APIs Asprotect ,
. , ,
APIs Asprotect,
ASProtect ( 1.), ( 2.
xx SKE), - .
2.7.1
APIs Asprotect ASProtect ( 2.xx

SKE)
APIs Asprotect
, ASProtect ( 2.xx
SKE).
ASProtect ( 2.xx SKE)
12 APIs Asprotect:
SetRegistrationKey,
GetRegistrationInformation,
CheckKey,
CheckKeyAndDecrypt,
GetKeyDate, GetKeyExpirationDate, GetTrialDays, GetTrialExecs, GetExpirationDate,
GetModeInformation, GetHardwareID, SetUserKey.
APIs Asprotect, 13:

SetRegistrationKey, GetRegistrationInformation, SaveKey, CheckKey, CheckKeyAndDecrypt,
GetKeyDate, GetKeyExpirationDate, GetTrialDays, GetTrialExecs, GetExpirationDate,
GetModeInformation, GetHardwareID, SetUserKey.
, 14 APIs
Asprotect:
SetRegistrationKey,
GetRegistrationInformation,
RemoveKey,
CheckKey,
CheckKeyAndDecrypt, GetKeyDate, GetKeyExpirationDate, GetTrialDays, GetTrialExecs,
GetExpirationDate, GetModeInformation, GetHardwareID, GetHardwareIDEx, SetUserKey,
Asprotect.dll , APIs
Asprotect:
<2009> < >
44
, Asprotect
,
APIs Asprotect (
).
, BA01000000B9????????
8B.
, , 1- 6- APIs
Asprotect. APIs Asprotect IAT.
, APIs Asprotect,
. VolX
, Asprotect,
APIs Asprotect , VolX.
APIs Asprotect.
API GetRegistrationInformation:
API RemoveKey, API CheckKey, API CheckKeyAndDecrypt:
API GetKeyDate:
<2009> < >
, Asprotect
API GetKeyExpirationDate:
API GetTrialDays, API GetTrialExecs:
API GetExpirationDate:
API GetModeInformation:
API GetHardwareID, API GetHardwareIDEx:
<2009> < >
45
46
, Asprotect
APIs Asprotect,
.osc, :
- APIs Asprotect Asprotect.dll;
- IAT, APIs Asprotect;
- APIs Asprotect;
- APIs Asprotect ;
- APIs Asprotect IAT;
-
APIs Asprotect IAT, APIs
Asprotect, .
APIs Asprotect
IAT
APIs.osc, , OllyDbg.
,
OllyDbg, :
00584A5C ( APIs Asprotect

IAT), :

APIs Asprotect, DLL,
- DLLs IAT.
, , API Asprotect,
00566940, :
<2009> < >
, Asprotect
47
API GetHardwareIDEx,
HWiD .
API :
: APIs Asprotect
, OEP (SBOEP) .
2.7.2
APIs Asprotect ASProtect ( 1.xx)

APIs Asprotect
, ASProtect ( 1.
xx). PasswordPro
v2.5.1.0, Asprotect 1.41 build 04.01 Beta.
ASProtect ( 1.xx), APIs Asprotect
Asprotect.dll, :
, ,
INIT:
INIT.
JE SHORT 00698972,
<2009> < >
48
, Asprotect
INIT, , ,
. RET,
APIs Asprotect. APIs
Asprotect OEP (SBOEP) .
: ,
, , ,
Asprotect, ,
APIs Asprotect ,
APIs Asprotect. ,
,
(CRC), .
.
,
, ,
.
IAT APIs.osc
,
. ,
:
API Asprotect,
:
HWiD ( HWiD
). HWiD
API GetHardwareID API GetHardwareIDEx.
:
<2009> < >
, Asprotect
49
, , ESI, ,
Asprotect.dll, OEP (SBOEP),
.. APIs Asprotect.
0Eh (15 dec), 0Fh (16 dec),
( , , 3Ch
). , OEP(SBOEP) ,
,
.
Asprotect 12 APIs
Asprotect, 2 APIs (),
. GetEncryptProc
GetDecryptProc, .
:
, Asprotect
(v1.32, 1.35, 1.40, 1.41, 1.50),
Asprotect SKE (v2.0, 2.11,
2.20, 2.3, 2.4, 2.41, 2.50), APIs Asprotect (
APIs ),
.
APIs Asprotect ,
, :

ESI
API Asprotect
00
SetRegistrationKey
04
GetRegistrationInformation
08
GetKeyExpirationDate
0C
CheckTrial
10
<2009> < >
GetHardwareID
50
, Asprotect
14
GetTrialDays
18
GetTrialExecs
1C
GetExpirationDate
20
ExecuteApplication
24
ExecuteTrial
28
GetRunApplicationFunction
2C
SetDecryptionKey
30
GetEncryptProc
34
GetDecryptProc
, Asprotect.dll, ESI
EDI.
APIs Asprotect
, APIs.
APIs Asprotect,
, , ..,
.
APIs Asprotect,
, APIs.
API SetRegistrationKey:
API, .
, API, , ,
,
.
API GetRegistrationInformation:
<2009> < >
, Asprotect
51
API
.
API GetKeyExpirationDate GetExpirationDate:
APIs , . :
1Eh 30- ;
0Ch 12- ();
807h 2055 .
.., 30 2055 .
API CheckTrial:
API
( ).
API GetHardwareID:
<2009> < >
52
, Asprotect
API HWiD
.
API GetTrialDays GetTrialExecs:
API GetTrialDays
, . :
1Eh 30 ;
1Eh 30 .
API GetTrialExecs
, . :
1Eh 30 ;
1Eh 30 .
API GetRunApplicationFunction:
API APIs ExecuteApplication ExecuteTrial.

, API GetRunApplicationFunction API
ExecuteTrial,
. ,
, API GetRunApplicationFunction API
ExecuteApplication.
API GetRunApplicationFunction
API ExecuteApplication ExecuteTrial.
<2009> < >
, Asprotect
53
API GetDecryptProc:
API API GetEncryptProc. APIs

- , .
API SetDecryptionKey. ,
API, , ,
, API.
2.7.3
APIs Asprotect, Asprotect.dll

APIs Asprotect, Asprotect.dll,
IAT APIs.osc. :
- Asprotect.dll APIs Asprotect;
- ,
;
- API Asprotect;
- API
Asprotect.
, APIs Asprotect,
. CMP EBX,0F, JNZ SHORT 00699A6E,
, APIs Asprotect:
, ,
[ESI+Value]. ,
API Asprotect.
<2009> < >
54
, Asprotect
, ,
,
PUSH EAX .
API Asprotect CALL EAX.
API Asprotect,
, .
, , OEP/SBOEP,
, 00427A30 004275B0
( , ).
, APIs SetRegistrationKey
GetRegistrationInformation.
, API SetRegistrationKey ,
. ,
API. ,
, API SetRegistrationKey.
:
CALL 00699460, 00699BAC,

, .
CALL EBX, EBX = 00427A30.
PasswordsPro.key (
).
, :
[ESI+4] 004275B0.
, , PUSH EAX, ,
<2009> < >
, Asprotect
55
,
. 00699DBD.
IAT
APIs.osc , ,
:
API
GetRegistrationInformation , -
APIs Asprotect,
APIs Asprotect.
API GetRegistrationInformation,
:
,
,
About.
, , APIs
Asprotect OEP (SBOEP) .
, APIs Asprotect,
, .
:
1. IAT APIs
- IAT APIs.
osc.
2.
Asprotect.dll recovery_emulate_inst_Asprotect_dll.bin.
:
<2009> < >

recovery_emulate_inst_Asprotect_dll.bin.
, ,
56
, Asprotect
1328, .
2.7.4
APIs Asprotect,
APIs Asprotect,
. , , Asprotect
( Asprotect 1.xx), APIs Asprotect
IAT APIs. ,
, APIs Asprotect,
, APIs Asprotect, OEP
(SBOEP) , .
, Asprotect
( Asprotect 2.xx SKE). , APIs Asprotect
OEP (SBOEP), .
APIs Asprotect,
OEP (SBOEP).
,
APIs Asprotect.
APIs Asprotect, .osc.
IAT
APIs.osc, OllyDbg,
main_parameters.bin,
, .
IAT APIs.osc,
, , 4 :
- APIs Asprotect;
- (CRC) ;
- ;
- (.idata).
,
OEP (SBOEP). ,
,
, , ,
, .
2.8
(CRC)

,
cracker's, .
(CRC).

APIs. 3-
<2009> < >
, Asprotect
57
, APIs
CALL XXXXXXXX:
APIs kernel32.CreateFileA
CloseHandle, APIs kernel32.GetFileType GetSystemTime,
CALL 01FE0000.
1- E8h
APIs. ,
FFh, , .
:
- APIs,
,
- FF E8. ,
<2009> < >
58
, Asprotect
. ,
EDI 17h (0FF 0E8 = 17h),
JE 0051FDD5,
0051FDAF, .
(CRC) .osc,
, .
,
E9000000005?5?E9. ,
JE_xxxxxxxx
JMP_xxxxxxxx.
, CRC
.
(CRC) .osc
IAT APIs.osc,
OllyDbg.
main_parameters.bin, ,
.
2.9
, Asprotect,
.
,
Asprotect.dll. ,
, ,
. ,
:
,
PUSH, CALL 00EF7710,
<2009> < >
, Asprotect
59

Asprotect.dll.
, ,
Asprotect, ,
. , ,
. ,
, . ,
, ,
.
(VM)
. , ,
VM ,
MOV, ADD SUB,
. VM
,
. .
1. , VM
.
2. , VM (MOV,
JMP, SUB, ..), .
3. ,
.
.
4.
, .
5. MOV, ADD SUB,
, VM.
VM ,
VM .
VM ,
2.41 SKE build 02.26 Beta,
. VM
, ,
, ,
.
, , -, VM,
.
, :
1.
, .
<2009> < >
60
, Asprotect
2.
.
3.
.
4.
VM.
5. MOV, ADD SUB VM.
,
ASProtect 2.41 SKE build 02.26 Beta, VM
,
, VM.
VM
,
:
1.
2.
3.
4.
5.

. , ,
VM, ,
, ( E8
CALL, E9 JMP, 8B MOV, ..).
.

VM, ASProtect 2.41 SKE build 02.26 Beta.

VM.

VM.
MOV, ADD SUB VM.
VM VM_Machine_main_code.exe
, .
VM,
.osc,
recovery_emulate_inst_main_code.bin,

.osc.
, , ,
VM, ,
, , .

VM.
Asprotect_241_0226.dll, , VM_Machine_main_code.exe
.
<2009> < >
, Asprotect
2.9.1
61
Asprotect.dll
, . Asprotect.dll
.
, VM
MOV, ADD SUB, .
deroko AsprDllDumper.exe,
Asprotect.dll , , ,
Asprotect.dll.
Asprotect.dll,
Asprotect_dll OEP (SBOEP).osc, Asprotect_dll.osc
(.idata) Asprotect_dll.osc.
2.
, ,
IAT APIs.osc,
OEP (SBEOP) . , ,
OEP (SBOEP).osc INIT,
IAT APIs.
,
Asprotect_dll OEP (SBOEP).osc,
Asprotect.dll.
, ,
Asprotect_dll.osc,
Asprotect.dll, (
IAT). ,
, (.idata)
Asprotect_dll.osc, Asprotect.dll,
Asprotect.dll. Asprotect.dll,
,
, APIs APIs.
OllyDbg,
IDA, . ,
Asprotect.dll, ,
,
, .
Asprotect_251_0922.dll, , Asprotect.dll
Asprotect v2.51 SKE build 09.22.
2.9.2

, Asprotect_251_0922.dll,
Asprotect_241_0226.dll, VM
<2009> < >
62
, Asprotect
.
OllyDbg, Asprotect_241_0226.dll,
Asprotect_251_0922.dll.
Ctrl+A, .
Ctrl+B,
6089E09C5A5589E583C52431C9648B0981ECB80B0000FF7508FF750C525150FF7504
, , VM
.
:
, :
1. VM
;
2. VM Asprotect.dll.
1-
, , , CALL 00EFAB18,
XOR EAX,CONST:
- ,
.
, ,
, XOR EAX,6CB02433.
, Const_EAX
IAT APIs.osc.
<2009> < >
, Asprotect
VM,
.
63
CALL 00EF7F84,
:
CALL TEST AL,AL

, .
CALL 00EF7F84 Enter, CALL 00EFAFDC:
VM .
CALL INC EAX,
, , , CALL .
CALL 00EFAFDC Enter, ,
, :
, :
<2009> < >
64
, Asprotect
- hex-
( ,
hex-: 0h, 1h, , 0Fh). CALL,
, VM,
.
hex-, CALL BreakPoint
.
:
Hex-

Asprotect_241_0226.dll
0h
D4h
9Dh
1h
E0h
F7h
2h
4Eh
C7h
3h
8Dh
E0h
4h
07h
F6h
5h
5Bh
EBh
6h
5Eh
4Eh
7h
99h
DCh
8h
C7h
F9h
9h
FCh
D2h
Ah
A0h
08h
Bh
49h
57h
Ch
8Bh
CDh
<2009> < >
, Asprotect
Dh
93h
10h
Eh
4Ah
D0h
Fh
9Ah
72h
65

hex-
Asprotect_241_0226.dll ,
. ,
, CALL,
. ,
CALL,
. , ,
CALL BreakPoint,
hex-.
C7h:
, ,
( ,
Asprotect_241_0226.dll),
hex- 4Eh.
E0h:
<2009> < >
66
, Asprotect
F6h:
EBh:
VM,
CDh:
<2009> < >
, Asprotect
67
DCh:

72h:
9Dh:
<2009> < >
68
, Asprotect

08h:
, , ,
.
D2h:
<2009> < >
, Asprotect

69
F7h:

10h:

D0h:
<2009> < >
70
, Asprotect

4Eh:
, , ,
.
57h:
F9h:
<2009> < >
, Asprotect

71
, ,
hex-
Asprotect.dll.
, ,
VM .
:
1. APIs Asprotect, -
2. (CRC) -
(CRC) .osc.
3. Asprotect.dll,
OEP (SBOEP) -
Asprotect_dll OEP (SBOEP).osc.
4. Asprotect.dll - Asprotect_dll.osc.
5. Asprotect.dll -
(.idata) Asprotect_dll.osc .
6. Asprotect.dll - Asprotect_241_0226.dll.
7. Asprotect.dll - Asprotect_251_0922.dll.
8.
VM_Machine_main_code.exe.
2.9.3

,
.
Asprotect v2.41 build 02.26.
, OEP (SBOEP),
, ,
68????????68????????68????????E8:
<2009> < >
72
, Asprotect
CALL
Asprotect.dll.
,
EIP PUSH, Ctrl+*,
. , CALL,
F7, RETN 0C.
RETN 0C, ,
:
00F90CC8
:

Asprotect v2.51 build 09.22, 00FA3634:
<2009> < >
, Asprotect
73

20h , (
):
482h, ImageBase ,
PiD ,
.
, -
,
, SUB,
ADD MOV VM .

, Asprotect.
,
.
,

PiD , , , , +00h
+1Ch .
:

DWORD_00h
+ 00h
+ 00h
DWORD_04h
+ 04h
+ 0Ch
DWORD_08h
+ 08h
+ 18h
DWORD_0h
+ 0h
+ 14h
DWORD_10h
+ 10h
+ 10h
DWORD_14h
+ 14h
+ 08h
DWORD_18h
+ 18h
+ 04h
DWORD_1Ch
+ 1Ch
+ 1Ch
<2009> < >
74
2.9.4
, Asprotect

,
Asprotect_241_0226.dll Asprotect_251_0922.
dll. VM
.
Asprotect_241_0226.dll:
, VM
.
MOV EAX,DWORD PTR DS:[EBX+89] MOV EAX,DWORD PTR DS:
[EBX+23] EAX
. 89h
Asprotect_241_0226.dll, 23h Asprotect_251_0922.dll.
<2009> < >
, Asprotect
75
, ,
CPU.
, BreakPoint
.

Asprotect_241_0226.dll Asprotect_251_0922.dll.
:
<2009> < >
76
, Asprotect

DWORD_00h
+ 00h
+ 12h
DWORD_04h
+ 04h
+ 0Eh
BYTE_08h
+ 08h
+ 17h
BYTE_09h
+ 09h
+ 05h
BYTE_0Ah
+ 0Ah
+ 08h
BYTE_0Bh
+ 0Bh
+ 01h
BYTE_0Ch
+ 0Ch
+ 16h
DWORD_0D
h
+ 0Dh
+ 0Ah
BYTE_11h
+ 11h
+ 00h
BYTE_12h
+ 12h
+ 02h
BYTE_13h
+ 13h
+ 03h
BYTE_14h
+ 14h
+ 09h
BYTE_15h
+ 15h
+ 06h
BYTE_16h
+ 16h
+ 07h
BYTE_17h
+ 17h
+ 04h
Asprotect_251_0922.
dll.
, :
Asprotect_241_0226.dll :
<2009> < >
, Asprotect
77
. ,
VM . , ,
, ,
:
,
:
72h 9Ah Asprotect_241_0226.dll.

DLL, , + 05h
+ 09h. .
:
<2009> < >
78
, Asprotect
,
(
18h ).
.
:
,
:
VM,
MOV, ADD SUB. .., + 16h
+ 0Ch. .
:
<2009> < >
, Asprotect
79
Asprotect_241_0226.dll (
, ,
):
, + 0Eh + 04h.
.
:
, ):
, + 12h + 00h.
.
:
,
:
<2009> < >
80
, Asprotect
, + 04h + 17h.
.
:
, + 09h + 14h.
. ,
+ 10h, + 15h. ,
INC AL. + 09h (+ 14h)
(
66:8B4346).
(8h) 8Bh. (Bh
) INC AL.
.
, VM
:
<2009> < >
, Asprotect
81
, (

, VM).
:
<2009> < >
82
, Asprotect
, + 00h + 11h, + 02h

+ 12h, + 01h + 0Bh,
+ 06h + 15h.
,
, + 07h + 16h.
.
:
,
:
, + 08h + 0Ah.
.
:
<2009> < >
, Asprotect
83
Asprotect_241_0226.dll ,
:
, + 17h + 08h.
.
, , ,
VM, ,
.
VM, CALL :
CALL 00EFA340:
<2009> < >
84
, Asprotect
, + 0Ah + 0Dh.
.
2.9.5

, VM
, VM
, VM.
VM .
VM, CALL
VM:
CALL 00EF544C, CALL 00EF4E6C,

, VM:
<2009> < >
, Asprotect
85
, Asprotect,
VM, , Asprotect v1.51 build 09.22 Asprotect v2.51 SKE
build 09.22, ,
.
Asprotect v2.41 SKE build 02.26,
, (
,
VM). , FFFFFFFF,
,
VM, :

, VM, -
, VM,
,
VM.
, 0Dh .
,
.
ESI EDI,
( ,
, Asprotect v2.51 SKE
build 09.22):
<2009> < >
86
, Asprotect
,
VM, :

BYTE_00h
+ 00h
+ 00h
BYTE_01h
+ 01h
+ 0Ch
BYTE_02h
+ 02h
+ 05h
BYTE_03h
+ 03h
+ 06h
BYTE_04h
+ 04h
+ 0Bh
<2009> < >
, Asprotect
2.9.6
BYTE_05h
+ 05h
+ 07h
BYTE_06h
+ 06h
+ 08h
BYTE_07h
+ 07h
+ 09h
BYTE_08h
+ 08h
+ 0Ah
BYTE_08h
+ 09h
+ 01h
BYTE_0Ah
+ 0Ah
+ 02h
BYTE_0Bh
+ 0Bh
+ 03h
BYTE_0Ch
+ 0Ch
+ 04h
87
,
VM
,

:
,

<2009> < >
88
, Asprotect
, EDI+0.

VM :

CMP BYTE [EBP-1D],0
00h
05h
CMP BYTE [EBP-1D],6
06h
00h
CMP BYTE [EBP-1D],8
08h
07h
CMP BYTE [EBP-1D],5
05h
04h
CMP BYTE [EBP-1D],9
09h
09h
,
VM .
2.9.7
VM

VM
, ,
VM
.osc, .
,
, .
:
1. ,
.
2. ,
VM, VM,
.osc.
:
1. main_parameters.bin , .
2. VM_recovery_main_code.exe .
3. VM_recovery_main_code.exe OllyDbg.
VM
. ,
:
1. .
2. .
<2009> < >
, Asprotect
89
3. .
4. VM.
5. VM.
,
, plugin ODbgScript,
VM
.osc, .
.
,
.
,
VM,
.osc.
VM
VM. .
VM, .
:
VM,
- VM
.osc.
2.9.8

, , 5 2
, VM
.
, IAT
APIs.osc, , ,
APIs Asprotect, .osc,
(CRC) .osc
.osc.
.osc
VM
.
, .
68????????68????????68????????E8,
, ,
CALL, PUSH. ,
, Asprotect.dll (.., VM
),
,
<2009> < >
90
, Asprotect
.
,
,
PUSH,
CALL. , ,
1 . ,
, ,
. , .
:
.
:
,
.
.
.osc
,
. ,
, ,
<2009> < >
, Asprotect
91
. -
VM ( VM
.osc,
).
, ,
.
, .
:
-
.osc.
2.10
, :
1. OllyDbg,
IAT APIs.
2. APIs Asprotect.
3. (CRC).
4. .

. Import
REConstructor, . ,
, ,
, , Asprotect,
. ,
pavka, ,
,
Asprotect. , , Import REConstructor,
, , , , ,
,
. :
1. pavka.
2. Import REConstructor.
2.10.1
(.idata) .osc
, , IAT,
. , IAT
, Borland Delphi
Microsoft Visual C++ | C/C++. IAT
, Asprotect.
<2009> < >
92
, Asprotect
Asprotect v2.51 SKE build 09.22, Borland Delphi

, :
, IAT (
SBOEP OEP (SBOEP).osc),
IAT APIs. ,
.
, DLLs, .
, , 1E0h
.
, IAT:
-
DLL, ,
IAT.
IAT, DLL,
, API.
IAT, :
DLLs,
- API DLLs.
, ,
<2009> < >
, Asprotect
93
DLLs APIs.
,
, :
, 0060EC48 (
0020EC48 + 00400000), 4C0h ( 1E0h ).
, 0060EC48:
( PE-
), .
:
kernel32.dll, APIs
. ,
:
,
:
<2009> < >
94
, Asprotect
APIs , APIs.
.
, ,
Microsoft Visual C++ | C/C++.
SpiderMan.
, , IAT.
APIs, , .
,
IAT, ImageBase :
0048F000 00400000 = 0008F000
00F00800. ,
.
IAT :
0048F01C 00400000 = 0008F01C
1CF00800.
( ,
IAT ,
):
<2009> < >
, Asprotect
95
IAT, . ,
, , ,
. :
, 004C67F0.
(
, ,
14h ) 17Ch . .., .
Original First Thunk,
, DLLs APIs.
:
-
,
Original First Thunk, Original First Thunk,
.
APIs.
, ,
. ,
, ,
APIs. ,
, ,
Import REConstructor.
(.
idata) .osc, pavka,
.
, Borland Delphi Microsoft Visual C++ |
C/C++. , Borland Delphi,
<2009> < >
96
, Asprotect
, ,
APIs.
Microsoft Visual C++ | C/C++,
,
, ,
APIs.
, Borland Delphi, ,
Microsoft Visual C++ | C/C++.
,
, PE- ,
.
, APIs Asprotect,
(CRC), ,
. ,
,
, ,
. , ,
.
, .
1. APIs, . ,
, IAT,
APIs:
APIs WSAGetLastError WSARecvEx,

wsock32.dll. ,
. , API
, . ,
Import REConstructor,
<2009> < >
, Asprotect
97
, API ,
. , - ,
, , Import REConstructor,
. , pavka
:
, .
APIs .
2. , , ,
:
, DLL - SLA_Challenge.dll
0Dh ( .dll), Windows
8h , DLL 8h .
, DLL ,
. , ,
, :
.
Asprotect, ,
<2009> < >
98
, Asprotect
- IAT,
Universal Import Fixer v1.2.
, ,
, APIs
IAT. , IAT,
, . ,
Asprotect IAT, , , Armadillo,
.
:
-
(.idata) .osc.
2.10.2 Import
REConstructor
,
, Import REConstructor,
IAT APIs.osc
:
,
Borland Delphi, ,
(Stolen Code). ,
Asprotect .
.
, Microsoft Visual C++ | C/C++ (
,
APIs), ,
. ,
SpiderMan, .
, IAT APIs.
osc, APIs Asprotect, .osc,
(CRC) .osc
.osc,
dumped.exe dumped_control.exe.
dumped.exe, dumped_control.exe
<2009> < >
, Asprotect
99
. dumped.exe
Import Table -,
OllyDbg. ,
, (
004C67F0). ,
:
,
Import REConstructor APIs.
:
.
:
IAT, ,
OEP , :
<2009> < >
100
, Asprotect
Get Imports. Show Invalid,

APIs Asprotect ( ).
, Add New Section:
Fix Dump.
dumped.exe, :
Import REConstructor dumped_.exe.

, ,
:
.
:
<2009> < >
, Asprotect
101
APIs. , , ,
APIs, IAT,
:
, Import REConstructor
APIs .
, Borland Delphi,
APIs, IAT. ,
, Import REConstructor
IAT, IAT,
APIs ,
. Import REConstructor,
,
APIs.
2.11

INIT, APIs,
, APIs Asprotect,
.
dumped.exe dumped_control.exe,
. , ,
, (
).
, , :
<2009> < >
102
, Asprotect
01FC0623,
. ,
. 01FC0623,
:
, ,
. ,
.
,
. , .
2.11.1 Asprotect

Asprotect.dll
Asprotect.
, Asprotect.
:
, EBX
, ECX
:
<2009> < >
, Asprotect
103
: "MOV
BYTE PTR DS:[EBX],0E9" "LEA EDX,DWORD PTR DS:[EBX+1]".

Stolen Code ,
. ,
Stolen Code
.osc:
-
, Stolen
Code, .
: ,
Asprotect, Asprotect
v2.51 SKE build 09.22,
,

.
, ,
"table_JMP.bin". ,
, ,
,
. , , Asprotect 2.52
SKE build 12.08 12 2009 ., VM
, ,
.
? ,
<2009> < >
104
, Asprotect
,
,
.
, .
, Asprotect,
, .

,
, .
:
Stolen Code
- Stolen Code
.osc.
2.11.2
Asprotect
,
cracker's, .
CALL, JMP, Jcc (
) CMP+Jcc ( ).
( SBOEP
):
,
. ,
, ,
VM .
:
<2009> < >
, Asprotect
105
ImageBase ,
,
.
VM ,
CALL,
.
, . , , -
,
.
, ,
- , VM
, .
,
:

, ,
,
. -
.

:
: "MOV
ESI,EAX", "MOV DWORD PTR DS:[EBX+10],ESI", "MOV EAX,DWORD PTR DS:
[EBX+C]" "MOV DWORD PTR DS:[ESI+8],EAX".
, "8BF08973??8B43??89".
VM,
<2009> < >
106
, Asprotect
CALL, JMP, Jcc CMP+Jcc.

Stolen Code
.osc, :
-
Stolen Code,
;
- VM,
, ;
- VM,
,
- CALL, JMP, Jcc ( ) CMP+Jcc
( ).
Stolen Code
.
, VM, VM Asprotect
,
CALL, JMP, Jcc CMP+Jcc. VM,
VM
.
:
1.
Asprotect VM
, VM . , VM
. VM
, 74h
. 00h, VM,
01h, VM .
, , VM
, .
2.
Asprotect v1.41 build 04.01 Asprotect v2.41 SKE build 04.01,

CALL, JMP, Jcc ( ) CMP+Jcc
( ),
:
- 00h CALL;
- 01h JMP;
- 02h Jcc;
- 03h CMP+Jcc
Asprotect v1.41 build 04.01 Asprotect v2.41 SKE build 04.01
:
<2009> < >
, Asprotect
107
- 00h CMP+Jcc
- 01h CALL;
- 02h JMP;
- 03h Jcc;
3.

. Asprotect
:
ID
00
CMP DWORD [__1],__2
01
CMP DWORD __1,PTR DS:[__2]
02
CMP BYTE PTR DS:[__1],__2
03
CMP BYTE __1,[__2]
04
CMP DWORD __1,__2

:
ID
00
CMP DWORD __1,__2
01
CMP DWORD [__1],__2
02
CMP DWORD __1,PTR DS:[__2]
03
CMP BYTE PTR DS:[__1],__2
04
CMP BYTE __1,[__2]
,
VM .
, :
a) Asprotect:
<2009> < >
108
, Asprotect
b) Asprotect:
: , Asprotect

CALL, JMP, Jcc CMP+Jcc.
,
.
,
. VM
, - ,
Asprotect, RUN,
, VM.

Asprotect. Asprotect OEP,
SBOEP, SBOEP
SBOEP. :
,
.
. - RVA
(RVA + ImageBase_Programm = Address
JMP), RVA SBOEP
(RVA + SBOEP = Address JMP). , ,
RVA , :
000071F0 + 00400000 = 004071F0
<2009> < >
, Asprotect
109
, , :
, , SBOEP
. :
00000179 + 01FD04AA = 01FD0623
, ,
, SBOEP.
0Ch ,
Stolen Code ADATA.osc Stolen Code
RSRC.osc
.
, Stolen Code
.osc
IAT APIs.osc OEP .
, ,
Stolen Code .osc,
Stolen Code,
.
2.11.3 Stolen Code
, Stolen Code
.osc,
Stolen Code (
SBOEP, ). ,
Stolen Code.
OEP ( SBOEP) ,
Stolen Code ,
. Stolen Code

( .rsrc), ,
( .data).
,
Stolen Code.
:
<2009> < >
110
, Asprotect
SBOEP CALL.
, , .rsrc,
:
, CALL,
. ,

. Stolen Code
ADATA.osc Stolen Code RSRC.osc.

, ( .data).

( .rsrc). ,
.
Stolen Code .rsrc, ,
() , ,
. ,
.
:
- ,
Stolen Code;
- Stolen Code
;
- , , .
Stolen Code ADATA.osc Stolen
Code RSRC.osc ,
<2009> < >
, Asprotect
111
Stolen Code
.osc , .
, :
- table_JMP.bin Stolen
Code;
- table_massive_data.bin
;
- table_ImageBase_Stolen_Code.bin ImageBase
Stolen Code;
- section_ASPR_RSRC.bin section_ASPR_ADATA.bin
, Stolen Code,
;
- table_StolenCode_RSRC.bin table_StolenCode_ADATA.bin
Stolen Code .

Stolen Code . Stolen Code
.osc,
Jcc CMP + Jcc

Stolen Code. , , Stolen
Code 30% Stolen Code.
, Stolen Code ,
(.adata
), , .
(.
adata), , Stolen Code,
Stolen Code
(.adata), (.adata) Stolen
Code. Stolen
Code ADATA.osc Stolen Code RSRC.
osc, . Stolen
Code ADATA.osc Stolen Code RSRC.
osc , ,
, Asprotect.
:
Stolen Code
- Stolen Code ADATA.osc Stolen Code
RSRC.osc.
2.12

, ,
, :
1. dumped.exe dumped_control.exe, INIT,
<2009> < >
112
, Asprotect
( , IAT, DLLs
APIs), APIs ,
, APIs Asprotect,
(CRC).
2. section_ASPR_RSRC.bin section_ASPR_ADATA.bin,

CALL, JMP, Jcc ( ) CMP+Jcc (
).
dumped.exe section_ASPR_RSRC.
bin section_ASPR_ADATA.bin (
). dumped_control.exe .
2.12.1 dumped.exe
, , dumped.exe
, ASProtect, .rsrc,
section_ASPR_RSRC.bin section_ASPR_ADATA.bin.
: , .rsrc .data (
Asprotect) ,
.
dumped_control.exe,
dumped.exe .
PE Tools v1.5 RC7:
<2009> < >
, Asprotect
113
, Optional
Header, ,
:
<2009> < >
114
, Asprotect
Directory Editor,
Base Relocation Table, TLS Directory:
Base
Relocation Table, TLS Directory (
.data,
Asprotect).
, ,
,

. OllyDbg,
DUMP 0060EBD4, Base
Relocation Table ( TLS Directory):
<2009> < >
, Asprotect
115
Base Relocation Table,

TLS Directory, .data,
Asprotect.
Base
Relocation Table Memory Map,
0057289C:
, TLS
Directory, 00588000:
Base Relocation Table TLS Directory

( ImageBase
):
2.12.2 dumped.exe
section_ASPR_RSRC.bin
( ,
.rsrc):
<2009> < >
116
, Asprotect
( .aspr):
2.12.3 .rsrc
, .rsrc,
.data.
.rsrc,
RVA,
.
Resource Binder v3.1. , ,
RVA . .
,
, VirtualSize , <2009> < >
, Asprotect 117
VirtualOffset . , VirtualOffset .
rsrc :
0019D000 + 00001000 = 0019E000
Resource Binder v3.1,
dumped_control.exe,
, ,
VirtualOffset .rsrc:
,
dumped_control0019E000.rsrc.
dumped.exe,
:
<2009> < >
118
, Asprotect
Directory Editor:
2.12.4
.aspr

.aspr.
.osc,
. , ,
:
-
table_JMP.bin Stolen
Code;
table_StolenCode_RSRC.bin table_StolenCode_ADATA.bin
Stolen Code .aspr
.
,
Stolen Code,
. ,
- .
, RUN,
.
, dumped.exe :
. :
<2009> < >
, Asprotect
119
,
Copy to executable 0 Selection.
, ,
:
. ,
.
:

-
.osc.
2.12.5
, , . ,
(
),
(CRC) .osc:
,
. :
00556A64 + 7Ch = 00556AE0
ESI.
, ,
<2009> < >
120
, Asprotect
. :
48068748 + B7F978B8 = 0000000
ESI, .

:
:
B1E8008B + B7F978B8 = 69E17943
69E17943 ESI,
ESI, .
Asprotect v2.51 SKE build 09.22 11 .
,
:
,
.
<2009> < >
, Asprotect
121
00550D66. ESI.
, , , LEA ESI,DWORD PTR DS:
[ESI+ECX+F067B3A2] POP EDX SUB ESI,ECX.
:
, 004A5909.

. : 8D??????????5
?EB, 8D????????????5?EB, 8D???????????03??5?EB, 8D????????????03??5?
EB, 8D????????????2B??5?EB, 8D????????????2B??03??5?EB.
, ,
, . ,
NOP (
JMP, ,
, ):
2.13
Stolen Code
, ,
, .
<2009> < >
122
, Asprotect
Stolen Code ,
. Stolen Code bronco
, ,
.
Stolen Code.osc .
,
NOP.
Stolen Code, ,
,
:
,
,
Asprotect. , Asprotect.dll,
, ,
. SBOEP,
, APIs Asprotect, ..,
.
<2009> < >
, Asprotect
123
, ,
Stolen Code.osc.
, , ,
Stolen Code:
, ,
. ,
, .
.
, ,
, . ,
,
. ,
. ,
,
.
:
Stolen Code -
Stolen Code.osc.
<2009> < >
Top Level Intro

Part
III
125

, ,
, .
,
Asprotect. ,
. ,
, , ,
, .
3.1
Sticky Password v4.0.0.148

Sticky Password
v4.0.0.148, http://www.stickypassword.com/files/SP40/
stpsinst400148.exe.
ASProtect v2.5 build 03.31 Release.
3.1.1

,
- ,
. PEiD v0.95:
, Asprotect. ,
ASPrINFO v1.6 Beta:
<2009> < >
126
, Asprotect
Asprotect 2.5 SKE build 03.31

Release. ,
. DiE v0.64:
, Borland Delphi.
3.1.2

,
. OllyDbg,
OEP (SBOEP).osc. ,
,
:
<2009> < >
127
, .
APIs APIs
Asprotect. INIT OEP ,
(Stolen
Code). . OEP
:
, OEP.
3.1.3
IAT APIs
! .
, IAT APIs.osc.
: , INIT,
,
INIT.osc,
XXh .,
INIT,
..
:
-
IAT, , ;
APIs;
,
;
INIT (
table_INIT.bin);

.osc,
(CRC) .osc,
APIs Asprotect, .osc
(.idata) .osc.
,
, OEP.
<2009> < >
128
, Asprotect
OEP , IAT,
.
3.1.4
CRC)
, ,
(CRC) .osc:
, CRC..
3.1.5
APIs Asprotect,
, ,
APIs Asprotect, .osc,
:
APIs Asprotect GetRegistrationInformation,

CheckKey GetTrialDays.
3.1.6

,
(.idata) .osc.
:
<2009> < >
129
,
, APIs Asprotect,
(CRC) - "dumped.exe" "dumped_control.exe".
, (.
idata) .osc, "dumped.exe"
( - , "dumped.
exe" ):
OEP, DLL. ,
Entry Point :
<2009> < >
130
, Asprotect
, PE Tools v1.8.800.2006 RC7:
"dumped.exe" :
, - , . , ,
(.idata)
.osc, PE-
Entry Point .
<2009> < >
3.1.7
131
Stolen Code
, , OEP (SBOEP).osc, ,
Stolen Code, -
Stolen Code .osc,
, :
, Stolen Code,
.
3.1.8
dumped.exe
, , dumped.exe
, ASProtect, .rsrc, , ,
.
PE Tools v1.5 RC7:
<2009> < >
132
, Asprotect
, Optional
Header, ,
:
<2009> < >
133
Directory Editor, Base

Relocation Table, TLS Directory:
Base
.data,
Asprotect).
, ,
,

. OllyDbg,
DUMP 0098BBD4, Base
<2009> < >
134
, Asprotect

Asprotect.
Base
0098BBD4, .. , Asprotect. ,
.
, TLS Directory,
006FC000:

( ImageBase
):
3.1.9
.rsrc
, .rsrc,
.data.
.rsrc.
Resource Binder v3.1, ,
. Resource Binder v3.1,
dumped_control.exe,
, ,
<2009> < >
135
,
dumped_control0032C000.rsrc.
dumped.exe,
:
3.1.10 JCLDEBUG
PE Tools v1.5 RC7,
dumped_control.exe,
:
<2009> < >
136
, Asprotect
dumped.exe:
3.1.11
.
, :
.
dumped.exe - stpass.exe, ,
, , ,
stpass_orig.exe.
<2009> < >
3.2
137
LanAgent v3.0.0.0
, Asprotect.
LanAgent v3.0.0.0,
http://www.lanagent.ru.
ASProtect v1.35 build 04.25 Release.
3.2.1

, ,
- ,
. PEiD
v0.95:
, Asprotect. ,
ASPrINFO v1.6 Beta:
Asprotect 1.35 build

04.25 Release. ,
<2009> < >
138
, Asprotect
. DiE v0.64:
, Borland Delphi.
3.2.2

,
. OllyDbg,
OEP (SBOEP).osc. ,
,
:
, , ,
APIs, APIs Asprotect,
INIT, SBOEP ( OEP ).
SBOEP :
<2009> < >
139
CALL, JMP, Jcc

( ) CMP+Jcc ( ).
CALL 01B80000, VM,
.
3.2.3
INIT
! .
, INIT.osc.
:
-
INIT;
table_INIT.bin,
IAT APIs.osc.
,
, SBOEP:
SBOEP , INIT,
<2009> < >
140
, Asprotect
.
3.2.4
IAT APIs
,
IAT APIs.osc.
:
-
IAT, , ;
APIs;
,
;
INIT (
table_INIT.bin);

.osc,
(CRC) .osc,
APIs Asprotect, .osc
(.idata) .osc.
,
, SBOEP.
:
INIT, SBOEP ,
<2009> < >
141
IAT, . , ,
7 APIs Asprotect, Asprotect.dll.
APIs Asprotect GetHardwareID GetRegistrationInformation,
APIs Asprotect GetTrialDays, GetTrialExecs, ExecuteApplication ExecuteTrial,
.
3.2.5
CRC)
, ,
(CRC) .osc:
.
3.2.6
APIs Asprotect,
Asprotect ,
APIs Asprotect ,
3.2.7

, ,
(.idata) .osc.
:
,
, APIs Asprotect,
INIT - "dumped.exe" "dumped_control.exe". ,
(.idata)
<2009> < >
142
, Asprotect
.osc, "dumped.exe"
( - , "dumped.exe"
):
OEP,
. , .
3.2.8
Stolen Code
, OEP (SBOEP).osc, ,
Stolen Code, ,
Stolen Code
.osc.
:
-
Stolen Code,
, table_JMP.bin;
CALL,
JMP, Jcc ( ) CMP+Jcc ( ),
, table_massive_data.
bin;
Stolen Code,

CALL, JMP, Jcc CMP+Jcc, ,
table_ImageBase_Stolen_Code.bin;
, VM,
CALL, JMP, Jcc CMP+Jcc,
Stolen Code;
, VM,
CALL, JMP, Jcc CMP+Jcc
Stolen Code, recovery_emul_inst.bin.
, Stolen
Code ADATA.osc Stolen Code
RSRC.osc.
, ,
:
<2009> < >
143
, ,
Stolen Code SBOEP.
3.2.9
SBOEP .rsrc
, Stolen Code
- .rsrc. ,
, Stolen Code RSRC.osc.
:
-
,
Stolen Code. ,
SBOEP;
CALL, JMP, Jcc
CMP+Jcc .rsrc Stolen Code;
Stolen
Code , .rsrc ;
, ,
Stolen Code,
section_ASPR_RSRC.bin.

.
3.2.10 dumped.exe
, , dumped.exe
.
PE Tools v1.5 RC7:
<2009> < >
144
, Asprotect
, Optional
Header, ,
:
<2009> < >
145

Base
.data,
Asprotect).
, ,
,

. OllyDbg,
DUMP 009C49DC, Base
<2009> < >
146
, Asprotect

Asprotect.
Base
009C49DC, .. , Asprotect. ,
.
, TLS Directory,
00761000:

( ImageBase
):
3.2.11 dumped.exe
:
<2009> < >
147
( .aspr):
3.2.12 .rsrc
, .rsrc,
.data.
.rsrc,
RVA,
.
RVA . .
,
, VirtualSize , VirtualOffset . , VirtualOffset .
<2009> < >
148
, Asprotect
rsrc :
00398000 + 00002000 = 0039A000
dumped_control.exe,
, ,
,
dumped_control0039A000.rsrc.
dumped.exe,
:
Directory Editor:
<2009> < >
149
3.2.13
.aspr

.aspr.
.osc,
. , ,
:
-
Code;
Stolen Code .aspr
.
,
Stolen Code,
.
, dumped.exe :
. :
,
, ,
:
<2009> < >
150
, Asprotect
. , - ,
. ,
, .
3.2.14 .aspr
.aspr ,

Stolen Code.osc. ,
. ,
:
, .aspr ,
. ,

.osc, .
Searh for 0 User-defined
comment , BreakPoint,
, :
3.2.15
, :
<2009> < >
151
OllyDbg, ,
Stolen Code
.osc, SBOEP CALL
DWORD PTR DS:[759440]. BreakPoint,
:
, dumped.exe, 00759440
00745080:
, , F9
, :
<2009> < >
152
, Asprotect
, .
, 00745080?
, API Asprotect
GetRunApplicationFunction. API
API ExecuteApplication ExecuteTrial,
. , ,
IAT APIs.osc,
Asprotect.dll ,
API GetRunApplicationFunction, 00759440, .
, Stolen Code
.osc, API GetRunApplicationFunction
, 00759440 00745080,
:
, dumped.exe LanAgent.exe, , ,
, , LanAgent_orig.exe.
3.3
Asprotect v2.5 SKE build 04.08 Demo

, Asprotect.
, ,
<2009> < >
153
, ,
. , ,
.
Asprotect, , , Asprotect
, . , ,
Asprotect v2.5 SKE build 04.08 Demo,
http://www.aspack.com/files/aspr25_demo.zip.

, Asprotect.dll,
,
.
Asprotect v2.5 SKE build 04.08 Release.
3.3.1

, ,
- ,
. PEiD
v0.95:
, Asprotect. ,
ASPrINFO v1.6 Beta:
<2009> < >
154
, Asprotect
Asprotect v2.5 SKE build 04.08

Release. ,
. DiE v0.64:
, Borland Delphi.
3.3.2

,
. OllyDbg,
OEP (SBOEP).osc. ,
,
:
<2009> < >
155
, , ,
APIs, APIs, APIs Asprotect
, INIT,
. .
SBOEP :
CALL, JMP, Jcc

( ) CMP+Jcc ( ).
CALL 01E60000, VM,
.
3.3.3
INIT
! .
, INIT.osc.
:
-
INIT;
table_INIT.bin,
IAT APIs.osc.
,
, SBOEP:
<2009> < >
156
, Asprotect
SBOEP , INIT,
.
3.3.4
Asprotect.dll
, ,
IAT,
, Asprotect.dll.
VM
.
Asprotect.dll,
IAT APIs.osc, main_parameters.bin,

Asprotect_dll OEP (SBOEP).osc.
,
SBOEP,
Asprotect_dll OEP (SBOEP).osc,
Asprotect.dll. ,
:
, :
<2009> < >
157
,
. , ,
Asprotect_dll.osc,
(.idata) Asprotect_dll.osc. ,
Asprotect.dll, Asprotect_250_0408.dll,
Asprotect ( 5, 2)).
3.3.5
VM

Asprotect.dll Asprotect_250_0408.dll Asprotect_241_0226.dll.
5 , , .
,
. ,
Asprotect.dll VM
. VM
Asprotect.dll, VM
. VM ,
VM:
XOR EAX,A74AD28A, ,
. VM
, :
<2009> < >
158
, Asprotect
hex- 00h 0Fh:

Hex-

0h
D4h
2Ah
1h
E0h
31h
2h
4Eh
E0h
3h
8Dh
4Bh
4h
07h
EFh
5h
5Bh
3Bh
6h
5Eh
5Fh
7h
99h
06h
8h
C7h
28h
9h
FCh
8Eh
Ah
A0h
BAh
Bh
49h
EAh
Ch
8Bh
FBh
Dh
93h
18h
Eh
4Ah
00h
Fh
9Ah
FDh

Asprotect.dll (
ASProtect 2.41 SKE build 02.26 Beta ASProtect SKE 2.5 build 04.08
Demo):

<2009> < >
DWORD_00h
+ 00h
+ 00h
DWORD_04h
+ 04h
+ 18h
DWORD_08h
+ 08h
+ 0Ch
DWORD_0h
+ 0h
+ 04h
DWORD_10h
+ 10h
+ 10h
DWORD_14h
+ 14h
+ 14h
DWORD_18h
+ 18h
+ 08h
DWORD_1Ch
+ 1Ch
+ 1Ch
159

DWORD_00h
+ 00h
+ 0Ah
DWORD_04h
+ 04h
+ 12h
BYTE_08h
+ 08h
+ 10h
BYTE_09h
+ 09h
+ 00h
BYTE_0Ah
+ 0Ah
+ 16h
BYTE_0Bh
+ 0Bh
+ 09h
BYTE_0Ch
+ 0Ch
+ 01h
DWORD_0Dh
+ 0Dh
+ 05h
BYTE_11h
+ 11h
+ 17h
BYTE_12h
+ 12h
+ 0Eh
BYTE_13h
+ 13h
+ 0Fh
BYTE_14h
+ 14h
+ 02h
BYTE_15h
+ 15h
+ 03h
BYTE_16h
+ 16h
+ 04h
BYTE_17h
+ 17h
+ 11h

, VMDelay (
ADD, SUB MOV):
<2009> < >
160
, Asprotect

BYTE_00h
+ 00h
+ 0Ch
BYTE_01h
+ 01h
+ 02h
BYTE_02h
+ 02h
+ 01h
BYTE_03h
+ 03h
+ 07h
BYTE_04h
+ 04h
+ 00h
BYTE_05h
+ 05h
+ 08h
BYTE_06h
+ 06h
+ 09h
BYTE_07h
+ 07h
+ 0Ah
BYTE_08h
+ 08h
+ 0Bh
BYTE_08h
+ 09h
+ 03h
BYTE_0Ah
+ 0Ah
+ 04h
BYTE_0Bh
+ 0Bh
+ 05h
BYTE_0Ch
+ 0Ch
+ 06h

VMDelay:
3.3.6

CMP BYTE [EBP-1D],0
00h
05h
CMP BYTE [EBP-1D],6
06h
04h
CMP BYTE [EBP-1D],8
08h
02h
CMP BYTE [EBP-1D],5
05h
06h
CMP BYTE [EBP-1D],9
09h
09h
VM

, VM
.
VM
.osc.
VM_recovery_main_code.exe ( 5-
<2009> < >
161
), . ,
, .
, .
VM,
recovery_emulate_inst_main_code_250_0408.bin, ,
VM:
3.3.7

VM
, ,
-
VM. :
, IAT APIs.osc.
,
.osc, BreakPoint
RUN:
, VM,
BreakPoint, S, RUN.
004A3FF2, , -
. ,
<2009> < >
162
, Asprotect
BreakPoint, ,
.
:
3.3.8
APIs Asprotect,
Asprotect , APIs Asprotect
. , ,
, ,
:
API Asprotect CheckKey.

3.3.9

, ,
(CRC) .osc,
.
:
3.3.10
, , ,
(.idata) .osc.
:
<2009> < >
163
APIs
Asprotect,
INIT,

"dumped.exe" "dumped_control.exe". ,
(.idata)
.osc, "dumped.exe" (
- , "dumped.exe"
):
OEP,
. , .
3.3.11 Stolen Code
, OEP (SBOEP).osc, ,
Stolen Code, ,
Stolen Code
.osc.
:
-
Stolen Code,
, table_JMP.bin;
CALL,
JMP, Jcc ( ) CMP+Jcc ( ),
, table_massive_data.
bin;
<2009> < >
164
, Asprotect
Stolen Code,

CALL, JMP, Jcc CMP+Jcc, ,
table_ImageBase_Stolen_Code.bin;
, VM,
CALL, JMP, Jcc CMP+Jcc,
Stolen Code;
, VM,
CALL, JMP, Jcc CMP+Jcc
Stolen Code, recovery_emul_inst.bin.
, Stolen
Code ADATA.osc Stolen Code
RSRC.osc.
, ,
:
, ,
Stolen Code SBOEP.
3.3.12 SBOEP .rsrc
, Stolen Code
- .rsrc. ,
, Stolen Code RSRC.osc.
:
-
,
Stolen Code. ,
SBOEP;
CALL, JMP, Jcc
CMP+Jcc .rsrc Stolen Code;
Stolen
Code , .rsrc ;
, ,
Stolen Code,
section_ASPR_RSRC.bin.

<2009> < >
165
.
3.3.13 dumped.exe
, , dumped.exe
.
PE Tools v1.5 RC7:
, Optional
Header, ,
:
<2009> < >
166
, Asprotect

Base
.data,
Asprotect).
, ,
,

. OllyDbg,
DUMP 009C49DC, Base
<2009> < >
167

Asprotect.
Base
0055076C:
, TLS Directory,
00567000:

( ImageBase
):
3.3.14 dumped.exe
:
<2009> < >
168
, Asprotect
( .aspr):
3.3.15 .rsrc
, .rsrc,
.data.
.rsrc,
RVA,
.
RVA . .
,
, VirtualSize , VirtualOffset . , VirtualOffset .
rsrc :
0017A000 + 00002000 = 17C000
dumped_control.exe,
, ,
<2009> < >
169
,
dumped_control0017C000.rsrc.
dumped.exe,
:
Directory Editor:
<2009> < >
170
, Asprotect
3.3.16
.aspr

.aspr.
.osc. ,
, :
-
Code;
Stolen Code .aspr
.
,
Stolen Code,
.
, dumped.exe .
:
,
, ,
:
. ,
.
UnASProtect_250_0408.exe.
<2009> < >
171
, ( ) ,
:
<2009> < >
Top Level Intro

Part
IV
173
Asprotect.
- ASProtect 1.5 build 04.08
Demo, http://www.aspack.com/
files/aspr15demo.zip. ,
VM,
.
<2009> < >
174
, Asprotect
Endnotes 2... (after index)
<2009> < >
Back Cover

SD

Diunggah oleh

Informasi Dokumen

Judul Asli

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

SD

Diunggah oleh

Hak Cipta:

Format Tersedia

,

Special thanks to:

<2009> < >

<2009> < >

<2009> < >

This is just another title page

<2009> < >

Top Level Intro

<2009> < >

<2009> < >

Top Level Intro

ASProtect SKE v2.51 build 09.22

<2009> < >

, ASProtect 1.2x - 1.3x [Registered].

<2009> < >

, , RDG Packer Detector v0.6.6:

, DiE v0.64 RDG Packer Detector v0.6.6

<2009> < >

, plugin PhantOm v1.54:

<2009> < >

<2009> < >

<2009> < >

MOV EAX,DWORD PTR DS:[CB1CB8]

<2009> < >

<2009> < >

<2009> < >

<2009> < >

<2009> < >

<2009> < >

REG : EAX, ECX, .. ,

<2009> < >

<2009> < >

<2009> < >

<2009> < >

<2009> < >

<2009> < >

<2009> < >

<2009> < >

<2009> < >

"INC EAX", "MOV

<2009> < >

APIs RaiseException GetProcAddress

JMP SHORT 00F06471, :

<2009> < >

, CALL 02270000, CALL 02300004

<2009> < >

CALL EBP CALL EDX,

<2009> < >

APIs Asprotect ASProtect ( 2.xx

APIs Asprotect, 13:

<2009> < >

API RemoveKey, API CheckKey, API CheckKeyAndDecrypt:

<2009> < >

API GetTrialDays, API GetTrialExecs:

API GetHardwareID, API GetHardwareIDEx:

<2009> < >

00584A5C ( APIs Asprotect

<2009> < >

APIs Asprotect ASProtect ( 1.xx)

<2009> < >

<2009> < >

<2009> < >

API APIs ExecuteApplication ExecuteTrial.

CMP DWORD [1],2

CMP DWORD 1,PTR DS:[2]

CMP BYTE PTR DS:[1],2

CMP BYTE 1,[2]

CMP DWORD 1,2

CMP DWORD 1,2

CMP DWORD [1],2

CMP DWORD 1,PTR DS:[2]

CMP BYTE PTR DS:[1],2

CMP BYTE 1,[2]