ASPR (not a full tut)
1 Attachment(s)
Hi all,
I have tried again and again, so many times, to unpack this new version of ASPR, but no luck; every time it crashes. So I made this tut about the new ASPR. This tut is not yet fully working, so if anyone else wishes to finish this tut and fix my errors... |
No reply??
Well, I hope that someone will come up with a solution for why this app still crashes...
Good luck (please post your answer here). |
More info about the crash
Well, all that I have found out about the crashes of the app
is this:
00402262  . 83C0 03        ADD EAX,3
00402265  > C1F8 02        SAR EAX,2
00402268  . 8B15 24E65600  MOV EDX,DWORD PTR DS:[56E624]
0040226E  . 8B5482 F4      MOV EDX,DWORD PTR DS:[EDX+EAX*4-C]
00402272  . 85D2           TEST EDX,EDX
00402274  . 74 79          JE SHORT Dump_.004022EF
00402276  . 8BF2           MOV ESI,EDX
00402278  . 8BC6           MOV EAX,ESI
It crashes at MOV EDX,DWORD PTR DS:[EDX+EAX*4-C] with a Read Access Violation, and there are more of those, some with a Write Access Violation. In the packed file in Olly you can see that DWORD PTR DS:[EDX+EAX*4-C] = 00000000, and in the unpacked file you can see that DWORD PTR DS:[EDX+EAX*4-C] = ????????? Really weird! All the other places are like that. Well, in ASPR Stripper I sometimes saw it printing these lines for some other unpacked apps, e.g.:
ApiEntry RVA :0001e984 *esp = (00a738fd, 00a63861, 0012ffe0)
ApiEntry RVA :000181dc *esp = (00a739f1, 00000010, 00000010)
ApiEntry RVA :000012cc *esp = (00a73b2f, 004012c8, 0012ffe0)
What are those lines for??? I think this could help to solve this thing... |
Try to write down the register values at the OEP when you debug the protected app.
Then check them on the dump. Some of them must match (e.g. EBP, ...). |
Hi labba!
I unpacked it correctly, nothing new, just recheck your IAT. Britedream |
Hi,
I also noticed a strange thing: when I unpacked it, it took out the time limit too. britedream |
I have got it correctly; there is something new!
|
Hi jingulong!
Are you talking about the CryptHashPublicKeyInfo dll? I did not notice any new stuff. Will you please explain? Thanks, Britedream |
Thanks Labba for the tut
paul333 |
HMMM...
Well, as I can see, no one has posted a real reply about why the app is crashing, or posted a FIX for the TUT, or continued it...
TOO BAD... that way no one will learn anything... |
1 Attachment(s)
In my earlier post I indicated that the problem is in your IAT;
however, I don't have the version you refer to on my PC anymore, but I did download the new version 4.92-147, so with the following info you should be able to see what was wrong and correct accordingly:
oep=00577b64
stolen bytes=55 8B EC 83 C4 F0 B8 04 74 57 00
IAT= |
Hi labba!
I noticed in your tut that you used add esp,-10 as a pattern, but I would like to bring to your attention that this isn't always true; if you look at Advanced Registry Tracer, you would see add esp,-0C. So I thought you may want to make a note of it in your tut. Regards! britedream |
Hi... yeah, I noticed that a long time ago... but we need to find out how we can find those stolen bytes that are now emulated...
BTW... I re-checked my IAT and all was just fine; the app still crashes... BUT NOW I KNOW WHY... the full tut is coming! :D |
Great!
I am glad that you found out what was wrong. The reason I suggested that the problem is with your IAT is that there are three variables: OEP, stolen bytes, and IAT; two of those are correct, as I saw from your tut, so the only thing left is your IAT. Of course there are other things that can go wrong, such as dumping and correct OEP positioning, but those have nothing to do with ASProtect-specific unpacking. britedream |
Full Tut Is Finished
1 Attachment(s)
Hi.
Yeah, you were right... the dumping was wrong... here is the tut, a little improved... |
Hi Labba!
Thanks for the effort you put into this tut; it is a nice tut, but I would like to add a slightly shorter approach. At the point where it says "It's time now to set a trace...":
1- ALT+M, and choose "set memory breakpoint on access"
2- Shift+F9 will break on program code; press K on the toolbar
3- double click on the second address you see there.
4- this is the place you should be dumping from; also you see the place where the stolen bytes should be placed.
For FreeResource or LockResource you should be able to determine from the names above and below. Britedream. |
Maybe I don't have a GOOD BRAIN...
Hi Labba and britedream!
Thanks for the effort you put into creating this great tut and advice. However, I couldn't get a correct unpacked executable file with this tut. Maybe I don't have a GOOD brain for understanding this. :( I have tried with the same example (SystemCleaner 4.91d). My final targets are DropToCD and Recordius; those are CD/DVD burning applications. But I can't pass the TUT course. English is not my first language, so maybe I've misunderstood the tut procedure. If you have a chance to update the tut, would you please explain the procedure step by step with numbers (like britedream's reply)? Thanks and regards, HotPepper |
Something strange!!!
I have applied this tut to DropToCD, but I got a strange thing. After unpacking, the unpacked file does not run correctly. NOT a crash... the process is just terminated without any error.
What should I do? And, in this program, the stolen bytes are not 11 or 14 bytes. I believe it is 12 bytes. Thanks, HotPepper |
That target has an old trick, checking if the app was unpacked...
Look for exceptions after the OEP... try Olly... and, if you didn't succeed with the target that belongs to the tut, then the knowledge in that tut will not be enough for you, certainly not if you tackle an unrelated target. :) /Manko |
Re: Something strange!!!
I will download this and see if I can get it to work. Which DropToCD is it you are trying to unpack? DataCD or AudioCD? And which version? (Meaning, for DataCD there is 2.0 and 2.0 beta 3, and for AudioCD there is 1.0 and 1.1 beta 2) |
Hi HotPePPer!
The info for DropToCD (Audio):
OEP=5647dc
stolen bytes=55 8B EC 83 C4 F0 53 B8 84 41 56 00
IAT rva=7bf190 size~900
The stolen bytes are not erased, so when you stop at address 5647e8, go to ECX and follow in dump, change the dump pane from hex to disassemble, go up one or two lines and then you see all your stolen bytes. |
britedream, can you try your hand at DropToCD DataCD 2.0? I was able to do AudioCD easily, but I am having some problems with DataCD that I cannot find a way around. I found OEP and stolen bytes easily; OEP = 585465, stolen bytes = 55 8B EC 83 C4 EC B8 DC 4D 58 00. I think the problem is some SEH, but I can't get around it. Maybe it is easy and I am missing something obvious, I don't know. Anyway, if you have time, please try DataCD.
|
Hi!
Satyricon, my good man! Have you no trust in me? As I said, it IS a common trick with ASPR. Have you never seen it? Anyway... When you have unpacked it as normal, run it with Olly and make sure it is set to record/pause at all exceptions... You will notice it will break twice on the same address... Reverse it! :) (To be honest, I just used my app as normal to get this address... Can't unpack every file every time...) Ohh, and yes, Delphi will often do exceptions, but you can see if that is the case... code/address will be quite different usually... Just get the address of that exception and do the work... :) cya /Manko |
Hi!
Hehe... SORRY! There were more tricks perhaps... must examine further tomorrow... maybe just tired? ... CYA! /Manko |
Manko, I do trust you! :D But, I don't think this program is so simple... I have seen exceptions in AsProtected programs before that are simply testing to see if certain APIs (usually emulated kernel32 functions) are writeable, and those are easy to get around. Indeed, there is one of those in this application (and that is what you saw in your asprdebugger). But, there is more here than just that. I have done all the usual things, but it still doesn't work.
Debugging the packed program, you see the internal exception 0EEDFADE raised four times in total, two before the messagebox displaying the remaining number of trial days, two after the messagebox. Debugging the unpacked program, you see the exception SIX times in total, three before the messagebox code (the messagebox no longer pops up for some reason), three after the messagebox code. So it seems there was some other SEH in place here, so that the exception was only raised 4 times instead of 6 in the packed code... What happens is, when you run the program (while packed), you see the application in the taskbar for 3 or so seconds, then after those 3 seconds, the program's form pops up. When unpacked, you still see the application in the taskbar for those three seconds, but once the three seconds have elapsed, instead of the form popping up, the application just closes. It looks like the program (which appears to be written in C++ Builder) terminates early from some loop in TApplication->Run, maybe a message handling loop? :confused: |
Hi All,
Thanks to all of you for replying to the messages. :) I mean DropToCD DataCD 2.0 final. It is packed with ASProtect 1.23 RC4. I will try again with all of your advice. :D Thanks, |
Something NEW is coming....
Hi All,
I am sorry if I'm bothering you with this..... I just downloaded 'Recordius 1.03b' and tried to unpack it, but I can't. Yes, I am a BEGINNER~! However, I have had a really GOOD time learning about unpacking from this board. Here is what I did...
DropToCD (Data) 2.0, Recordius 1.02b
- Stripper V203 can remove the trial limits from the registry, so I can use it over 7 days.
- PE-ID can scan the version of ASPR and search for the OEP (even though that is not correct!)
- ASPRdbgr 1.0 can find the IAT rva and the OEP
- with Olly, I can find the OEP of DropToCD but not Recordius
Recordius 1.03b
- Stripper V203 can remove the trial limits, but invokes an error when trying to unpack. After removing the trial limit, I cannot run the app because the app invokes Protection Error 0000001
- PE-ID can scan the OEP and ASPR version.
- ASPRdbgr 1.0 cannot find the IAT rva and OEP; it just finishes running.
- with Olly, I found the dumping point (but I am sure because it is not similar to the TUT), but I cannot trace to find the OEP because the trace gets an error after several F8.
Thanks, HotPepper :confused: :confused: |
To Hotpepper
The ASProtect in Recordius 1.03 is a new breed to me, so with only 13 tries it will be hard to know it; we should check it in a program with no such limit. However, I think I found the signature bytes:
mov edi,[starting address for erasing]
mov ecx,285e ; this will change in some programs, but as far as yours it is 285e = # of bytes to erase
rep stos byte ptr es:[edi] ; erase
popfd
pop edi
pop ecx
retn
These last 4 bytes you can use as a signature.
P.S. OllyDbg isn't working well with it, and DS3 isn't functioning on my PC. |
Hi satyricon!
With only 13 tries, I think it will be wise to try to find the location to disable the try limit each time you run the original; then it would be easy to go to the original prog to check errors and correct them. Otherwise you will come to the limit soon. Regards! |
britedream,
DataCD stupidly stores the number of times it has been executed in some hashed data in the registry. After executing it only once, I exported that registry key, and by importing that registry key now, I can reset the number of executions. So, the 13 execution limit does not matter! Effectively, all that is left is the 7 day limit. BUT... I know exactly where in the code it checks the number of executions and days elapsed. It is very easy to bypass, I think. Try looking at the subroutine at RVA 57D590-57D603. That is the procedure that generates the messagebox. In that routine, check for calls to 573640 (routine that returns the number of days total and number of days remaining) and 5736A4 (routine that returns the number of executions total and number of executions remaining). Those routines can easily be patched, allowing you to run the program as many times as you want. With that information, I would greatly appreciate it if you could try your hand at unpacking it. You seem very competent, much more so than myself, and I am greatly interested in what else needs to be done to get this application to work correctly. Thanks! |
1 Attachment(s)
To Satyric0n
By no means am I more competent than you in any way; however, I did download the program, and with a few NOPs it is running. If you see the program starting, then going away, you are almost there. Just make sure that you NOP the call at 5735f7 from push ebx to pop ebx inclusively; also make sure that your IAT is correct, as ImpRec failed to detect FreeResource in this program. This is my IAT to compare to: |
to Satyric0n:
I just noticed that your OEP isn't correct, and your stolen bytes are missing one byte; here is the working info:
oep=55 8B EC 83 C4 F0 53 B8 DC 4D 58 00
IAT is attached above.
Addresses to patch: they are almost the same, so start NOPing from xor eax,eax to mov xxxxxx,edx:
5789d9
5735eb ; check my post above
578a1a
578a5b
578a9c
57d8c3
57d904
The last is a jnz: 578ae4 nop
----------------------------------------------------------
Thanks to Hotpepper, it is a nice program! |
To Hotpepper
For you to practice, try the new Recordius 1.04; the protection is the same as above, and it will take you no more than five min. Here is some info to help you:
oep=11f674
IAT rva=777230 size~900
stolen bytes are the same as above, except the eax value. Good luck. britedream |
britedream,
I had the exact same IAT as you, so I guess I did at least that much correctly :p. But, you are absolutely correct on the OEP and stolen bytes; I missed the PUSH EBX, but at least had the correct distance between EBP and ESP... I am reviewing the rest of the information you posted, of the addresses to patch. Thank you very much for looking into this :D, it is nice to see the solution to this after as much time as I spent trying to figure it out, unsuccessfully. |
britedream,
I looked over the addresses you said to NOP, and NOPing those did work perfectly. But I have found a different solution that has considerably less NOPing, and appears to work correctly. I agree with you on NOPing the procedure at 5735EC (PUSH EBX through POP EBX), but I think all the others you listed are unnecessary. Simply NOP the CALLs at 573782 and 57389B, and everything seems to work just fine. Again, thanks for your help. I would not have found any solution, yours or mine, without your input. |
It may very well be; I did not test it, so NOPing some of those may prevent going to the others. I think I did
try to NOP 573782, but had some errors, so check it in the original program and see if it works. |
NOPing 573782 definitely works as long as you also NOP 57389B. Doing one or the other but not both does not work properly, but NOPing both seems to work great.
I know I have thanked you already for your help, but thank you again :D. It made me very happy to finally get this working, after so much frustration at being unsuccessful. I spent a pathetically long time trying to get it to work, when I knew it had to be a simple solution, and in the end it was. But, I learned a lot (about SEH especially) from working on it. From what I learned from this, I was able to get Recordius 1.04 unpacked and working without even thinking about it, so it was worth it. Maybe one day I can return you the favor. |
My pleasure, and I am glad that my info was of any benefit
to you. Regards |
Thanks to all of you for helping solve the problem.
Currently I am on a biz trip out of my country. When I get back home, I will try that. Thanks again, HotPepper :p PS] I believe DropToCD and Recordius are really nice programs. They are really small and have almost all the functionality that I want. |
Anyone know the OEP and stolen bytes of AnyDVD? Can't find it...
TIA |