The new asprotect 1.31
 

I did download this beta, it is getting closer to acprotect approach, the new beta and the older asprotect both almost have the same concept.I wrote script to find the oep and the last exception, the true oep is directed by jmp to the asprotect area , where the stolen reside,this is done within the few exceptions (2-3, I don't remember now) before the last exception reached, for the iat , the apies are emulated inside the asprotect area, this is my initial observation, I believe this observation won't be new to most of you, but I thought I should share it with others who may not have it. please share your input if you can. thanks.

I can find oep,about stolen bytes i use same compiler stubb approach and its working,but when i try to use imprec,imprec crash,can not fix iat.

To: el-KiWi

in this weekend I did look at the beta , and I did unpack it ,but I used non traditional way for speed due to lack of time, I will look into the normal way
used to unpack asprotect once I have the time,so play with it , I am sure you will unpack it.

this version makes it's a very difficult task to make a clean dump that you can use on any computer. however, it is extremely easy (but time consuming) to unpack the apps and have them run on your own machine (and possibly even the same OS on another machine). I may write a tutorial on the entire process and post it here, but the basic idea behind it is to dump and attach the aspr envelope to the dumped.exe file. This involves realigning dumped sections and playing with import functions. The biggest obstacle to overcome would be rebuilding an import table and IAT, since aspr now doesn't simply use redirection from withing the IAT.

And, if Alexey ever peers this forum (who knows) here's a little msg to him:

Just reconstruct the crime scene,the target will run in no time.

this time I did unpack the test target in the traditional way , just I patched three locations, and fixed the iat using importrec, the target ran , now I will test this on commercial target protected with registered version, as soon as time permit.

Hmm
 

Interesting.:-)
Try the newest version of WhereIsIt...

regards,
hobgoblin

To hobgoblin
Today I tried your target "whereisit" protected by the latest asprotect, I did unpack it ,it is running on my pc, I will up load it to you tomorrow.

Cool.
 

That's cool. I'm looking foreward to see how you resolved this. I have made a dump that I think will work. I just don't haven't figured out how to fix the iat trouble.

regards,
hobgoblin

To hobgoblin:

Sorry I couldn't upload it to the exetools, please pm with your email.

It is an asprotect beta,so I am not going to put detailed steps for unpacking it in the open forum, for the obvious reason,but there aren't that many steps anyway, just find where asprotect is directing the iat , force it to make the table for you, use ImportRec to fix the table.second , overcome the antidump.done.

in my unpacking I concentrated on the iat , so for time limitation, I didn't redirect the antidumps, I just used the same high memory as asprotect, and code small dll as finger saving for that purpose,Also I didn't redo the process for fixing the iat for the five or so left apies, I just code them directly, you will distinguish my direct adding form ImportRec adding.

since I am using a high memory, it may not work if your configuration is different than mine, I will try to redirect the antidumps in the future, to avoid that.
here is an image of some jumps to iat to show the ones I directly added and the imortRec adding:

no need for the image, the whole iat now is fixed by importrec: here itis:
this one should works on all xp now.{don't use it , just compare to}

hobgoblin, please check your email, target has been sent.

I wouldn't mind a copy of that as well :)

Hi britedream,
Please could you send a copy to me as well :D
Many Thanks
R@dier

To R@der and svensk:

please wait ,I am waiting for a feed back. regarding the unpacked to see how it works on other pc.

britedream either you got previous version or newer one? or the OEP from the attached tree is wrong

and maybe this IAT won't work with my dumped exe! :(

i got Whereisit? v3.60.521 and right OEP is: 002FB5EC (006FB5EC)

for any where is it version or just latest one look with W32dasm for the unique text string : AMAINICON go a little up where that piece of code start
( 558BEC83C4F0 .....)that's the OEP.

would you confirm which exactly version you got?

Regards

you are right my version is 3.59 , but by fixing the table it will not work, there are anti dumps you have to over come. I am also looking to make it works on other pces . so give some time .


note:
I have to give you my unpacked to work with it ,becuase if you dump from your
original, the doors to iat already changed to asprotect area.

Hi,
More and more unAmrmadiloed, unAsproteced stuff refuse to run on non XP machines. RestoreLastError cannot be found in non XP kernel.

I have fixed this replacing RestoreLastError with FlushFileBuffers

Am I wrong?

To R@der and hobgoblin:

I sent you the unpacked target that should work on all xp pces, please feed back.

sorry svensk I don't have your email.

In all instances, you should replace calls to RestoreLastError with SetLastError.

To britedream
 

Runs fine on my computer. thanks for the files. I'm about to start digging now. :)

regards,
hobgoblin

To hobgoblin
 

Thanks hobglobin for the feed back, now extools forum may be the first to unpack this lovable protector.


regards.

TARGET: http://www.jufsoft.com/badcopy

Protection: Latest ASProtect

Used Britedream's Olly script for "ASPR 1.3b" and got to OEP

Without using Ollyscript I did this to get to the OEP.

Hit Shift+F9 26 times and here:
0115E56E 0156 00 ADD DWORD PTR DS:[ESI],EDX

Put BP here:
0115E588 833D 6C3B1601 00 CMP DWORD PTR DS:[1163B6C],0

And hit Shift+F9 and Olly breaks. Then Alt+M and put BP on memory access on code. Then Set the debugging options and hit F9 once and you are at the OEP(Remove analysis) with no stolen bytes.

00501184 55 PUSH EBP
00501185 8BEC MOV EBP,ESP
00501187 83C4 F0 ADD ESP,-10
0050118A B8 240E5000 MOV EAX,BadCopy.00500E24
0050118F E8 105EF0FF CALL BadCopy.00406FA4


Dumped the target and there were no unresolved pointers and fixed IAT and then dump file.

But target wont run

Error: Access violation while reading [1181B34]

00407294 $- FF25 C841C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetModuleFileNameA
0040729A 8BC0 MOV EAX,EAX
0040729C $- FF25 CC41C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetModuleHandleA
004072A2 8BC0 MOV EAX,EAX
004072A4 $ FF25 341B1801 JMP DWORD PTR DS:[1181B34]
004072AA 8BC0 MOV EAX,EAX
004072AC $- FF25 D041C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetProfileStringA
004072B2 8BC0 MOV EAX,EAX
004072B4 $- FF25 D441C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetStdHandle

How to fix this plz help.

Regards,

IAT..
 

and how did you find the address for the IAT?

regards,
hobgoblin

err. spank me, I did not save the tree. I started Imprec, attached to the process and just hit IAT auto search (did not enter the OEP) and got the message found something, get imports, size was something around 7xx and there were no unresolved pointers, all import functions were valid. But now again when I do the same Imprec displays could not find anythng :confused:
I have the "dump_.exe" Shall I upload?

Regards,

Thanks
 

Thanks for the reply. How to find the place in aspr code where the iat table is created/written to memory somehow eludes me. Usually I use a bp GetProcAddress to find it, but this time I don't. I do find a place where this api is called to find the addresses to an iat, but I'm not sure whether this is the correct one.
Well, well. I have to dig deeper I guess. :)

regards,
hobgoblin

Let me give you some help hobgoblin :)... aspr IAT redirection code is all here... of course the memory address will be diff but i am sure you can figure out how to get there based on relative offset :)

@hobglobin:

O there was a misunderstanding. Now I understand, your question was addressed to britedream :D and I thought you were asking me :eek:

Anyways britedream will you plz help me on this target I posted ;)

Regards,

no
 

It was for you. :)
I was looking at Badcopy...

hobgoblin

To crusader: I guess the code you listed is for BadCopy? Or maybe its a general code?

nice bit of IDA work crusader :)

well let the app load into memory and find one the of call [xxxxxxxx] that points to the aspr memory, take a note of the address of the call opcode and add 2 to it so u have address of the offset, load your target into ollydebug and set the data window to the address u found, set olly to stop on exceptions and let the target run, keep an eye on the data window as u pass
each exception, u will see the data change once as aprs decodes / unpacks
and then the data will change once more as the code crusader pasted does it stuff, u can count the number of exceptions from the 1st change to the second change, stop on the last one before the data changes again, look below and should be very close to the code crusader pasted.

also its possible to set a bpm from within sice on the data address
to stop when its written to. (not %100)

- Darren

To Ferrari
 

This target is much easier than whereIsIt, just fix the iat and it will run fine,

here is the iat to compare to: (don't use it on yours, it will not work,just compare it to your iat.)

note: i have the target unpacked , if you want, I will be glad to send it to you.

To Ferrari
 

here is the same code in my unpacked target:

00407294 - FF25 C041C100 JMP NEAR DWORD PTR DS:[<&kernel32.GetMod>; kernel32.GetModuleFileNameA
0040729A 8BC0 MOV EAX,EAX
0040729C - FF25 C441C100 JMP NEAR DWORD PTR DS:[<&kernel32.GetMod>; kernel32.GetModuleHandleA
004072A2 8BC0 MOV EAX,EAX
004072A4 - FF25 7C47C100 JMP NEAR DWORD PTR DS:[<&kernel32.GetPro>; kernel32.GetProcAddress
004072AA 8BC0 MOV EAX,EAX
004072AC - FF25 C841C100 JMP NEAR DWORD PTR DS:[<&kernel32.GetPro>; kernel32.GetProfileStringA
004072B2 8BC0 MOV EAX,EAX
004072B4 - FF25 CC41C100 JMP NEAR DWORD PTR DS:[<&kernel32.GetStd>; kernel32.GetStdHandle
004072BA 8BC0 MOV EAX,EAX
004072BC - FF25 D041C100 JMP NEAR DWORD PTR DS:[<&kernel32.GetStr>; kernel32.GetStringTypeExA

i don't get any knowledge getting an unpacked exe from someone .. i don't have fun like that.. i need some papel/notes about unpacking this latest Aspr. specially fixing IAT

regards
ferrari maybe your oep is wrong,i found oep on different way,fix iat and program is working,i m under xp. I attach file,and maybe can help you.
with best wishes

To el-kiwi
 

Hi

are you sure it is the same verion BadCopy pro 3.74 build 403.

Hi britedream

no it is not,now i see its 3.74 build 0531,but i download it yesterday,and now peid say aspack 1.07b! i dont get it. I apologize for misunderstanding.

To el-kiwi
 

Here is the unpacked Badcopy if you wish to tackle asprotect:

its working,I just delete this old one,and programs works fine on my machine.is there any chance to write tutorial about unpacking this version britedream?

@el-kiwi

OEP is right mate but from britedreams post I see where the problem is.

@britedream
Btw britedream I 'll check ur input and let you know :)..I want to know how u did it rather than downloading the unpacked exe ;)

Regards,

I just grabbed the latest (3.74 0531) version of BadCopy Pro from hxxp://www.jufsoft.com/badcopy/ and that's most definitely not asprotected.
Author must have given up on asprotect.

Edit: Build 0403 couldn't have been Asprotect 1.31, it was way more like 1.23 RC4. Lemme know if I'm mistaken.
Hence, easy to unpack.

Regards
SvensK