Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   New Asprotect? (https://forum.exetools.com/showthread.php?t=4294)

hobgoblin 05-18-2004 03:46

New Asprotect?
 
1 Attachment(s)
I just found this one at the RCE forum. The poster asked for people to try to unpack it, so I figured I could post it here (without stepping on someone's toes). Anybody capable of unpacking it?

bollygud 05-18-2004 10:14

1 Attachment(s)
Yes I can... and I just did :)

93k -> 1MB

And I see whoever protected it did not use the EP redirection. Wouldn't have mattered, though.

Please keep in mind that this will only work on my machine, or possibly only on the OS in which I unpacked it. As it contains the aspr envelope attached to the dump, I will not post it for possible security reasons, nor do I recommend anyone posting their own dump with the aspr envelope attached.

---edit---
Oops, forgot to trim down the size of my aspr envelope :) It had a bunch of 00's.
Once trimmed it is only 229k. I'm not uploading another jpg; just thought I'd clear that up.

Computer_Angel 05-18-2004 11:09

This "unpackme" is protected with ASProtect 1.31 beta, and the poster is not using the hide OEP option (to make it easier to unpack? :) ).
I see nothing in your picture, just a LordPE screen.
With LordPE I can dump it too, but can't fix the IAT. Any ideas?

bollygud 05-18-2004 23:11

I'm not posting the file cuz it contains the aspr envelope, which could possibly contain other info. But if you must know, here is the unpacked OEP:

Quote:

00401000 > 6A 00 PUSH 0
00401002 E8 C1030000 CALL 004013C8
00401007 A3 C0314000 MOV DWORD PTR DS:[4031C0],EAX
0040100C 6A 00 PUSH 0
0040100E 68 2B104000 PUSH 0040102B
00401013 6A 00 PUSH 0
00401015 68 00304000 PUSH 00403000 ; ASCII "MainDialog"
0040101A FF35 C0314000 PUSH DWORD PTR DS:[4031C0]
00401020 E8 73030000 CALL 00401398
00401025 50 PUSH EAX
00401026 E8 97030000 CALL 004013C2 ; JMP to kernel32.ExitProcess
0040102B 55 PUSH EBP
0040102C 8BEC MOV EBP,ESP
0040102E 817D 0C 10010000 CMP DWORD PTR SS:[EBP+C],110
00401035 0F85 8E000000 JNZ 004010C9
0040103B FF75 08 PUSH DWORD PTR SS:[EBP+8]
0040103E 8F05 C4314000 POP DWORD PTR DS:[4031C4]
00401044 51 PUSH ECX
00401045 33C9 XOR ECX,ECX
00401047 51 PUSH ECX
00401048 8D81 28304000 LEA EAX,DWORD PTR DS:[ECX+403028]
0040104E 50 PUSH EAX
0040104F 6A 00 PUSH 0
00401051 68 43010000 PUSH 143
00401056 68 B80B0000 PUSH 0BB8
0040105B FF75 08 PUSH DWORD PTR SS:[EBP+8]
0040105E E8 4D030000 CALL 004013B0
00401063 59 POP ECX
00401064 83C1 05 ADD ECX,5
00401067 81F9 9B000000 CMP ECX,9B
0040106D ^ 75 D8 JNZ SHORT 00401047
0040106F 59 POP ECX
00401070 6A 00 PUSH 0
00401072 6A 00 PUSH 0
00401074 68 4E010000 PUSH 14E
00401079 68 B80B0000 PUSH 0BB8
0040107E FF75 08 PUSH DWORD PTR SS:[EBP+8]

I showed the LordPE screenshot to show it running and the size of the process.

Computer_Angel 05-19-2004 00:32

Hi,
unpacking is easy, but did you try to fix the IAT yet?
This prog is small and doesn't contain many APIs, so you can solve it easily, but think of when there are a lot of APIs; what can we do then? :)

hobgoblin 05-19-2004 01:57

Well
 
Hi guys,
Why don't you guys in a few words explain how you unpacked it and fixed the iat?

regards,

bollygud 05-19-2004 05:34

Quote:

Originally Posted by hobgoblin
Hi guys,
Why don't you guys in a few words explain how you unpacked it and fixed the iat?

regards,

To keep it as few words as possible, I'll simply explain the method by which you can unpack and run this version. If you're not familiar with aspr or the pe file format then the following will not help you.

Get to OEP as usual, break on many exceptions and jump over the last exception and RET, which will eventually lead you to EP. Then you can dump; that's the easy part. Then what you must do is dump the ASPR envelope from memory and attach it to your dump. I have seen regular sized apps with big import tables and at the moment I have no way of fixing or creating an iat. Once you've attached your ASPR to your dump you need to fix the import table to point to the proper thunks.

That's the extremely basic way of doing it.

There are things you can do to change the ASPR envelope's native address, etc. Plus lots of cleaner ways to rebuild your pe. But that right there is the basic idea.

Also note that this approach will only allow the dump to run on your machine or possibly only the same os. It's definitely not a cross-platform solution with a generic iat/import table. But it works nonetheless.

One other thing to mention. Since this version does not use the native iat to point to system apis or redirected apis it will be quite a task to create an iat and that, really, is the only stumbling block for a more 'pure' solution. The other things such as obfuscated redirected functions are quite a bit tougher with this version, but that can always be resolved by simply attaching the obfuscated code somewhere and redirecting the jump/call to it.

I hope that answers some questions

koyaan 05-19-2004 06:58

I can't get it to run in OllyDbg... passed a lot of exceptions but after a
while an "illegal instruction" Windows box pops up and my process is killed...

I then set Olly options to ignore most exceptions and restarted... it loads nicely and I get the debugger detect msgbox... and then it crashes; I can't even click OK... The IsDebuggerPresent plugin did not help.

hobgoblin 05-19-2004 14:13

Yes,
 
Thank you for your input. It's a good starting point for further investigation.:-)

regards,

britedream 05-19-2004 23:33

As I indicated in my earlier post, I would look at unpacking the beta the traditional way. The key to this is to correct the code calls and jumps to the asprotect area. The good news is that I found the locations that will correct calls and jumps; the only problem is time. I need to test it and unpack it through this method. I did run a program that I protected with the correction in place and it ran fine, which means these corrections are good. I also tested this on the unpackmenow, and it corrected all calls and jumps that I could see, but due to lack of time I couldn't pursue it any further. I will do that on the weekend if time permits.

regards.

Computer_Angel 05-19-2004 23:55

It detects the debugger, but you can easily bypass it by using the IsDebuggerPresent plugin.
I also used the get api call in ImpREC, trying to make a valid range from 401000 to 401fff to get the emulated APIs. That's the way I did it, but the weak point is I must correct every emulated API ---> It's so bad because there are a lot of them.

hobgoblin 05-20-2004 00:55

Hi
 
Hi britedream,
I'm looking forward to learning about your solution. :)

BTW, has anyone found a program protected by this new version?

Darren 05-20-2004 02:47

Why not find the part in the unpacker that cycles through all the imports and patches the calls in the app with addresses of the redirected API in the envelope section, make a little OllyScript to capture the true API address and use OllyScript to put in the correct API address, and then use the ImpREC tool to search for call [xxxxxx] and rebuild you an import that directly patches the calls; or capture the table out of memory that aspr uses to create these redirected calls and build your own tool to build the imports section and fix the call [xxxxxx] to point to a new IAT.

- Darren

bollygud 05-20-2004 08:00

Quote:

Originally Posted by hobgoblin
BTW, has anyone found a program protected by this new version?

WhereIsIt 3.59

I also look forward to hearing more about true iat direction fixing from britedream. From my observation, it appears that there is never an 'original' call structure that is then overwritten. It only seems that there are some basic distance bytes that are then calc'd and overwritten to the direct calls/jumps to the aspr env. If you have found something else, that would truly be amazing. :)

Darren 05-20-2004 10:26

1 Attachment(s)
This is the internal import table I mean; aspr steps through this and decodes as it goes, patching the calls and jumps to the envelope. On my machine the address of the code that does this is 0xc1550a. It's possible to hijack this code with a little OllyScript and avoid it pointing calls to envelope code, pointing them instead to the real API addresses in memory. Also I suspect with a few tweaks to the script it should be possible to make the script create an IAT so all the patched jumps/calls will be pointing to this new IAT; then it's a case of sniffing out any emulated API and fixing them up manually.

- Darren

bollygud 05-22-2004 14:10

Well, I managed to do it, but the solution doesn't seem to fit every situation so I'll not post any real specifics yet. Just wanted everyone to know that it is possible. It took a lot of rebuilding: rebuilding an iat, fixing jumps/calls, etc.

I do have one question, maybe someone can help me out. Is there an API that acts the opposite of GetModuleHandleA? In other words, an API that can be fed a number that is the module's handle, like 77000000, and it will spit out the module name? Just curious, cuz something like that could help somewhat.

nerst 05-22-2004 14:40

Quote:

Originally Posted by bollygud
I do have one question, maybe someone can help me out. Is there an API that acts the opposite of GetModuleHandleA? In other words, an API that can be fed a number that is the module's handle, like 77000000, and it will spit out the module name? Just curious, cuz something like that could help somewhat.

GetModuleFileNameA ??? :confused:

bollygud 05-23-2004 00:44

hehe, duh! :)

thanks. my brain is a little fried ;)

santa_kewl 05-29-2004 14:48

Hi all,

On the last exception you will see anti-SoftICE (sice) too :).
Hmm, still need time to find why the IAT is not able to be resolved using ReVirgin or ImpREC....

Regards

Darren 05-29-2004 19:10

Because an IAT isn't used; the aspr engine patches calls/jumps in the user code directly.
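
Darren's point above (no IAT, the calls and jumps in user code are patched directly) suggests a quick triage check on a dumped code section: any CALL/JMP rel32 whose target lands outside the image must have been rewritten toward the envelope. This is an added example, not code from the thread: a linear scan over a constructed byte sequence that mirrors the OEP listing earlier in the thread; the image range 0x400000-0x404000 and the envelope targets 0x00C1550A and 0x00C15600 are constructed assumptions, not values taken from the unpackme.

```python
import struct

# Relative-branch forms that the protector rewrites in user code:
# E8 rel32 = CALL rel32, E9 rel32 = JMP rel32.
REL32_OPCODES = {0xE8: "CALL", 0xE9: "JMP"}


def find_out_of_image_branches(code, base, image_lo, image_hi):
    """Scan a raw code dump loaded at `base` for CALL/JMP rel32 whose
    target falls outside [image_lo, image_hi). Returns a list of
    (instruction VA, mnemonic, target VA) tuples.

    Caveat: this is a byte scan, not a disassembly, so an E8/E9 byte
    inside an immediate or data will produce a false positive; the
    listing-style check is meant for triage, not for patching."""
    hits = []
    for off in range(len(code) - 4):
        op = code[off]
        if op not in REL32_OPCODES:
            continue
        rel = struct.unpack_from("<i", code, off + 1)[0]   # signed rel32
        va = base + off
        target = (va + 5 + rel) & 0xFFFFFFFF              # next-IP relative
        if not (image_lo <= target < image_hi):
            hits.append((va, REL32_OPCODES[op], target))
    return hits


# Constructed sample, modelled on the thread's OEP listing (hand-encoded).
SAMPLE_CODE = bytes([
    0x6A, 0x00,                          # 401000  PUSH 0
    0xE8, 0xC1, 0x03, 0x00, 0x00,        # 401002  CALL 004013C8  (inside image, untouched)
    0xE8, 0xFE, 0x44, 0x81, 0x00,        # 401007  CALL 00C1550A  (constructed: sent to envelope)
    0x6A, 0x00,                          # 40100C  PUSH 0
    0xE9, 0xED, 0x45, 0x81, 0x00,        # 40100E  JMP  00C15600  (constructed: sent to envelope)
    0xC3,                                # 401013  RET
])

SAMPLE_BASE = 0x401000
IMAGE_LO, IMAGE_HI = 0x400000, 0x404000   # assumed image bounds for the sample


if __name__ == "__main__":
    for va, mnem, target in find_out_of_image_branches(SAMPLE_CODE, SAMPLE_BASE, IMAGE_LO, IMAGE_HI):
        print(f"{va:08X}  {mnem:<4} -> {target:08X}  (outside image)")
```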

Crk 05-29-2004 22:31

I managed to make a working dump and found the OEP for WhereIsIt? 3.60... but can't fix the IAT. Has anyone been able to find a solution for this?

SvensK 05-30-2004 02:13

@Crk: britedream just posted that he unpacked latest whereisit. I'm sure he'll tell you how.

Hmm, is the OEP at 006FB5EC ?

Crk 05-30-2004 05:36

Since I couldn't fix the IAT I deleted all files... I forgot which one it is, but manually you will be able to find it... look with W32Dasm for the string: WHEREISIT.CHM

A little up is the OEP, where that piece of code starts (558BEC......)

there are not stolen bytes! :)

I'm waiting for britedream's tut about fixing the IAT.
It looks like new ASProtect and Armadillo are using almost the same technique to protect the IAT this time... for how long? ;)

Regards.

SvensK 05-30-2004 15:35

@Crk: Ok, then at least I had found the OEP and dumped the exe.

britedream 06-01-2004 17:01

In the new asprotect just use the PEiD OEP finder when checking the protection; it will give you the correct OEP if not protected. In the two I checked it gave the correct OEP.

deviljin 07-20-2004 20:15

Proposed solution for fixing IAT
 
1 Attachment(s)
Since no one has posted a solution for fixing the IAT of the new asprotect, I post here a simple solution. I do not know if it works in every situation since I did not try it on commercial software, but you can check it out. I think that my solution is just an application of different suggestions I found in this forum.

I took the Unpackmenow as an example.

Regards
deviljin
