Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Still need help with Asprotect (https://forum.exetools.com/showthread.php?t=3599)

Pompeyfan 03-06-2004 17:32

Still need help with Asprotect
 
Wondering if someone could help me with this target. I thought I'd learned a lot from the Wtm CD Protect V1.54 tut of LaBBas, but I can't seem to get the OEP for the following; PEiD reports OEP at 00417338, but nothing leads me there by tracing:

Registry Defragmentation for Windows 95-XP
Version 5.0b
Authors: Nick Nifontov
Alexander Berezovsky
Copyright © Elcor Software 2001-2004
hxxp://www.elcor.net/

This is what I tried so far:

Shift & F9 26 times, breakpoint on RETN then Shift & F9, trace TC EIP<900000, Ctrl & A (analyse), then here:

0040531C $-FF25 44B24100 JMP DWORD PTR DS:[41B244]
00405322 8BC0 MOV EAX,EAX
00405324 $-FF25 40B24100 JMP DWORD PTR DS:[41B240]
0040532A 8BC0 MOV EAX,EAX
0040532C $-FF25 3CB24100 JMP DWORD PTR DS:[41B23C]
00405332 8BC0 MOV EAX,EAX
00405334 $-FF25 38B24100 JMP DWORD PTR DS:[41B238]
0040533A 8BC0 MOV EAX,EAX
0040533C /$ 50 PUSH EAX
0040533D |. 6A 40 PUSH 40
0040533F |. E8 E0FFFFFF CALL RegDefra.00405324
00405344 \. C3 RETN

F8 one time, and you are here:

009A1C64 55 PUSH EBP
009A1C65 8BEC MOV EBP,ESP
009A1C67 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
009A1C6A 85C0 TEST EAX,EAX
009A1C6C 75 13 JNZ SHORT 009A1C81
009A1C6E 813D A47A9A00 00>CMP DWORD PTR DS:[9A7AA4],400000 ; ASCII "MZP"
009A1C78 75 07 JNZ SHORT 009A1C81
009A1C7A A1 A47A9A00 MOV EAX,DWORD PTR DS:[9A7AA4]
009A1C7F EB 06 JMP SHORT 009A1C87
009A1C81 50 PUSH EAX
009A1C82 E8 3135FFFF CALL 009951B8 ; JMP to kernel32.GetModuleHandleA
009A1C87 5D POP EBP
009A1C88 C2 0400 RETN 4

Press F8 to the RET command and you are here:

004053F1 . A3 10A74100 MOV DWORD PTR DS:[41A710],EAX ; RegDefra.00400000
004053F6 . A1 10A74100 MOV EAX,DWORD PTR DS:[41A710]
004053FB . A3 8C904100 MOV DWORD PTR DS:[41908C],EAX
00405400 . 33C0 XOR EAX,EAX
00405402 . A3 90904100 MOV DWORD PTR DS:[419090],EAX
00405407 . 33C0 XOR EAX,EAX
00405409 . A3 94904100 MOV DWORD PTR DS:[419094],EAX
0040540E . E8 C1FFFFFF CALL RegDefra.004053D4
00405413 . BA 88904100 MOV EDX,RegDefra.00419088
00405418 . 8BC3 MOV EAX,EBX
0040541A . E8 9DE5FFFF CALL RegDefra.004039BC
0040541F . 5B POP EBX
00405420 . C3 RETN

Dump full with Loredpe, then F8 till after the RETN, and you are at the Fake OEP, I thought:

00418E88 E8 DB E8

Tried fixing the import table here without success; ImpREC gives me the message "nothing good here". Tried IAT autosearch, and also tried entering the OEP I thought I had found.

Brightdreams OEP finder script ends here:

0040531C FF DB FF

After Ctrl & A:

0040531C $-FF25 44B24100 JMP DWORD PTR DS:[41B244]
00405322 8BC0 MOV EAX,EAX
00405324 $-FF25 40B24100 JMP DWORD PTR DS:[41B240]
0040532A 8BC0 MOV EAX,EAX
0040532C $-FF25 3CB24100 JMP DWORD PTR DS:[41B23C]
00405332 8BC0 MOV EAX,EAX
00405334 $-FF25 38B24100 JMP DWORD PTR DS:[41B238]
0040533A 8BC0 MOV EAX,EAX
0040533C /$ 50 PUSH EAX
0040533D |. 6A 40 PUSH 40
0040533F |. E8 E0FFFFFF CALL RegDefra.00405324
00405344 \. C3 RETN

Has anyone else tried this target, and can they give me a few tips on where to go from here?

britedream 03-06-2004 19:34

Hi,
my script is stopping at the right place, but please read the msg that it displays. It says "click on the 'k' at the toolbar, if it is not empty then double click on the last address you see there", then the stolen bytes place and OEP are above where you land. Or follow the recent tut made by R@der.
Regards.
note:
here is the oep+stolen on my pc:

00418E78 55 PUSH EBP
00418E79 8BEC MOV EBP,ESP
00418E7B 83C4 F0 ADD ESP,-10
00418E7E B8 808D4100 MOV EAX,RegDefra.00418D80


Note2:

Please remove analysis if it is done, otherwise the address you will see inside the K, if any, will not be the correct one.

ferrari 03-07-2004 00:34

@Pompeyfan
If u followed R@dier's tut and after writing the stolen bytes, New Origin here, dumping the process, if u get the above error then I think u have not entered the OEP-->18E78 and then clicked IAT Search. I got it that way.

@Britedream

PEiD scan shows that there are a total of four exe's which are ASPR'd,
viz.
RegDefrag.exe, RegBackup.exe, RegDfrgSch.exe, SysBackup.exe

As per R@dier's tut and ur instructions I unpacked RegDefrag.exe,
but it won't run. I don't get any messages. Nothing happens if I double click it. Is it right, britedream? If yes, that means I unpacked it correctly. So I thought that for the app to run I have to unpack the other 3 also. I unpacked RegBackup.exe and RegDfrgSch.exe correctly, I guess, coz same thing if I try to run them. But when I load SysBackup.exe in Olly it fails and gives me some DLL not found error. Do u get the same error? Can u explain why?

R@dier 03-07-2004 00:51

1 Attachment(s)
Hi ferrari,
the programs have ASPR's checksum protection

you are going to need to debug the proggy to get it to run,
I have had a quick go at it and currently get the attached error message,
I will try to have a closer look tomorrow

Best Wishes

R@dier

Pompeyfan 03-07-2004 03:05

Thanks for the replies guys, I'll try this again later today:)

Pompeyfan 03-07-2004 03:17

Quote:

Hi,
my script is stopping at the right place, but please read the msg that it displays. It says "click on the 'k' at the toolbar, if it is not empty then double click on the last address you see there", then the stolen bytes place and OEP are above where you land. Or follow the recent tut made by R@der.
Regards.
note:
here is the oep+stolen on my pc:

00418E78 55 PUSH EBP
00418E79 8BEC MOV EBP,ESP
00418E7B 83C4 F0 ADD ESP,-10
00418E7E B8 808D4100 MOV EAX,RegDefra.00418D80


Note2:

Please remove analysis if it is done, otherwise the address you will see inside the K, if any, will not be the correct one.

Strange, but I've tried it quite a few times, and when I press on the K, I have a blank call stack window, no analysis done either.

britedream 03-07-2004 10:44

Please right click on the CPU pane and check the analysis option; if it says remove analysis, please do so.

britedream 03-07-2004 12:09

Hi ferrari,
no need to unpack those files for RegDefrag.exe to start up correctly. Just try to overcome the protection in RegDefrag.exe (it should display the msg that R@der posted).

Regards.

ferrari 03-07-2004 15:53

1 Attachment(s)
R@dier and Britedream:

Okay, I think I unpacked it correctly this time. When I run 'RegToolkit.exe' and from there if I try to run 'RegDefrag.exe' I get the same error message as R@dier. I have attached the IAT tree. Plz check if it's correct. And also plz explain how to get rid of this checksum thing.
Thank you.

britedream 03-07-2004 16:49

IAT starts at 1b168

Pompeyfan 03-07-2004 20:31

Quote:

please right click on cpu pane and check the analysis option , if it says remove analysis,please do so.
Okay, sorted that out now, sorry about that :)

Pompeyfan 03-07-2004 20:35

1 Attachment(s)
I get the attached message when I try to do any tracing with this program, whether by the TC<900000 or by tracing as per R@dier's latest tut. Why would that be?

britedream 03-08-2004 12:04

Hi,
if you are referring to regdefrag, it is not the best program you can tackle. When I looked at it the first time, I saw 16 checks leading to the error R@der posted, which will consume your time trying to fix. If you would like to see that, just bp on ShowWindow, look at the stack and go to the msg, take reference, and you will see those references to the error msg R@der posted.
(not only that, but there are more things to fix).
My advice to you is to go with less protection till you firmly grasp unpacking, and work your way up to that.

Regards.

Pompeyfan 03-08-2004 18:52

Interesting, sounds like I did pick a hard one, didn't I? Not sure what went wrong last time, but I tried it again this arvo and got to the same stage as R@dier and Ferrari, no probs. Guess I'd better decide, in light of what you said, whether I want to leave this one go for a while; kinda depends on what the others decide, I think.
Thanks for your help anyway, I think I have learned a bit out of this thread so far. :)

Pompeyfan 03-08-2004 18:58

One interesting thing: if you unpack with Stripper, you get this info on the import table:

16:31:08 - processing import table..
ImportAddressTable RVA :0001b168 - kernel32.dll
ImportAddressTable RVA :0001b204 - user32.dll
ImportAddressTable RVA :0001b218 - advapi32.dll
ImportAddressTable RVA :0001b228 - oleaut32.dll
ImportAddressTable RVA :0001b238 - kernel32.dll
ImportAddressTable RVA :0001b24c - advapi32.dll
ImportAddressTable RVA :0001b284 - kernel32.dll
ImportAddressTable RVA :0001b36c - version.dll
ImportAddressTable RVA :0001b37c - gdi32.dll
ImportAddressTable RVA :0001b400 - user32.dll
ImportAddressTable RVA :0001b52c - shell32.dll
ImportAddressTable RVA :0001b534 - ole32.dll
ImportAddressTable RVA :0001b540 - comctl32.dll
ImportAddressTable RVA :0001b548 - shell32.dll
ImportAddressTable RVA :0001b558 - comctl32.dll
ImportAddressTable RVA :0001b568 - winmm.dll
ImportAddressTable RVA :0001b570 - advapi32.dll
16:31:09 - fixing import table..
ImportAddress RVA :0001b1ac - kernel32.dll!GetModuleHandleA
ImportAddress RVA :0001b1bc - kernel32.dll!GetCommandLineA
ImportAddress RVA :0001b244 - kernel32.dll!GetModuleHandleA
ImportAddress RVA :0001b304 - kernel32.dll!GetModuleHandleA
ImportAddress RVA :0001b32c - kernel32.dll!GetCurrentProcess
ImportAddress RVA :0001b330 - kernel32.dll!GetCommandLineA

Whereas when I manually unpack it, I get the same result as Ferrari, noting that britedream states that the IAT starts at 0001b168, rather than 0001b238.
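The 1b238 vs 1b168 discrepancy follows from how the IAT was found: the thunk block at 0040531C only references slots 41B238..41B244, so anything that derives the IAT from those stubs lands on the kernel32 block Stripper lists at RVA 0001b238 and misses the earlier blocks starting at 0001b168. The following Python scanner is an added example (not code from this thread or from any of the tools named in it) that walks a code region for `JMP DWORD PTR [imm32]` thunks, maps `CALL` sites back to the import slot they reach, and reports the slot range; the input bytes are reconstructed from the disassembly quoted above, and the image base 00400000 is taken from the `RegDefra.00400000` comment in the listing.

```python
import struct

IMAGE_BASE = 0x400000  # RegDefra loads at 00400000 in the thread's listings

# Constructed from the thunk block at 0040531C shown in the thread:
# FF 25 disp32 = JMP DWORD PTR DS:[disp32]; 8B C0 = MOV EAX,EAX padding;
# then PUSH EAX / PUSH 40 / CALL 00405324 / RETN.
THUNK_BLOCK_VA = 0x0040531C
THUNK_BLOCK = bytes.fromhex(
    "FF2544B24100" "8BC0"
    "FF2540B24100" "8BC0"
    "FF253CB24100" "8BC0"
    "FF2538B24100" "8BC0"
    "50" "6A40" "E8E0FFFFFF" "C3"
)

def find_thunks(code, base_va):
    """Map thunk VA -> IAT slot VA for every FF 25 (JMP [imm32]) and
    FF 15 (CALL [imm32]) found by a linear byte scan of `code`.
    A linear scan is enough for a thunk table; inside mixed code/data it
    can produce false hits, so treat results as candidates."""
    thunks = {}
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] in (0x25, 0x15):
            thunks[base_va + i] = struct.unpack_from("<I", code, i + 2)[0]
            i += 6
        else:
            i += 1
    return thunks

def find_calls_via_thunks(code, base_va, thunks):
    """Map call-site VA -> IAT slot VA for each E8 rel32 whose target is a
    known thunk, i.e. an API reached through a JMP [slot] stub."""
    calls = {}
    for i in range(len(code) - 4):
        if code[i] == 0xE8:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            target = base_va + i + 5 + rel  # rel32 is relative to next insn
            if target in thunks:
                calls[base_va + i] = thunks[target]
    return calls

def iat_range_rva(thunks, image_base=IMAGE_BASE):
    """(lowest slot RVA, one past highest slot RVA) reached through the
    scanned stubs. Import blocks no scanned stub references are missed,
    which is why this can report 1b238 when the IAT really starts earlier."""
    slots = sorted(thunks.values())
    if not slots:
        return None
    return (slots[0] - image_base, slots[-1] + 4 - image_base)

if __name__ == "__main__":
    t = find_thunks(THUNK_BLOCK, THUNK_BLOCK_VA)
    print({hex(k): hex(v) for k, v in t.items()}, iat_range_rva(t))
```

Run as-is it reports the range (0x1B238, 0x1B248), i.e. exactly the block Stripper labels 0001b238; extending the scan to the whole code section is what surfaces the earlier blocks.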

