Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Team Project: PHP Processor v1.2??? (https://forum.exetools.com/showthread.php?t=3475)

padawan 02-21-2004 03:57

Team Project: PHP Processor v1.2???
 
Hello,

I'd like to propose a team project that will hopefully lead to writing a tutorial. The target I've been taking a look at is PHP Processor v1.2 (hxxp://www.gridinsoft.com/downloads/phppro12.zip).
It's an asprotected target. I have unpacked it using the latest version of stripper. It would be nice if we could work on it from unpacking to cracking it so as to write a complete tutorial.
I believe the application also uses the asprotect APIs, since once unpacked it behaves as if the trial period has expired.

Having found no way around the "expire" status I was thinking of making a loader. One that deletes the trial period registry entry, patches the target to hide the starting nag screen, programmatically clicks the "continue" button on the nag, and deletes all signs of the application being unregistered (10 files project limit).

I'd love to be able to work with someone more expert and I'd like to see if someone is able to identify a better solution. Is anyone willing to work on it with me?


padawan

[Edit by JMI: this doesn't belong in the "Software Releasing Forum" until you are actually "releasing" software.]

padawan 02-21-2004 05:53

Sorry JMI, I didn't notice I placed the post in the Software Releases forum ... I thought I posted in the Crack Tutorials forum for I wanted the people posting there to join. I must be more tired than I thought. Sorry again.

padawan

JMI 02-21-2004 06:43

No big deal. There isn't a "Mini-Projects Forum" like at Woodmann's to put it in anyway.

Regards,

crusader 02-21-2004 12:54

well it wont be much of a project if u use stripper to unpack for u... if u want to do things manually i would join in n help out...

padawan 02-21-2004 18:30

crusader, I did what I knew how to do. Not knowing how to unpack it manually I used an unpacker.

But as you can see from my initial post, I'd like to write a tutorial that goes from unpacking the target to cracking/keygenning it, and I'm more than willing to contribute what I can or to follow along when I can be of no help.

The application can be downloaded here hxxp://www.gridinsoft.com/downloads/phppro12.zip (1.37MB).

Now, PEiD identifies the target as protected by ASProtect 1.2 / 1.2c. Where do I start if I want to unpack the application manually?

padawan

crusader 02-21-2004 19:34

erm ok, i am not sure how much you know abt cracking, asm or aspr... but if you havent done this, search and find a couple of tutorial about aspr, written within 2 years or so... read n gather as much info as possible abt aspr...

then i hope u got all the tools needed, just refer to the tutorials for tools required...

once u sort all that out... dump aspr.dll... how do u do that? the tutorials explain a bit but u will have to explore also... post questions as u encounter them...

cheers,
crUs

PS : i have already downloaded the prog...

padawan 02-21-2004 20:07

Tools and reading shouldn't be a problem.
Crusader, I'll be back in a couple of days with questions.


padawan

MaRKuS-DJM 02-21-2004 20:44

padawan, you used stripper??? then i understand. look here:

005996BA |. 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX ; |
005996BD |. C645 D8 0B MOV BYTE PTR SS:[EBP-28],0B ; |
005996C1 |. 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C] ; |
005996C4 |. 33C9 XOR ECX,ECX ; |
005996C6 |. B8 74975900 MOV EAX,_PHPProc.00599774 ; |ASCII "Can't load language library: %s.lng"
005996CB |. E8 7016E7FF CALL _PHPProc.0040AD40 ; \_PHPProc.0040AD40
005996D0 |. 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
005996D3 |. E8 A4B8E6FF CALL _PHPProc.00404F7C
005996D8 |. 8BD0 MOV EDX,EAX
005996DA |. B9 98975900 MOV ECX,_PHPProc.00599798 ; ASCII "Error!"
005996DF |. A1 D0735A00 MOV EAX,DWORD PTR DS:[5A73D0]
005996E4 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
005996E6 |. E8 9162EDFF CALL _PHPProc.0046F97C
005996EB |. E8 48B2E6FF CALL _PHPProc.00404938
005996F0 |> FF15 2C6F5A00 CALL DWORD PTR DS:[5A6F2C]
^ if you use stripper, this DWORD will be 00598F3C. this means: program expired (this dword is set by aspr). you have to modify this offset to 00598E28 and all works perfect.
005996F6 |. A1 D0735A00 MOV EAX,DWORD PTR DS:[5A73D0]
005996FB |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
005996FD |. E8 EA60EDFF CALL _PHPProc.0046F7EC
00599702 |. 33C0 XOR EAX,EAX
00599704 |. 5A POP EDX
00599705 |. 59 POP ECX
00599706 |. 59 POP ECX
00599707 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
0059970A |. 68 24975900 PUSH _PHPProc.00599724
0059970F |> 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
00599712 |. BA 05000000 MOV EDX,5
00599717 |. E8 D4B3E6FF CALL _PHPProc.00404AF0
0059971C \. C3 RETN
0059971D .^E9 0AADE6FF JMP _PHPProc.0040442C
00599722 .^EB EB JMP SHORT _PHPProc.0059970F

MaRKuS TH-DJM / SnD TeaM

PS: it doesn't use any APIs like you mentioned. but all the parameters (or let's say: DWORDs) for the program are set while ASProtect unpacks the target. so it is able to lead the code to another location (like here) where the program says: unregistered. so you can't find a way to crack it. but as you see, it is possible.

padawan 02-21-2004 21:46

MaRKuS-DJM, you are indeed right.
Still, doesn't asprotect provide a library that developers may utilize inside their code??? Otherwise how could the initial nag screen print the remaining days of the trial?

Just a curiosity, did you already know such a global variable needs to be set to a given value, or did you discover it on this specific target??? Also, how many such global variables does asprotect usually set???

padawan

MaRKuS-DJM 02-21-2004 22:42

maybe there's a small library. haven't thought about this...

i know it because i saw many other ASPr-Targets with this technique before... AnyDVD is such a target, if you manual unpack, the value is right, if you unpack with stripper, the value is empty and AnyDVD does nothing more than showing errors.
it is up to the programmers how many variables they set... it depends on the registered/unregistered status of the program how they are set.

crusader 02-22-2004 12:51

sigh... how do u expect them to learn if u feed them like that Markus? so much for a project heh Padawan... u will not learn anything if u only listen n follow exactly what others tell you to...

padawan 02-22-2004 18:34

crusader, don't think MaRKuS led me away from my intent of getting back here with questions. He just explained one of the mysteries ...

padawan

crusader 02-22-2004 19:20

lol.. tt is good to hear ... nice to see u so willing to learn... well if u actually finish the project as u set out to... u will be able to explain exactly why there is a difference between manual dump n asprstripper dump...

MaRKuS-DJM 02-22-2004 23:02

sorry crusader, you are right... but there's an easy way to find the right value for this... if your program is expired, go into that DWORD-Call, and scroll up... above should be the code for registered or not expired program :)

padawan 02-23-2004 07:29

Hello,

first of all a few generic questions on asprotect:

1) Does asprotect implement anti-debug, anti-tool or anti-dump code??? Does it remove memory and HW breakpoints???
2) Stolen bytes: when (in what version) did asprotect introduce this further difficulty? What is the theory or rationale behind their "rescue"???

Now, from what I've read the following should be a reasonable approach to manually unpack the asprotected application:

Code:

1) Locate the OEP
2) when the application is completely decrypted (execution on the OEP) dump it
3) Fix the PE
  a) correct the dump EP
  b) find stolen bytes
  c) reconstruct the IAT
      c1) correct sections characteristics
      c2) set PSIZE == VSIZE and OFFSET == RVA

I'd like to investigate each step at a time.

As the first step I started looking for the OEP.
BTW, I'm sorry but on my machine softice just can't run (video adapter driver problems) so I'm using OllyDbg.

To find the OEP I used a process that seems to be effective, the "exception counting approach" (I don't know if someone has given it a name but if not this is its new name).
1) I counted the number of exceptions before the application shows up. I reran the application, stopping one exception earlier and going into the exception this time. I ended up in winnt.dll.
2) I set a memory breakpoint on access of the application code section and continued the application execution ending up at 00599600:

00599600 PUSH EBP
00599601 MOV EBP,ESP
00599603 ADD ESP,-2C

Since this looks like the typical prologue of a function, I believe this could very well be the OEP.

Questions:
1) is this the correct OEP?
2) to find the OEP, having counted the 19 exceptions, before resorting to placing a memory breakpoint on the application code section I tried to use OllyDbg's trace feature, setting a stop condition such as EIP<500000. Well, this condition never stops the tracing!!! OllyDbg just goes on running even though the OEP should indeed stop the tracing (OEP is < 900000). I repeated this step tens of times thinking I was doing something wrong and in the end, frustrated, I just tried a different approach. Still, I'd like to know WHY this is happening??? Why is tracing not working??? BTW, I'm using a Windows 2000 OS.


MaRKuS-DJM, when you talk of scrolling up from the dword-call, are you referring to the call at 005996F0 to the function starting at 00598E28??? I have taken a look up from that memory location but I don't see anything "interesting" ... or at least no clue to code dealing with the application being registered or not expired.


padawan
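Step 3 of the unpacking recipe above (fix the dump EP, then set PSIZE == VSIZE and OFFSET == RVA on every section) is the same header repair a malware analyst performs on any memory dump of a self-unpacking binary, so it is worth seeing why it is needed. The following Python script is an added example, not code from this thread or from any tool mentioned in it. It builds a constructed, two-section PE32 image that imitates a raw memory dump (the data sits at its RVAs, but the section table still holds the on-disk file offsets), shows that a PE reader following that table lands on the wrong bytes, and then applies the fix so the same lookup returns the real entry-point code. The image, section names and OEP value 0x401000 are all made up for the demo; only the PE structure offsets and section flags are the real winnt.h definitions.

```python
import struct

# Section flags from winnt.h (real values)
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
OPT_ENTRY_POINT = 16          # field offsets inside IMAGE_OPTIONAL_HEADER32
OPT_IMAGE_BASE = 28


def pe_offset(image):
    """Return the offset of the 'PE\\0\\0' signature after checking both magics."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return pe


def read_sections(image):
    """Parse the section table into dicts; '_hdr' is each header's own offset."""
    pe = pe_offset(image)
    nsec = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    table = pe + 24 + opt_size
    out = []
    for i in range(nsec):
        hdr = table + i * 40
        name, vsize, rva, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_FMT, image, hdr)
        out.append({"name": name.rstrip(b"\0").decode(), "rva": rva, "vsize": vsize,
                    "raw_ptr": raw_ptr, "raw_size": raw_size, "flags": flags, "_hdr": hdr})
    return out


def rva_to_offset(image, rva):
    """Map an RVA to a file offset the way any PE reader does: via the section table."""
    for s in read_sections(image):
        if s["rva"] <= rva < s["rva"] + max(s["vsize"], s["raw_size"]):
            return s["raw_ptr"] + (rva - s["rva"])
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def entry_point_rva(image):
    return struct.unpack_from("<I", image, pe_offset(image) + 24 + OPT_ENTRY_POINT)[0]


def fix_dump(image, oep_va):
    """Steps 3a and 3c: EP := OEP - ImageBase; per section raw size := virtual size,
    raw pointer := RVA, and characteristics |= read/write/execute (the unpacker
    wrote into these pages at run time, so the on-disk flags are no longer honest)."""
    img = bytearray(image)
    opt = pe_offset(img) + 24
    image_base = struct.unpack_from("<I", img, opt + OPT_IMAGE_BASE)[0]
    struct.pack_into("<I", img, opt + OPT_ENTRY_POINT, oep_va - image_base)
    for s in read_sections(img):
        h = s["_hdr"]
        struct.pack_into("<I", img, h + 16, s["vsize"])  # SizeOfRawData
        struct.pack_into("<I", img, h + 20, s["rva"])    # PointerToRawData
        struct.pack_into("<I", img, h + 36, s["flags"]
                         | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    return bytes(img)


def build_sample_dump():
    """Constructed mini 'memory dump' (not a real program): image base 0x400000,
    .text at RVA 0x1000 and a packer section at RVA 0x3000, with a section
    table that still describes the packed file's layout on disk."""
    image_base, size_of_image = 0x400000, 0x4000
    img = bytearray(size_of_image)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    pe = 0x80
    img[pe:pe + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, 2 sections, 224-byte optional header, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", img, opt + OPT_ENTRY_POINT, 0x3000)   # packer stub EP
    struct.pack_into("<I", img, opt + OPT_IMAGE_BASE, image_base)
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)        # section/file alignment
    struct.pack_into("<II", img, opt + 56, size_of_image, 0x400) # SizeOfImage, SizeOfHeaders
    table = opt + 0xE0
    struct.pack_into(SECTION_FMT, img, table, b".text", 0x1800, 0x1000, 0x200, 0x400,
                     0, 0, 0, 0, 0x60000020)
    struct.pack_into(SECTION_FMT, img, table + 40, b".aspr", 0x1000, 0x3000, 0x800, 0x600,
                     0, 0, 0, 0, 0xE0000040)
    # The decrypted program now sits at RVA 0x1000: PUSH EBP / MOV EBP,ESP / ADD ESP,-2C
    img[0x1000:0x1006] = bytes.fromhex("558bec83c4d4")
    return bytes(img)


def demo():
    """Return (bytes read at the OEP before the fix, after the fix, new EP RVA)."""
    dump = build_sample_dump()
    before = dump[rva_to_offset(dump, 0x1000):][:6]
    fixed = fix_dump(dump, 0x401000)
    after = fixed[rva_to_offset(fixed, 0x1000):][:6]
    return before.hex(), after.hex(), entry_point_rva(fixed)


if __name__ == "__main__":
    print(demo())
```

Before the fix, the section table sends a reader to file offset 0x400 for RVA 0x1000, which in a memory dump is still header padding, so the "code" looks like zeros; after the fix, offset and RVA coincide and the prologue bytes come back. Real dumps additionally need the IAT rebuilt (step 3c), which this header-only repair deliberately leaves out.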

