PostSmile - ASPR 1.23 RC$ Registered ... how to find oep??
hi,
I was trying to help a friend of mine unpack this program and I saw that it's different from other ASPR targets I unpacked. The last exception is:

009F309F 3100             XOR DWORD PTR DS:[EAX],EAX
009F30A1 EB 01            JMP SHORT 009F30A4
009F30A3 68 648F0500      PUSH 58F64
009F30A8 0000             ADD BYTE PTR DS:[EAX],AL
009F30AA 00EB             ADD BL,CH
009F30AC 02E8             ADD CH,AL
009F30AE 0158 EB          ADD DWORD PTR DS:[EAX-15],EBX
009F30B1 6A E8            PUSH -18
009F30B3 8DF4             LEA ESI,ESP                      ; Illegal use of register
009F30B5 FE               ???                              ; Unknown command
009F30B6 FF8B F08B0303    DEC DWORD PTR DS:[EBX+3038BF0]
009F30BC 45               INC EBP
009F30BD EC               IN AL,DX                         ; I/O command
009F30BE 8945 FC          MOV DWORD PTR SS:[EBP-4],EAX
009F30C1 8B4B 04          MOV ECX,DWORD PTR DS:[EBX+4]
009F30C4 8BD6             MOV EDX,ESI
009F30C6 8B45 FC          MOV EAX,DWORD PTR SS:[EBP-4]
009F30C9 E8 CEFAFFFF      CALL 009F2B9C

and there's no RET.... It also gives a MsgBox with "Protection Error / Error : 1 / hxxp://www.PostSmile.com". Thanks in advance, loman |
I'll have a look at it ;)
|
Maybe you are wrong? I really see no difference and came to the following:
OEP: 4EB139
Stolen bytes:

004EB139 >/$ 55            PUSH EBP
004EB13A |. 8BEC           MOV EBP,ESP
004EB13C |. 83EC 14        SUB ESP,14
004EB13F |. 8945 EC        MOV DWORD PTR SS:[EBP-14],EAX
004EB142 |. 51             PUSH ECX
004EB143 |. B8 C8AB4E00    MOV EAX,dumped_.004EABC8

IAT is attached. The program then works fully registered (registered to tA, don't ask why).
Edit: I was wrong, it only works registered with the filename "dumped_.exe" |
Nothing....... I always get Protection Error. Can you tell me at what line you get the last exception?
|
This is my last exception (the same as in all ASPR targets):

009E3D03 3100             XOR DWORD PTR DS:[EAX],EAX
009E3D05 64:8F05 00000000 POP DWORD PTR FS:[0]
009E3D0C 58               POP EAX
009E3D0D 833D BC7E9E00 00 CMP DWORD PTR DS:[9E7EBC],0
009E3D14 74 14            JE SHORT 009E3D2A
009E3D16 6A 0C            PUSH 0C
009E3D18 B9 BC7E9E00      MOV ECX,9E7EBC
009E3D1D 8D45 F8          LEA EAX,DWORD PTR SS:[EBP-8]
009E3D20 BA 04000000      MOV EDX,4
009E3D25 E8 E6D2FFFF      CALL 009E1010
009E3D2A FF75 FC          PUSH DWORD PTR SS:[EBP-4]
009E3D2D FF75 F8          PUSH DWORD PTR SS:[EBP-8]
009E3D30 8B45 F4          MOV EAX,DWORD PTR SS:[EBP-C]
009E3D33 8338 00          CMP DWORD PTR DS:[EAX],0
009E3D36 74 02            JE SHORT 009E3D3A
009E3D38 FF30             PUSH DWORD PTR DS:[EAX]
009E3D3A FF75 F0          PUSH DWORD PTR SS:[EBP-10]
009E3D3D FF75 EC          PUSH DWORD PTR SS:[EBP-14]
009E3D40 C3               RETN

Maybe your debugger isn't hidden? |
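The listing above is the piece of the ASProtect stub that analysts usually look for in a memory dump to identify the packer: XOR [EAX],EAX, POP DWORD PTR FS:[0], POP EAX, then a CMP against a packer-specific address. The following is an added Python example (not code from this thread or from any unpacking tool) that turns those bytes into a YARA-style wildcard signature and scans a constructed buffer for it; the buffer, the signature name and the pretend base address are all assumptions made for the example.

```python
import re

# Signature built from the instruction bytes in the listing above; the CMP operand
# (DS:[9E7EBC]) and the JE displacement differ per build, so they are wildcarded.
#   31 00                  XOR DWORD PTR DS:[EAX],EAX
#   64 8F 05 00 00 00 00   POP DWORD PTR FS:[0]
#   58                     POP EAX
#   83 3D ?? ?? ?? ?? 00   CMP DWORD PTR DS:[imm32],0
#   74 ??                  JE SHORT ...
ASPR_LAST_EXCEPTION_SIG = "31 00 64 8F 05 00 00 00 00 58 83 3D ?? ?? ?? ?? 00 74 ??"


def compile_signature(sig):
    """Compile a space-separated hex/?? signature into a bytes regex."""
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")                     # any single byte
        else:
            parts.append(b"\\x%02x" % int(tok, 16))  # literal byte as \xNN escape
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buffer, sig=ASPR_LAST_EXCEPTION_SIG):
    """Return every offset in buffer where the signature matches."""
    pat = compile_signature(sig)
    return [m.start() for m in pat.finditer(buffer)]


def sample_dump():
    """Constructed sample: filler, then the exact bytes of the listing at 009E3D03, then filler."""
    listing = bytes.fromhex(
        "3100" "648F0500000000" "58" "833DBC7E9E0000" "7414" "6A0C" "B9BC7E9E00"
        "8D45F8" "BA04000000" "E8E6D2FFFF" "FF75FC" "FF75F8" "8B45F4" "833800"
        "7402" "FF30" "FF75F0" "FF75EC" "C3")
    return b"\x90" * 0x40 + listing + b"\xCC" * 0x20


if __name__ == "__main__":
    # Assumed for the demo: the constructed dump starts 0x40 bytes before the listing.
    base = 0x009E3D03 - 0x40
    for off in scan(sample_dump()):
        print(f"ASPR last-exception stub at VA {base + off:08X} (dump offset {off:#x})")
```

One caveat that the first post in this thread shows directly: that build of the stub spreads the same instructions out with short jumps (EB 01 over a junk 68 byte before the POP DWORD PTR FS:[0], EB 02 over junk before the POP EAX), so a fixed byte signature like the one above matches the plain variant but not the junk-jump variant. For that case the scan has to follow the short jumps or match on the decoded instructions rather than on raw bytes.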
I use OllyDbg and I patch the IsDebuggerPresent flag at 7FFDF002 from 1 to 0. Are there other, cooler ways?
thanks |
Full ASPR tut
hxxp://www.woodmann.net/forum/showthread.php?t=5304 tut for download: hxxp://www.woodmann.net/forum/attachment.php?attachmentid=836
enjoy :D [Edit by JMI: LaBBa no clickable links outside the Forum please, even to Woodmann's site, because others can't seem to stop posting clickable links to software vendors sites.] |
Hi MaRKus-DJM,
I found the OEP but I don't know where I should do the dump. Can you help me?
|
If you used "tc eip<900000", you have to dump right after this command (you should be at a jump command which jumps into some code that executes a kernel32.GetModuleHandleA).
Then edit the EP with LordPE or any other tool to the real OEP :) But do not dump later, or the dump will crash (it does for me). Regards, MaRKuS TH-DJM |
Hello,
Thanks for the fast help. But when I start the unpacked exe I get a write error at 004EB154:

004EB139 > $ 55           PUSH EBP
004EB13A . 8BEC           MOV EBP,ESP
004EB13C . 83EC 14        SUB ESP,14
004EB13F . 36:8945 EC     MOV DWORD PTR SS:[EBP-14],EAX
004EB143 . 51             PUSH ECX
004EB144 . B8 C8AB4E00    MOV EAX,jmp_.004EABC8
004EB149 . 0FBBF1         BTC ECX,ESI
004EB14C . FF33           PUSH DWORD PTR DS:[EBX]
004EB14E . C055 68 E3     RCL BYTE PTR SS:[EBP+68],0E3     ; Shift constant out of range 1..31
004EB152 . B1 4E          MOV CL,4E
004EB154   00             DB 00
004EB155 . 64:FF30        PUSH DWORD PTR FS:[EAX]
004EB158 . 64:8920        MOV DWORD PTR FS:[EAX],ESP
004EB15B . 8D55 EC        LEA EDX,DWORD PTR SS:[EBP-14]

What is wrong? |
This code doesn't look good. After the last stolen byte there should be a CALL!! It seems you have overwritten this code. Don't overwrite any code! Try to change the EP.
|
I analysed the code, and I came to this:

004EB139 > 55             PUSH EBP
004EB13A   8BEC           MOV EBP,ESP
004EB13C   83EC 14        SUB ESP,14
004EB13F   8945 EC        MOV DWORD PTR SS:[EBP-14],EAX
004EB142   51             PUSH ECX
004EB143   B8 C8AB4E00    MOV EAX,fuckup.004EABC8
004EB148   E8 0FBBF1FF    CALL fuckup.00406C5C           <<< you overwrote this code!!!
004EB14D   33C0           XOR EAX,EAX
004EB14F   55             PUSH EBP
004EB150   68 E3B14E00    PUSH fuckup.004EB1E3
004EB155   64:FF30        PUSH DWORD PTR FS:[EAX]
004EB158   64:8920        MOV DWORD PTR FS:[EAX],ESP
004EB15B   8D55 EC        LEA EDX,DWORD PTR SS:[EBP-14]
004EB15E   A1 10E54E00    MOV EAX,DWORD PTR DS:[4EE510]
004EB163   E8 3CB8F1FF    CALL fuckup.004069A4

I saw your bytes are different from mine @4EB13F MOV DWORD PTR SS:[EBP-14],EAX
mine:  8945EC
yours: 36:8945EC
What have you done there? Try to correct it and it will work :) |
Hi MaRKuS-DJM,
Thanks for your help. I found my error. I typed the asm code push ebp .... in Hiew and that was wrong. Now the app works. Best regards |