ASProtect SKE unpacking
 

Hi Everyone,

I have been trying to unpack a few programs protected with ASProtect SKE and having issues in resolving the numerous calls to the VM.
The SKE versions range from version 2.2 Build 4.25 to 2.56 Build 3.17 according to ASPriNF v1.6
The programs neither have Stolen Bytes nor IAT redirection, hence
there are no problems reaching the corresponding OEPs either manually or with scripts.

Unfortunately I am not able to rebuild the Calls to the VM with the Script RebuildVM.osc from PE_Kill. The script always terminates with the Error message ¡°[Error!] Init failed!". This message can be triggered at 9 locations before and 1 after the prompt to "Enter new base of this code". As I am getting the error before the Prompt I had to debug the script to find where exactly the error is first triggered. Finally I was able to locate it to the routine @find_the_error111

Does it mean that all SKE protected programs must have this Error 111 and the script terminates because it is unable to locate it?

If I comment this routine out, then the next init error is triggered @find eip,#2C027212743D#

Tip hints for resolving this error or a link to alternative scripts for rebuilding the VM is highly appreciated.

And just by the way the unpacking scripts from Volz are not working on these targets.
All the affected programs throw the CRC error when the Volz¡¯s scripts are used.

Thanks and best regards,
TempoMat

PS: I am RCEing on a VirtualPC with WinXP Pro SP3.

AsProtect has been done to death with tons of automated packers :D

Just do a quick google search for "AsPrStripperXP" , "Stripper" (various versions) as well as "DecomAS" .

For versions of AsProtec that you'd mentioned, these unpackers will do the job in a few seconds.

If you are intrending to LEARN to unpack manually then its a different story.

But if you just are looking for a quick way out, then the unpackers are the way to go.

Didn't want to spoon-feed you further :D and hence leaving it to you to do a quick search for the unpackers ..

Maybe I will share them if you truly cannot find them yourself.

Cheers :)

I have tried both Stripper(various versions) and DecomAS v1.7 without success.

I've already unpack several regular versions (unpackmes and shareware programs) and now trying my hands on the SKEs.
So yes I am at this moment more inclined in MUP.

Sorry but I didn't in any way hint or asked to be spoon-fed.
If you check my first post, I didn't even mention a single name of a target software, which should indicate the contrary to the assumption that I am interested in being spoon-fed.

Thanks for yours response though.

Regards,
TempoMat

In some cases, you need a valid registration key to decrypt protected code blocks.

Another some cases, you need to repair the calls to ASProtect's API if the program uses SKE's SDK functions.

And unpacked was registered.

After reaching the OEP and analysing the code, I could see no sign of encrypted code sections.
At least it can be confirmed with the code flow of older versions except the calls to the VM or SKE SDK.
Also all typical strings references can be seen clearly
The only problem is the calls to the VM which the script is able to identify correctly by stops at the location it checks for the error 111.

These are what I am trying to repair.

Example at the OEP of an MS VC++8 application
If you enter the call at the OEP you will see

The CALL 01B00000 is called 60 times in this application


The programs runs with small restrictions unregistered. It also does not used the ASProtect registration but its own pretty simple CRC32 routine.

@TempoMat :

I did not MEAN anything bad. Sorry if it SOUNDED like that . :)

Thats the purpose of those "smileys" :)

You must be knowing that the purpose of those smileys is to show that I am not saying it in a BAD sense of any kind :)

I respect individuals like you who work towards getting their own programs "patched/unpacked" and in the process, want to learn

Regards

EDIT : Would you care to share the name of the app, so that we all can explore it better ? You got me curious and interested :)

Once again , I want to stress that individuals like you who want to LEARN, are MORE of the guys that this forum needs, and I RESPECT people like you ..

Cheers :)

Don't worry I am not thin-skinned and didn't take your comment in any bad sense.

The latest versions of WinTools.Net (viz. Classic, Professional and Premium) and the Ramsaver from http://www.wintools.net/

Also some of the Programs from http://boilsoft.com/ eg.mp4_converter_v1.22 and Resource Hunter_v1.32.


Examples like AVI MPEG ASF WMV Splitter und AVI MPEG RM WMV Joiner are ASProtect SKE protected, but without the calls to the VM so they could easily unpacked manually.

The Screen Recorder v1.05 for instance is Themida protected according to ProtectionID.
There are few also armadillo protected applications there as well eg asf converter_v2.68.

The Registration routine in some of the software (mostly without protections) from Boilsoft are custom + MD5 hash tables if you are interested.

Dear Tempomat :

For your STUDY purpose, have unpacked and uploaded them here :

I have made for WinTools Premium and RamSaver for now...

The patched versions have no nags also.

ALL LIMITATIONS REMOVED..

The unpacked is just an unpatched version for your study.

VERY SORRY that I do not have time or would have made DETAILED TUTS :(

Really glad to see learners ! :)

I am sure that you can study the unpacked and understand by yourself.

Cheers and Good Luck ! :)

P.S : The patches are very rudimentary and made VERY roughly, just to see if limitations and time-limit removed or not ! ;)

Thanks TechLord.

At look at the disassembly of your unpacked Ramsaver I could see that I was totally wrong in saying that there is no IAT redirection

I have now been able to trace to point where the decision is made whether to write an API in the IAT table or not. At that location whenever ESI=0xDC or 0x74 the IAT was written and with ESI=0xE6 it was skipped. So I was able to inject this code to resolve the IAT.

Now I am trying to figure out how to fix those redirected calls to 01B00000 which are actually calls to the APIs that are redirected to the VM.

I am still reading some tutorials and hoping I can make a break through soon.

However any suggestion to the procedure for resolving this redirected calls will be very much appreciated.

Thanks,
TempoMat

@TempoMat :

Two EXCELLENT papers that are a bit old but VERY relevant to your situation.

Go through them carefully.

When I FIRST read these a few years ago, they took a couple of days to fully understand.

Read them carefully and attempt to comprehend the concept the authors are trying to demonstrate.

Good luck ! :)

Links :

P.S : Thank you to everyone else who is following these posts of mine as well :)

Encourages me a lot !