ASProtect SKE unpacking
Hi Everyone,
I have been trying to unpack a few programs protected with ASProtect SKE and am having issues in resolving the numerous calls to the VM. The SKE versions range from version 2.2 Build 4.25 to 2.56 Build 3.17 according to ASPriNF v1.6. The programs have neither Stolen Bytes nor IAT redirection, hence there are no problems reaching the corresponding OEPs either manually or with scripts.

Unfortunately I am not able to rebuild the calls to the VM with the script RebuildVM.osc from PE_Kill. The script always terminates with the error message "[Error!] Init failed!". This message can be triggered at 9 locations before and 1 after the prompt to "Enter new base of this code". As I am getting the error before the prompt, I had to debug the script to find where exactly the error is first triggered. Finally I was able to locate it to the routine @find_the_error111. Does it mean that all SKE protected programs must have this Error 111 and the script terminates because it is unable to locate it? If I comment this routine out, then the next init error is triggered at @find eip,#2C027212743D#.

Any tips or hints for resolving this error, or a link to alternative scripts for rebuilding the VM, are highly appreciated. And just by the way, the unpacking scripts from Volz are not working on these targets. All the affected programs throw the CRC error when Volz's scripts are used.

Thanks and best regards,
TempoMat

PS: I am RCEing on a VirtualPC with WinXP Pro SP3. |
AsProtect has been done to death with tons of automated packers :D
Just do a quick google search for "AsPrStripperXP", "Stripper" (various versions) as well as "DecomAS". For the versions of AsProtect that you mentioned, these unpackers will do the job in a few seconds. If you are intending to LEARN to unpack manually then it's a different story. But if you are just looking for a quick way out, then the unpackers are the way to go. Didn't want to spoon-feed you further :D and hence am leaving it to you to do a quick search for the unpackers .. Maybe I will share them if you truly cannot find them yourself. Cheers :) |
So yes I am at this moment more inclined in MUP.
If you check my first post, I didn't even mention a single name of a target software, which should indicate the contrary to the assumption that I am interested in being spoon-fed. Thanks for your response though. Regards, TempoMat |
In some cases, you need a valid registration key to decrypt protected code blocks.
In some other cases, you need to repair the calls to ASProtect's API if the program uses SKE's SDK functions. |
At least it can be confirmed with the code flow of older versions, except the calls to the VM or SKE SDK. Also all typical string references can be seen clearly. The only problem is the calls to the VM, which the script is able to identify correctly by stopping at the location where it checks for the error 111.
Example at the OEP of an MS VC++8 application Code:
0040791F . E8 8D020000 CALL abcd.00407BB1 ; the OEP
Code:
00407BB1 $ 55 PUSH EBP
|
@TempoMat :
I did not MEAN anything bad. Sorry if it SOUNDED like that. :) That's the purpose of those "smileys" :) You must know that the purpose of those smileys is to show that I am not saying it in a BAD sense of any kind :) I respect individuals like you who work towards getting their own programs "patched/unpacked" and in the process, want to learn. Regards

EDIT: Would you care to share the name of the app, so that we all can explore it better? You got me curious and interested :) Once again, I want to stress that individuals like you who want to LEARN are MORE of the guys that this forum needs, and I RESPECT people like you .. Cheers :) |
Also some of the programs from http://boilsoft.com/, e.g. mp4_converter_v1.22 and Resource Hunter_v1.32. Examples like AVI MPEG ASF WMV Splitter and AVI MPEG RM WMV Joiner are ASProtect SKE protected, but without the calls to the VM, so they could easily be unpacked manually. The Screen Recorder v1.05 for instance is Themida protected according to ProtectionID. There are also a few Armadillo-protected applications there, e.g. asf converter_v2.68. The registration routine in some of the software (mostly without protections) from Boilsoft is custom + MD5 hash tables, if you are interested. |
Dear Tempomat :
For your STUDY purpose, I have unpacked and uploaded them here:
The patched versions have no nags also. ALL LIMITATIONS REMOVED.. The unpacked one is just an unpatched version for your study. VERY SORRY that I do not have time, or I would have made DETAILED TUTS :( Really glad to see learners! :) I am sure that you can study the unpacked one and understand by yourself. Cheers and Good Luck! :) P.S.: The patches are very rudimentary and made VERY roughly, just to see if limitations and time-limit are removed or not! ;) |
Thanks TechLord.
A look at the disassembly of your unpacked Ramsaver showed me that I was totally wrong in saying that there is no IAT redirection. I have now been able to trace to the point where the decision is made whether to write an API into the IAT table or not. At that location, whenever ESI=0xDC or 0x74 the IAT was written, and with ESI=0xE6 it was skipped. So I was able to inject this code Code:
009E0000 8A43 3B MOV AL,BYTE PTR DS:[EBX+0x3B]
Now I am trying to figure out how to fix those redirected calls to 01B00000, which are actually calls to the APIs that are redirected to the VM. I am still reading some tutorials and hoping I can make a breakthrough soon. However, any suggestion on the procedure for resolving these redirected calls will be very much appreciated. Thanks, TempoMat |
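To triage which CALLs in a dumped code section still point into the VM region rather than into the module itself, here is a small added example (not code from the thread, nor from any of the scripts or tools mentioned in it) that scans for E8 rel32 CALLs and flags targets outside the image bounds; the sample bytes and image bounds are constructed and only echo the addresses quoted in the posts above.

```python
import struct

# Constructed sample, not bytes from any target in the thread: a CALL at
# 0040791F to 00407BB1 (the OEP shown above), NOP padding, then a CALL whose
# target lies at 01B00000, outside the image (the redirected-call pattern).
SAMPLE_VA = 0x0040791F
SAMPLE_CODE = (
    bytes.fromhex("E88D020000")       # 0040791F  CALL 00407BB1
    + b"\x90" * 12                     # 00407924  NOP x12
    + bytes.fromhex("E8CB866F01")     # 00407930  CALL 01B00000
)
# Hypothetical module bounds; in practice read ImageBase/SizeOfImage
# from the PE optional header of the dump.
IMAGE_BASE = 0x00400000
IMAGE_SIZE = 0x00100000


def scan_calls(code, base_va, image_base, image_size):
    """Linear scan for E8 rel32 CALLs; returns (call_va, target_va, in_image).

    Caveat: a linear byte scan can misfire on data bytes that happen to be
    0xE8, so treat the result as a triage list, not as a disassembly.
    """
    end = image_base + image_size
    found = []
    i = 0
    while i + 5 <= len(code):
        if code[i] != 0xE8:
            i += 1
            continue
        rel = struct.unpack_from("<i", code, i + 1)[0]
        call_va = base_va + i
        target = (call_va + 5 + rel) & 0xFFFFFFFF   # x86 CALL rel32 is PC-relative
        found.append((call_va, target, image_base <= target < end))
        i += 5
    return found


def redirected_calls(code, base_va, image_base, image_size):
    """Only the CALLs whose target falls outside the module image."""
    return [c for c in scan_calls(code, base_va, image_base, image_size) if not c[2]]


if __name__ == "__main__":
    for va, target, inside in scan_calls(SAMPLE_CODE, SAMPLE_VA, IMAGE_BASE, IMAGE_SIZE):
        print(f"{va:08X}  CALL {target:08X}  {'in image' if inside else 'REDIRECTED'}")
```

Each flagged entry is a call site whose target is outside the module, which is the set that still needs its original API resolved before the IAT can be rebuilt.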
@TempoMat :
Two EXCELLENT papers that are a bit old but VERY relevant to your situation. Go through them carefully. When I FIRST read these a few years ago, they took a couple of days to fully understand. Read them carefully and attempt to comprehend the concept the authors are trying to demonstrate. Good luck! :) Links:
Encourages me a lot ! |