Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Help with ASProtect 1.23 RC4 (https://forum.exetools.com/showthread.php?t=4407)

Perdition 06-07-2004 11:04

Help with ASProtect 1.23 RC4
 
I thought I would try my hand at unpacking an ASProtect target (hxxp://oemailrecovery.com/downloads/AddressBookRecovery.exe), but I can't get it to work. I used R@dier's excellent tutorial as a basis and managed to locate what seem to be the stolen bytes, but I'm not entirely sure exactly which ones are stolen.

I got to this point at line 5618 in the trace window:

PUSH EBP
MOV EBP,ESP
SUB ESP,10
JMP SHORT 00ACE8AE
XOR WORD PTR DS:[ACE8B8],2A2
JMP SHORT 00ACE8BA
XOR WORD PTR DS:[ACE8C4],3EEE
JMP SHORT 00ACE8C7
PUSH DS
PUSH 2847F208
MOV DWORD PTR SS:[ESP+4],ECX

...

Is this the correct place and if so which are the stolen bytes?

I figured the OEP to be 575DFF but this may also be incorrect.

Any help would be much appreciated :)

britedream 06-07-2004 20:20

You are close enough; you are off by one byte for the OEP:

00575E00 55 PUSH EBP
00575E01 8BEC MOV EBP,ESP
00575E03 83EC 10 SUB ESP,10
00575E06 B8 70575700 MOV EAX,AddressB.00575770

Perdition 06-08-2004 02:16

Hi britedream, thank you for the reply

I'm kicking myself for being so close to the OEP. The reason I got 575DFF was that I thought all the 0's counted as stolen, and so I had 1 extra byte to fill in. Because of this, these were the stolen bytes I was using:

PUSH EBP
MOV EBP,ESP
SUB ESP,10
PUSH EAX (needed to fill 1 byte and this looked like a stolen byte ;)
MOV EBX,AddressB.00575770 (because EAX was 0 and EBX contained the address)

Why is there one fewer stolen byte, i.e. how do you know when not to fill in all the 0's?

Also, even with your stolen bytes I can't get the program to run. I fixed the dump according to R@dier's tut (and made sure Fix EP to OEP was unchecked) and also checked the EP with LordPE, and it seems to be ok (175E00 = 575E00 - 400000). When I run the program it just does nothing, no error or anything. I think I'm close, but I need a little more of your expert help :)

BTW, I like your method for finding stolen bytes; it's a lot quicker than the NOP method!

SvensK 06-08-2004 13:02

Did you rebuild and add the IAT?

britedream 06-08-2004 14:32

The zeroes are part of the address above the stolen bytes, and EAX has moved the value to EBX. If you had followed the call right after the place for the stolen bytes, you would have seen that. You stopped after this call had been executed.

Perdition 06-08-2004 20:26

Thanks for your replies,

britedream :

You are absolutely correct. I followed the call, and indeed it moves EAX into EBX right at the beginning of the proc! I should have checked that, but I know now for next time :)

SvensK :

I'm sure I have, but perhaps I'm missing something; I will explain in a moment.

All :

I apologise if I'm missing something simple (still learning), but I'm still not getting it right, and I think I'm not doing something properly with ImpRec. I will break down exactly what I've done so far so you can kick me where I've missed something!


In Olly 1.10 before inserting stolen bytes:

00575DFE 57 PUSH EDI
00575DFF 0000 ADD BYTE PTR DS:[EAX],AL <--- This is why I thought OEP = 575DFF
00575E01 0000 ADD BYTE PTR DS:[EAX],AL
00575E03 0000 ADD BYTE PTR DS:[EAX],AL
00575E05 0000 ADD BYTE PTR DS:[EAX],AL
00575E07 0000 ADD BYTE PTR DS:[EAX],AL
00575E09 0000 ADD BYTE PTR DS:[EAX],AL
00575E0B E8 5C11E9FF CALL AddressB.00406F6C

In Olly after stolen bytes:

00575DFE 57 PUSH EDI
00575DFF 90 NOP <--- This is the extra byte I was talking about
00575E00 55 PUSH EBP
00575E01 8BEC MOV EBP,ESP
00575E03 83EC 10 SUB ESP,10
00575E06 B8 70575700 MOV EAX,AddressB.00575770
00575E0B E8 5C11E9FF CALL AddressB.00406F6C

Ok at this point I right click on 00575E00 and select New Origin Here.
Then Plugins -> OllyDump -> Dump debugged process, uncheck "Rebuild Import" and dump.


In ImpRec 1.6F:

Attach to addressbookrecovery.exe
Click IAT AutoSearch
Set Size to 1000
Click Get Imports
Click Show Invalid
Right click -> Trace Level1
Click Show Invalid
Right click -> Plugin Tracers -> aspr2
Click Show Invalid
Check for any remaining functions in ASProtect address space (none that I can see)
Right click -> Cut thunk(s)
Click Fix Dump and select dumped file.

These are my ImpRec option settings:

New Imports - All unchecked.
Fix EP to OEP - unchecked.
Use PE Header From Disk - checked.

Add new section (main screen) - checked.


After all this I run the fixed dump, but the program doesn't load. All it does is generate a file called Err.log with the contents "Error ppp.03".
BTW, I'm running Windows 2003 Server; the original program runs fine, so I assume it should run fine when unpacked.

Once again I appreciate all the help, I'm learning a lot :)
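A worked example added here, not code from any poster in this thread nor from ASProtect, OllyDump or ImpRec: it does the two mechanical steps Perdition describes above in a script, deriving the OEP from the first instruction that survived in the dump (the CALL at 00575E0B) rather than from the run of zeroes, writing britedream's stolen bytes into the zero-filled slot, and setting AddressOfEntryPoint to OEP minus ImageBase (175E00 = 575E00 - 400000). The addresses and instruction encodings are the ones posted in the thread; the one-section PE image built by build_demo_image() is constructed for the demo and is not a real AddressBookRecovery dump. Everything else (flat PE dump, slot still zero-filled, RVA-to-offset via the section table) is my assumption.

```python
"""
Added worked example (not code from the thread or from ASProtect/OllyDump/
ImpRec): derive the OEP from the first surviving instruction, write the
stolen bytes into a dump, and point AddressOfEntryPoint at the OEP.

Assumptions (mine): the dump is a flat PE file, the OEP slot is still
zero-filled, and RVA -> file offset goes through the section table.  The
addresses and encodings are the ones posted in the thread; the PE image
built by build_demo_image() is constructed for the demo, not a real dump.
"""
import struct

IMAGE_BASE = 0x400000

# Stolen bytes exactly as britedream listed them, with their x86 encodings:
#   55             PUSH EBP
#   8B EC          MOV EBP,ESP
#   83 EC 10       SUB ESP,10
#   B8 70 57 57 00 MOV EAX,00575770
STOLEN = bytes.fromhex("55 8BEC 83EC10 B870575700")

# First instruction that survived intact in the dump: CALL 00406F6C at 00575E0B.
FIRST_INTACT_VA = 0x00575E0B
CALL_BYTES = bytes.fromhex("E85C11E9FF")


def oep_from_first_intact(first_intact_va, stolen):
    """OEP = first surviving instruction minus the stolen length (0x575E0B - 11).

    Counting every zero byte above that instruction instead (the 575DFF guess)
    overshoots: the 00 at 575DFF is the high byte of the address operand of
    the instruction that precedes the OEP, not part of the slot.
    """
    return first_intact_va - len(stolen)


def parse_sections(pe):
    """Return (e_lfanew, [(VirtualAddress, size, PointerToRawData), ...])."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    first = e_lfanew + 24 + opt_size
    sections = []
    for i in range(num_sections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, first + i * 40 + 8)
        sections.append((va, vsize or rawsize, rawptr))
    return e_lfanew, sections


def rva_to_offset(sections, rva):
    for va, size, rawptr in sections:
        if va <= rva < va + size:
            return rawptr + (rva - va)
    raise ValueError("RVA %#x is not inside any section" % rva)


def entry_point(pe):
    """AddressOfEntryPoint (an RVA), at optional header + 16."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    return struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]


def patch_stolen_bytes(pe, first_intact_va, stolen, image_base=IMAGE_BASE):
    """Write the stolen bytes just below first_intact_va and fix the EP.

    Refuses to touch the file unless the target slot is still zero-filled
    and is immediately followed by a non-zero opcode (the surviving CALL),
    so a wrong OEP or an already patched dump cannot be clobbered.
    """
    pe = bytearray(pe)
    e_lfanew, sections = parse_sections(pe)
    oep_va = oep_from_first_intact(first_intact_va, stolen)
    oep_rva = oep_va - image_base            # e.g. 575E00 - 400000 = 175E00
    off = rva_to_offset(sections, oep_rva)
    slot = pe[off:off + len(stolen)]
    if any(slot):
        raise ValueError("slot at %#x is not zero-filled: %s" % (oep_va, slot.hex()))
    if pe[off + len(stolen)] == 0:
        raise ValueError("no surviving instruction right after the slot at %#x" % oep_va)
    pe[off:off + len(stolen)] = stolen
    struct.pack_into("<I", pe, e_lfanew + 24 + 16, oep_rva)   # AddressOfEntryPoint
    return bytes(pe), oep_va


def build_demo_image():
    """Constructed one-section PE reproducing the bytes listed around
    00575DFE (57, twelve zero bytes, then the CALL).  Not a real dump."""
    text_rva, text_raw, text_size = 0x175000, 0x400, 0x1000
    text = bytearray(text_size)
    text[0xDFE] = 0x57                              # tail of the instruction before the OEP
    text[0xE0B:0xE10] = CALL_BYTES                  # CALL AddressB.00406F6C
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32
    struct.pack_into("<I", opt, 16, 0x1000)         # EP still points into the packer stub
    struct.pack_into("<I", opt, 28, IMAGE_BASE)
    sec = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_rva, text_size,
                      text_raw, 0, 0, 0, 0, 0x60000020)
    hdr = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec
    return hdr + bytes(text_raw - len(hdr)) + bytes(text)


if __name__ == "__main__":
    fixed, oep = patch_stolen_bytes(build_demo_image(), FIRST_INTACT_VA, STOLEN)
    print("OEP %#x, AddressOfEntryPoint %#x" % (oep, entry_point(fixed)))
```

The two guards are the part worth keeping when you adapt this to a real dump: the slot you are about to overwrite must still be all zeroes, and the byte right after it must be the opcode of an instruction you saw execute in the trace. Neither guard can tell you that a leading 00 belongs to the previous instruction's operand; only following the call, as britedream did, settles that.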

britedream 06-09-2004 00:11

1 Attachment(s)
Compare yours to this: [unpacked on XP]

Perdition 06-09-2004 01:48

Thanks britedream, your unpack works! I will take a closer look and try to find out what the difference is. Hopefully I will see where I went wrong :)


All times are GMT +8.