#1
ASPR 1.2 question
I've done the tutorials on ASProtect, and was excited when I found a program that I could apply the tutorials to. Using Olly and running the code until the last instruction before it starts, I am presented with this code:

```
00A60019  3100              XOR DWORD PTR DS:[EAX],EAX
00A6001B  64:8F05 00000000  POP DWORD PTR FS:[0]
00A60022  58                POP EAX
00A60023  833D D839A600 00  CMP DWORD PTR DS:[A639D8],0
00A6002A  74 14             JE SHORT 00A60040
00A6002C  6A 0C             PUSH 0C
00A6002E  B9 D839A600       MOV ECX,0A639D8
00A60033  8D45 F8           LEA EAX,DWORD PTR SS:[EBP-8]
00A60036  BA 04000000       MOV EDX,4
00A6003B  E8 30C4FFFF       CALL 00A5C470
00A60040  FF75 FC           PUSH DWORD PTR SS:[EBP-4]
00A60043  FF75 F8           PUSH DWORD PTR SS:[EBP-8]
00A60046  8B45 F4           MOV EAX,DWORD PTR SS:[EBP-C]
00A60049  8338 00           CMP DWORD PTR DS:[EAX],0
00A6004C  74 02             JE SHORT 00A60050
00A6004E  FF30              PUSH DWORD PTR DS:[EAX]
00A60050  FF75 F0           PUSH DWORD PTR SS:[EBP-10]
00A60053  FF65 EC           JMP DWORD PTR SS:[EBP-14]   <--- THIS JUMP IS NOT ADDRESSED IN ANY TUTORIALS
00A60056  5F                POP EDI
00A60057  5E                POP ESI
00A60058  5B                POP EBX
00A60059  8BE5              MOV ESP,EBP
00A6005B  5D                POP EBP
00A6005C  C3                RETN
```

Anyway, I tried two ways. One, I NOP'ed the jump and traced, which killed my prog; the other way, I followed the jump, which dropped me into the main thread, and then I traced and found the OEP. It is the same as the Entry Point, so I'm assuming there are no stolen bytes. Mind you, I have not rebuilt the program successfully. I already unpacked it using asprstripper just for reference that my OEP was correct. So now I'm working on rebuilding the import tables, even though

```
00A60056  5F                POP EDI
00A60057  5E                POP ESI
00A60058  5B                POP EBX
```

looks very suspicious in reference to everything I read on stolen bytes. I however put a breakpoint on them and ran the code, and the program never ran that address? I'm just curious as to what the jump is for, when nothing I read ever mentioned it. They only said that there were two RETs that I had to execute before tracing.
#2
gabri3l:

You need to review R@dier's tut, found here: http://www.exetools.com/forum/showthread.php?t=3594

Now, if you look at the first graphic, you will find a section of code that looks remarkably like yours, except that it has an extra RETN where I indicate:

```
00A60019  3100              XOR DWORD PTR DS:[EAX],EAX
00A6001B  64:8F05 00000000  POP DWORD PTR FS:[0]
00A60022  58                POP EAX
00A60023  833D D839A600 00  CMP DWORD PTR DS:[A639D8],0
00A6002A  74 14             JE SHORT 00A60040
00A6002C  6A 0C             PUSH 0C
00A6002E  B9 D839A600       MOV ECX,0A639D8
00A60033  8D45 F8           LEA EAX,DWORD PTR SS:[EBP-8]
00A60036  BA 04000000       MOV EDX,4
00A6003B  E8 30C4FFFF       CALL 00A5C470
00A60040  FF75 FC           PUSH DWORD PTR SS:[EBP-4]
00A60043  FF75 F8           PUSH DWORD PTR SS:[EBP-8]
00A60046  8B45 F4           MOV EAX,DWORD PTR SS:[EBP-C]
00A60049  8338 00           CMP DWORD PTR DS:[EAX],0
00A6004C  74 02             JE SHORT 00A60050
00A6004E  FF30              PUSH DWORD PTR DS:[EAX]
00A60050  FF75 F0           PUSH DWORD PTR SS:[EBP-10]
00A60053  FF65 EC           JMP DWORD PTR SS:[EBP-14]   <--- THIS JUMP IS NOT ADDRESSED IN ANY TUTORIALS
ADDRESS                     RETN                        <-----------------------
00A60056  5F                POP EDI
00A60057  5E                POP ESI
00A60058  5B                POP EBX
00A60059  8BE5              MOV ESP,EBP
00A6005B  5D                POP EBP
00A6005C  C3                RETN
```

In R@dier's tut he says to mark the "last" RETN with F2, THEN hit Shift+F9 one more time, which takes you to the RETN. THEN you are supposed to go to the Memory window [you can click the "M" button at the top of Olly or ALT M] and highlight the ".code" section of your target. Then Right Click and choose "Set Memory Breakpoint on Access." You then go back to the CPU window and hit CTRL+F11. You are now at the EIP, somewhere in the 00400000+ range. Here you should do a CTRL+A to "Analyse" code.

To determine how many stolen bytes you may need, also follow the tut and look in the stack window. Sitting at the EIP [after your CTRL+F11] you should have something which looks like:

```
ADDRESS  $-FF25 18E36300  JMP DWORD PTR DS:[ADDRESS]
```

Now another R@dier reported trick (don't know who started this technique): Remove the analysis. "Right Click" in the CPU window, Analysis --> Remove Analysis. Now do Alt+K to bring up the STACK window. If you did not remove the Analysis, you will probably have no entries or only one entry. If you did remove the Analysis, you will probably have one entry or two. If you double click on the last address [or the only one if Analysis Removed], it will open the CPU window again at that location. This may be kind of tricky, because if it's at an odd address, and if you scroll up, the view shifts to an even address. [In OllyDBG you can move the display up or down, one bit at a time, by using the CTRL + up or down arrow.] Generally your Stolen Bytes go right above this address, and you can count the number of total bytes which need to be placed there.

Now finding the Stolen Bytes can be accomplished by looking in the Trace Window. View --> Run Trace. If you set your Debugging Options in the TRACE tab to check "Log Commands" and "Show ESP," when you open the TRACE by going to Window --> Run Trace, the window will open. Next Right Click on the window --> Highlight Register --> EBP. Now if you scroll down to the bottom of the TRACE Window, you will see a lot of "REP STOS BYTE PTR ES:[EDI]" code which was used to erase the Stolen Bytes and other things. Now if you look above this section, you should have a red section in the command window. Keep looking up and you will eventually see a red highlighted EBP (Generally around 600 or less) which is identical to ESP. Look into the Command Window side, opposite the ESP, which is immediately above the highlighted EBP. Here you may need some basic understanding of start-up code for various compilers, but in general, the Stolen Bytes you need are "limited" by the amount of "empty" space available above the ADDRESS you found in the bottom call in the STACK Window [look at the example in R@dier's tut if this isn't clear].

It would be a good idea to start a file of "Stolen Byte" sequences you see in the tuts and in your efforts and save them for use at this point, as described by R@dier. Now in figuring out what the Stolen Bytes might be, you must remember that [at the moment] the last "stolen" instruction seems to usually be:

```
MOVE EAX, target,ADDRESS
```

This ADDRESS is generally to be found in "either" the EAX or EBX register, when the program first breaks in the EIP, after executing the proper number of SHIFT+F9's and the CTRL+F11 described in R@dier's tut. So, knowing that your "last" Stolen Byte group is probably:

```
MOVE EAX, target,[the address shown in "either" EAX or EBX when break at EIP]
```

or B8 ADDRESS [and remember the address is reversed: if the ADDRESS is 0063516C, it would be written in as B8 6C516300]. So this sequence takes 5 BYTES of the available space. Since you did not identify your target, this is a general approach, not necessarily specific for the target you are working on, but it should be generally correct.

Regards,
__________________
JMI
Last edited by JMI; 04-28-2004 at 15:05.
#3
Thank you for the response. I've been working on this for the past few days and been getting a little turned around on it. I have made a dump that will load the program, but my import table is all screwed up, so any menu function etc. will crash the prog. I was using ImportREC to do the IAT, but I think it may take a little more of a hands-on approach because it just will not rebuild properly.

I have come to the conclusion that there are no stolen bytes. The trace confirms it, as does ASPRstripper. (Honestly, a little disappointed; I was hoping to work with stolen bytes when I saw the three POPs.) I suppose where you indicated a RET, since there are no stolen bytes, I immediately JMP rather than returning and stealing bytes. I could not figure out why I was not hitting any returns after my last exception, and was getting curious because none of my dumps seemed to work correctly. Thank you JMI for the help.
#4
gabri3l:

Have you downloaded R@dier's tut I mentioned and tried to follow his directions on rebuilding the IAT? There are many tuts on the net discussing rebuilding the IAT. There are also several good references which discuss some of the routines ASPR renames. One can use the patterns of some of these routines to determine the name of the API. Here is one list, which is contributed by hobferret, over on the Woodmann Forum, and LaBBa. They give patterns of some which get moved or confused. Remember addresses are dependent on which OS you are using. Here's that list.

Aspr notes V1.4?? Redirected calls which cannot be auto resolved!

```
44B717  6513C4
6513C4  55            PUSH EBP
6513C5  8BEC          MOV EBP,ESP
6513C7  5D            POP ESP
6513C8  C20400        RET 04
Becomes Kernel32!FreeResource

44B724  65139C
65139C  6A00          PUSH 00
65139E  E8B53DFFFF    CALL Kernel32!GMHA
6513A3  FF35E46C6500  PUSH DWORD [00656CE4]
6513A9  58            POP EAX
6513AA  8B05F46C6500  MOV EAX, [00656CF4]
6513B0  C3            RET
Becomes Kernel32!GetCommandLineA

44B730  651388
651388  A1E86C6500    MOV EAX, [00656CE8]
65138D  C3            RET
Becomes Kernel32!GetCurrentProcess

44B760  65133C
65133C  Look it's GetModuleHandleA
Becomes Kernel32!GetModuleHandleA

44B770  650EE8
650EE8/F0E  GetProcAddress
Becomes Kernel32!GetProcAddress

44B7A0  651358
651358  6A00          PUSH 00
65135A  E8F93DFFFF    CALL Kernel32!GMHA
65135F  FF35E46C6500  PUSH DWORD [00656CE4]
651365  58            POP EAX
651366  C3            RET
Becomes Kernel32!GetCommandLineA

44B7D4  6513B4
6513B4  55            PUSH EBP
6513B5  8BEC          MOV EBP,ESP
6513B7  8B05F46C6500  MOV EAX, [00656CF4]
6513BD  B84508        MOV EAX, [EBP+08]
6513C0  5D            POP EBP
6513C1  C20400        RET 04
Becomes Kernel32!LockResource

4753F8 - ED13D0
ED13D0  6A00          PUSH 00
ED13D2                CALL Kernel32!GMHA
ED13D7  FF35E86CED00  PUSH WORD [00ED6CE8]
ED13DD  58            POP EAX
ED13DE  8B05F86CED00  MOV EAX, [00ED6CF8]
ED13E4  C3            RET
Becomes Kernel32!GetCommandLineA

4573FC - ED13C0
ED13C0  55            PUSH EBP
ED13C1  8BEC          MOV EBP,ESP
ED13C3                CALL Kernel32!GetVersion
ED13C8  A1F46CED00    MOV EAX, [00ED6CF4]
ED13CD  5D            POP EBP
ED13CE  C3            RET
Becomes Kernel32!GetVersion

457444 - EE9E24
EE9E24  52            PUSH EDX
EE9E25  68369507C0    PUSH WORD [C0079536]
EE9E2A  C3            RET
Becomes Kernel32!GlobalUnlock

475464 - ED13B8
ED13B8  A1EC6CED00    MOV EAX, [00ED6CEC]
ED13BD  C3            RET
Becomes Kernel32!GetCurrentProcess

4754D0 - ED0EF0
ED0EF0\\ED0F16  CALL Kernel32!GetProcAddress  RET 08
Becomes Kernel32!GetProcAddress

475518 - ED1360
ED1360\\ED1384  CALL Kernel32!GMHA  RET 04
Becomes Kernel32!GetModuleHandleA
```

LaBBa explanation!

```
PUSH EBP
MOV EBP,ESP
MOV EAX,[FF7E24]      // DWORD VALUE 001522398
POP EBP
RETN4
EITHER LOCK RESOURCE or FREERESOURCE

PUSH DWORD PTR DS:[FF7E14]
POP EAX
RET
GET VERSION

PUSH EBP
MOV EBP,ESP
MOV EAX,DWORD PTR DS:[FF7E24]
MOV EAX,DWORD PTR SS:[EBP+8]
POP EBP
RETN4
EITHER LOCKRESOURCE or FREERESOURCE

MOV EAX,DWORD PTR DS:[FF7E20]
RETN
GETCURRENTPROCESSID

MOV EAX,DWORD PTR DS:[FF7E18]
RETN
GETCURRENTPROCESS - GETCURRENTPROCESSID works too!

PUSH EBP
MOV EBP,ESP
MOV EAX,DWORD PTR DS:[FF7E24]
POP EBP
RETN4
EITHER LOCKRESOURCE or FREERESOURCE
```

LaBBa's tut, ASPR 1.23 Unpacking "Step-By-Step", has methods of resolving APIs with Olly. One thing to remember is that it would be unusual to find an API from a different DLL among listings for a particular DLL. By that, I mean, you won't see user32.dll listings in the middle of kernel32.dll.

One recent thread here described the process in this sequence:

11) Loaded Imprec v1.6f
12) Selected DVDIdle Pro as Active Process
13) Pressed IAT Auto Search
14) Pressed Get Imports (left all values at default)
15) Pressed Show Invalid
16) Right clicked on invalid and selected: Trace Level 1 (disasm)
17) Pressed Show Invalid again
18) Right clicked on invalid and selected: Plugin Tracers -> aspr2

You can find the aspr2 tracer here: http://www.exetools.com/forum/showthread.php?t=3594&page=2

If you post your target, I may have time to take a look to confirm your information.

Regards,
__________________
JMI
Last edited by JMI; 04-28-2004 at 10:41.
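When ImportREC leaves entries unresolved in a dump of an ASProtect-protected sample, the redirection stubs JMI lists above can be matched mechanically instead of by eye. The following Python is an added example written for this thread; it is not code from the thread, from ImportREC or from the aspr2 tracer. It encodes the stub shapes from hobferret's and LaBBa's notes as byte patterns, scans a buffer for them, and reports which data slot each stub reads, since the page notes that several shapes (LockResource vs. FreeResource, GetCurrentProcess vs. GetCurrentProcessId) are told apart only by that slot. It also carries the `B8 ADDRESS` encoding from JMI's stolen-bytes post. The buffer, its base address and the slot addresses are constructed for this example.

```python
"""Scan a dumped code region for ASProtect-style API redirection stubs.

Added example for this thread (not code from the thread, ImportREC or any
tracer plugin). Stub shapes come from the listings quoted by JMI; the byte
buffer, base address and data-slot addresses below are constructed.
"""
import re
import struct

# (regex over raw bytes, candidate API names). `(....)` captures the 4-byte
# displacement of the data slot the stub reads; ambiguous shapes share one
# entry and are separated later by that slot.
STUB_PATTERNS = [
    # MOV EAX,[disp32] ; RET
    (rb"\xA1(....)\xC3", ("GetCurrentProcess", "GetCurrentProcessId")),
    # PUSH EBP ; MOV EBP,ESP ; MOV EAX,[disp32] ; POP EBP ; RET 4
    (rb"\x55\x8B\xEC\xA1(....)\x5D\xC2\x04\x00", ("LockResource", "FreeResource")),
    # PUSH EBP ; MOV EBP,ESP ; MOV EAX,[disp32] ; MOV EAX,[EBP+8] ; POP EBP ; RET 4
    (rb"\x55\x8B\xEC\xA1(....)\x8B\x45\x08\x5D\xC2\x04\x00", ("LockResource", "FreeResource")),
    # PUSH DWORD PTR [disp32] ; POP EAX ; RET
    (rb"\xFF\x35(....)\x58\xC3", ("GetVersion",)),
    # PUSH EBP ; MOV EBP,ESP ; POP EBP ; RET 4   (reads no slot at all)
    (rb"\x55\x8B\xEC\x5D\xC2\x04\x00", ("FreeResource",)),
]


def classify_stubs(region, base):
    """Return every stub found in `region` as a dict with its virtual address,
    candidate API names, the slot it reads (None if none) and its length."""
    hits = []
    for pattern, names in STUB_PATTERNS:
        # DOTALL so `.` also matches a 0x0A byte inside a displacement.
        for m in re.finditer(pattern, region, re.DOTALL):
            slot = struct.unpack("<I", m.group(1))[0] if m.groups() else None
            hits.append({"address": base + m.start(), "candidates": names,
                         "slot": slot, "length": m.end() - m.start()})
    hits.sort(key=lambda h: h["address"])
    return hits


def encode_mov_eax_imm(addr):
    """Hex of `MOV EAX, imm32`: opcode B8 followed by the little-endian operand,
    the five-byte sequence JMI describes as the usual last stolen instruction."""
    return "B8" + struct.pack("<I", addr).hex().upper()


def build_sample_region():
    """Constructed buffer: four stubs separated by INT3 (0xCC) padding, laid
    out as if dumped from 0x00ED1300. Slot addresses are constructed too."""
    stubs = [
        b"\xA1" + struct.pack("<I", 0x00ED6CEC) + b"\xC3",
        b"\xFF\x35" + struct.pack("<I", 0x00ED6CE4) + b"\x58\xC3",
        b"\x55\x8B\xEC\xA1" + struct.pack("<I", 0x00ED6CF4) + b"\x8B\x45\x08\x5D\xC2\x04\x00",
        b"\x55\x8B\xEC\x5D\xC2\x04\x00",
    ]
    return b"\xCC\xCC".join(stubs), 0x00ED1300


if __name__ == "__main__":
    region, base = build_sample_region()
    for h in classify_stubs(region, base):
        slot = "[%08X]" % h["slot"] if h["slot"] is not None else "-"
        print("%08X  %-12s  %s" % (h["address"], slot, " or ".join(h["candidates"])))
    print("stolen MOV EAX,0063516C encodes as", encode_mov_eax_imm(0x0063516C))
```

Two stubs with the same shape but different slots are different APIs, so grouping the hits by `slot` is the first thing to do on a real dump; the remaining ambiguity (which of LockResource/FreeResource a given slot is) is what the thread resolves by tracing in Olly.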
#5
The program is Sagebrush's RecallPro v1.3. It's an interesting program; in version 1.2, if you were running XP, it had a bug that would delete your license information from the registry when you closed it. It just took a quick NOP to the call and it worked perfectly after that. Well, it turns out that they still didn't fix the problem for version 1.3, though they did decide to start packing it. I was finally able to get the IAT to work. The R@dier tut helped me out. I had OllyDump rebuilding the imports by default. One thing that had me confused was that in LaBBa's, R@dier's, and MrBarby's tutorials they all say to increase the size when using ImpREC. I was getting frustrated because I was finding a lot of imports to fix, and a good amount of them were ADD [EAX], AL. By keeping the size about the same and using both the ASPR2 tracer (thank you, by the way) and the 1.2 tracer, I was able to get a working IAT. I know I must have done something incorrectly, because when I try and repack it ASProtect says that it is already packed, and I get a message in W32Dasm about the PE file not being in Windows format, but it runs! And I can debug it now and get rid of that registry call.

Just a quick question for reference: when looking at what imports are in my range, I look at the ptr:xxxxxxxxx and make sure that that is in my program range? And when fixing them, since it will only run on my system, can you (in theory) dump it again and rebuild the import table to give you the correct calls? While searching for references while working on this, I was able to compile a lot of tuts on using SoftICE and a few on ReVirgin for ASPR. So I think I'll give this another try using those tools, now knowing that I can actually do it. I really appreciate the help. Thank you JMI
Last edited by gabri3l; 04-28-2004 at 13:18.
#6
I've attached my ImpREC plugins folder. In addition to the excellent tutorials by LaBBa and R@dier, you may also refer to another excellent tutorial by Britedream on stolen bytes: http://grinders.withernsea.com/tutorials/britedream.rar

Regards, ferrari