Exetools > General > General Discussion
#1
04-28-2004, 09:56
JMI (Leader)
gabri3l:

Have you downloaded R@dier's tut I mentioned and tried to follow his directions on rebuilding the IAT? There are many tuts on the net discussing rebuilding the IAT. There are also several good references which discuss some of the routines ASPR renames. One can use the patterns of some of these routines to determine the name of the API. Here is one list, which is contributed by hobferret, over on the Woodmann Forum, and LaBBa. They give patterns of some which get moved or confused. Remember, addresses are dependent on which OS you are using. Here's that list.

Aspr notes V1.4??

Redirected calls which cannot be auto resolved!

44B717 6513C4
6513C4 55 PUSH EBP
6513C5 8BEC MOV EBP,ESP
6513C7 5D POP ESP
6513C8 C20400 RET 04
Becomes Kernel32!FreeResource

44B724 65139C
65139C 6A00 PUSH 00
65139E E8B53DFFFF CALL Kernel32!GMHA
6513A3 FF35E46C6500 PUSH DWORD [00656CE4]
6513A9 58 POP EAX
6513AA 8B05F46C6500 MOV EAX, [00656CF4]
6513B0 C3 RET
Becomes Kernel32!GetCommandLineA

44B730 651388
651388 A1E86C6500 MOV EAX, [00656CE8]
65138D C3 RET
Becomes Kernel32!GetCurrentProcess

44B760 65133C
65133C Look, it's GetModuleHandleA
Becomes Kernel32!GetModuleHandleA

44B770 650EE8
650EE8/F0E GetProcAddress
Becomes Kernel32!GetProcAddress

44B7A0 651358
651358 6A00 PUSH 00
65135A E8F93DFFFF CALL Kernel32!GMHA
65135F FF35E46C6500 PUSH DWORD [00656CE4]
651365 58 POP EAX
651366 C3 RET
Becomes Kernel32!GetCommandLineA

44B7D4 6513B4
6513B4 55 PUSH EBP
6513B5 8BEC MOV EBP,ESP
6513B7 8B05F46C6500 MOV EAX, [00656CF4]
6513BD B84508 MOV EAX, [EBP+08]
6513C0 5D POP EBP
6513C1 C20400 RET 04
Becomes Kernel32!LockResource

4753F8 - ED13D0
ED13D0 6A00 PUSH 00
ED13D2 CALL Kernel32!GMHA
ED13D7 FF35E86CED00 PUSH WORD [00ED6CE8]
ED13DD 58 POP EAX
ED13DE 8B05F86CED00 MOV EAX, [00ED6CF8]
ED13E4 C3 RET
Becomes Kernel32!GetCommandLineA

4573FC - ED13C0
ED13C0 55 PUSH EBP
ED13C1 8BEC MOV EBP,ESP
ED13C3 CALL Kernel32!GetVersion
ED13C8 A1F46CED00 MOV EAX, [00ED6CF4]
ED13CD 5D POP EBP
ED13CE C3 RET
Becomes Kernel32!GetVersion

457444 - EE9E24
EE9E24 52 PUSH EDX
EE9E25 68369507C0 PUSH WORD [C0079536]
EE9E2A C3 RET
Becomes Kernel32!GlobalUnlock

475464 - ED13B8
ED13B8 A1EC6CED00 MOV EAX, [00ED6CEC]
ED13BD C3 RET
Becomes Kernel32!GetCurrentProcess

4754D0 - ED0EF0
ED0EF0\\ED0F16
CALL Kernel32!GetProcAddress
RET 08
Becomes Kernel32!GetProcAddress

475518 - ED1360
ED1360\\ED1384
CALL Kernel32!GMHA
RET 04
Becomes Kernel32!GetModuleHandleA

LaBBa explanation!

PUSH EBP
MOV EBP,ESP
MOV EAX,[FF7E24] // DWORD VALUE 001522398
POP EBP
RETN4
EITHER LOCK RESOURCE or FREERESOURCE

PUSH DWORD PTR DS:[FF7E14]
POP EAX
RET
GET VERSION

PUSH EBP
MOV EBP,ESP
MOV EAX,DWORD PTR DS:[FF7E24]
MOV EAX,DWORD PTR SS:[EBP+8]
POP EBP
RETN4
EITHER LOCKRESOURCE or FREERESOURCE

MOV EAX,DWORD PTR DS:[FF7E20]
RETN
GETCURRENTPROCESSID

MOV EAX,DWORD PTR DS:[FF7E18]
RETN
GETCURRENTPROCESS - GETCURRENTPROCESSID works too!

PUSH EBP
MOV EBP,ESP
MOV EAX,DWORD PTR DS:[FF7E24]
POP EBP
RETN4
EITHER LOCKRESOURCE or FREERESOURCE

LaBBa's tut: ASPR 1.23 Unpacking "Step-By-Step" has methods of resolving APIs with Olly. One thing to remember is that it would be unusual to find an API from a different DLL among listings for a particular DLL. By that, I mean, you won't see user32.dll listings in the middle of kernel32.dll.

One recent thread here described the process in this sequence:

11) Loaded Imprec v1.6f
12) Selected DVDIdle Pro as Active Process
13) Pressed IAT Auto Search
14) Pressed Get Imports (left all values at default)
15) Pressed Show Invalid
16) Right clicked on invalid and selected: Trace Level 1 (disasm)
17) Pressed Show Invalid again
18) Right clicked on invalid and selected: Plugin Tracers-> aspr2

You can find the aspr2 tracer here:

http://www.exetools.com/forum/showthread.php?t=3594&page=2

If you post your target, I may have time to take a look to confirm your information.

Regards,
JMI

Last edited by JMI; 04-28-2004 at 10:41.
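As an added example (not code from this thread or from any of the tutorials it cites), here is a small Python helper that normalises the redirected-stub listings quoted above, matches them against the stub shapes hobferret and LaBBa list, and applies JMI's rule that an API from another DLL in the middle of a kernel32 run is suspect. The pattern table and sample stubs are constructed from the listings in this post; GMHA is assumed to be the GetModuleHandleA abbreviation used above.

```python
import re
MNEMONICS = {"PUSH", "POP", "MOV", "CALL", "RET", "RETN"}

def normalize(line):
    """One disassembled line -> 'MNEMONIC operands' with addresses/immediates abstracted."""
    s = line.split("//")[0].upper()
    s = re.sub(r"\bRETN?\s*0*(\d)\b", r"RET \1", s)      # RETN4 / RET 04 -> RET 4
    toks = s.replace(",", " , ").split()
    while toks and toks[0] not in MNEMONICS:             # drop '6513C4 55' columns
        toks.pop(0)
    if not toks:
        return None                                      # not an instruction line
    rest = "".join(toks[1:])
    rest = re.sub(r"(DWORD|WORD)(PTR)?|[DS]S:", "", rest)   # Olly operand decoration
    rest = re.sub(r"\[[0-9A-F]+\]", "[MEM]", rest)       # [00656CE4] -> [MEM]
    rest = re.sub(r"\[EBP\+0*8\]", "[EBP+8]", rest)
    rest = "IMM" if re.fullmatch(r"[0-9A-F]+", rest) else rest.split("!")[-1]
    return f"{'RET' if toks[0] == 'RETN' else toks[0]} {rest}".strip()

# Stub shapes quoted in the thread (hobferret's and LaBBa's lists) -> candidate APIs
PATTERNS = {
    ("PUSH EBP", "MOV EBP,ESP", "MOV EAX,[MEM]", "POP EBP", "RET IMM"):
        {"LockResource", "FreeResource"},
    ("PUSH EBP", "MOV EBP,ESP", "MOV EAX,[MEM]", "MOV EAX,[EBP+8]", "POP EBP",
     "RET IMM"): {"LockResource", "FreeResource"},
    ("PUSH [MEM]", "POP EAX", "RET"): {"GetVersion"},
    ("MOV EAX,[MEM]", "RET"): {"GetCurrentProcess", "GetCurrentProcessId"},
    ("PUSH IMM", "CALL GMHA", "PUSH [MEM]", "POP EAX", "RET"): {"GetCommandLineA"},
}

def classify(listing):
    """Candidate API names for one redirected stub; empty set when unrecognised."""
    shape = tuple(n for n in map(normalize, listing.splitlines()) if n)
    return set(PATTERNS.get(shape, ()))

def misplaced_entries(iat):
    """JMI's check: an entry whose DLL differs from both neighbours is suspect."""
    dlls = [name.split("!")[0].lower() for name in iat]
    return [i for i in range(1, len(dlls) - 1)
            if dlls[i] != dlls[i - 1] and dlls[i] != dlls[i + 1]]

# Constructed samples: hobferret's 6513B4 stub and LaBBa's Olly-style GetVersion stub
LOCKRES_STUB = """6513B4 55 PUSH EBP
6513B5 8BEC MOV EBP,ESP
6513B7 8B05F46C6500 MOV EAX, [00656CF4]
6513BD B84508 MOV EAX, [EBP+08]
6513C0 5D POP EBP
6513C1 C20400 RET 04"""
GETVER_STUB = "PUSH DWORD PTR DS:[FF7E14]\nPOP EAX\nRET"
```

A stub that yields two candidates (LockResource or FreeResource) still has to be disambiguated by hand, exactly as LaBBa's notes say.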
#2
04-28-2004, 12:56
gabri3l
The program is Sagebrush's RecallPro v1.3. It's an interesting program: in version 1.2, if you were running XP, it had a bug that would delete your license information from the registry when you closed it. It just took a quick NOP to the call and it worked perfectly after that. Well, it turns out that they still didn't fix the problem for version 1.3, though they did decide to start packing it. I was finally able to get the IAT to work. The R@dier tut helped me out. I had OllyDump rebuilding the imports by default. One thing that had me confused was that in LaBBa's, R@dier's, and MrBarby's tutorials they all say to increase the size when using ImpREC. I was getting frustrated because I was finding a lot of imports to fix, and a good amount of them were ADD [EAX], AL. By keeping the size about the same and using both the ASPR2 tracer (thank you, by the way) and the 1.2 tracer I was able to get a working IAT. I know I must have done something incorrectly, because when I try to repack it ASProtect says that it is already packed, and I get a message in W32Dasm about the PE file not being in Windows format, but it runs! And I can debug it now and get rid of that registry call.

Just a quick question for reference: when looking at what imports are in my range, I look at the ptr:xxxxxxxxx and make sure that that is in my program range? And when fixing them, since it will only run on my system, can you (in theory) dump it again and rebuild the import table to give you the correct calls?

While searching for references while working on this, I was able to compile a lot of tuts on using SoftICE and a few on ReVirgin for ASPR. So I think I'll give this another try using those tools, now knowing that I can actually do it. I really appreciate the help. Thank you, JMI.

Last edited by gabri3l; 04-28-2004 at 13:18.
#3
04-28-2004, 13:18
ferrari
I've attached my ImpREC plugins folder. In addition to the excellent tutorials by LaBBa and R@dier, you may also refer to another excellent tutorial by Britedream on stolen bytes.

http://grinders.withernsea.com/tutorials/britedream.rar

Regards,
ferrari
Attached file: Plugin.rar (74.8 KB)

#4
04-28-2004, 15:30
JMI (Leader)
A solid recommendation, as I believe Britedream was the ultimate source of much of the unpacking information I have reported here. I've downloaded your target, and, time permitting, will take a quick look at the unpacking issues. May I recommend that you not only read the tuts you've downloaded, but that you start making your own set of compiled notes on features of various versions of your protector targets.

For example, you could start collecting the patterns of stolen bytes reported and discovered. You could start recording patterns of code found at or around the stolen bytes. You could start studying, from the trace, the patterns from the ASPR DLL: for example, the huge loop at the start of the program, which is followed by another loop which seems to match the number of times you passed an exception with F9 and/or SHIFT+F9; that your OEP is probably sitting naked in the trace, if you only know where to look; and that it probably is listed in the trace in a PUSH DWORD PTR DS:[ADDRESS] instruction a couple of instructions above the PUSHAD and PUSHFD which occur shortly before the REP STOS BYTE PTR ES:[EDI] routine that erases all the code that got you there in the first place. In other words, the run trace is worth close study because it is the track of ASPR's unfolding of the path to the OEP.

Understanding what it's doing will help with the next target and you might note the differences you discover in the general pattern. In this effort it really helps to remove all the loop code repeats, simply noting the registers going into the start of the loop and coming out.

Once you get comfortable with the unpacking, you then have to move on to the issue of whether or not there is additional code in the target which has to be changed to make it actually run fully. But for the first step, you just want to master manual unpacking and then worry about the next phase.

ferrari: I've downloaded Britedream's tut both here and from somewhere else and, for some reason, I'm not seeing the illustrations. Yours has the first two only, and the other one I downloaded didn't have any. Maybe I'm just using the wrong file to open it. It's opening in Word and it's time to try something else.

Regards,
JMI

Last edited by JMI; 04-28-2004 at 15:41.

#5
04-28-2004, 16:47
ferrari
I downloaded the file (.doc, in Word XP) to check and I'm able to see all the "9" illustrations. If you still have any problems, tell me. I've extracted all the images and I'll upload the file for you if needed; otherwise I might unnecessarily increase Aaron's database.

Regards,
ferrari
#6
04-28-2004, 17:14
JMI (Leader)
Thanks for the offer ferrari, but for some reason which I can't explain at the moment, it is suddenly working. The first several times I opened it, there was only the graphics on the first page. Now, if I wait awhile, they slowly appear on the other pages as well.

Be careful of road rash out there and remember that the Deity gave you only one set of family jewels and did not intend that you use them to smash into handrails and other such solid metal objects.

Regards,
JMI

#7
04-29-2004, 01:20
gabri3l
Thank you guys for the help. Good advice, JMI! I have about 2 pages of notes just trying to unpack this program (and a few more notes on a Taco Bell napkin). Hopefully I will be able to figure out what I'm doing wrong so I can move on and compare them to another program.

Time willing, I hope to get a better unpack and rebuild of the program, and maybe work on cleaning the code up. I must have missed something if ASProtect says that it is still packed. On Woodmann's forum there was some info on cleaning up an ASProtect unpack. I've bookmarked it to refer back to. Many thanks, ferrari, for your plugins folder. I only had aspr 1.2 and aspr2, and did not even know there was one for aspr 1.23. And for the Britedream tut. When I'm done working on this program I feel a target with stolen bytes calling me.

One good thing is that I feel like I'm getting a better idea of whats actually going on rather than just blindly following a tutorial.

Last edited by gabri3l; 04-29-2004 at 15:45.