#1
05-19-2004, 01:57
hobgoblin
Well

Hi guys,
Why don't you guys in a few words explain how you unpacked it and fixed the IAT?

regards,
#2
05-19-2004, 05:34
bollygud
Quote:
Originally Posted by hobgoblin
Hi guys,
Why don't you guys in a few words explain how you unpacked it and fixed the iat?

regards,
To keep it as few words as possible, I'll simply explain the method by which you can unpack and run this version. If you're not familiar with aspr or the pe file format then the following will not help you.

Get to OEP as usual, break on many exceptions and jump over the last exception and RET which will eventually lead you to EP. Then you can dump, that's the easy part. Then what you must do is dump the ASPR envelope from memory and attach it to your dump. I have seen regular sized apps with big import tables and at the moment I have no way of fixing or creating an IAT. Once you've attached your ASPR to your dump you need to fix the import table to point to the proper thunks.

That's the extremely basic way of doing it.

There are things you can do to change the ASPR envelope's native address, etc. Plus lots of cleaner ways to rebuild your pe. But that right there is the basic idea.

Also note that this approach will only allow the dump to run on your machine or possibly only the same os. It's definitely not a cross-platform solution with a generic iat/import table. But it works nonetheless.

One other thing to mention. Since this version does not use the native iat to point to system apis or redirected apis it will be quite a task to create an iat and that, really, is the only stumbling block for a more 'pure' solution. The other things such as obfuscated redirected functions are quite a bit tougher with this version, but that can always be resolved by simply attaching the obfuscated code somewhere and redirecting the jump/call to it.

I hope that answers some questions

#3
05-19-2004, 06:58
koyaan
I can't get it to run in OllyDbg... passed a lot of exceptions but after a while an "illegal instruction" Windows box pops up and my process is killed...

I then set Olly options to ignore most exceptions and restarted... it loads nicely and I get the debugger detect msgbox... and then it crashes, I can't even click OK... the IsDebuggerPresent plugin did not help.

#4
05-19-2004, 14:13
hobgoblin
Yes,

Thank you for your input. It's a good starting point for further investigation. :-)

regards,
#5
05-19-2004, 23:33
britedream
As I indicated in my earlier post, I would look for unpacking the beta the traditional way. The key to this is to correct the code calls and jumps to the ASProtect area. The good news is that I found the locations that will correct calls and jumps; the only problem is time, I need to test it and unpack it through this method. I did run a program that I protected with the correction in place and it ran fine, which means these corrections are good. I did test this also on the unpackmenow, and it corrected all calls and jumps that I could see, but due to lack of time I couldn't pursue any further. I will do that on the weekend if time permits.

regards.
#6
05-19-2004, 23:55
Computer_Angel
It detects the debugger, but you can easily bypass it by using the IsDebuggerPresent plugin.
I also use the get API call in ImpREC; try to make a valid range from 401000 to 401fff to get the emulated APIs. That's the way I did it, but the weak point is I must correct every emulated API ---> It's so bad because there are a lot of them.
#7
05-20-2004, 00:55
hobgoblin
Hi

Hi britedream,
I'm looking forward to learning about your solution.

BTW, has anyone found a program protected by this new version?

#8
05-20-2004, 02:47
Darren
Why not find the part in the unpacker that cycles through all the imports and patches the calls in the app with addresses of the redirected API in the envelope section, make a little OllyScript to capture the true API address and use OllyScript to put in the correct API address, and then use the ImpREC tool to search for call [xxxxxx] and rebuild you an import that directly patches the calls,
or capture the table out of memory ASPR uses to create these redirected calls
and build your own tool to build the imports section and fix the call [xxxxxx] to point to a new IAT.

- Darren
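bollygud's description of redirected APIs in the protector's envelope (#2) and Darren's suggestion of searching the dump for call [xxxxxx] sites (#8) both come down to the same two steps an import-rebuilding tool performs: find which IAT slots the code actually references, then decide whether each slot already points at a real export or still points into the envelope. The following added example (not code from the thread or from any of the tools it mentions) shows both steps on a constructed 32-bit code snippet; the image base, IAT range and envelope range are assumptions, and the byte-pattern scan is only a candidate finder, as it cannot tell an FF 15 / FF 25 opcode from the same bytes inside data.

```python
import struct
from collections import defaultdict

# Constructed sample (not from the thread): a tiny 32-bit code section whose image
# address is assumed to be 0x401000, with indirect calls/jumps through assumed IAT slots.
CODE_BASE = 0x401000
IAT_RANGE = (0x403000, 0x403100)        # assumed location of the rebuilt IAT
ENVELOPE_RANGE = (0x500000, 0x540000)   # assumed location of the protector's envelope

def ind(op, slot):
    # op 0x15 = call dword ptr [slot], op 0x25 = jmp dword ptr [slot]
    return bytes([0xFF, op]) + struct.pack("<I", slot)

SAMPLE_CODE = (
    b"\x55\x8B\xEC"          # push ebp; mov ebp, esp
    + ind(0x15, 0x403004)    # call [0x403004]
    + b"\x85\xC0"            # test eax, eax
    + ind(0x15, 0x403008)    # call [0x403008]
    + ind(0x25, 0x403004)    # jmp [0x403004]: second reference to the same slot
    + ind(0x15, 0x405000)    # indirect call outside the IAT range: not an import
    + b"\xC9\xC3"            # leave; ret
)

def find_iat_references(code, base, iat_range):
    """Map each IAT slot VA to the VAs of the call/jmp dword ptr [imm32] sites using it.
    This is the pattern scan an import rebuilder performs over the dumped code; without a
    disassembler it can misfire on FF 15 / FF 25 inside data, so treat hits as candidates."""
    lo, hi = iat_range
    refs = defaultdict(list)
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] in (0x15, 0x25):
            slot = struct.unpack_from("<I", code, i + 2)[0]
            if lo <= slot < hi:
                refs[slot].append(base + i)
            i += 6
        else:
            i += 1
    return dict(refs)

def classify_slots(slot_values, exports, envelope_range):
    """slot_values: {slot_va: pointer stored there}; exports: {api_va: 'dll!Name'}.
    'resolved' slots already name a real export; 'redirected' slots still point into the
    protector's envelope (the emulated/redirected APIs) and need fixing before the dump
    can import normally."""
    lo, hi = envelope_range
    result = {}
    for slot, target in slot_values.items():
        if target in exports:
            result[slot] = ("resolved", exports[target])
        elif lo <= target < hi:
            result[slot] = ("redirected", target)
        else:
            result[slot] = ("unknown", target)
    return result
```

The export map would come from the loaded system DLLs of the analysis machine, which is why bollygud notes that a dump fixed this way is tied to that machine and OS.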
#9
05-20-2004, 08:00
bollygud
Quote:
Originally Posted by hobgoblin
BTW, has anyone found a program protected by this new version?
WhereIsIt 3.59

I also look forward to hearing more about true IAT direction fixing from britedream. From my observation, it appears that there is never an 'original' call structure that is then overwritten. It only seems that there are some basic distance bytes that are then calc'd and overwritten to the direct calls/jumps to the ASPR env. If you have found something else, that would truly be amazing.