Unpacked ASPR file - signature not recognised

[5Alive]

I unpacked an app protected with ASPR 1.3x using syd's Stripper 2.13 beta 9.
The unpacked exe runs fine although it still requires registration, I patched this without to much trouble.

I know that the app was coded in Delphi having looked at the Resource section, but neither PEiD or IDA recognise it as a Delphi compiled exe.

What do I need to do to fix this? Does it have something to do with the EP being outside of the code section?

Can anyone tell me the registration algo used by ASPR 1.3x and if it is can be keygenned. I have never seen a keygen (or patch for this app after a certain version) so I'm guessing it is not possible?

Thanks for any help you can offer.

5aLIVE.

[Jupiter]

What for do you need to fix that exe? If you need to apply Delphi signatures in IDA, you can always do it manually (Shift-F5, select required signature from list).
If your protected app is fully unpacked/decrypted and you are sure that there is no code blocks crypted via key, then don't worry about keygen.
are you sure that app protected by ASProtect 1.3? it may be packed with ASProtect 2 SKE. anyway there are keygens for ASProtect 1.35 (protected by ASProtect 2 SKE) and ASProtect 2.2 by TMG and ECLiPSE. if you can find weakness in public keys generator, you can create bruteforcer.

ASProtect 1.3 uses RSA
ASProtect 2.x uses ECC

[5Alive]

Quote:

Originally Posted by 5Alive

I cannot manually apply FLIRT signatures as I don't have a FLIRT library for Delphi Client/Server Enterprise. Do you know where I can find this? I can't attach to the process with DeDe either, I was wondering if there is anyway to fix this problem?

I've tested the program through normal use and it runs well so I don't think that it has any crypted code blocks remaining.

I'm only basing my assumption that it is packed with ASPR1.3x based on what PEiD reports (1.2x- 1.3x). Stud_PE reports 1.2x[new strain] (I think I may need to update signature library for this).

Okay, So I could identify the vesion of ASP by checking what crypto algo is used in the registration scheme. How else can I reliably identify the version of ASPR used?

Thanks for your help.

[Jupiter]

Some tools/sigs for IDA:
http://www.wasm.ru/toollist.php?list=20

Signs for Delphi:
http://www.wasm.ru/baixado.php?mode=tool&id=377

You can dump ASProtect.dll and analyze it with any crypto analyzer, if you find ECC routines then it's SKE.

[5Alive]

It appears to be protected with ASProtect 2.1x SKE when using an updated signature file with PEiD. Doesn't this use RSA1024 rather than ECC?

Thanks.

[Jupiter]

Q: how to detect exact ASProtect version?
A: extract TASP object and analyze it.

Q: What is TASP object?
A: TASP object - it's ASProtect DLL used in protected application to perform all protection tasks (e.g. license keys managment). You can extract it from ASProtect.exe (ASProtect itself) resources (RCData -> TASP).

When ASProtect protects an executable, it attaches TASP to protected exe. TASP is packed by aPLib and ASPack, PE structure replaced by own (much easy).

Q: How to extract TASP from protected application?
A: Method 1: Execute protected app under debugger, wait until TASP is unpacked by ASPr stub and dump TASP to disk, place correct PE header (read tutorials about it - there are good old articles for v1.2x by crUsAdEr).
Method 2: Find compressed TASP in .aspr section, decompress and reconstruct it.
Method 3: Use tool for automatic TASP extraction like asdd tool by seeQ or VerA plugin for PEiD/DiE by PE_Kill
So, when you'll get unpacked TASP (ASProtect.dll), you can analyze it with any crypto ananlyzer (for ex. KANAL).

Attached:
VerA 0.15 (PEiD Plugin)
ASProtect v2.3 06.26 ASProtect.dll [TASP] (ready to ananlyze)
ASProtect v2.3 06.26 TASP (from resources, packed)

[5Alive]

Thankyou for your very informative reply. I shall have a look at your attachments and see what I can learn from them.

when you unpack files with stripper - and oep is stolen, that stolen code would be recovered, but it's still morphed, so peid cant recognise any signatures on ep..
--
aspr dont use rsa..just ecc, and some signature scheme.. there are some bugs in generation of numbers, TMG and ECL found them, and succefully keygenned aspr..

[5Alive]

I think I'm probably a little over my head on this one, I realise I have much to learn.
I should be happy that I was at least able to unpack and patch the app in the meantime.

Perhaps I shall return to this when my skills improve and time permits. Thanks for all the help offered.

direct link please

i cant download it from the attachements

sorry.

[jump]

You should read FAQ before posting this...!

--
Jump

Maroc-OS You want to be answered on a 3-years old discussion...

[ahmadmansoor]

hehe I think he didn't read the time of this post ..hehe he still new so no problem ...
this is the file :
hXXp://rapidshare.com/files/195488593/Ahmadmansoor-exetools_Team.rar
play good and then u can download the Attached Files ..