Exetools > General > General Discussion
  #1  
Old 06-12-2004, 02:20
britedream britedream is offline
Friend
 
Join Date: Jun 2002
Posts: 436
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 7 Times in 7 Posts
britedream Reputation: 0
Hacking Asprotect 1.31

Svensk posted a target protected with the new 1.31; the name is dvdIdlepro Version 5.0.1.6, which is the version as of today. I am not going to unpack it this time; for a change, I will hack it. To avoid CRC checks I will use the idea brought up by a gentleman called Saccopharynx. Thanks Saccopharynx, but the similarity ends here; I will use a different approach.

I coded a dll to do all the patches needed, as follows:

1- check the first byte of the code section for a change, as a signal.

2- go and get the imagebase that will be used on the PC, from 45c64b for this target.

3- hold asprotect till my dll finishes its calculations of the addresses that need to be patched.

4- patch, and let asprotect go on; wait for it to decrypt the location where I will redirect the address to my name as registered (this step is cosmetic).


Send me a PM if you need details.
Your version should be 5.0.1.6.

Unpack the files and replace yours.
Attached Files
File Type: rar dvdIdlePro.rar (422.8 KB, 51 views)

Last edited by britedream; 06-12-2004 at 10:09.
  #2  
Old 06-12-2004, 08:17
bollygud
 
Posts: n/a
this will probably only work on winxp, because it crashes when it tries to access a static system dll address (possibly kernel32) pointer which doesn't jive with win2k. anyway, it doesn't work on win2k.

on a positive note, this app keeps its native iat intact, so it is easy to rebuild. when i first ran it i thought it was too fast for the new protection. now i know why: cuz he didn't use the aspr import handler, which adds way too much extra time if you ask me. good for the author and his customers.
  #3  
Old 06-12-2004, 09:54
britedream britedream is offline
bollygud, thanks for the feedback. I have no idea about w2k, but for xp please make sure that you use version 5.0.1.6, and don't change the target folder name, so keep it as:
XX:\program files\dvdidle pro\......

Last edited by britedream; 06-12-2004 at 12:17.
  #4  
Old 06-12-2004, 13:47
britedream britedream is offline
Did it work for anyone with xp?

If it didn't work when you installed 5.0.1.6 on xp, please tell me what the error message was.
  #5  
Old 06-12-2004, 19:57
britedream britedream is offline
Version has changed

The version has changed to 5.0.2.6; two versions changed in one day, they must be reading this forum. Our patch will not work on the new version.

It is no longer protected with the new asprotect 1.31; it went back to the old one.

Last edited by britedream; 06-12-2004 at 21:27.
  #6  
Old 06-13-2004, 06:44
bollygud
just so you know, i was using 5.0.1.6. but here's a little crash report:

Quote:
Access violation when executing [77E7D961]

stack:
0012FF74 00476FE1 RETURN to 00476FE1 from 77E7D961
0012FF78 00476FC8 ASCII "DvdIdlePro"
0012FF7C 0090D818
0012FF80 7FFD7BF8
0012FF84 0045C013 RETURN to 0045C013 from 0045C014
0012FF88 0012FF9C
0012FF8C 00400000 00400000

00476FD7 PUSH 00476FC8 ; ASCII "DvdIdlePro"
00476FDC CALL 77E7D961 ; offending caller
00476FE1 MOV ESI,EAX
00476FE3 PUSH 1
00476FE5 PUSH EAX
00476FE6 CALL 77E7B332
00476FEB CALL EAX
00476FED POPAD
00476FEE PUSH DWORD PTR SS:[EBP+9D5]
00476FF4 PUSH 0045C03F
00476FF9 RETN

00476FC8 44 76 64 49 64 6C 65 50 72 6F 00 00 00 00 60 68 DvdIdlePro....`h
00476FD8 C8 6F 47 00 E8 80 69 A0 77 8B F0 6A 01 50 E8 47 .oG...i.w..j.P.G
00476FE8 43 A0 77 FF D0 61 FF B5 D5 09 00 00 68 3F C0 45 C.w..a......h?.E
00476FF8 00 C3 00 00 00 00 00 00 62 72 69 74 65 64 72 65 ........britedre
00477008 61 6D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 am..............
the way to fix this would be to call a pointer address to whatever api you're trying to use, instead of a direct call. this would fix the issue, i'm sure. and, yes, this is still on my win2k system.

if they went back to the older aspr, that's a good thing for them and their customers. i don't like the way the new aspr runs (it is too slow). programmers who use these protections should always opt for speed, cuz even when they use these 'advanced' options it doesn't make it unbreakable for those of us who know the ways around this stuff. if they opt for a slower, more heavily protected app, they should expect complaints from their customers about sluggish performance. just my 2 cents.

Last edited by bollygud; 06-13-2004 at 06:51.
  #7  
Old 06-13-2004, 09:34
britedream britedream is offline
Thanks for the info

But the call you refer to at address 476fdc is call LoadLibraryA, and it is called the way it should be, but I don't know why it is not working on w2k. Please try to change it to Call LoadLibraryA, and at address 476fe6 it is call GetProcAddress; change these two and see if it works for you.
  #8  
Old 06-13-2004, 11:15
bollygud
luckily this app incorporates both of those APIs into its starting imports.
here is some fixed code for this routine:

Quote:
00476FD6 60 PUSHAD
00476FD7 68 C86F4700 PUSH 00476FC8 ; ASCII "DvdIdlePro"
00476FDC FF15 ECC94500 CALL DWORD PTR DS:[<&kernel32.LoadLibraryA>] ; kernel32.LoadLibraryA
00476FE2 8BF0 MOV ESI,EAX
00476FE4 6A 01 PUSH 1
00476FE6 50 PUSH EAX
00476FE7 FF15 E4C94500 CALL DWORD PTR DS:[<&kernel32.GetProcAddress>] ; kernel32.GetProcAddress
00476FED FFD0 CALL EAX
00476FEF 61 POPAD
00476FF0 FFB5 D5090000 PUSH DWORD PTR SS:[EBP+9D5]
00476FF6 68 3FC04500 PUSH 0045C03F
00476FFB C3 RETN
and this now works
nice approach
  #9  
Old 06-13-2004, 11:31
britedream britedream is offline
I did code it on xp as call LoadLibraryA and call GetProcAddress; I don't understand why it is not working on w2k. It is working on my xp. I think the mapping of these calls is different on w2k.
  #10  
Old 06-13-2004, 11:52
britedream britedream is offline
Quote:
Originally Posted by bollygud
luckily this app incorporates both of those api into its starting imports.
nice approach
If you follow asprotect, it always uses GetProcAddress, LoadLibraryA and GetModuleHandleA to set up the IAT, so these are always present.
  #11  
Old 06-13-2004, 12:06
bollygud
yes, i realise that these are standard APIs incorporated into aspr'd apps.

the reason that your call isn't working is cuz it's pointing directly to an address that simply doesn't exist in win2k. perhaps your kernel32 (or all xp kernel32) is based at 77000000, where mine is based at 7C000000. this isn't a new concept and is the entire reason for the need of an import table and iat, cuz with each system or OS the APIs simply do not reside at the same exact address. it seems that you have a grasp of all these things, and i doubt i need to tell you this, but just in case you didn't know...

perhaps the fact that i copy/pasted from olly in haste, so that it shows the api names, is confusing. but if you look, what i really did was change the direct calls to indirect calls, like so:

Quote:
00476FD6 PUSHAD
00476FD7 PUSH 00476FC8
00476FDC CALL DWORD PTR DS:[45C9EC]
00476FE2 MOV ESI,EAX
00476FE4 PUSH 1
00476FE6 PUSH EAX
00476FE7 CALL DWORD PTR DS:[45C9E4]
00476FED CALL EAX
00476FEF POPAD
00476FF0 PUSH DWORD PTR SS:[EBP+9D5]
00476FF6 PUSH 0045C03F
00476FFB RETN
anyway, just letting you know that this works this way and would work on any win platform, not just xp.

well... it was working, now i get a crc error (aspr virus error) coming from your hack file. strange, cuz it was working. o well.

Last edited by bollygud; 06-13-2004 at 12:33.
  #12  
Old 06-13-2004, 12:26
britedream britedream is offline
Sorry, but you did not understand my point. I did not call the address directly; I used call LoadLibraryA, and patched through ollydbg. I understand where the kernel base is, but my point is that calling LoadLibraryA should be resolved by w2k, and it didn't (thanks for your clarification).

Last edited by britedream; 06-13-2004 at 13:53.
  #13  
Old 06-13-2004, 12:38
bollygud
i see

the thing is, if you patch directly in olly 'call LoadLibraryA', it then codes a direct call to that api. i mean it IS a direct call. here are the raw bytes for the two calls:

Quote:
00476FDC: E88069A077 call 077A40161
00476FE6: E84743A077 call 077A3DB32
it uses 'E8', which is a direct call. this is an honest oversight and nothing to argue about, cuz it is what it is... a direct call. this is why i fixed it to an indirect call 'FF15' with the address pointer to the appropriate api.

sorry mate
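To make the E8-versus-FF15 point from this post (and the kernel32 base difference from post #11) concrete, here is a small decoder, added as an example and not code from either poster. It takes the raw bytes quoted in the thread, computes each CALL's target, and flags direct calls that land outside the module image, since those are hard-coded absolute addresses into another DLL and only work on a system where that DLL loads at the same base. The image range 0x00400000-0x00480000 is an assumption for the sample.

```python
import struct

# Assumed image range of the target module (constructed; the listings in the
# thread place the patched code around 0x00476Fxx with image base 0x00400000).
IMAGE_BASE = 0x00400000
IMAGE_END = 0x00480000

def decode_call(addr, code):
    """Decode one x86-32 CALL at virtual address `addr` from raw bytes `code`.
    E8 rel32      -> ('direct', target, 5): target = next instruction + rel32
    FF 15 disp32  -> ('indirect', slot, 6): slot is the absolute address of the
                     pointer (typically an IAT entry) holding the real callee."""
    if code[:1] == b"\xE8" and len(code) >= 5:
        rel = struct.unpack_from("<i", code, 1)[0]       # signed displacement
        return "direct", (addr + 5 + rel) & 0xFFFFFFFF, 5
    if code[:2] == b"\xFF\x15" and len(code) >= 6:
        slot = struct.unpack_from("<I", code, 2)[0]      # absolute pointer slot
        return "indirect", slot, 6
    raise ValueError("unsupported CALL encoding at %08X" % addr)

def is_fragile(kind, target, base=IMAGE_BASE, end=IMAGE_END):
    """A direct call whose target lies outside the module image is a hard-coded
    absolute address into another DLL; it only works where that DLL loads at the
    same base (the xp vs w2k kernel32 difference discussed in the thread)."""
    return kind == "direct" and not (base <= target < end)

# Constructed samples: the raw bytes quoted in the thread for the original
# (direct) calls and for the fixed (IAT-indirect) calls.
SAMPLES = [
    (0x00476FDC, bytes.fromhex("E88069A077")),    # original: E8 -> 77E7D961
    (0x00476FE6, bytes.fromhex("E84743A077")),    # original: E8 -> 77E7B332
    (0x00476FDC, bytes.fromhex("FF15ECC94500")),  # fixed: FF15 [0045C9EC]
    (0x00476FE7, bytes.fromhex("FF15E4C94500")),  # fixed: FF15 [0045C9E4]
]

def audit(samples=SAMPLES):
    """Return (addr, kind, target, fragile) for every sample call."""
    result = []
    for addr, code in samples:
        kind, target, _ = decode_call(addr, code)
        result.append((addr, kind, target, is_fragile(kind, target)))
    return result

if __name__ == "__main__":
    for addr, kind, target, fragile in audit():
        print("%08X %-8s -> %08X %s" % (addr, kind, target,
                                         "FRAGILE" if fragile else "ok"))
```

The first two samples decode to 77E7D961 and 77E7B332, exactly the addresses in bollygud's crash report, which is why they fault on a system whose kernel32 is mapped elsewhere.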
  #14  
Old 06-13-2004, 12:43
britedream britedream is offline
I see it now: ollydbg resolves LoadLibrary to its address on xp when I save the patch, and when you run it on w2k the address will surely be different. So to get around it you went after LoadLibrary through the import. Thanks, a fruitful discussion.

Last edited by britedream; 06-13-2004 at 14:08.
  #15  
Old 06-13-2004, 13:28
britedream britedream is offline
Quote:
Originally Posted by bollygud

well... it was working, now i get a crc error (aspr virus error) coming from your hack file. strange cuz it was working. o well.
You are exiting and restarting the target faster than you should; please give it a few seconds to unload.