#1
System Cleaner 4.9.3.174
I'm really still coming to grips with unpacking ASProtected programs, but had a go at this one by myself. The OEP and stolen bytes I got were as follows; am I at least on the right track? The only API I had to add back in with ImpREC was FreeResource:
0058074E > $ 55            PUSH EBP
0058074F . 8BEC            MOV EBP,ESP
00580751 . 83EC 18         SUB ESP,18
00580754 . B8 B4FF5700     MOV EAX,SystemCl.0057FFB4
00580759 . 90              NOP
0058075A . E8 716EE8FF     CALL SystemCl.004075D0
Now when I open the program, I get the attached error. I tried tracing the code for a couple of hours tonight but can't get it to run; just wondering if the above is right before I continue playing around with it.
#2
This error message is followed by the attached.
#3
The error seems to start coming up here:
004AC5CA |. E8 9168FEFF     CALL SystemCl.00492E60
Not the first time you get here, but if you trace into this call, eventually you get to here:
0057F991    FF92 EC000000   CALL DWORD PTR DS:[EDX+EC]
Which leads back to the first mentioned call, and then the error message opens.
#4
Hi there
I found a few more stolen bytes than you did. Here they are:
55              PUSH EBP
8BEC            MOV EBP,ESP
83EC 18         SUB ESP,18
53              PUSH EBX
56              PUSH ESI
57              PUSH EDI
33C0            XOR EAX,EAX
8945 E8         MOV DWORD PTR SS:[EBP-18],EAX
8945 EC         MOV DWORD PTR SS:[EBP-14],EAX
B8 B4FF5700     MOV EAX,dumped_.0057FFB4
After unpacking it, I also got the error message you did. But this error message is a blessing in disguise really. :-) The box asks you if you want to send a message to the author or not, and it asks you if you want to look at it. Take a look at it, and you'll find a reference to a call at the address 005807AA. By checking that out I quickly found out that by nop'ing it, the program runs fine. I dumped the program using LordPE, not Olly.
regards, hobgoblin
#5
Thanks a lot for that. I'll do it again from scratch and figure out why I didn't get all the stolen bytes. Appreciate your help, mate.
#6
Yes, it works now with the stolen bytes you mention, and looking in my runtrace data I can see them in there. The program runs for me even without nopping the call, which is odd, unless of course you mean running it in a debugger. That I have problems with: then it brings up the error message, with an exception at 004052CB, which you can trace back to the call you mention, but many other calls lead to it too, so nopping the call you did doesn't fix that.
Now comes the dumb ass question, and unless I ask it I'll always be a dumb ass: how do I know which entries in the runtrace data are the stolen bytes? I know the PUSH EBP, MOV EBP,ESP and the SUB whatever, and how to get the MOV EAX whatever, but with the other ones I'm scratching my head as to how you know which ones to use.
#7
Do you have Britedream's tut on stolen bytes? I'll forward it to you if you want.
Last edited by ferrari; 03-18-2004 at 21:10.
#8
I will do one more tut for the stolen bytes, which covers another case. That will make it very clear, hopefully.
#9
britedream, can you please post your tutorial for everyone this time? Thanks.
Regards, Satyric0n
#10
My sincere apology for the poor images in the tut; I don't have a good image-capturing tool, and I don't know of one.
Please feel free to correct mistakes in typing or in concept. Note: I didn't talk about the stolen but not erased bytes; these are easy to find, no need for explanation: just follow ECX to dump and choose the disassemble option, and they will all be there, just a little up. Here is the tut.
Last edited by britedream; 03-19-2004 at 00:50.
#11
Thanks, I'll have a good read through that. Really appreciate it.
#12
Nice
Nice to see that you figured it out. But you write:
"now that I have problems with, then it brings up the error message, with an exception at 004052CB, which you can trace back to the call you mention, but many other calls lead to it too, so nopping the call you did doesn't fix that."
I'm not sure I understand you right about this. After I nop'ed the call at address 005807AA, the program runs fine. As far as I could see, the call made from 005807AA is the only one. The code later on sure is called several times, but nop'ing the call still solved my problems. Getting the exception error at address 004052CB surely was the problem, but by nop'ing the call the exception wasn't triggered, and the program continues.
Another interesting problem pops up later on. Run the program for a while and you get the code 411 error message. There is a "time bomb" in the program, probably triggered by the increased size of the unpacked file. To get around that you simply have to find the right call and put a ret instruction at the beginning of the called code.
regards, hobgoblin
#13
I am only talking about running it in Olly now, works fine outside of Olly:
Call at:
005807AA . E8 A9DAF3FF     CALL SystemCl.004BE258
Leads to:
004BE258 /$ 53             PUSH EBX
004BE259 |. 8BD8           MOV EBX,EAX
004BE25B |. 8BC3           MOV EAX,EBX
004BE25D |. 8B15 54515800  MOV EDX,DWORD PTR DS:[585154]
004BE263 |. E8 5C70F4FF    CALL SystemCl.004052C4
Leads to:
004052C4 $ 31C9            XOR ECX,ECX
004052C6 . 85D2            TEST EDX,EDX
004052C8 . 74 21           JE SHORT SystemCl.004052EB
004052CA . 52              PUSH EDX
004052CB > 3A0A            CMP CL,BYTE PTR DS:[EDX]
There are tons of calls to 004052C4, which then lead you to this access violation. Nopping the call at 005807AA didn't help it to run in Olly; nopping the call to 004052C4 helps it run for a bit longer, the trial screen comes up, but it keeps disappearing because of access violations. I haven't hit that code 411 error message yet; guess I haven't run the program long enough.
#14
004BDF78 . 6A 00           PUSH 0                          ; /Arg1 = 00000000
004BDF7A . 8D45 F0         LEA EAX,DWORD PTR SS:[EBP-10]   ; |
004BDF7D . 50              PUSH EAX                        ; |/Arg1
004BDF7E . A1 F0505800     MOV EAX,DWORD PTR DS:[5850F0]   ; ||
004BDF83 . 8945 E8         MOV DWORD PTR SS:[EBP-18],EAX   ; ||
004BDF86 . C645 EC 0B      MOV BYTE PTR SS:[EBP-14],0B     ; ||
004BDF8A . 8D55 E8         LEA EDX,DWORD PTR SS:[EBP-18]   ; ||
004BDF8D . 33C9            XOR ECX,ECX                     ; ||
004BDF8F . B8 70E04B00     MOV EAX,Copy_of_.004BE070       ; ||ASCII "Error 411 - CODE: %s"
004BDF94 . E8 3388F6FF     CALL Copy_of_.004267CC          ; |\Copy_of_.004267CC
004BDF99 . 8B45 F0         MOV EAX,DWORD PTR SS:[EBP-10]   ; |
004BDF9C . 66:8B0D 88E04B> MOV CX,WORD PTR DS:[4BE088]     ; |
004BDFA3 . B2 01           MOV DL,1                        ; |
004BDFA5 . E8 5240F9FF     CALL Copy_of_.00451FFC          ; \Copy_of_.00451FFC
If you scroll up, this routine starts at:
004BDEC4 /. 55             PUSH EBP
If you search for references to this, you get:
References in Copy_of_: to 004BDEC4, item 1
Address=004BE179 Disassembly=PUSH Copy_of_.004BDEC4
Here is the routine:
004BE143 . 73 43           JNB SHORT Copy_of_.004BE188
004BE145 . 33C9            XOR ECX,ECX
004BE147 . B2 01           MOV DL,1
004BE149 . A1 58334500     MOV EAX,DWORD PTR DS:[453358]
004BE14E . E8 8D78F9FF     CALL Copy_of_.004559E0
004BE153 . A3 F8F45800     MOV DWORD PTR DS:[58F4F8],EAX
004BE158 . 33D2            XOR EDX,EDX
004BE15A . A1 F8F45800     MOV EAX,DWORD PTR DS:[58F4F8]
004BE15F . E8 047AF9FF     CALL Copy_of_.00455B68
004BE164 . BA 60EA0000     MOV EDX,0EA60
004BE169 . A1 F8F45800     MOV EAX,DWORD PTR DS:[58F4F8]
004BE16E . E8 057AF9FF     CALL Copy_of_.00455B78
004BE173 . A1 FCF45800     MOV EAX,DWORD PTR DS:[58F4FC]
004BE178 . 50              PUSH EAX                        ; /Arg2 => 00000000
004BE179 . 68 C4DE4B00     PUSH Copy_of_.004BDEC4          ; |Arg1 = 004BDEC4
004BE17E . A1 F8F45800     MOV EAX,DWORD PTR DS:[58F4F8]   ; |
004BE183 . E8 007AF9FF     CALL Copy_of_.00455B88          ; \Copy_of_.00455B88
004BE188 > C3              RETN
Change this line to:
004BE143 . EB 43           JMP SHORT SystemCl.004BE188
No more code 411 error message!!!!
#15
Also, if you change 0057FD45 from JE to JMP, you get rid of the splash screen. Still working on getting rid of the limit of only the first 30 files being deleted; otherwise the program works fine, but won't run properly in Olly.