#16
britedream, either you got the previous version or a newer one? Or the OEP from the attached tree is wrong,
and maybe this IAT won't work with my dumped exe! I got WhereIsIt? v3.60.521 and the right OEP is: 002FB5EC (006FB5EC). For any WhereIsIt version, or just the latest one, look with W32Dasm for the unique text string AMAINICON, go a little up to where that piece of code starts (558BEC83C4F0 .....); that's the OEP. Would you confirm exactly which version you got? Regards
#17
You are right, my version is 3.59, but by fixing the table it will not work; there are anti-dumps you have to overcome. I am also looking to make it work on other PCs, so give me some time.
Note: I have to give you my unpacked one to work with, because if you dump from your original, the doors to the IAT have already been changed to the ASProtect area. Last edited by britedream; 05-31-2004 at 15:59.
#18
Hi,
More and more unArmadilloed, unASProtected stuff refuses to run on non-XP machines. RestoreLastError cannot be found in a non-XP kernel. I have fixed this by replacing RestoreLastError with FlushFileBuffers. Am I wrong?
#19
To R@der and hobgoblin:
I sent you the unpacked target that should work on all XP PCs, please give feedback. Sorry svensk, I don't have your email. Last edited by britedream; 05-31-2004 at 20:15.
#20
Quote:
#21
To britedream
Runs fine on my computer. Thanks for the files. I'm about to start digging now.
Regards, hobgoblin
#22
To hobgoblin
Thanks hobgoblin for the feedback, now the exetools forum may be the first to unpack this lovable protector.
Regards.
#23
TARGET: http://www.jufsoft.com/badcopy
Protection: Latest ASProtect

Used Britedream's Olly script for "ASPR 1.3b" and got to the OEP. Without using OllyScript I did this to get to the OEP. Hit Shift+F9 26 times and here:

0115E56E 0156 00 ADD DWORD PTR DS:[ESI],EDX

Put a BP here:

0115E588 833D 6C3B1601 00 CMP DWORD PTR DS:[1163B6C],0

And hit Shift+F9 and Olly breaks. Then Alt+M and put a BP on memory access on code. Then set the debugging options and hit F9 once and you are at the OEP (remove analysis) with no stolen bytes.

00501184 55 PUSH EBP
00501185 8BEC MOV EBP,ESP
00501187 83C4 F0 ADD ESP,-10
0050118A B8 240E5000 MOV EAX,BadCopy.00500E24
0050118F E8 105EF0FF CALL BadCopy.00406FA4

Dumped the target and there were no unresolved pointers, fixed the IAT and then dumped the file. But the target won't run. Error: Access violation while reading [1181B34]

00407294 $- FF25 C841C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetModuleFileNameA
0040729A 8BC0 MOV EAX,EAX
0040729C $- FF25 CC41C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetModuleHandleA
004072A2 8BC0 MOV EAX,EAX
004072A4 $ FF25 341B1801 JMP DWORD PTR DS:[1181B34]
004072AA 8BC0 MOV EAX,EAX
004072AC $- FF25 D041C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetProfileStringA
004072B2 8BC0 MOV EAX,EAX
004072B4 $- FF25 D441C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetStdHandle

How to fix this? Please help. Regards,
#24
IAT..
And how did you find the address for the IAT?
Regards, hobgoblin
#25
Quote:
I have the "dump_.exe". Shall I upload? Regards, Last edited by ferrari; 06-01-2004 at 19:25.
#26
Thanks
Thanks for the reply. How to find the place in the aspr code where the IAT is created/written to memory somehow eludes me. Usually I use a bp on GetProcAddress to find it, but this time I don't. I do find a place where this API is called to find the addresses for an IAT, but I'm not sure whether this is the correct one.
Well, well. I have to dig deeper I guess. Regards, hobgoblin
#27
Let me give you some help hobgoblin ... the aspr IAT redirection code is all here... of course the memory addresses will be different, but I am sure you can figure out how to get there based on the relative offsets.
Code:
0041555B next:                      ; CODE XREF: RedirectIATptr+C8j
0041555B                            ; RedirectIATptr+14Aj
0041555B                            ; RedirectIATptr+254j
0041555B                            ; RedirectIATptr+25Fj
0041555B                            ; RedirectIATptr+319j
0041555B                            ; RedirectIATptr+38Bj
0041555B                            ; RedirectIATptr+3FEj
0041555B                            ; RedirectIATptr+41Ej
0041555B                            ; RedirectIATptr+453j
0041555B                            ; RedirectIATptr+49Aj
0041555B                            ; RedirectIATptr+4ACj
0041555B     mov eax, [ebx+8]
0041555E     mov esi, [eax]
00415560     add dword ptr [ebx+8], 4
00415564     mov eax, [ebx+8]
00415567     mov al, [eax]
00415569     mov [esp+struct.RedirectionType], al
0041556D     inc dword ptr [ebx+8]
00415570     test esi, esi
00415572     jnz short loc_415592    ; get RVA of IAT_ptr
00415574     jmp short loc_415577
00415577
00415577 loc_415577:                ; CODE XREF: RedirectIATptr+E4j
00415577     mov eax, edi
00415579     call @System@@FreeMem$qqrv ; System::__linkproc__ FreeMem(void)
0041557E     mov byte ptr [ebx+38h], 0
00415582     mov al, 1
00415584     jmp end
00415592
00415592 loc_415592:                ; CODE XREF: RedirectIATptr+E2j
00415592     xor esi, [esp+struct.XOR_key] ; get RVA of IAT_ptr
00415596     add esi, [ebx+40h]      ; add Image Base
00415599     mov eax, [ebx+8]
0041559C     mov al, [eax]
0041559E     inc dword ptr [ebx+8]   ; get Dll Number
004155A1     xor edx, edx
004155A3     mov dl, al
004155A5     mov eax, edi            ; edi => dll base table
004155A7     call GetDwordInTable    ; Get Imported DLL base
004155AC     mov [esp+struct.DLL_base], eax
004155B0     mov eax, [ebx+8]
004155B3     mov al, [eax]
004155B5     inc dword ptr [ebx+8]
004155B8     test al, al
004155BA     jnz short loc_4155DF
004155BC
004155BC type_0:
004155BC     push offset sub_414FF0
004155C1     push offset ????pGetProcAddress ; GetProcAddress
004155C6     push offset MemAlloc    ; Decrypt
004155CB     push esi                ; IAT_ptr
004155CC     lea eax, [ebx+8]
004155CF     push eax                ; API_ptr
004155D0     mov eax, [esp+(struct.DLL_base+14h)]
004155D4     push eax                ; Dll_handle
004155D5     call sub_415018
004155DA     jmp next
004155DF
004155DF loc_4155DF:                ; CODE XREF: RedirectIATptr+12Aj
004155DF     cmp al, 2
004155E1     jnz loc_4156F4
004155E7
004155E7 type_2:                    ; RIP API code into Aspr shell
004155E7     xor eax, eax
004155E9     mov [esp+struct.field_20], eax
004155ED     mov eax, [ebx+8]
004155F0     mov al, [eax]
004155F2     inc dword ptr [ebx+8]
004155F5     jmp short loc_4155F8
004155F8
004155F8 loc_4155F8:                ; CODE XREF: RedirectIATptr+165j
004155F8     sub al, 1
004155FA     jnb short type_2_1
004155FC
004155FC type_2_0:
004155FC     mov eax, [ebx+8]
004155FF     movzx eax, byte ptr [eax]
00415602     inc dword ptr [ebx+8]
00415605     mov edx, [ebx+8]
00415608     mov edx, [edx]
0041560A     add dword ptr [ebx+8], 4
0041560E     lea ecx, [esp+struct.field_24]
00415612     push ecx
00415613     mov cl, [esp+(struct.RedirectionType+4)]
00415617     push ecx
00415618     mov ecx, edx
0041561A     mov edx, ebx
0041561C     xchg eax, edx
0041561D     call sub_414E20
00415622     mov [esp+struct.field_20], eax
00415626     jmp short type_2_1
00415626
00415629 type_2_1:                  ; CODE XREF: RedirectIATptr+16Aj
00415629                            ; RedirectIATptr+196j
00415629     mov eax, [ebx+8]
0041562C     mov ebp, [eax]
0041562E     add dword ptr [ebx+8], 4
00415632     mov eax, [esp+struct.field_10]
00415636     call @System@@GetMem$qqrv ; System::__linkproc__ GetMem(void)
0041563B     mov [esp+struct.RippedAPIcodePtr], eax
0041563F     mov edx, ebp
00415641     mov eax, [esp+struct.DLL_base]
00415645     call GetProcAddress_    ; eax == DLL_base
00415645                            ; edx == API_hash
0041564A     mov ebp, eax
0041564C     test ebp, ebp
0041564E     jnz short loc_41565A
00415650     push offset _str_10__.Text
00415655     call ErrMsg???
0041565A
0041565A loc_41565A:                ; CODE XREF: RedirectIATptr+1BEj
0041565A     cmp [esp+struct.field_20], 0
0041565F     jz short loc_4156A5
00415661     mov eax, [esp+struct.RippedAPIcodePtr]
00415665     mov edx, [esp+struct.field_20]
00415669     mov [eax], edx
0041566B     mov eax, [esp+struct.field_20]
0041566F     add eax, [esp+struct.field_24]
00415673     mov byte ptr [eax], 68h ; set up a Push
00415676     push 0
00415678     push offset pCheckBPX
0041567D     lea ecx, [esp+(struct.field_18+8)]
00415681     mov edx, ebp
00415683     mov eax, ebx
00415685     call RipCodeFromAPI     ; edx == original address of API
0041568A     mov edx, [esp+struct.field_20]
0041568E     add edx, [esp+struct.field_24]
00415692     inc edx
00415693     mov [edx], eax
00415695     mov eax, [esp+struct.field_20]
00415699     add eax, [esp+struct.field_24]
0041569D     add eax, 5
004156A0     mov byte ptr [eax], 0C3h
004156A3     jmp short loc_4156CE
004156A5
004156A5 loc_4156A5:                ; CODE XREF: RedirectIATptr+1CFj
004156A5     push 0
004156A7     push offset pCheckBPX
004156AC     lea ecx, [esp+(struct.field_18+8)]
004156B0     mov edx, ebp
004156B2     mov eax, ebx
004156B4     call RipCodeFromAPI     ; edx == original address of API
004156B9     mov edx, [esp+struct.RippedAPIcodePtr]
004156BD     mov [edx], eax
004156BF     lea ecx, [esp+struct.RippedAPIcodePtr]
004156C3     mov dl, [esp+struct.RedirectionType]
004156C7     mov eax, ebx
004156C9     call ???GenerateRandomRetCode
004156CE
004156CE loc_4156CE:                ; CODE XREF: RedirectIATptr+213j
004156CE     mov eax, esi
004156D0     sub eax, 2
004156D3     cmp word ptr [eax], 0
004156D7     jnz short loc_4156E9
004156D9     mov edx, [esp+struct.RippedAPIcodePtr]
004156DD     mov edx, [edx]
004156DF     call Patch_IAT_Call_ptr
004156E4     jmp next
004156E9
004156E9 loc_4156E9:                ; CODE XREF: RedirectIATptr+247j
004156E9     mov eax, [esp+struct.RippedAPIcodePtr]
004156ED     mov [esi], eax
004156EF     jmp next
004156F4
004156F4 loc_4156F4:                ; CODE XREF: RedirectIATptr+151j
004156F4     cmp al, 1
004156F6     jnz loc_4157AE
004156FC     jmp short type_1
004156FF
004156FF type_1:                    ; CODE XREF: RedirectIATptr+26Cj
004156FF     mov eax, [ebx+8]
00415702     mov eax, [eax]
00415704     mov [esp+struct.field_0], eax
00415707     add dword ptr [ebx+8], 4
0041570B     cmp dword ptr [ebx+44h], 0
0041570F     jz short loc_41571A
00415711     mov eax, [esp+struct.field_0]
00415714     call dword ptr [ebx+44h]
00415717     mov [esp+struct.field_0], eax
0041571A
0041571A loc_41571A:                ; CODE XREF: RedirectIATptr+27Fj
0041571A     mov eax, [ebx+8]
0041571D     mov ax, [eax]
00415720     mov word ptr [esp+struct.API_name_length], ax
00415725     add dword ptr [ebx+8], 2
00415729     cmp [esp+struct.field_1C], 0
0041572E     jz short loc_41573B
00415730     mov eax, [esp+struct.XOR_key]
00415734     mov [esp+struct.field_1C], 0
00415739     jmp short loc_415741
0041573B
0041573B loc_41573B:                ; CODE XREF: RedirectIATptr+29Ej
0041573B     mov eax, [esp+struct.field_18]
0041573F     mov eax, [eax]
00415741
00415741 loc_415741:                ; CODE XREF: RedirectIATptr+2A9j
00415741     mov ecx, eax
00415743     mov dx, word ptr [esp+struct.API_name_length]
00415748     mov eax, [ebx+8]
0041574B     call DecryptBuffer      ; eax == Buffer Address
0041574B                            ; dx == Buffer Size
0041574B                            ; ecx == Key
00415750     mov eax, [esp+struct.field_10]
00415754     call @System@@GetMem$qqrv ; System::__linkproc__ GetMem(void)
00415759     mov [esp+struct.RippedAPIcodePtr], eax
0041575D     mov eax, [ebx+8]
00415760     push eax
00415761     mov eax, [esp+(struct.DLL_base+4)]
00415765     push eax
00415766     mov eax, ds:oGetProcAddress???
0041576B     mov eax, [eax]
0041576D     call eax
0041576F     mov ebp, eax
00415771     test ebp, ebp
00415773     jnz short loc_41577F
00415775     push offset _str_11__.Text
0041577A     call ErrMsg???
0041577F
0041577F loc_41577F:                ; CODE XREF: RedirectIATptr+2E3j
0041577F     mov eax, [esp+struct.field_0]
00415782     push eax
00415783     push offset pCheckBPX
00415788     lea ecx, [esp+(struct.field_18+8)]
0041578C     mov edx, ebp
0041578E     mov eax, ebx
00415790     call RipCodeFromAPI     ; edx == original address of API
00415795     mov edx, [esp+struct.RippedAPIcodePtr]
00415799     mov [edx], eax
0041579B     mov eax, [esp+struct.RippedAPIcodePtr]
0041579F     mov [esi], eax
004157A1     movzx eax, word ptr [esp+struct.API_name_length]
004157A6     add [ebx+8], eax
004157A9     jmp next
004157AE
004157AE loc_4157AE:                ; CODE XREF: RedirectIATptr+266j
004157AE     cmp al, 4
004157B0     jnz loc_415893
004157B6     jmp short type_4
#28
@hobgoblin:
Oh, there was a misunderstanding. Now I understand, your question was addressed to britedream and I thought you were asking me. Anyway, britedream, will you please help me on this target I posted? Regards,
#29
No
It was for you.
I was looking at BadCopy... hobgoblin. To crusader: I guess the code you listed is for BadCopy? Or maybe it's general code? Last edited by hobgoblin; 06-02-2004 at 00:20.
#30
nice bit of IDA work crusader
Quote:
On each exception, you will see the data change once as aspr decodes/unpacks, and then the data will change once more as the code crusader pasted does its stuff. You can count the number of exceptions from the 1st change to the second change, stop on the last one before the data changes again, look below and you should be very close to the code crusader pasted. Also it's possible to set a bpm from within SoftICE on the data address to stop when it's written to (not 100%). - Darren