Exetools

#1
Old 10-09-2009, 05:41
bunion
How to use vnekrilov's asprotect scripts?

hello all,

I'm trying to unpack a program that aspinf says is asprotect v1.4 lest wilson version...

been at it for days and days...

found scripts by russian guru vnekrilov but can't translate them; the scripts seem to show ascii instead of russian

there are 4 scripts

Stolen Code .osc
APIs.osc
INIT.osc
OEP_SBOEP.osc

after running they create 3 files:

table_JMP.bin
add_table_IAT.bin
table_IAT.bin

the jmp.bin is the 9 jumps from original code to aspr code where the stolen code bytes are

How do I use these files?

I've searched the crack@labs forum where I see posts by vnekrilov and progopis etc but no info about how these files are meant to be used

someone asked vnekrilov a question and I THINK he said a dump was needed in order to run his scripts..is that true?

I've also tried dumping and copying code from an older version's OEP but the stack eventually messes up

thanks

bunion

#2
Old 10-09-2009, 05:50
Git
If you can post a link to the scripts somebody will be better able to help you.

Git

#3
Old 10-09-2009, 16:33
progopis
First of all you need to try the OEP_SBOEP script. If it works fine and you stopped on OEP or SBOEP (Stolen Bytes OEP) you can try the next steps.

If the protected app is Delphi you should try to correct the INIT table. If it was stolen and it's really a Delphi application you will get a "table_INIT.bin" dump. This dump is necessary for the Emulation API and IAT repair script.

So the next step is for all apps (Delphi and other languages). Try to use the "Repair IAT and APIs calls.osc" script. If there are no errors you can make a dump of the target. The PE Dumper plug-in by FKMA is recommended. Press the "Get EIP as OEP" button and check the "Fix raw sizes" and "Make header size 0x1000" options, then press the "Dump" button.

Then you need to delete all asprotect sections. Don't delete the original dump! You need it to repair Resources.

The next step is repairing the TLS and Relocation directories. You need to find the right bytes in the unpacked file (the right bytes you can see in the protected app) and change the invalid addresses to the right ones.

The next step is the Resource directory. You need to make a dump of the ".rsrc" section from the unpacked file (original dump) with Resource Binder and merge it with the dump (that already has no asprotect sections and has TLS & reloc repaired) in PE Tools.

Then you can repair the IAT using ImpREC.

There are harder examples: when the developer used CRC checks, Envelope checks, Polymorphic Markers, Encrypted sections (you can't do anything if you haven't a valid or blacklisted key). For these cases I can't explain what to do in "two words". You need to read the tuts and understand the whole schema of the protector's work.

I started work on translating the comments in the scripts and then I will try to translate all tuts by vnekrilov. If someone has a lot of time and knows English well, you can help me.

#4
Old 10-09-2009, 20:20
5Alive
Hi progopis,
Can you tell me where I can find the latest version of the PE Dumper plug-in by FKMA? I currently have v3.03 and would be interested to get a more up to date release if it exists.

Thanks,
5aLIVE.

#5
Old 10-09-2009, 21:04
bunion
Sounds like you're spot on progopis!!...I'll try everything you say and report back

If you need help translating then I'll help out if you want...time's no problem

bunion

#6
Old 10-10-2009, 01:08
progopis
5Alive
I haven't heard about new versions. The last version that I use is 3.03 too.

bunion
I have problems with English grammar, so I don't want to publish some shit. I can make an english variant with some grammatical errors. Correction is all that I need. So, are you ready?

#7
Old 10-10-2009, 03:10
bunion
yep no probs progopis...give me rough copies and I'll make it so it's nice and fluent...even if you just copy and paste your russian into a russian-english translator I'll fill the gaps bro no probs and we'll have all the tuts in english!

progopis...I'm a newbie at unpacking so..

I think I managed to sort out the TLS table

ie..the orig dumped.exe when loaded into LordPE listed TLS=007999F0, bytes at that location = 00D0B200B4D0B2

the newer dumped file with 2 sections removed showed those bytes at location 0072e00
so in LordPE I changed TLS=007888FO > 0072E00, is that right?

I then tried sorting the .relocation addresses but couldn't find the bytes referred to in the original dump's .relocation address...those bytes are 0020000008 which means when I deleted 2 sections I also deleted those bytes...if I leave the section containing those bytes in then there's no point changing the TLS and relocation addresses coz they're already correct...obviously I'm doing something wrong or missing something..

I carried on anyway and dumped the .rsrc section from the orig dumped.exe using LordPE but found out there's no way to add or merge that section using resource binder?? the binder I found is v2.3 and it only allows 2 things..load an exe and recover..no choices to load or choose a section etc ??

also I know my target's OEP is 00401684 but the script...."Repair IAT and APIs calls.osc" ie..the one I use to make the dump gives me OEP 0173027C

obviously I'll need to read more and it'll be great when I can read vnekrilov's tutorials in english

my target has 11 sections

00400000 00001000 target PE header Imag R RWE
00401000 00499000 target code Imag R RWE
0089A000 00293000 target code,data Imag R RWE
00B2D000 00001000 target code Imag R RWE
00B2E000 00001000 target code Imag R RWE
00B2F000 00003000 target code Imag R RWE
00B32000 00003000 target code,exports Imag R RWE
00B35000 00008000 target .rsrc code,resources Imag R RWE
00B3D000 0005C000 target code Imag R RWE
00B99000 00029000 target .data code,imports,relocations Imag R RWE
00BC2000 00001000 target .adata code Imag R RWE
010CC000 00001000 Priv RW Guar RW
010CD000 00003000 stack of main thread Priv RW Guar RW
010D0000 00009000 Priv RW RW
015D0000 00167000 Map R E R E
019AF000 00021000 Priv RW Guar RW


what ones do I remove??

ps..when I couldn't find the relocation "bytes" after deleting sections from the orig dump I created a new section and added the bytes manually but still nowhere near a working dump lol

bunion

#8
Old 10-10-2009, 06:56
progopis
Quote:
Originally Posted by bunion
that right
Maybe. But better to verify. In EXE targets the relocation table is garbage. It often exists but it's useless.

Maybe you can delete all sections from .rsrc but then you should add the repaired RSRC to the end of the dump and repair the Resource directory value. But you should verify references to sections from CODE sections. Which sections you can delete differs on various compilers and compiler options.

What error exactly do you see when you try to load the dump?

#9
Old 10-11-2009, 01:11
bunion
Progopis I need to learn more so I'm going to pause for a moment and follow vnekrilov's tut dated 10/04/2009...as the target is still current...it's a diff aspro version but it'll let me get accustomed to the PE structure and tools used..THEN I'll go back to my original target and hopefully move it on a bit

The errors I get are failing to initialise etc..also the OEP gets me errors too as it's jumping outside the code section...I know my target has 10 jumps to recover stolen code...I have the code for the first 2..ie...OEP code and a section that's jumped to after the OEP routine BUT when running the stack lets me down so I know my PE structure is wrong...this was before you taught me about TLS, Relocations etc...I thought it'd be a simple matter of going somewhere and copying stolen bytes back to dumped.exe but it's not looking as easy as that...the project I'm working on has 2 exes, the target above and another one which was packed with exeshield and contained around 8 secured sections which I managed to unpack successfully after a while

bunion

#10
Old 10-11-2009, 07:22
bunion
ack...after translating half of vnekrilov's tut dated 10/04/2009 and creating my 2 dumps..repaired .tls and .relocations addys I realise it's missing the scripts needed to carry on

the tut uses about 5 diff scripts..

checking the integrity of the [program's] code (CRC).osc
aSProtect emulation of API from the code region of [program].osc
the correction of the leaps from code region into the new section .osc
the search for leaps from code into the region Of stolen Of code and the restoration of [emulated] [instructions].osc
transfer of the code from the stolen code regions into the new section .osc

I have the other 3 I think

OEP-SBOEP.osc
Stolen Code .osc this creates the table_JMP.bin for me
restoration of table IAT and calls Of aPIs.osc creates add_table_IAT.bin + table_IAT.bin

that's why vnekrilov is the guru...he created scripts for readjusting all the jumps to stolen code in memory so that they could be added to the normal code section..not just the jumps but data too

progopis can you help me out bro and send me the scripts needed to carry on with the tutorial and it'll let me complete translating the tut I've got at the mo?

I found resource blender 3.1 which has the section adding options

bunion

#11
Old 10-11-2009, 17:31
progopis
Could you please give me your target and describe your steps of unpacking?

I need to talk with V. Nekrilov about translating the scripts. Some modifications in the scripts (both russian and english versions) would be good to improve the work. Also I want to get the sources of the tuts to have the possibility to compile new (translated) versions.

#12
Old 10-11-2009, 20:18
bunion
See email progopis..cheers

maybe it's best if you unpack it then I can work backwards and learn how you did it, that way we know exactly where we're at

bunion

#13
Old 10-14-2009, 13:41
bunion
SUCCESS!!!

Finally managed to completely unpack my original target.exe, and found out it's the little things that can make or break you

ie..after dumping your file you need to "zero" the resource & import addresses in PE Tools before you can load it back in olly successfully..if you don't you'll get c0000005 errors

I've downloaded every one of vnekrilov's tutorials and after translating will make them available on 4shared..also once I've cracked my target I'll go back and write a tutorial in english on how to use vnekrilov's tutorial and add the little things he probably assumes we already know, like in what order you dump, repair the PE, fix imports, add sections etc, the little things that us novices need to know in order to follow papers from the likes of

vnekrilov << RESPECT!!!

bunion

#14
Old 10-14-2009, 23:19
progopis
Quote:
Originally Posted by bunion View Post
See email progopis ..cheers

maybe its best if u unpack it then i can work backwards and learn how u did it ,that way we know exactly where we're at

bunion
Yeah, I've got your mail. I have already translated 3 scripts but stopped this work: vnekrilov promised to update the scripts but he can't do it now. Also I requested vnekrilov to make a block-structured format of scripts: get_pe_info, get_oep, get_iat, etc.

Also some tuts are too old: the scripts were updated, the tuts not.