Exetools > General > General Discussion

ASPR v2.1x SKE - SEEKING HELP

#1  03-14-2006, 01:30  Kameo

Hi there...
Until now I've used Stripper 2.07/2.11 to speed up the work, or some Olly script to get to the OEP to dump ASPR files.
However, I'm running into a little problem with some recently ASProtected applications.

PEID v0.94 scan returns ASProtect v2.1x SKE and RDG v0.98 returns ASProtect v2.0.

Stripper fails, complaining about not reaching the last SEH and some protection error 85.
Plus none of the OllyScripts I've tried was working.
So I decided to go on and MUP these files, with such a bad result: none of the regular methods was working.
I tried to catch the last SEH, used the int3 exceptions trick, the memory breakpoint in the target's code and several other methods.
Nothing worked, so I was just wondering if anybody succeeded in getting a valid dump of such targets.

Please keep in mind that I am just focusing on the unpacking technique, since I managed to defeat the target's protection scheme.
I'm not seeking help on reversing a specific target, I'm doing this just for fun/knowledge.
So I've enclosed a little keygenme that uses this ASProtect version, thus those who wish to help can get their hands on a real
example.

Any help will be appreciated, thanks
Kameo.
Attached file: ASPR211packed.rar (153.4 KB)

#2  03-14-2006, 03:04  scherzo
Hi Kameo!!!
I can't open your file to study so I only have a tutorial for you:
http://s54.yousendit.com/d.aspx?id=2T1C3NGZBOTU30X4GQXSPSDF25
Have fun!
scherzo
#3  03-14-2006, 16:14  hosiminh
This unpackme was packed with the "protect original entry point" aspr feature.
Last SEH is reachable after the 2nd Int3 exception...
#4  03-14-2006, 23:36  Kameo
@scherzo:
Yep, you must have at least 5 or 10 posts to be allowed to download from the board. Thanks for the link, I'll give a glance at your tut.

@hosiminh:
Thanks for the tip
#5  03-14-2006, 23:58  typed
Good tut: http://www.cracklab.ru/rar/dl/CRACKLAB.rU_32.rar (decompiling VM by PE_Kill)
#6  03-16-2006, 20:12  britedream
Hi Kameo

At 401416 there is a jmp to the stolen bytes; put a bp on the address that 401416 is jumping to, that is the start of your stolen bytes.

#7  03-16-2006, 23:03  scherzo
Hi Kameo!
If you want to find the correct OEP in the stolen code, you can use this script:

Code:
// ASProtect 1.32 and greater (except ASProtect 2.0 alpha) OEP finder
// by sanniassin::REVENGE Crew
// Ignore all exceptions
// Clear all breakpoints
// Tested on WinXP only

var x
var y
var is_DLL

// Hardware breakpoint on read, 0x48 bytes below the current stack pointer
mov x,esp
sub x,48
bphws x,"r"
// First opcode byte at the entry: 0x60 (pushad) marks the DLL stub
mov y,[eip]
and y,000000FF
cmp y,60
jne zzz
mov is_DLL,1

zzz:
run
// Keep running until the dword at eip is the bytes 75 08 B8 01 (jnz short +8 / mov eax,imm32)
mov y,[eip]
cmp y,01B80875
jne zzz
bphwc x
// Byte pattern: add esp,4 / add [esp],eax / ret
find edi,#83C404010424C3#
mov x,$RESULT
add x,6
bp x
run
bc x
sto
mov x,eip

// Walk backwards from eip until the dword reads 5D 5F 5E 5B (pop ebp / pop edi / pop esi / pop ebx)
findcall:
dec x
mov y,[x]
cmp y,5B5E5F5D
jne findcall
sub x,8
go x
sti
rtr
sto
// Branch on whether eip is aligned to a 64 KB boundary
mov x,eip
and x,0000FFFF
cmp x,0
je no_VM_on_OEP

VM_on_OEP:
msg "OEP found! OEP stolen."
jmp pause

no_VM_on_OEP:
// Watch the return slot: [esp+10] for a DLL, [esp+8] for an EXE
mov x,esp
cmp is_DLL,1
jne is_exe
add x,10
jmp label_9
is_exe:
add x,8
label_9:
bphws x,"r"
run
// Loop until the byte just before eip is 0x5C
mov y,eip
dec y
mov y,[y]
and y,000000FF
cmp y,5C
jne label_9
bphwc x
cmp is_DLL,1
jne is_exe2
// Byte pattern: mov [esp+1C],eax / popad / jmp eax
find eip,#8944241C61FFE0#
add $RESULT,5
bp $RESULT
run
bc $RESULT
sto
jmp msg
is_exe2:
mov x,eax
go x
msg:
msg "OEP found! OEP not stolen."

pause:
pause
scherzo
#8  03-18-2006, 01:07  Kameo
@britedream:
How do you know how to get to this address???

@typed:
Seems to be a nice tut. I can read English, French, Arabic, Spanish, Italian and German... but definitely not Russian. However, I'll see if I can get a translation tool to work through this tut.

--------

So let's sum up a little bit what I did:

Scanning with PEID and RDG shows that the target is packed with ASProtect v2.11 SKE.
Loaded it into OllyDbg (v1.10), cleared all breakpoints and ignored all exceptions.
Used the script provided by scherzo a few posts above (with OdbgScript v1.47) to reach the stolen OEP.

Then "Search for -> All intermodular calls".
Sorted the results by 'Destination' and I saw several 'CALL 00B30000', so I guess that this
target uses Advanced Import Protection.
Double-clicked on the first 'CALL 00B30000' to get back to the CPU window, performed a
"Find references to -> Call destination", and now I've got all my AIP addresses!
The first one being 00AD0352, and the last one 00AD1C59.

Back to the CPU window and to the OEP: scrolled down a bit searching for a valid call in order
to retrieve information about the IAT section. And I found these ones:

00AD0396 FF15 40504000 CALL DWORD PTR DS:[405040] ; kernel32.GetStartupInfoA
00AD03A9 FF15 60504000 CALL DWORD PTR DS:[405060] ; kernel32.FreeEnvironmentStringsA

So i guess that IAT is stored in 00405xxx section.
Let's check into memory-map, ALT-M give me this:
Memory map
00400000 00001000 ASPR211p PE header
00401000 00004000 ASPR211p code
00405000 00001000 ASPR211p data <-- this section contains iat?
00406000 00001000 ASPR211p
00407000 00001000 ASPR211p .rsrc resources
00408000 00024000 ASPR211p .data imports,...
0042C000 00001000 ASPR211p .adata

So ok, I've got all my information now:
stolen oep: 00AD02C2 (yours might be different...)
code section: 401000
code size: 4000
iat section: 405000
iat size: 1000
AIP call destination: 00B30000
first call to AIP: 00AD0352
last call to AIP: 00AD1C59

Let's resolve the broken IAT with:
'ASProtect 2.0x Fix IAT with Import Elimination #4b.txt' script by Pnluck.

"Is the IAT of this PE corrupt?", I answered yes.
"Enter the address of code section", I put '401000'.
"Enter the address of the section where is the IAT", I put '405000'.
"Enter the size of same section", I put '1000'.
The script pops this message: "The iat start at 000405000".
"Enter the AIP call destination", I put '00B30000'.

And I ended up with this message box: "Error: eax or edi value is 0, do you want to continue?"
No matter what I decide, the target either crashes or exits without any call being resolved...

I tried with other IAT fixer scripts; sometimes it resolves 1 or 2 pointers, but right after,
it ends up crashing Olly.
But what really bothers me is that when some calls are resolved they become
'CALL 01210004' instead of 'CALL 00xx0000'; shouldn't it be something like 'CALL DWORD PTR DS:[405xxx]'?

I'm really wondering what I'm doing wrong.
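An added example, not code from this thread or from any of the tools named in it: a small Python triage that reads an OllyDbg-style memory map and call listing (both constructed here, modelled on the addresses quoted in the post above), finds the section holding the import slots, and separates direct calls that leave the module image from the program's own indirect IAT calls, recording for each one whether the call site itself lies inside the image. The function names and the sample data are assumptions of this example.

```python
import re
# Constructed sample modelled on the addresses quoted in the post above (not a real dump).
MEMORY_MAP = """\
00400000 00001000 ASPR211p PE header
00401000 00004000 ASPR211p code
00405000 00001000 ASPR211p data
00408000 00024000 ASPR211p .data imports,...
0042C000 00001000 ASPR211p .adata
"""
LISTING = """\
00AD0352 E8 A9FC0500 CALL 00B30000
00AD0396 FF15 40504000 CALL DWORD PTR DS:[405040] ; kernel32.GetStartupInfoA
00AD03A9 FF15 60504000 CALL DWORD PTR DS:[405060] ; kernel32.FreeEnvironmentStringsA
00AD1C59 E8 A2E30500 CALL 00B30000
"""
MAP_RE = re.compile(r"^([0-9A-Fa-f]{8}) ([0-9A-Fa-f]{8}) (\S+)\s*(.*)$")
INDIRECT_RE = re.compile(r"CALL DWORD PTR DS:\[([0-9A-Fa-f]+)\]")
DIRECT_RE = re.compile(r"CALL ([0-9A-Fa-f]{8})\b")

def parse_map(text):
    """Memory-map lines -> [(start, end, label)]; label is module plus section name."""
    secs = []
    for m in filter(None, map(MAP_RE.match, text.splitlines())):
        start, size = int(m.group(1), 16), int(m.group(2), 16)
        secs.append((start, start + size, (m.group(3) + " " + m.group(4)).strip()))
    return secs

def section_of(addr, secs):  # label of the region containing addr, None if outside the image
    return next((lbl for lo, hi, lbl in secs if lo <= addr < hi), None)

def classify(listing, secs):
    """One record per CALL: site, whether the site lies inside the image, kind and target."""
    lo, hi = secs[0][0], max(end for _, end, _ in secs)
    rows = []
    for line in listing.splitlines():
        m = INDIRECT_RE.search(line) or DIRECT_RE.search(line)
        if m:
            site, target = int(line[:8], 16), int(m.group(1), 16)
            kind = "indirect" if m.re is INDIRECT_RE else "direct"
            rows.append({"site": site, "in_image": lo <= site < hi, "kind": kind,
                         "target": target, "section": section_of(target, secs)})
    return rows

def summarize(rows):
    """IAT home = section with most indirect slots; redirects = (target, site_in_image) for
    direct calls leaving the image: a site outside the image is not the program's own call."""
    slots = [r["section"] for r in rows if r["kind"] == "indirect" and r["section"]]
    out = [r for r in rows if r["kind"] == "direct" and r["section"] is None]
    return {"iat_section": max(set(slots), key=slots.count) if slots else None,
            "redirects": [(r["target"], r["in_image"]) for r in out]}
```

On the sample, both 'CALL 00B30000' sites sit at 00ADxxxx, outside the 00400000-0042D000 image, which is exactly the case where a call destination should not be taken as the program's own import redirection target.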
#9  03-18-2006, 04:40  al-kaiser
The reason is that 00B30000 is not the AIP. Go to address 00401000 and search for all intermodular calls, and there you can see the real AIP destination. But on this target AIP is the smallest problem; the OEP protection and the VM are really hard to defeat.
#10  03-18-2006, 06:07  Jay
Quote:
Originally Posted by al-kaiser
The reason is that 00B30000 is not the AIP. Go to address 00401000 and search for all intermodular calls, and there you can see the real AIP destination. But on this target AIP is the smallest problem; the OEP Protection and the VM are really hard to defeat.
Let's try and stick to the facts: under normal circumstances the method of protection is difficult to defeat, not so in this particular target. To quote fkw, "try and think out of the box". I posted (and removed as it wasn't relevant to the question) a working dump of the target.
#11  03-18-2006, 08:02  Kameo
I already have a working dump of the target, however it's not really accurate to understand how to unpack a regular packed file.
#12  03-18-2006, 08:26  Jay
Quote:
Originally Posted by Kameo
it's not really accurate to understand how to unpack a regular packed file.
I know, that's why I removed my dump. My response was to al-kaiser's statement regarding this target. Oh f*ck it, I'm probably misinterpreting what he meant anyway, sorry for going o/t, carry on.
Quote:
But AIP is on this target the smallest problem, the OEP protection and the VM is really hard to defeat
#13  03-22-2006, 01:27  Kameo
Quote:
Originally Posted by al-kaiser
the OEP protection and the VM is really hard to defeat.
Yep, you're right, however the tutorial provided by typed in his link is quite impressive since it deals with the actual topic:
Defeating the VM protection of an Asprotected target, and also the RSA serial checking routine provided by Asprotect...
It would be the perfect tutorial, but the main problem of this tutorial is its language... Russian.

I know that most of the best reversers around are either Chinese, Japanese or Russian, that's a fact, but, man... it would be a nice thing if they would release their tuts, at least in English.