Exetools  

Old 08-23-2016, 03:02
TempoMat
ASProtect SKE unpacking

Hi Everyone,

I have been trying to unpack a few programs protected with ASProtect SKE and am having issues resolving the numerous calls to the VM.
The SKE versions range from version 2.2 Build 4.25 to 2.56 Build 3.17 according to ASPriNF v1.6.
The programs have neither stolen bytes nor IAT redirection, hence
there are no problems reaching the corresponding OEPs either manually or with scripts.

Unfortunately I am not able to rebuild the calls to the VM with the script RebuildVM.osc from PE_Kill. The script always terminates with the error message "[Error!] Init failed!". This message can be triggered at 9 locations before and 1 after the prompt to "Enter new base of this code". As I am getting the error before the prompt, I had to debug the script to find where exactly the error is first triggered. Finally I was able to trace it to the routine @find_the_error111.

Does it mean that all SKE protected programs must have this Error 111 and the script terminates because it is unable to locate it?

If I comment this routine out, then the next init error is triggered at @find eip,#2C027212743D#.

Tips or hints for resolving this error, or a link to alternative scripts for rebuilding the VM, would be highly appreciated.

And just by the way, the unpacking scripts from Volz are not working on these targets.
All the affected programs throw the CRC error when Volz's scripts are used.

Thanks and best regards,
TempoMat

PS: I am RCEing on a VirtualPC with WinXP Pro SP3.
  #2  
Old 08-23-2016, 03:59
TechLord
AsProtect has been done to death with tons of automated packers

Just do a quick Google search for "AsPrStripperXP", "Stripper" (various versions) as well as "DecomAS".

For the versions of AsProtect you mentioned, these unpackers will do the job in a few seconds.

If you are intending to LEARN to unpack manually then it's a different story.

But if you are just looking for a quick way out, then the unpackers are the way to go.

I didn't want to spoon-feed you further and hence am leaving it to you to do a quick search for the unpackers ..

Maybe I will share them if you truly cannot find them yourself.

Cheers
  #3  
Old 08-23-2016, 04:38
TempoMat
Quote: Originally posted by TechLord
AsProtect has been done to death with tons of automated packers
Just do a quick google search for "AsPrStripperXP" , "Stripper" (various versions) as well as "DecomAS" .
I have tried both Stripper (various versions) and DecomAS v1.7 without success.

Quote:
If you are intending to LEARN to unpack manually then its a different story.
I've already unpacked several regular versions (unpackmes and shareware programs) and am now trying my hand at the SKEs.
So yes, I am at this moment more inclined towards MUP.

Quote:
Didn't want to spoon-feed you further and hence leaving it to you to do a quick search for the unpackers ..
Sorry, but I didn't in any way hint or ask to be spoon-fed.
If you check my first post, I didn't even mention a single name of a target software, which should indicate the contrary to the assumption that I am interested in being spoon-fed.

Thanks for your response though.

Regards,
TempoMat
  #4  
Old 08-23-2016, 09:35
ZeNiX
In some cases, you need a valid registration key to decrypt protected code blocks.

In some other cases, you need to repair the calls to ASProtect's API if the program uses SKE's SDK functions.
  #5  
Old 08-23-2016, 13:53
user1
Quote:
In some cases, you need a valid registration key to decrypt protected code blocks.
And unpacked was registered.
  #6  
Old 08-23-2016, 16:37
TempoMat
Quote: Originally posted by ZeNiX
In some cases, you need a valid registration key to decrypt protected code blocks.
After reaching the OEP and analysing the code, I could see no sign of encrypted code sections.
At least it can be confirmed against the code flow of older versions, except for the calls to the VM or SKE SDK.
Also all typical string references can be seen clearly.
The only problem is the calls to the VM, which the script is able to identify correctly, since it stops at the location where it checks for error 111.

Quote:
In some other cases, you need to repair the calls to ASProtect's API if the program uses SKE's SDK functions.
These are what I am trying to repair.

Example at the OEP of an MS VC++ 8 application:
Code:
0040791F    .  E8 8D020000        CALL abcd.00407BB1            	; the OEP
00407924    .^ E9 80FEFFFF        JMP abcd.004077A9
00407929   /$  55                 PUSH EBP
0040792A   |.  8BEC               MOV EBP,ESP
0040792C   |.  A1 04304200        MOV EAX,DWORD PTR DS:[0x423004]
00407931   |.  83E0 1F            AND EAX,0x1F
00407934   |.  6A 20              PUSH 0x20
00407936   |.  59                 POP ECX                       	; 009D19A6
00407937   |.  2BC8               SUB ECX,EAX                   	; abcd.0040791F
00407939   |.  8B45 08            MOV EAX,DWORD PTR SS:[EBP+0x8]	; abcd.00449833
0040793C   |.  D3C8               ROR EAX,CL
0040793E   |.  3305 04304200      XOR EAX,DWORD PTR DS:[0x423004]
00407944   |.  5D                 POP EBP                       	; 009D19A6
00407945   \.  C3                 RETN
If you enter the call at the OEP you will see:

Code:
00407BB1    $  55                 PUSH EBP
00407BB2    .  8BEC               MOV EBP,ESP
00407BB4    .  83EC 14            SUB ESP,0x14
00407BB7    .  8365 F4 00         AND DWORD PTR SS:[EBP-0xC],0x0
00407BBB    .  8365 F8 00         AND DWORD PTR SS:[EBP-0x8],0x0
00407BBF    .  A1 04304200        MOV EAX,DWORD PTR DS:[0x423004]
00407BC4    .  56                 PUSH ESI
00407BC5    .  57                 PUSH EDI
00407BC6    .  BF 4EE640BB        MOV EDI,0xBB40E64E
00407BCB    .  BE 0000FFFF        MOV ESI,0xFFFF0000
00407BD0    .  3BC7               CMP EAX,EDI
00407BD2    .  74 0D              JE SHORT abcd.00407BE1
00407BD4    .  85C6               TEST ESI,EAX                  	; abcd.0040791F
00407BD6    .  74 09              JE SHORT abcd.00407BE1
00407BD8    .  F7D0               NOT EAX                       	; abcd.0040791F
00407BDA    .  A3 00304200        MOV DWORD PTR DS:[0x423000],EAX                   ;  abcd.0040791F
00407BDF    .  EB 66              JMP SHORT abcd.00407C47
00407BE1    >  8D45 F4            LEA EAX,DWORD PTR SS:[EBP-0xC]
00407BE4    .  50                 PUSH EAX                      	; abcd.0040791F
00407BE5    .  E8 16846F01        CALL 01B00000                 	; Call to ASPR VM/SKE SDK
00407BEA    .  9B                 WAIT
00407BEB    .  8B45 F8            MOV EAX,DWORD PTR SS:[EBP-0x8]
00407BEE    .  3345 F4            XOR EAX,DWORD PTR SS:[EBP-0xC]
00407BF1    .  8945 FC            MOV DWORD PTR SS:[EBP-0x4],EAX	; abcd.0040791F
00407BF4    .  E8 07846F01        CALL 01B00000                 	; Call to ASPR VM/SKE SDK
00407BF9    .  4E                 DEC ESI
00407BFA    .  3145 FC            XOR DWORD PTR SS:[EBP-0x4],EAX	; abcd.0040791F
00407BFD    .  E8 FE836F01        CALL 01B00000                 	; Call to ASPR VM/SKE SDK
00407C02    .  DA31               FIDIV DWORD PTR DS:[ECX]
00407C04    .  45                 INC EBP
00407C05    .  FC                 CLD
00407C06    .  8D45 EC            LEA EAX,DWORD PTR SS:[EBP-0x14]
00407C09    .  50                 PUSH EAX                      	; abcd.0040791F
00407C0A    .  E8 F1836F01        CALL 01B00000                 	; Call to ASPR VM/SKE SDK
The CALL 01B00000 is called 60 times in this application.


Quote: Originally posted by user1
And unpacked was registered.
The programs run with small restrictions unregistered. It also does not use the ASProtect registration but its own pretty simple CRC32 routine.
  #7  
Old 08-23-2016, 18:13
TechLord
@TempoMat:

I did not MEAN anything bad. Sorry if it SOUNDED like that.

That's the purpose of those "smileys".

You must know that the purpose of those smileys is to show that I am not saying it in a BAD sense of any kind.

I respect individuals like you who work towards getting their own programs "patched/unpacked" and, in the process, want to learn.

Regards

EDIT: Would you care to share the name of the app, so that we all can explore it better? You got me curious and interested.

Once again, I want to stress that individuals like you who want to LEARN are MORE of the guys that this forum needs, and I RESPECT people like you ..

Cheers

Last edited by TechLord; 08-23-2016 at 18:41.
  #8  
Old 08-23-2016, 20:31
TempoMat
Quote: Originally posted by TechLord
@TempoMat:

I did not MEAN anything bad. Sorry if it SOUNDED like that.

That's the purpose of those "smileys".

You must know that the purpose of those smileys is to show that I am not saying it in a BAD sense of any kind.
Don't worry, I am not thin-skinned and didn't take your comment in any bad sense.

Quote:
Would you care to share the name of the app, so that we all can explore it better? You got me curious and interested.
The latest versions of WinTools.Net (viz. Classic, Professional and Premium) and RamSaver from http://www.wintools.net/

Also some of the programs from http://boilsoft.com/, e.g. mp4_converter_v1.22 and Resource Hunter_v1.32.


Examples like AVI MPEG ASF WMV Splitter and AVI MPEG RM WMV Joiner are ASProtect SKE protected, but without the calls to the VM, so they could easily be unpacked manually.

The Screen Recorder v1.05, for instance, is Themida protected according to ProtectionID.
There are also a few Armadillo protected applications there, e.g. asf converter_v2.68.

The registration routine in some of the software (mostly without protections) from Boilsoft is custom + MD5 hash tables, if you are interested.
  #9  
Old 08-23-2016, 22:54
TechLord
Dear TempoMat:

For your STUDY purpose, I have unpacked and uploaded them here:

Quote:
http://www17.zippyshare.com/v/0Mhq0ECJ/file.html
I have made them for WinTools Premium and RamSaver for now...

The patched versions have no nags also.

ALL LIMITATIONS REMOVED..

The unpacked one is just an unpatched version for your study.

VERY SORRY that I do not have time, or I would have made DETAILED TUTS.

Really glad to see learners !

I am sure that you can study the unpacked and understand by yourself.

Cheers and Good Luck !

P.S.: The patches are very rudimentary and made VERY roughly, just to see if the limitations and time-limit were removed or not!

Last edited by TechLord; 08-24-2016 at 00:11.
  #10  
Old 08-24-2016, 08:08
TempoMat
Thanks TechLord.

Looking at the disassembly of your unpacked RamSaver, I could see that I was totally wrong in saying that there is no IAT redirection.

I have now been able to trace to the point where the decision is made whether to write an API into the IAT or not. At that location, whenever ESI=0xDC or 0x74 the IAT was written, and with ESI=0xE6 it was skipped. So I was able to inject this code:
Code:
009E0000     8A43 3B              MOV AL,BYTE PTR DS:[EBX+0x3B]
009E0003     81FE E6000000        CMP ESI,0xE6
009E0009     75 05                JNZ SHORT 009E0010
009E000B     BE 74000000          MOV ESI,0x74
009E0010   ^ E9 A161FEFF          JMP 009C61B6
to resolve the IAT.

Now I am trying to figure out how to fix those redirected calls to 01B00000 which are actually calls to the APIs that are redirected to the VM.

I am still reading some tutorials and hoping I can make a breakthrough soon.

However, any suggestion on the procedure for resolving these redirected calls will be very much appreciated.

Thanks,
TempoMat
  #11  
Old 08-24-2016, 17:48
TechLord
@TempoMat:

Two EXCELLENT papers that are a bit old but VERY relevant to your situation.

Go through them carefully.

When I FIRST read these a few years ago, they took a couple of days to fully understand.

Read them carefully and attempt to comprehend the concept the authors are trying to demonstrate.

Good luck!

Links:

Quote:
http://www22.zippyshare.com/v/JFj6BbER/file.html
http://www22.zippyshare.com/v/6mkOutJN/file.html
P.S.: Thank you to everyone else who is following these posts of mine as well.

Encourages me a lot !
All times are GMT +8.