Exetools  

System Cleaner 4.9.3.174

#1  Pompeyfan  (03-16-2004, 20:07)

I'm really still coming to grips with unpacking ASProtected programs, but had a go at this one by myself. The OEP and stolen bytes I got were as follows; am I at least on the right track? The only API I had to add back in with ImpREC was Free Resources:

0058074E > $ 55 PUSH EBP
0058074F . 8BEC MOV EBP,ESP
00580751 . 83EC 18 SUB ESP,18
00580754 . B8 B4FF5700 MOV EAX,SystemCl.0057FFB4
00580759 . 90 NOP
0058075A . E8 716EE8FF CALL SystemCl.004075D0

Now when I open the program, I get the attached error. I tried tracing the code for a couple of hours tonight but can't get it to run; just wondering if the above is right before I continue playing around with it.
Attached image: systemcleanererror.jpg
#2  Pompeyfan  (03-16-2004, 20:09)
This error message is followed by the attached one.
Attached image: systemcleanererror2.jpg
#3  Pompeyfan  (03-16-2004, 20:21)
The error seems to start coming up here:

004AC5CA |. E8 9168FEFF CALL SystemCl.00492E60

Not the first time you get here, but if you trace into this call, eventually you get to here:

0057F991 FF92 EC000000 CALL DWORD PTR DS:[EDX+EC]

Which leads back to the first mentioned call, and then the error message opens.
#4  hobgoblin  (03-17-2004, 04:59)
Hi there

I found a few more stolen bytes than you did. Here they are:

55 PUSH EBP
8BEC MOV EBP,ESP
83EC 18 SUB ESP,18
53 PUSH EBX
56 PUSH ESI
57 PUSH EDI
33C0 XOR EAX,EAX
8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
8945 EC MOV DWORD PTR SS:[EBP-14],EAX
B8 B4FF5700 MOV EAX,dumped_.0057FFB4

After unpacking it, I also got the error message you did. But this error message is a blessing in disguise really. :-) The box asks you if you want to send a message to the author or not, and it asks you if you want to look at it. Take a look at it, and you'll find a reference to a call at the address 005807AA. By checking that out I quickly found that by nop'ing it, the program runs fine.
I dumped the program using LordPE, not Olly.

regards,
hobgoblin
#5  Pompeyfan  (03-17-2004, 18:46)
Thanks a lot for that. I'll do it again from scratch and figure out why I didn't get all the stolen bytes; appreciate your help, mate.
#6  Pompeyfan  (03-18-2004, 20:49)
Yes, it works now with the stolen bytes you mention, and looking in my run-trace data I can see them in there. The program runs for me even without nopping the call, which is odd, unless of course you mean running it in a debugger. That I do have problems with: it brings up the error message, with an exception at 004052CB, which you can trace back to the call you mention, but many other calls lead to it too, so nopping the call you did doesn't fix that.
Now comes the dumb-ass question, and unless I ask it I'll always be a dumb ass: how do I know which entries in the run-trace data are the stolen bytes? I know the PUSH EBP, MOV EBP,ESP and the SUB whatever, and how to get the MOV EAX whatever, but for the other ones I'm scratching my head as to how you know which ones to use.
#7  ferrari  (03-18-2004, 21:07)
Do you have Britedream's tut on stolen bytes? I'll forward it to you if you want.
#8  britedream  (03-18-2004, 22:31)
I will do one more tut for the stolen bytes, which covers another case. That will make it very clear, hopefully.
#9  Satyric0n  (03-18-2004, 22:48)
britedream, can you please post your tutorial for everyone this time? Thanks.

Regards,
Satyric0n
#10  britedream  (03-18-2004, 23:31)
My sincere apology for the poor images in the tut; I don't have a good image-capturing tool, and I don't know of one.
Please feel free to correct mistakes in typing or in concept.
Note:
I didn't talk about the stolen-but-not-erased bytes. These are easy to find, no need for explanation: just follow ECX to the dump and choose the disassemble option, and they will all be there, just a little up.

Here is the tut.
Attached file: concepts-by britedream.rar
#11  Pompeyfan  (03-19-2004, 04:25)

Thanks, I'll have a good read through that, really appreciate it.
#12  hobgoblin  (03-19-2004, 05:43)
Nice

Nice to see that you figured it out. But you write:
"now that I have problems with, then it brings up the error message, with an exception at 004052CB, which you can trace back to the call you mention, but many other calls lead to it too, so nopping the call you did doesn't fix that."
I'm not sure I understand you right about this. After I nop'ed the call at address 005807AA, the program runs fine. As far as I could see, the call made from 005807AA is the only one. The code later on is surely called several times, but nop'ing the call still solved my problems. Getting the exception error at address 004052CB surely was the problem, but by nop'ing the call the exception wasn't triggered, and the program continues.
Another interesting problem pops up later on. Run the program for a while and you get the code 411 error message. There is a "time bomb" in the program, probably triggered by the increased size of the unpacked file. To get around that you simply have to find the right call and put a RET instruction at the beginning of the called code.

regards,
hobgoblin
#13  Pompeyfan  (03-19-2004, 13:48)
I am only talking about running it in Olly now, works fine outside of Olly:

Call at:

005807AA . E8 A9DAF3FF CALL SystemCl.004BE258

Leads to:

004BE258 /$ 53 PUSH EBX
004BE259 |. 8BD8 MOV EBX,EAX
004BE25B |. 8BC3 MOV EAX,EBX
004BE25D |. 8B15 54515800 MOV EDX,DWORD PTR DS:[585154]
004BE263 |. E8 5C70F4FF CALL SystemCl.004052C4

Leads to:

004052C4 $ 31C9 XOR ECX,ECX
004052C6 . 85D2 TEST EDX,EDX
004052C8 . 74 21 JE SHORT SystemCl.004052EB
004052CA . 52 PUSH EDX
004052CB > 3A0A CMP CL,BYTE PTR DS:[EDX]

There are tons of calls to 004052C4, which then lead you to this access violation. Nopping the call at 005807AA didn't help it to run in Olly; nopping the call to 004052C4 helps it run for a bit longer, the trial screen comes up, but it keeps disappearing because of access violations.
I haven't hit that code 411 error message yet; guess I haven't run the program long enough.
#14  Pompeyfan  (03-22-2004, 03:13)
004BDF78 . 6A 00 PUSH 0 ; /Arg1 = 00000000
004BDF7A . 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10] ; |
004BDF7D . 50 PUSH EAX ; |/Arg1
004BDF7E . A1 F0505800 MOV EAX,DWORD PTR DS:[5850F0] ; ||
004BDF83 . 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX ; ||
004BDF86 . C645 EC 0B MOV BYTE PTR SS:[EBP-14],0B ; ||
004BDF8A . 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18] ; ||
004BDF8D . 33C9 XOR ECX,ECX ; ||
004BDF8F . B8 70E04B00 MOV EAX,Copy_of_.004BE070 ; ||ASCII "Error 411 - CODE: %s"
004BDF94 . E8 3388F6FF CALL Copy_of_.004267CC ; |\Copy_of_.004267CC
004BDF99 . 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] ; |
004BDF9C . 66:8B0D 88E04B>MOV CX,WORD PTR DS:[4BE088] ; |
004BDFA3 . B2 01 MOV DL,1 ; |
004BDFA5 . E8 5240F9FF CALL Copy_of_.00451FFC ; \Copy_of_.00451FFC

If you scroll up, this routine starts at:

004BDEC4 /. 55 PUSH EBP

If you search for references to this, you get:

References in Copy_of_: to 004BDEC4, item 1
Address=004BE179
Disassembly=PUSH Copy_of_.004BDEC4

Here is the routine:

004BE143 . 73 43 JNB SHORT Copy_of_.004BE188
004BE145 . 33C9 XOR ECX,ECX
004BE147 . B2 01 MOV DL,1
004BE149 . A1 58334500 MOV EAX,DWORD PTR DS:[453358]
004BE14E . E8 8D78F9FF CALL Copy_of_.004559E0
004BE153 . A3 F8F45800 MOV DWORD PTR DS:[58F4F8],EAX
004BE158 . 33D2 XOR EDX,EDX
004BE15A . A1 F8F45800 MOV EAX,DWORD PTR DS:[58F4F8]
004BE15F . E8 047AF9FF CALL Copy_of_.00455B68
004BE164 . BA 60EA0000 MOV EDX,0EA60
004BE169 . A1 F8F45800 MOV EAX,DWORD PTR DS:[58F4F8]
004BE16E . E8 057AF9FF CALL Copy_of_.00455B78
004BE173 . A1 FCF45800 MOV EAX,DWORD PTR DS:[58F4FC]
004BE178 . 50 PUSH EAX ; /Arg2 => 00000000
004BE179 . 68 C4DE4B00 PUSH Copy_of_.004BDEC4 ; |Arg1 = 004BDEC4
004BE17E . A1 F8F45800 MOV EAX,DWORD PTR DS:[58F4F8] ; |
004BE183 . E8 007AF9FF CALL Copy_of_.00455B88 ; \Copy_of_.00455B88
004BE188 > C3 RETN

Change this line to:

004BE143 . EB 43 JMP SHORT SystemCl.004BE188

No more code 411 error message!!!!
#15  Pompeyfan  (03-22-2004, 03:19)
Also, if you change 0057FD45 from JE to JMP, you get rid of the splash screen. I'm still working on getting rid of the limit of only the first 30 files being deleted; otherwise the program works fine, but won't run properly in Olly.
Quote:
After I nop'ed the call at address 005807AA, the program runs fine.
You are of course right, Hobgoblin. I ended up having to change this too: it ran okay the first day without this change, but the following day it didn't, although if I restored a backup file made from the previous day it would run again without nopping the call. But then who wants to keep replacing the file every day?
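Putting the thread's pieces together in one script, as an added example that is not part of any post and not System Cleaner's own code: it takes a LordPE-style dump, writes hobgoblin's 22 stolen bytes (post #4) immediately in front of the first instruction ASProtect left in place (the CALL SystemCl.004075D0 at 0058075A in post #1), points AddressOfEntryPoint at them, and then applies the patches the posters settled on: NOP the CALL at 005807AA (posts #4 and #15), JNB to JMP at 004BE143 (post #14) and JE to JMP at 0057FD45 (post #15). The arithmetic answers post #6's question about where the bytes go: 0058075A minus 22 is 00580744, and Pompeyfan's 11 bytes plus a NOP at 0058074E..00580759 filled the same gap with the shorter prologue. Every write checks the bytes already there so a wrong dump or mistyped address fails instead of silently corrupting something, and call_target() confirms the dump really sits at the 00400000 image base before anything is touched. The PE image built by build_sample_dump() is a constructed stub holding only the bytes the thread quotes, so the script runs offline; the encoding of the JE at 0057FD45 is assumed to be the short (74 xx) form, which the thread does not state. For what it is worth, the MOV EDX,0EA60 in the routine at 004BE143 is 60000 decimal, consistent with a one-minute interval being set before the callback at 004BDEC4 is registered, though the thread does not identify that call.

```python
"""Restore ASProtect's stolen bytes and apply this thread's patches to a PE32 dump.

Added example for this page, not a poster's or System Cleaner's own code.
build_sample_dump() constructs a stub image holding only the bytes the thread
quotes (the JE at 0057FD45 is assumed to be the short 74 xx form).
"""
import struct

IMAGE_BASE = 0x00400000
# Stolen bytes exactly as hobgoblin listed them (post #4): 22 bytes.
STOLEN = bytes.fromhex("55 8BEC 83EC18 53 56 57 33C0 8945E8 8945EC B8B4FF5700")
FIRST_INTACT = 0x0058075A   # CALL SystemCl.004075D0, first instruction left in place

def headers(img):
    """Return (optional-header offset, [(VirtualAddress, SizeOfRawData, PointerToRawData)])."""
    pe = struct.unpack_from("<I", img, 0x3C)[0]              # e_lfanew
    opt = pe + 24
    if img[pe:pe + 4] != b"PE\0\0" or struct.unpack_from("<H", img, opt)[0] != 0x10B:
        raise ValueError("not a PE32 image")
    nsec, = struct.unpack_from("<H", img, pe + 6)            # NumberOfSections
    opt_size, = struct.unpack_from("<H", img, pe + 20)       # SizeOfOptionalHeader
    return opt, [struct.unpack_from("<III", img, opt + opt_size + 40 * i + 12)
                 for i in range(nsec)]

def va_to_offset(img, va):
    """Map a virtual address to a file offset through the section table."""
    rva = va - IMAGE_BASE
    for sec_va, raw_size, raw_ptr in headers(img)[1]:
        if sec_va <= rva < sec_va + raw_size:
            return raw_ptr + (rva - sec_va)
    raise ValueError(f"{va:#010x} is not backed by any section")

def read(img, va, n):
    return bytes(img[va_to_offset(img, va):][:n])

def write(img, va, data, expect=None):
    """Write at a VA; refuse if the bytes already there are not `expect`."""
    if expect is not None and read(img, va, len(expect)) != expect:
        raise ValueError(f"{va:#010x}: found {read(img, va, len(expect)).hex()}, "
                         f"expected {expect.hex()} (wrong dump or wrong address?)")
    off = va_to_offset(img, va)
    img[off:off + len(data)] = data

def call_target(img, va):
    """Resolve an E8 rel32 CALL; a sanity check that the dump sits at IMAGE_BASE."""
    opcode, rel = struct.unpack("<Bi", read(img, va, 5))
    if opcode != 0xE8:
        raise ValueError(f"{va:#010x} is not a near CALL")
    return va + 5 + rel

def restore_stolen_bytes(img):
    """Write the prologue right before FIRST_INTACT (0058075A - 22 = 00580744) and set the EP."""
    oep = FIRST_INTACT - len(STOLEN)
    write(img, oep, STOLEN)                                  # old contents are junk
    struct.pack_into("<I", img, headers(img)[0] + 16, oep - IMAGE_BASE)  # AddressOfEntryPoint
    return oep

def entry_point(img):
    return IMAGE_BASE + struct.unpack_from("<I", img, headers(img)[0] + 16)[0]

def jcc_to_jmp(img, va):
    """7x rel8 -> EB rel8; 0F 8x rel32 -> 90 E9 rel32 (same length, same displacement)."""
    op = read(img, va, 2)
    if 0x70 <= op[0] <= 0x7F:
        write(img, va, b"\xEB")
    elif op[0] == 0x0F and 0x80 <= op[1] <= 0x8F:
        write(img, va, b"\x90\xE9")
    else:
        raise ValueError(f"{va:#010x}: {op.hex()} is not a Jcc")

def nop_call(img, va):
    """Replace a 5-byte near CALL with NOPs (hobgoblin's fix at 005807AA)."""
    write(img, va, b"\x90" * 5, expect=b"\xE8")

def apply_thread_patches(img):
    oep = restore_stolen_bytes(img)
    nop_call(img, 0x005807AA)        # startup error (posts #4, #15)
    jcc_to_jmp(img, 0x004BE143)      # JNB -> JMP: never arm "Error 411" (post #14)
    jcc_to_jmp(img, 0x0057FD45)      # JE -> JMP: skip the splash screen (post #15)
    return oep

def build_sample_dump():
    """Constructed PE32 stub (not the real dump): headers plus the quoted bytes."""
    secs = [(b"CODE", 0x0BE000, 0x1000, 0x400), (b"CODE2", 0x17F000, 0x2000, 0x1400)]
    img, pe, opt_size = bytearray(0x3400), 0x80, 224
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe)
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, pe + 4, 0x14C, len(secs))   # Machine i386, NumberOfSections
    struct.pack_into("<H", img, pe + 20, opt_size)
    struct.pack_into("<H", img, pe + 24, 0x10B)
    struct.pack_into("<I", img, pe + 24 + 28, IMAGE_BASE)
    for i, (name, va, raw_size, raw_ptr) in enumerate(secs):
        off = pe + 24 + opt_size + 40 * i
        img[off:off + len(name)] = name
        struct.pack_into("<IIII", img, off + 8, raw_size, va, raw_size, raw_ptr)
    for va, hexbytes in [(0x004BE143, "73 43"), (0x0057FD45, "74 10"),
                         (FIRST_INTACT, "E8 716EE8FF"), (0x005807AA, "E8 A9DAF3FF")]:
        write(img, va, bytes.fromhex(hexbytes))
    return img
```

To use it on a real dump, read the file into a bytearray, call apply_thread_patches() and write the bytearray back out; call_target(img, FIRST_INTACT) should return 0x004075D0 first, otherwise the dump was not taken at the expected base and every address in the thread is off. The expect checks are what makes the script safe to rerun: a second nop_call() on the already-NOPed CALL raises instead of overwriting whatever is there now.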
All times are GMT +8.