Exetools  

#1  01-17-2004, 18:44  loman
PostSmile - ASPR 1.23 RC4 Registered ... how to find OEP??

Hi,
I was trying to help a friend of mine unpack this program, and I saw that it's different from other ASPR targets I have unpacked. The last exception is:


009F309F 3100 XOR DWORD PTR DS:[EAX],EAX
009F30A1 EB 01 JMP SHORT 009F30A4
009F30A3 68 648F0500 PUSH 58F64
009F30A8 0000 ADD BYTE PTR DS:[EAX],AL
009F30AA 00EB ADD BL,CH
009F30AC 02E8 ADD CH,AL
009F30AE 0158 EB ADD DWORD PTR DS:[EAX-15],EBX
009F30B1 6A E8 PUSH -18
009F30B3 8DF4 LEA ESI,ESP ; Illegal use of register
009F30B5 FE ??? ; Unknown command
009F30B6 FF8B F08B0303 DEC DWORD PTR DS:[EBX+3038BF0]
009F30BC 45 INC EBP
009F30BD EC IN AL,DX ; I/O command
009F30BE 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
009F30C1 8B4B 04 MOV ECX,DWORD PTR DS:[EBX+4]
009F30C4 8BD6 MOV EDX,ESI
009F30C6 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
009F30C9 E8 CEFAFFFF CALL 009F2B9C

and there's no RET.... It also gives a MsgBox with Protection Error
Error : 1


hxxp://www.PostSmile.com

Thanks in advance

loman
#2  01-17-2004, 19:04  MaRKuS-DJM (Cracker + Unpacker; Join Date: Aug 2003; Location: Virtual World / Network; Posts: 553)
I'll have a look at it.
#3  01-17-2004, 19:22  MaRKuS-DJM
Maybe you are wrong? I see really no difference and came to the following:

OEP: 4EB139

Stolen bytes:
004EB139 >/$ 55 PUSH EBP
004EB13A |. 8BEC MOV EBP,ESP
004EB13C |. 83EC 14 SUB ESP,14
004EB13F |. 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
004EB142 |. 51 PUSH ECX
004EB143 |. B8 C8AB4E00 MOV EAX,dumped_.004EABC8

IAT is attached.
The program works fully registered then (Registered to tA, don't ask why).

Edit:
I was wrong, it only works registered with the filename "dumped_.exe".

Last edited by MaRKuS-DJM; 01-17-2004 at 19:25.
#4  01-17-2004, 19:33  loman
Nothing....... I always get Protection Error. Can you tell me at what line you get the last exception?
#5  01-17-2004, 20:21  MaRKuS-DJM
This is my last exception (the same as in all ASPR targets):

009E3D03 3100 XOR DWORD PTR DS:[EAX],EAX
009E3D05 64:8F05 00000000 POP DWORD PTR FS:[0]
009E3D0C 58 POP EAX
009E3D0D 833D BC7E9E00 00 CMP DWORD PTR DS:[9E7EBC],0
009E3D14 74 14 JE SHORT 009E3D2A
009E3D16 6A 0C PUSH 0C
009E3D18 B9 BC7E9E00 MOV ECX,9E7EBC
009E3D1D 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
009E3D20 BA 04000000 MOV EDX,4
009E3D25 E8 E6D2FFFF CALL 009E1010
009E3D2A FF75 FC PUSH DWORD PTR SS:[EBP-4]
009E3D2D FF75 F8 PUSH DWORD PTR SS:[EBP-8]
009E3D30 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
009E3D33 8338 00 CMP DWORD PTR DS:[EAX],0
009E3D36 74 02 JE SHORT 009E3D3A
009E3D38 FF30 PUSH DWORD PTR DS:[EAX]
009E3D3A FF75 F0 PUSH DWORD PTR SS:[EBP-10]
009E3D3D FF75 EC PUSH DWORD PTR SS:[EBP-14]
009E3D40 C3 RETN

Maybe your debugger isn't hidden?
#6  01-17-2004, 20:26  loman
I use OllyDbg and I patch the IsDebuggerPresent at 7FFDF002 from 1 to 0. Are there other, cooler ways?

thanks
#7  01-18-2004, 00:38  LaBBa (VIP; Join Date: Jul 2003; Posts: 150)
Full ASPR tut

hxxp://www.woodmann.net/forum/showthread.php?t=5304 tut for download: hxxp://www.woodmann.net/forum/attachment.php?attachmentid=836

enjoy

[Edit by JMI: LaBBa no clickable links outside the Forum please, even to Woodmann's site, because others can't seem to stop posting clickable links to software vendors sites.]
#8  01-22-2004, 02:00  cerb
Hi MaRKuS-DJM,

I found the OEP but I don't know where I should do the dump.

Can you help me?



Quote:
Originally posted by MaRKuS-DJM
OEP: 4EB139
[stolen bytes and the rest of post #3 quoted in full]
#9  01-22-2004, 04:57  MaRKuS-DJM
If you used "tc eip<900000", you have to dump after this command (you should be at a jump command which jumps into some code that executes kernel32.GetModuleHandleA).

Then edit the EP with LordPE or any other tool to the real OEP, but do not dump later or the dump will crash (it does for me).

Regards,
MaRKuS TH-DJM
#10  01-22-2004, 05:20  cerb
Hello,

Thx for the fast help. But when I start the unpacked exe I get a write error at
004EB154:

004EB139 > $ 55 PUSH EBP
004EB13A . 8BEC MOV EBP,ESP
004EB13C . 83EC 14 SUB ESP,14
004EB13F . 36:8945 EC MOV DWORD PTR SS:[EBP-14],EAX
004EB143 . 51 PUSH ECX
004EB144 . B8 C8AB4E00 MOV EAX,jmp_.004EABC8
004EB149 . 0FBBF1 BTC ECX,ESI
004EB14C . FF33 PUSH DWORD PTR DS:[EBX]
004EB14E . C055 68 E3 RCL BYTE PTR SS:[EBP+68],0E3 ; Shift constant out of range 1..31
004EB152 . B1 4E MOV CL,4E
004EB154 00 DB 00
004EB155 . 64:FF30 PUSH DWORD PTR FS:[EAX]
004EB158 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
004EB15B . 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]

What is wrong?
#11  01-22-2004, 21:28  MaRKuS-DJM
This code doesn't look good. After the last stolen byte there should be a CALL!! Seems you have overwritten this code. Don't overwrite any code! Try to change the EP.
#12  01-22-2004, 21:35  MaRKuS-DJM
I analysed the code, and I came to this:

004EB139 > 55 PUSH EBP
004EB13A 8BEC MOV EBP,ESP
004EB13C 83EC 14 SUB ESP,14
004EB13F 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
004EB142 51 PUSH ECX
004EB143 B8 C8AB4E00 MOV EAX,fuckup.004EABC8
004EB148 E8 0FBBF1FF CALL fuckup.00406C5C <<< you overwrote this code!!!
004EB14D 33C0 XOR EAX,EAX
004EB14F 55 PUSH EBP
004EB150 68 E3B14E00 PUSH fuckup.004EB1E3
004EB155 64:FF30 PUSH DWORD PTR FS:[EAX]
004EB158 64:8920 MOV DWORD PTR FS:[EAX],ESP
004EB15B 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
004EB15E A1 10E54E00 MOV EAX,DWORD PTR DS:[4EE510]
004EB163 E8 3CB8F1FF CALL fuckup.004069A4

I saw your bytes are different from mine @4EB13F
MOV DWORD PTR SS:[EBP-14],EAX

mine: 8945EC
yours: 36:8945EC

What have you done there?
Try to correct it and it will work.
#13  01-23-2004, 02:45  cerb
Hi MaRKuS-DJM,

Thx for your help. I found my error. I typed the asm code push ebp .... in hiew, and that was wrong.

Now the app works.

Best Regards
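Added example (editor's code, not from the thread or from any of the tools its posters used): the script below performs the two hand edits MaRKuS describes, writing the stolen bytes back at the OEP and moving AddressOfEntryPoint to it, and it does them with the check MaRKuS states in post #11, that the byte right after the stolen block must be the E8 of the CALL that follows it. That check is exactly what rejects cerb's hiew output, where the MOV carries an extra SS override prefix (36) and the 16th byte overwrites the CALL. The stolen bytes, OEP 004EB139 and the code at 004EB148 are taken from the listings in posts #3 and #12; the PE image the script builds, its single section, its raw layout and the packer stub entry RVA are constructed stand-ins for the raw dump and are assumptions, not PostSmile.

```python
"""Patch stolen bytes back into a raw dump and move the PE entry point to the
OEP: the two hand edits the thread makes with hiew and LordPE. Constructed
sample image, not PostSmile and not code from the thread."""
import struct

IMAGE_BASE = 0x00400000
OEP_VA = 0x004EB139                  # OEP reported in the thread
OEP_RVA = OEP_VA - IMAGE_BASE        # 0xEB139

# Stolen bytes as listed in the thread (15 bytes): PUSH EBP / MOV EBP,ESP /
# SUB ESP,14 / MOV [EBP-14],EAX / PUSH ECX / MOV EAX,4EABC8
STOLEN_OK = bytes.fromhex("55 8BEC 83EC14 8945EC 51 B8C8AB4E00")
# The same instructions as hiew assembled them for cerb: the MOV carries an SS
# override prefix (36), so the block is 16 bytes and its last byte lands on
# the E8 of the CALL at 004EB148.
STOLEN_BAD = bytes.fromhex("55 8BEC 83EC14 368945EC 51 B8C8AB4E00")
# Original code after the stolen bytes, from post #12: CALL 00406C5C /
# XOR EAX,EAX / PUSH EBP / PUSH 4EB1E3 / PUSH FS:[EAX] / MOV FS:[EAX],ESP
AFTER_STOLEN = bytes.fromhex("E80FBBF1FF 33C0 55 68E3B14E00 64FF30 648920")

# Assumed layout of the constructed dump: a single section that holds the OEP.
SECTION_RVA, SECTION_RAW, SECTION_SIZE = 0x000EB000, 0x400, 0x1000
OPT_ENTRY = 16                       # AddressOfEntryPoint offset in the optional header

def build_dump(stub_entry_rva=0x005E3000):
    """Minimal PE32 image standing in for the raw dump (constructed). The bytes
    at the OEP are zero, as in a dump whose protector stole them, and the real
    code resumes right after. stub_entry_rva is an assumed packer entry point."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, OPT_ENTRY, stub_entry_rva)
    struct.pack_into("<III", opt, 28, IMAGE_BASE, 0x1000, 0x200)  # base, alignments
    sect = struct.pack("<8sIIIIIIHHI", b".text", SECTION_SIZE, SECTION_RVA,
                       SECTION_SIZE, SECTION_RAW, 0, 0, 0, 0, 0x60000020)
    header = dos + b"PE\0\0" + coff + opt + sect
    header += b"\0" * (SECTION_RAW - len(header))
    body = bytearray(SECTION_SIZE)
    resume = OEP_RVA - SECTION_RVA + len(STOLEN_OK)
    body[resume:resume + len(AFTER_STOLEN)] = AFTER_STOLEN
    return header + body

def _pe_offset(data):
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if bytes(data[pe:pe + 4]) != b"PE\0\0":
        raise ValueError("not a PE image")
    return pe

def sections(data):
    """Yield (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)."""
    pe = _pe_offset(data)
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    first = pe + 24 + struct.unpack_from("<H", data, pe + 20)[0]
    for i in range(nsect):
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, first + 40 * i)
        yield va, vsize, rawptr, rawsize

def rva_to_offset(data, rva):
    """Map an RVA to a file offset; refuse RVAs with no raw data behind them."""
    for va, vsize, rawptr, rawsize in sections(data):
        if va <= rva < va + max(vsize, rawsize):
            if rva - va >= rawsize:
                raise ValueError(f"RVA {rva:#x} has no raw data to patch")
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def entry_point(data):
    return struct.unpack_from("<I", data, _pe_offset(data) + 24 + OPT_ENTRY)[0]

def set_entry_point(data, rva):
    struct.pack_into("<I", data, _pe_offset(data) + 24 + OPT_ENTRY, rva)

def stolen_block_fits(data, va, stolen, following_opcode=0xE8):
    """MaRKuS' check: right after the last stolen byte must sit the CALL (E8);
    a block of the wrong length would overwrite it."""
    off = rva_to_offset(data, va - IMAGE_BASE)
    return data[off + len(stolen)] == following_opcode

def fix_dump(data, oep_va, stolen):
    """Write the stolen bytes at the OEP and point AddressOfEntryPoint at it.
    Returns a patched copy; the input is left untouched."""
    if not stolen_block_fits(data, oep_va, stolen):
        raise ValueError(f"{len(stolen)}-byte block would overwrite code after {oep_va:#x}")
    patched = bytearray(data)
    off = rva_to_offset(patched, oep_va - IMAGE_BASE)
    patched[off:off + len(stolen)] = stolen
    set_entry_point(patched, oep_va - IMAGE_BASE)
    return patched

if __name__ == "__main__":
    dump = build_dump()
    fixed = fix_dump(dump, OEP_VA, STOLEN_OK)
    off = rva_to_offset(fixed, OEP_RVA)
    print(f"EP {entry_point(dump):#x} -> {entry_point(fixed):#x}, code at OEP: {fixed[off:off + 20].hex()}")
    try:
        fix_dump(dump, OEP_VA, STOLEN_BAD)      # cerb's 16-byte version with the 36 prefix
    except ValueError as err:
        print("rejected:", err)
```

On a real dump you would read the file into a bytearray, call fix_dump with the OEP and the bytes copied out of the debugger, and write the result back out; the IAT still has to be restored separately, as in the thread. The check only knows which opcode must follow the block, so for a target whose stolen bytes end before something other than a CALL, pass that opcode instead of the default E8.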

