Newbie question ASPR 1.23 RC4 (long!)
Hi all,
after reading a lot of tutorials and threads here and at woodmann about the above mentioned packer I've decided to try to unpack one prog on my own (Resource Builder 2.1, which you can download at hxxp://www.sicomponents.com) and failed completely. It would be very nice if someone could check the steps I've taken so far:

1. When loading the prog with Olly, it becomes clear that two packed DLLs are used. To get to the entry point of the exe I've used arz's anti-debug+lastex script. I've ended up at address 401000.

2. After another go with that script I've got to

       016139EC  XOR DWORD PTR DS:[EAX],EAX
       016139EE  POP DWORD PTR FS:[0]
       016139F5  POP EAX
       016139F6  CMP DWORD PTR DS:[1617EB0],0

   and put a BP on the next RETN; SHIFT-F9 got me there.

3. I've done a conditional trace with TC EIP<900000 and ended at

       004072DC  JMP DWORD PTR DS:[62A31C]
       004072E2  MOV EAX,EAX

   F8 took me back to the ASPR code; after another TC EIP<900000 I've landed here:

       004073B1  MOV DWORD PTR DS:[626668],EAX
       004073B6  MOV EAX,DWORD PTR DS:[626668]
       004073BB  MOV DWORD PTR DS:[6140D0],EAX
       004073C0  XOR EAX,EAX
       004073C2  MOV DWORD PTR DS:[6140D4],EAX
       004073C7  XOR EAX,EAX
       004073C9  MOV DWORD PTR DS:[6140D8],EAX
       004073CE  CALL app.00407394
       004073D3  MOV EDX,app.006140CC
       004073D8  MOV EAX,EBX
       004073DA  CALL Resbldr2.00404A04
       004073DF  POP EBX
       004073E0  RETN

   According to Labba's tut the value of EAX after execution of 4073D8 is important to reconstruct the stolen bytes, because that's the value EAX needs (here it's 612D9C). The RETN takes me to the fake OEP at 613664.

4. Now I've dumped the app with ProcDump.

5. I started ImpRec, selected the running app, did an IAT AutoSearch, changed the resulting RVA size to 1000, got the imports and fixed some of them with AutoTrace. There were still a lot of invalid ones. I've fixed those that pointed to ASPR code manually, and the rest (pointing to invalid code) were killed with Cut Thunks (the resulting tree is attached below). Now the dump from 4. was fixed.

6. Next, hunting for stolen bytes: I've tried it the Labba way (at the end of 2. do a TC REP STOS BYTE PTR ES:[EDI] to get to the place where the stolen bytes are erased, replace the command with JMP EDI and F8/NOP violations till you get to something like PUSH EBP; MOV EBP,ESP <- start of stolen bytes), but that didn't work, because I always end up at a JMP that sends me to Nirvana. What I did instead was logging the first trace in 3. The resulting run log ends with a lot of REP STOS BYTE PTR ES:[EDI], but just before those you can find the erased code, which is marked by Olly. So I've ended up with

       PUSH EBP
       MOV EBP,ESP
       SUB ESP,0x10
       MOV EAX,app.612D9C    (from 3.)

   Those stolen bytes (11 all in all) were put just before the call at 61365F; the OEP should then be 613654. I've fixed the OEP with LordPE's PE Editor and hoped everything was fine... but nada! Evidently something went utterly wrong. But what?? It would be nice if one of you experts could give me a hand on this one...

Thanks in advance
Wurstgote
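As an added example that is not part of Wurstgote's post or of any tool he names, the following Python helper does the last part of step 6 on a dumped PE32 programmatically: it writes the four recovered prologue instructions (11 bytes) at the chosen OEP and points AddressOfEntryPoint at them, which is what the LordPE edit plus a hex patch accomplish by hand. The x86 encoding of those instructions and the one-section test image are constructed here; the toy image is too small to hold the post's real OEP 613654, so the stand-alone run uses a smaller VA with the same image base.

```python
import struct

# Stolen bytes from the post, encoded here as x86 machine code (constructed encoding):
# push ebp; mov ebp,esp; sub esp,10h; mov eax,612D9Ch  -> 1+2+3+5 = 11 bytes
STOLEN = bytes.fromhex("558BEC83EC10B89C2D6100")

def _opt_hdr(pe: bytes) -> int:
    """Offset of the optional header: e_lfanew + 4-byte PE signature + 20-byte file header."""
    return struct.unpack_from("<I", pe, 0x3C)[0] + 24

def rva_to_offset(pe: bytes, rva: int) -> int:
    """Map an RVA to a raw file offset by walking the section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]          # NumberOfSections
    sec_tbl = _opt_hdr(pe) + struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # after SizeOfOptionalHeader
    for i in range(nsec):
        # VirtualAddress, SizeOfRawData, PointerToRawData sit at +12 in each 40-byte section header
        va, raw_size, raw_ptr = struct.unpack_from("<III", pe, sec_tbl + 40 * i + 12)
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def read_entry_point(pe: bytes) -> int:
    """AddressOfEntryPoint lives at optional header + 16."""
    return struct.unpack_from("<I", pe, _opt_hdr(pe) + 16)[0]

def restore_stolen_bytes(pe: bytes, image_base: int, oep_va: int, stolen: bytes) -> bytes:
    """Write the recovered prologue at oep_va and make it the entry point; returns the patched image."""
    rva = oep_va - image_base
    off = rva_to_offset(pe, rva)
    buf = bytearray(pe)
    buf[off:off + len(stolen)] = stolen
    struct.pack_into("<I", buf, _opt_hdr(buf) + 16, rva)
    return bytes(buf)

def build_minimal_pe(image_base=0x400000, sec_va=0x1000, raw_ptr=0x200, size=0x1000) -> bytes:
    """Constructed one-section PE32 skeleton used only to exercise the functions above."""
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)                             # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)                         # ImageBase
    sec = b".text".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", size, sec_va, size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec
    return headers.ljust(raw_ptr, b"\0") + b"\xCC" * size              # section body filled with int3

if __name__ == "__main__":
    img = restore_stolen_bytes(build_minimal_pe(), 0x400000, 0x401654, STOLEN)
    print(f"entry point -> {read_entry_point(img):#x}")
```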