#1
Entrypoint < 400000, then how to dump? [ASProtect 1.22 - 1.23 Beta 21]
I am trying to unpack "HandyFile Find and Replace Text Aid Kit" protected by ASProtect 1.22 - 1.23 Beta 21.
hxxp://www.silveragesoftware.com/ I guess this is the entrypoint: [edit]: I was wrong, this is not the entrypoint. When I trace in 003E3310, there are a lot of jumps just like aspr 1.23 RC4. Very confused. Code:
003F4858 55             push ebp                    ; HFFR.0045C3FC
003F4859 8BEC           mov ebp,esp
003F485B 83C4 B4        add esp,-4C
003F485E B8 38473F00    mov eax,3F4738
003F4863 E8 B007FFFF    call 003E5018
003F4868 E8 A3EAFEFF    call 003E3310
003F486D 8D40 00        lea eax,dword ptr ds:[eax]
003F4870 0000           add byte ptr ds:[eax],al
003F4872 0000           add byte ptr ds:[eax],al
003F4874 0000           add byte ptr ds:[eax],al
003F4876 0000           add byte ptr ds:[eax],al
003F4878 0000           add byte ptr ds:[eax],al
I could not use OllyDump nor LordPE to dump the 003XXXX code. Another similar question: I have read the tut "Unpacking_ASProtect_1.23-1.3.08.24_RC4_Adding_Section_By_Ferrari". Why can we not dump the section that is added? When aspr unpacked the code, it added many sections. Could we dump all the sections, so we need not "add section" to repair the crash? Regards, A confused poor guy.. Last edited by winndy; 12-12-2005 at 15:54.
#2
target version 3.2 sr6
MD5= 063220da662761f8ab27c92d57f68a49 ; HFFR.exe
last exception:
03A12CF2 31C0           XOR EAX,EAX
03A12CF4 64:FF30        PUSH DWORD PTR FS:[EAX]
03A12CF7 64:8920        MOV DWORD PTR FS:[EAX],ESP
03A12CFA 3100           XOR DWORD PTR DS:[EAX],EAX
Dunno what you have been doing, but I put a memory bp on the 2nd section, passed the last exception to the program and landed here:
oep:
00432236 55             PUSH EBP
00432237 8BEC           MOV EBP,ESP
00432239 6A FF          PUSH -1
0043223B 68 F04A4000    PUSH HFFR.00404AF0
00432240 68 FA214300    PUSH HFFR.004321FA          ; JMP to msvcrt._except_handler3
00432245 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0043224B 50             PUSH EAX
0043224C 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
00432253 83EC 68        SUB ESP,68
00432256 53             PUSH EBX
00432257 56             PUSH ESI
00432258 57             PUSH EDI
00432259 8965 E8        MOV DWORD PTR SS:[EBP-18],ESP
0043225C 33DB           XOR EBX,EBX
0043225E 895D FC        MOV DWORD PTR SS:[EBP-4],EBX
00432261 6A 02          PUSH 2
00432263 FF15 E8174000  CALL DWORD PTR DS:[4017E8]  ; msvcrt.__set_app_type
MS VC target...
anti-dump:
004222EA FFD0           CALL EAX                    //nop it otherwise you will get funny MsgBox: "Shame On You" "Protection not found !"
Last edited by hosiminh; 12-12-2005 at 17:10.
#3
But when I press F9, it runs. No exception!
Is there a problem with my OD exception configuration? I ticked all the checkboxes in the exception configuration panel, and added these custom exceptions:
[0]=000006BA,000006BA
[1]=0009B25C,0009B25C
[2]=0012FB14,0012FB14
[3]=0082A9A0,0082A9A0
[4]=00953D74,00953D74
[5]=0EEDFADE,0EEDFADE
[6]=80000002,80000002
[7]=80000004,80000004
[8]=C0000008,C0000008
[9]=C000001E,C000001E
BTW: my target is the Text Aid Kit edition. Thanks, hosiminh, I love you. regards
#4
Under Options -> Debugging options -> tick only "Ignore memory access violation in KERNEL32" ...
Next time check the "Log window" when your target runs...
#5
I got it!
Once again a brave knight saved a poor guy... And I removed the Nag. Code:
00422370 A1 207A4300    mov eax,dword ptr ds:[437A20]                ==>patch here
00422375 50             push eax
00422376 FF15 CC104000  call dword ptr ds:[<&kernel32.lstrlen>]     ; kernel32.lstrlenA
0042237C 85C0           test eax,eax
0042237E 75 0E          jnz short HFFR_d__.0042238E                  ===>must jump
00422380 50             push eax
00422381 A3 08BE4000    mov dword ptr ds:[40BE08],eax
00422386 E8 D5000000    call HFFR_d__.00422460                       ===>Nag window
Let's see the memory:
00437A20 61 38 3E 00 00 00 00 00 a8>.....
00437A28 00 00 00 00 00 00 00 00 ........
Patch it:
00437A20 28 7A 43 00 00 00 00 00 (zC.....
00437A28 77 69 6E 6E 64 79 00 00 winndy..
No more Nags. It's your honour, hosiminh. Regards
#6
About those addresses where aspr reads the user name (if/when regged)... is there any generic way to find this particular asm instruction:
mov e??,dword ptr ds:[someaddress] ? Last edited by hosiminh; 12-13-2005 at 21:26.
#7
Well, debug and run, and an access violation will happen because there will be a 0 address, so you must put something there where you put the nick, for example with hiew.
#8
Quote:
That's at least my approach on every asprotected target.
#9
Quote:
OllyDump and LordPE could not dump it. That's a problem that troubled me. The second is: could you explain in more detail the virtual .exe you mentioned? Quote:
------------ Regards
#10
Quote:
can put your nick name. And whether there is a general method. I think hosiminh means that.
#11
Quote:
Right click --> Search for --> All commands, type in there mov r32,dword ptr ds:[const] and hit Find. OllyDbg will pop up another window with all those commands that match the pattern. Code:
Found commands
Address  Disassembly                     Comment
00401000 JMP SHORT OLLYDBG.00401012      (Initial CPU selection)
00401012 MOV EAX,DWORD PTR DS:[4B011B]   [004B011B]=00000000
00401066 MOV EAX,DWORD PTR DS:[4B0123]   [004B0123]=00000000
00401140 MOV EAX,DWORD PTR DS:[4B011B]   [004B011B]=00000000
004014EF MOV ESI,DWORD PTR DS:[4CD280]   DS:[004CD280]=00000000
Change the command to mov eax,dword ptr ds:[const]. Code:
Found commands
Address  Disassembly                     Comment
00401000 JMP SHORT OLLYDBG.00401012      (Initial CPU selection)
00401012 MOV EAX,DWORD PTR DS:[4B011B]   [004B011B]=00000000
00401066 MOV EAX,DWORD PTR DS:[4B0123]   [004B0123]=00000000
00401140 MOV EAX,DWORD PTR DS:[4B011B]   [004B011B]=00000000
0040196F MOV EAX,DWORD PTR DS:[4CD280]   [004CD280]=0000000
Code:
Found commands
Address  Disassembly                     Comment
00401000 JMP SHORT OLLYDBG.00401012      (Initial CPU selection)
00414B60 MOV EBP,DWORD PTR DS:[4CD420]   DS:[004CD420]=00000000
00418E7A MOV EBP,DWORD PTR DS:[4D8144]   DS:[004D8144]=00000000
0049CE40 MOV EBP,DWORD PTR DS:[4E3030]   DS:[004E3030]=00000000
Hope that's what you were looking for. Last edited by JuneMouse; 12-14-2005 at 22:58.
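The same "mov r32,dword ptr ds:[const]" search done on a raw code blob instead of in the OllyDbg window, as an added example (not JuneMouse's code and not an OllyDbg feature). It matches the two x86 encodings behind that pattern and can be narrowed to one register the way the search box was; the sample bytes and base address are constructed here, so the addresses it reports are illustrative only.

```python
# Byte-pattern search for "mov r32,dword ptr ds:[const]" over a raw code blob.
# Constructed example, not JuneMouse's code or an OllyDbg feature.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def find_abs_loads(code, base, reg=None):
    """Return [(va, reg, target)] for every absolute-address 32-bit load.

    Two encodings cover the pattern the OllyDbg search reports:
      A1 disp32        mov eax,[disp32]   (short form, eax only)
      8B /r disp32     mov r32,[disp32]   with ModRM mod=00, rm=101
    `base` is the VA of code[0]; `reg` narrows the result the way changing
    "r32" to "eax" or "ebp" in the search box does.  Caveat: this is a linear
    byte scan, not a disassembler, so a hit may start inside another
    instruction's operand; the debugger's search does not have that problem.
    """
    hits = []
    i = 0
    while i + 5 <= len(code):
        if code[i] == 0xA1:
            hits.append((base + i, "eax", int.from_bytes(code[i+1:i+5], "little")))
            i += 5
        elif code[i] == 0x8B and i + 6 <= len(code) and (code[i+1] & 0xC7) == 0x05:
            r = REGS[(code[i+1] >> 3) & 7]
            hits.append((base + i, r, int.from_bytes(code[i+2:i+6], "little")))
            i += 6
        else:
            i += 1
    return [h for h in hits if reg is None or h[1] == reg]

# Constructed sample: the lstrlen fragment from post #5 followed by two of the
# ebp/esi loads from the listings above, re-encoded and concatenated here at a
# made-up base, so the reported addresses do not match the real file layout.
SAMPLE_CODE = bytes.fromhex(
    "a1207a4300"      # mov eax,[437A20]
    "50"              # push eax
    "ff15cc104000"    # call dword ptr [4010CC]
    "85c0"            # test eax,eax
    "750e"            # jnz short +0E
    "8b2d20d44c00"    # mov ebp,[4CD420]
    "8b3580d24c00"    # mov esi,[4CD280]
)
SAMPLE_BASE = 0x00401000
```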
#12
You can dump that part of memory, but here are a few tricks:
1st: virtual.exe is extracted by aspack before the original asprotect gains control.
2nd: when you reach that entrypoint you may use "dump regions" in LordPE to dump the code.
3rd: now that you have the dumped region you have to fix the PE header; actually you have to add a completely new PE header, b/c in the dump there is no PE header (deleted).
4th: fix imports by examining the aspack import loading process. We know that aspack keeps the whole import table, so dump it, apply that to the newly dumped file, fix the import RVA in the PE header and voila, you can load that exe in IDA with all imports.
Here is an example of the virtual.exe used in Serv-u asprotect 2.1 ske: http://rapidshare.de/files/8713096/dumped.rar.html
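The 3rd step above (the dumped region has no PE header, so a new one must be added) as an added example, not code from the thread or from LordPE: it wraps a raw region dump in a minimal PE32 with one section mapped back to the virtual address it was dumped from, so IDA can load it with correct absolute addresses. The region bytes, base and entry address are constructed samples; import repair (the 4th step) is not covered.

```python
import struct

# Added example: wrap a raw "dump region" image (no PE header) in a minimal PE32
# so a loader or IDA maps it at the address it was dumped from.
SECTION_ALIGN = 0x1000
FILE_ALIGN = 0x200

def align_up(n, a):
    return (n + a - 1) // a * a

def build_pe_from_region(dump, region_base, entry_va):
    """ImageBase is set one page below the region, so the single section sits at
    RVA 0x1000 and every absolute address inside the dump stays valid."""
    image_base = region_base - SECTION_ALIGN
    hdr_size = align_up(0x40 + 4 + 20 + 224 + 40, FILE_ALIGN)  # DOS+PE+1 section
    raw_size = align_up(len(dump), FILE_ALIGN)
    virt_size = align_up(len(dump), SECTION_ALIGN)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> "PE\0\0"
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, EXE
    opt_hdr = struct.pack(
        "<HBB6I3I6H4I2H4I2I",
        0x10B, 0, 0,                                        # PE32 magic, linker ver
        raw_size, 0, 0, entry_va - image_base, SECTION_ALIGN, 0,
        image_base, SECTION_ALIGN, FILE_ALIGN,
        4, 0, 0, 0, 4, 0,                                   # OS / subsystem 4.0
        0, SECTION_ALIGN + virt_size, hdr_size, 0,          # SizeOfImage, SizeOfHeaders
        2, 0,                                               # GUI subsystem
        0x100000, 0x1000, 0x100000, 0x1000,                 # stack/heap reserve+commit
        0, 16,
    ) + bytes(128)                                          # 16 empty data directories
    sect = struct.pack("<8sIIIIIIHHI", b".dump", len(dump), SECTION_ALIGN,
                       raw_size, hdr_size, 0, 0, 0, 0, 0xE0000020)  # CODE|RWX
    headers = bytes(dos) + b"PE\0\0" + file_hdr + opt_hdr + sect
    return headers.ljust(hdr_size, b"\0") + dump.ljust(raw_size, b"\0")

def read_layout(pe):
    # Read back the fields a loader uses, to check the rebuilt header.
    opt = struct.unpack_from("<I", pe, 0x3C)[0] + 4 + 20
    sect = opt + 224
    return {"entry_rva": struct.unpack_from("<I", pe, opt + 16)[0],
            "image_base": struct.unpack_from("<I", pe, opt + 28)[0],
            "section_va": struct.unpack_from("<I", pe, sect + 12)[0],
            "raw_ptr": struct.unpack_from("<I", pe, sect + 20)[0]}

# Constructed sample region (a prologue plus NOP padding), pretending it was
# dumped from 003E0000, inside the 003Xxxxx range post #1 could not dump.
SAMPLE_REGION = bytes.fromhex("558bec") + b"\x90" * 0x300
SAMPLE_PE = build_pe_from_region(SAMPLE_REGION, 0x003E0000, 0x003E0000)
```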
#13
"The second is: could you explain in more detail the virtual .exe you mentioned?"
These protections hold the protection code in a true executable image, which performs the dirty work. You could trace the aspr OEP protection (very funny) for the version you mention by locating the pushed address execution list and analysing the last one, the one that mingles with the OEP protection.
#14
OK.
I'll take a careful look at the code. Thanks all. Regards |