Exetools
#1
12-12-2005, 15:15
winndy
Entrypoint < 400000, then how to dump? [ASProtect 1.22 - 1.23 Beta 21]

I am trying to unpack "HandyFile Find and Replace Text Aid Kit", protected by ASProtect 1.22 - 1.23 Beta 21.
hxxp://www.silveragesoftware.com/

I guess this is the entrypoint:
[edit]: I was wrong, this is not the entrypoint. When I trace into 003E3310, there are
a lot of jumps, just like aspr 1.23 RC4. Very confused.
Code:
003F4858     55                push ebp                        ; HFFR.0045C3FC
003F4859     8BEC              mov ebp,esp
003F485B     83C4 B4           add esp,-4C
003F485E     B8 38473F00       mov eax,3F4738
003F4863     E8 B007FFFF       call 003E5018
003F4868     E8 A3EAFEFF       call 003E3310
003F486D     8D40 00           lea eax,dword ptr ds:[eax]
003F4870     0000              add byte ptr ds:[eax],al
003F4872     0000              add byte ptr ds:[eax],al
003F4874     0000              add byte ptr ds:[eax],al
003F4876     0000              add byte ptr ds:[eax],al
003F4878     0000              add byte ptr ds:[eax],al
The Imagebase is 00400000.
I could not use OllyDump or LordPE to dump the 003XXXXX code.

Another similar question: I have read the tut
"Unpacking_ASProtect_1.23-1.3.08.24_RC4_Adding_Section_By_Ferrari".
Why can't we dump the section that is added?
When aspr unpacks the code, it adds many sections. Could we dump
all the sections, so we need not "add section" to repair the crash?

Regards

A confused poor guy..

#2
12-12-2005, 16:47
hosiminh
target version 3.2 sr6
MD5= 063220da662761f8ab27c92d57f68a49 ; HFFR.exe


last exception:
03A12CF2 31C0 XOR EAX,EAX
03A12CF4 64:FF30 PUSH DWORD PTR FS:[EAX]
03A12CF7 64:8920 MOV DWORD PTR FS:[EAX],ESP
03A12CFA 3100 XOR DWORD PTR DS:[EAX],EAX

Dunno what you have been doing, but I put a memory bp on the 2nd section, passed the last exception to the program and landed here:

oep:
00432236 55 PUSH EBP
00432237 8BEC MOV EBP,ESP
00432239 6A FF PUSH -1
0043223B 68 F04A4000 PUSH HFFR.00404AF0
00432240 68 FA214300 PUSH HFFR.004321FA ; JMP to msvcrt._except_handler3
00432245 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0043224B 50 PUSH EAX
0043224C 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
00432253 83EC 68 SUB ESP,68
00432256 53 PUSH EBX
00432257 56 PUSH ESI
00432258 57 PUSH EDI
00432259 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
0043225C 33DB XOR EBX,EBX
0043225E 895D FC MOV DWORD PTR SS:[EBP-4],EBX
00432261 6A 02 PUSH 2
00432263 FF15 E8174000 CALL DWORD PTR DS:[4017E8] ; msvcrt.__set_app_type

MS VC target...

anti-dump
004222EA FFD0 CALL EAX //nop it

otherwise you will get funny MsgBox:
"Shame On You"
"Protection not found !"

#3
12-12-2005, 17:18
winndy
But when I press F9, it runs, no exception!
Is something wrong with my OD's exception configuration?

I ticked all the checkboxes in the exception configuration panel
and added these custom exceptions:

[0]=000006BA,000006BA
[1]=0009B25C,0009B25C
[2]=0012FB14,0012FB14
[3]=0082A9A0,0082A9A0
[4]=00953D74,00953D74
[5]=0EEDFADE,0EEDFADE
[6]=80000002,80000002
[7]=80000004,80000004
[8]=C0000008,C0000008
[9]=C000001E,C000001E

BTW: my target is the Text Aid Kit edition.


Thanks, hosiminh, I love you.

regards
#4
12-12-2005, 17:36
hosiminh
Under Options -> Debugging options -> tick only "Ignore memory access violation in KERNEL32" ...

Next time check "Log window" when your target runs...
#5
12-12-2005, 18:38
winndy
I got it!
Once again a brave knight saved a poor guy...

And I removed the Nag.
Code:
00422370     A1 207A4300         mov eax,dword ptr ds:[437A20]                ==> patch here
00422375     50                  push eax
00422376     FF15 CC104000       call dword ptr ds:[<&kernel32.lstrlen>]      ; kernel32.lstrlenA
0042237C     85C0                test eax,eax
0042237E     75 0E               jnz short HFFR_d__.0042238E                  ==> must jump
00422380     50                  push eax
00422381     A3 08BE4000         mov dword ptr ds:[40BE08],eax
00422386     E8 D5000000         call HFFR_d__.00422460                       ==> Nag window

let's see the memory:
00437A20  61 38 3E 00 00 00 00 00  a8>.....
00437A28  00 00 00 00 00 00 00 00  ........

Patch it:
00437A20  28 7A 43 00 00 00 00 00  (zC.....
00437A28  77 69 6E 6E 64 79 00 00  winndy..

No more Nags.
It's your honour, hosiminh.

Regards
#6
12-13-2005, 21:10
hosiminh
About those addresses where aspr reads the user name (if/when regged)... is there any generic way to find this particular asm instruction:
mov e??,dword ptr ds:[someaddress] ?

#7
12-14-2005, 00:02
Human
Well, debug and run, and an access violation will happen because there will be a 0 address there, so you must put something there where you put the nick, for example with hiew.
#8
12-14-2005, 02:02
deroko
Quote:
Originally Posted by winndy
Code:
003F4858     55                push ebp                        ; HFFR.0045C3FC
003F4859     8BEC              mov ebp,esp
003F485B     83C4 B4           add esp,-4C
003F485E     B8 38473F00       mov eax,3F4738
003F4863     E8 B007FFFF       call 003E5018
003F4868     E8 A3EAFEFF       call 003E3310
003F486D     8D40 00           lea eax,dword ptr ds:[eax]
This is just asprotect virtual .exe extracted by aspr itself into memory, same as secure.dll in armadillo. All protection is in it, so dumping it and analyzing it is a good way to understand how asprotect works.

That's at least my approach on every asprotected target.
#9
12-14-2005, 12:20
winndy
Quote:
Originally Posted by deroko
This is just asprotect virtual .exe extracted by aspr itself into memory, same as secure.dll in armadillo. All protection is in it, so dumping it and analyzing it is a good way to understand how asprotect works.

That's at least my approach on every asprotected target.
But the imagebase is 003XXXXX, < 00400000;
OllyDump and LordPE could not dump it.
That's a problem that troubled me.

The second is: could you explain more details about the virtual .exe you mentioned?
Quote:
That's at least my approach on every asprotected target.
Need some tuts.

Regards
#10
12-14-2005, 12:28
winndy
Quote:
Originally Posted by Human
well debug and run and access violation will happen due there will be 0 address so you must put some there where you puted nick for example with hiew
The problem is how you could find the exact access violation where you
can put your nick name, and whether there is a general method.
I think hosiminh means that.
#11
12-14-2005, 22:49
JuneMouse
Quote:
Originally Posted by hosiminh
About those address where aspr reads user name (if/when regged) ... is there any generic way to find this particular asm instruction:
mov e??,dword ptr ds:[someaddress] ?
You mean in OllyDbg? If yes, then you can try this out:
right click --> Search for --> All commands,
type in there mov r32,dword ptr ds:[const]
and hit Find.

OllyDbg will pop up another window with all the commands that match the pattern.

Code:
Found commands
Address    Disassembly                               Comment
00401000   JMP SHORT OLLYDBG.00401012                (Initial CPU selection)
00401012   MOV EAX,DWORD PTR DS:[4B011B]             [004B011B]=00000000
00401066   MOV EAX,DWORD PTR DS:[4B0123]             [004B0123]=00000000
00401140   MOV EAX,DWORD PTR DS:[4B011B]             [004B011B]=00000000
004014EF   MOV ESI,DWORD PTR DS:[4CD280]             DS:[004CD280]=00000000
If you prefer only those that are moved to eax,
change the command to
mov eax,dword ptr ds:[const]
Code:
Found commands
Address    Disassembly                               Comment
00401000   JMP SHORT OLLYDBG.00401012                (Initial CPU selection)
00401012   MOV EAX,DWORD PTR DS:[4B011B]             [004B011B]=00000000
00401066   MOV EAX,DWORD PTR DS:[4B0123]             [004B0123]=00000000
00401140   MOV EAX,DWORD PTR DS:[4B011B]             [004B011B]=00000000
0040196F   MOV EAX,DWORD PTR DS:[4CD280]             [004CD280]=0000000
And so on, viz. I searched for register ebp below:

Code:
Found commands
Address    Disassembly                               Comment
00401000   JMP SHORT OLLYDBG.00401012                (Initial CPU selection)
00414B60   MOV EBP,DWORD PTR DS:[4CD420]             DS:[004CD420]=00000000
00418E7A   MOV EBP,DWORD PTR DS:[4D8144]             DS:[004D8144]=00000000
0049CE40   MOV EBP,DWORD PTR DS:[4E3030]             DS:[004E3030]=00000000

Hope that's what you were looking for.

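The same "mov r32,dword ptr ds:[const]" search, done outside the debugger over raw bytes of a dumped region, as an added example that is not part of the thread. It matches the two x86-32 encodings of that instruction shape; the sample bytes and the base address are constructed from listings quoted in this thread, and the byte-level sweep has no instruction boundaries, so hits are candidates to confirm in a disassembler.

```python
# Added example (not from the thread): find "mov r32, dword ptr ds:[imm32]"
# in raw x86-32 code, mirroring OllyDbg's "Search for -> All commands".
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def match_mov_r32_mem32(code: bytes, off: int):
    """Decode one 'mov r32, [disp32]' starting at `off`, if present.

    Two encodings exist:
      A1 <moffs32>          mov eax, [moffs32]   (5 bytes, eax only)
      8B <modrm> <disp32>   mov r32, [disp32]    (6 bytes), modrm = 00 reg 101
                            (mod=00, rm=101 means disp32 with no base register)
    Returns (length, register, address) or None.
    """
    if off + 5 <= len(code) and code[off] == 0xA1:
        return 5, "eax", struct.unpack_from("<I", code, off + 1)[0]
    if off + 6 <= len(code) and code[off] == 0x8B:
        modrm = code[off + 1]
        if modrm & 0xC7 == 0x05:  # mod == 00 and rm == 101
            reg = REGS[(modrm >> 3) & 7]
            return 6, reg, struct.unpack_from("<I", code, off + 2)[0]
    return None


def find_global_reads(code: bytes, base: int, reg: str = None):
    """Linear sweep over `code` mapped at virtual address `base`.

    Returns [(va, register, address)]; `reg` narrows to one register, like
    changing the search to 'mov eax,dword ptr ds:[const]' in the post.
    A match inside a longer instruction or in data is possible, so treat
    hits as candidates and confirm them in a disassembler.
    """
    hits, off = [], 0
    while off < len(code):
        m = match_mov_r32_mem32(code, off)
        if m and (reg is None or m[1] == reg):
            hits.append((base + off, m[1], m[2]))
            off += m[0]
        else:
            off += 1
    return hits


# Constructed sample: winndy's nag listing (A1 207A4300 ... E8 D5000000)
# followed by one 'mov ebp,[4CD420]' (8B 2D 20D44C00) from JuneMouse's list.
SAMPLE = bytes.fromhex("A1207A43 00 50 FF15CC104000 85C0 750E 50 A308BE4000 E8D5000000 8B2D20D44C00")
SAMPLE_BASE = 0x00422370

if __name__ == "__main__":
    for va, r, addr in find_global_reads(SAMPLE, SAMPLE_BASE):
        print(f"{va:08X}  mov {r},dword ptr ds:[{addr:X}]")
```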
#12
12-14-2005, 23:00
deroko
You can dump that part of memory, but here are a few tricks:
1st, virtual.exe is extracted by aspack before the original asprotect gains control.
2nd, when you reach that entrypoint you can use "dump regions" in LordPE to dump the code.
3rd, now that you have the dumped region you have to fix the PE header; actually you have to add a completely new PE header, because in the dump there is no PE header (deleted).
4th, fix imports by examining the aspack import loading process. We know that aspack keeps the whole import table, so dump it, apply that to the newly dumped file, fix the import RVA in the PE header, and voila, you can load that exe in IDA with all imports.

here is example of virtual.exe used in Serv-u asprotect 2.1 ske :
http://rapidshare.de/files/8713096/dumped.rar.html
#13
12-15-2005, 02:04
Maximus
"The second is: could you explain more details about the virtual .exe you mentioned?"
These protections hold the protection code in a true executable image that performs the dirty work.
You could trace aspr's OEP protection (very funny) for the version you mention by locating the pushed-address execution list and analysing the last one, the one that mingles with OEP protection.
#14
12-15-2005, 22:12
winndy
OK.
I'll take a careful look at the code.

Thanks all.

Regards