#1
Still need help with Asprotect
Wondering if someone could help me with this target. I thought I'd learned a lot from the WTM CD Protect V1.54 tut of LaBBas, but I can't seem to get the OEP for the following. PEiD reports the OEP at 00417338, but nothing leads me there by tracing:

Registry Defragmentation for Windows 95-XP, Version 5.0b
Authors: Nick Nifontov, Alexander Berezovsky
Copyright © Elcor Software 2001-2004
hxxp://www.elcor.net/

This is what I tried so far: Shift+F9 26 times, breakpoint on RETN, then Shift+F9, trace with TC EIP<900000, Ctrl+A (analyse), and then you are here:

    0040531C $-FF25 44B24100    JMP DWORD PTR DS:[41B244]
    00405322   8BC0             MOV EAX,EAX
    00405324 $-FF25 40B24100    JMP DWORD PTR DS:[41B240]
    0040532A   8BC0             MOV EAX,EAX
    0040532C $-FF25 3CB24100    JMP DWORD PTR DS:[41B23C]
    00405332   8BC0             MOV EAX,EAX
    00405334 $-FF25 38B24100    JMP DWORD PTR DS:[41B238]
    0040533A   8BC0             MOV EAX,EAX
    0040533C /$ 50              PUSH EAX
    0040533D |. 6A 40           PUSH 40
    0040533F |. E8 E0FFFFFF     CALL RegDefra.00405324
    00405344 \. C3              RETN

F8 one time, and you are here:

    009A1C64 55                 PUSH EBP
    009A1C65 8BEC               MOV EBP,ESP
    009A1C67 8B45 08            MOV EAX,DWORD PTR SS:[EBP+8]
    009A1C6A 85C0               TEST EAX,EAX
    009A1C6C 75 13              JNZ SHORT 009A1C81
    009A1C6E 813D A47A9A00 00>  CMP DWORD PTR DS:[9A7AA4],400000   ; ASCII "MZP"
    009A1C78 75 07              JNZ SHORT 009A1C81
    009A1C7A A1 A47A9A00        MOV EAX,DWORD PTR DS:[9A7AA4]
    009A1C7F EB 06              JMP SHORT 009A1C87
    009A1C81 50                 PUSH EAX
    009A1C82 E8 3135FFFF        CALL 009951B8                      ; JMP to kernel32.GetModuleHandleA
    009A1C87 5D                 POP EBP
    009A1C88 C2 0400            RETN 4

Press F8 to the RET command and you are here:

    004053F1 . A3 10A74100      MOV DWORD PTR DS:[41A710],EAX      ; RegDefra.00400000
    004053F6 . A1 10A74100      MOV EAX,DWORD PTR DS:[41A710]
    004053FB . A3 8C904100      MOV DWORD PTR DS:[41908C],EAX
    00405400 . 33C0             XOR EAX,EAX
    00405402 . A3 90904100      MOV DWORD PTR DS:[419090],EAX
    00405407 . 33C0             XOR EAX,EAX
    00405409 . A3 94904100      MOV DWORD PTR DS:[419094],EAX
    0040540E . E8 C1FFFFFF      CALL RegDefra.004053D4
    00405413 . BA 88904100      MOV EDX,RegDefra.00419088
    00405418 . 8BC3             MOV EAX,EBX
    0040541A . E8 9DE5FFFF      CALL RegDefra.004039BC
    0040541F . 5B               POP EBX
    00405420 . C3               RETN

Dump full with LordPE, then F8 till after the RETN, and you are at the fake OEP, I thought:

    00418E88 E8    DB E8

Tried fixing the import table here without success; ImpREC gives me the message "nothing good here". Tried IAT autosearch, and also tried entering the OEP I thought I had found.

britedream's OEP finder script ends here:

    0040531C FF    DB FF

After Ctrl+A:

    0040531C $-FF25 44B24100    JMP DWORD PTR DS:[41B244]
    00405322   8BC0             MOV EAX,EAX
    00405324 $-FF25 40B24100    JMP DWORD PTR DS:[41B240]
    0040532A   8BC0             MOV EAX,EAX
    0040532C $-FF25 3CB24100    JMP DWORD PTR DS:[41B23C]
    00405332   8BC0             MOV EAX,EAX
    00405334 $-FF25 38B24100    JMP DWORD PTR DS:[41B238]
    0040533A   8BC0             MOV EAX,EAX
    0040533C /$ 50              PUSH EAX
    0040533D |. 6A 40           PUSH 40
    0040533F |. E8 E0FFFFFF     CALL RegDefra.00405324
    00405344 \. C3              RETN

Has anyone else tried this target, and can they give me a few tips on where to go from here?
#2
Hi,
my script is stopping at the right place, but please read the msg that it displays. It says "click on the 'k' at the toolbar; if it is not empty then double click on the last address you see there", then the stolen bytes and the OEP are above where you land. Or follow the recent tut made by R@dier. Regards.

Note: here is the OEP + stolen bytes on my PC:

    00418E78 55              PUSH EBP
    00418E79 8BEC            MOV EBP,ESP
    00418E7B 83C4 F0         ADD ESP,-10
    00418E7E B8 808D4100     MOV EAX,RegDefra.00418D80

Note 2: Please remove analysis if it is done, otherwise the address you will see inside the K, if any, will not be the correct one.

Last edited by britedream; 03-06-2004 at 20:33.
#3
@Pompeyfan
If you followed R@dier's tut and, after writing the stolen bytes, set New Origin Here and dumped the process, and you get the above error, then I think you have not entered the OEP --> 18E78 and then clicked IAT Search. I got it that way.

@britedream
PEiD scan shows that there are a total of four exes which are ASPR'd, viz. RegDefrag.exe, RegBackup.exe, RegDfrgSch.exe, SysBackup.exe. As per R@dier's tut and your instructions I unpacked RegDefrag.exe, but it won't run. I don't get any messages; nothing happens if I double click it. Is that right, britedream? If yes, that means I unpacked it correctly. So I thought that for the app to run I have to unpack the other 3 also. I unpacked RegBackup.exe and RegDfrgSch.exe correctly, I guess, because the same thing happens if I try to run them. But when I load SysBackup.exe in Olly it fails and gives me some "DLL not found" error. Do you get the same error? Can you explain why?
#4
Hi ferrari,
the programs have ASPR's checksum protection; you are going to need to debug the proggy to get it to run. I have had a quick go at it and currently get the attached error message. I will try to have a closer look tomorrow.
Best wishes,
R@dier
#5
Thanks for the replies guys, I'll try this again later today.
#6
Quote:
#7
Please right click on the CPU pane and check the analysis option; if it says "remove analysis", please do so.
#8
Hi ferrari,
no need to unpack those files for RegDefrag.exe to start up correctly; just try to overcome the protection in the RegDefrag exe (it should display the msg that R@dier posted). Regards.

Last edited by britedream; 03-07-2004 at 16:44.
#9
R@dier and Britedream:
Okay, I think I unpacked it correctly this time. When I run 'RegToolkit.exe' and from there try to run 'RegDefrag.exe', I get the same error message as R@dier. I have attached the IAT tree. Please check if it's correct, and also please explain how to get rid of this checksum thing. Thank you.
#10
IAT starts at 1b168.
#11
Quote:
#12
I get the attached message when I try to do any tracing with this program, whether by the TC<900000 or by tracing as per R@dier's latest tut. Why would that be?
#13
Hi,
if you are referring to RegDefrag, it is not the best program you can tackle. When I looked at it the first time, I saw 16 checks leading to the error R@dier posted, which will consume your time trying to fix. If you would like to see that, just bp on ShowWindow, look at the stack and go to the msg, take the reference, and you will see those references to the error msg R@dier posted (not only that, but there are more things to fix). My advice to you is to go with less protection till you firmly grasp unpacking, and work your way up to that. Regards.

Last edited by britedream; 03-08-2004 at 14:17.
#14
Interesting, sounds like I did pick a hard one, didn't I? Not sure what went wrong last time, but I tried it again this arvo and got to the same stage as R@dier and ferrari, no probs. Guess I'd better decide, in light of what you said, whether I want to let this one go for a while; kinda depends on what the others decide, I think.
Thanks for your help anyway, I think I have learned a bit out of this thread so far.
#15
One interesting thing: if you unpack with Stripper, you get this info on the import table:

    16:31:08 - processing import table..
    ImportAddressTable RVA :0001b168 - kernel32.dll
    ImportAddressTable RVA :0001b204 - user32.dll
    ImportAddressTable RVA :0001b218 - advapi32.dll
    ImportAddressTable RVA :0001b228 - oleaut32.dll
    ImportAddressTable RVA :0001b238 - kernel32.dll
    ImportAddressTable RVA :0001b24c - advapi32.dll
    ImportAddressTable RVA :0001b284 - kernel32.dll
    ImportAddressTable RVA :0001b36c - version.dll
    ImportAddressTable RVA :0001b37c - gdi32.dll
    ImportAddressTable RVA :0001b400 - user32.dll
    ImportAddressTable RVA :0001b52c - shell32.dll
    ImportAddressTable RVA :0001b534 - ole32.dll
    ImportAddressTable RVA :0001b540 - comctl32.dll
    ImportAddressTable RVA :0001b548 - shell32.dll
    ImportAddressTable RVA :0001b558 - comctl32.dll
    ImportAddressTable RVA :0001b568 - winmm.dll
    ImportAddressTable RVA :0001b570 - advapi32.dll
    16:31:09 - fixing import table..
    ImportAddress RVA :0001b1ac - kernel32.dll!GetModuleHandleA
    ImportAddress RVA :0001b1bc - kernel32.dll!GetCommandLineA
    ImportAddress RVA :0001b244 - kernel32.dll!GetModuleHandleA
    ImportAddress RVA :0001b304 - kernel32.dll!GetModuleHandleA
    ImportAddress RVA :0001b32c - kernel32.dll!GetCurrentProcess
    ImportAddress RVA :0001b330 - kernel32.dll!GetCommandLineA

Whereas when I manually unpack it, I get the same result as ferrari, noting that britedream states that the IAT starts at 0001b168, rather than 0001b238.
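The thread never quite settles where the IAT of this dump starts (post #10 says 1b168, Stripper's log lists a kernel32 block at 0001b238, and the thunks in post #1 point at 41B238..41B244). Below is an added example, written for this page and not code from the thread, from Stripper, or from ImpREC, that shows how such a bound can be derived from the code itself rather than guessed: Delphi binaries (the "MZP" signature in post #1 marks RegDefrag.exe as one) call imports through a table of FF 25 disp32 (JMP DWORD PTR DS:[disp32]) thunks, each padded with 8B C0, and every disp32 is the virtual address of one IAT slot. Scanning a code section for those thunks and taking the lowest and highest slot gives the "IAT start" and "size" an import fixer needs. The image base 0x400000 and the section bytes are assumptions reconstructed from the listing at 0040531C in post #1; the FF 15 (CALL DWORD PTR) form is also handled because non-Delphi code uses it, which is a generalisation beyond what the thread shows.

```python
"""Find IAT bounds by scanning x86 code for import thunks.

Added example for this thread; not from any tool mentioned in it.
Assumed: image base 0x400000 (RegDefra.00400000 in post #1) and a code
fragment rebuilt from the hex bytes listed at 0040531C in post #1.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

IMAGE_BASE = 0x400000          # assumption taken from post #1
MAX_IMAGE_SPAN = 0x10000000    # sanity bound: disp32 must point inside a plausible image

# Constructed input: the thunk block from post #1, hex bytes only.
SECTION_VA = 0x40531C
SECTION_BYTES = bytes.fromhex(
    "FF2544B24100" "8BC0"      # JMP DWORD PTR DS:[41B244] ; MOV EAX,EAX
    "FF2540B24100" "8BC0"      # JMP DWORD PTR DS:[41B240] ; MOV EAX,EAX
    "FF253CB24100" "8BC0"      # JMP DWORD PTR DS:[41B23C] ; MOV EAX,EAX
    "FF2538B24100" "8BC0"      # JMP DWORD PTR DS:[41B238] ; MOV EAX,EAX
    "50" "6A40" "E8E0FFFFFF" "C3"  # PUSH EAX / PUSH 40 / CALL 00405324 / RETN
)


@dataclass(frozen=True)
class Thunk:
    va: int        # virtual address of the JMP/CALL instruction
    slot_va: int   # IAT slot it reads the target from
    kind: str      # "jmp" (FF 25, Delphi-style thunk) or "call" (FF 15)


def find_import_thunks(code: bytes, code_va: int) -> list[Thunk]:
    """Linear scan for FF 25 / FF 15 disp32. A byte scan can misfire on
    immediates that happen to contain FF 25, so only displacements that fall
    inside the image are accepted; on a hit the scan skips the 6-byte
    instruction so its own disp32 bytes are not rescanned."""
    thunks: list[Thunk] = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] in (0x25, 0x15):
            disp = struct.unpack_from("<I", code, i + 2)[0]
            if IMAGE_BASE <= disp < IMAGE_BASE + MAX_IMAGE_SPAN:
                kind = "jmp" if code[i + 1] == 0x25 else "call"
                thunks.append(Thunk(code_va + i, disp, kind))
                i += 6
                continue
        i += 1
    return thunks


def iat_bounds(thunks: list[Thunk]) -> tuple[int, int]:
    """(start_rva, end_rva) covering every referenced slot; end is exclusive
    (last slot + 4 bytes for a 32-bit image)."""
    slots = sorted({t.slot_va for t in thunks})
    if not slots:
        raise ValueError("no import thunks found in this code range")
    return slots[0] - IMAGE_BASE, slots[-1] + 4 - IMAGE_BASE


def iat_size(thunks: list[Thunk]) -> int:
    start, end = iat_bounds(thunks)
    return end - start


if __name__ == "__main__":
    found = find_import_thunks(SECTION_BYTES, SECTION_VA)
    for t in found:
        rva = t.slot_va - IMAGE_BASE
        print(f"{t.va:08X} {t.kind:<4} -> IAT slot {t.slot_va:08X} (RVA {rva:08X})")
    start, end = iat_bounds(found)
    print(f"IAT RVA {start:08X}..{end:08X}, size {end - start:#x}")
```

On the four thunks from post #1 this reports an IAT range of RVA 0001B238 to 0001B248, which is the kernel32 block Stripper lists at 0001b238 (and contains the 0001b244 GetModuleHandleA entry it fixed). The lower figure of 1b168 in post #10 would only come out of scanning the whole code section, which these constructed bytes do not cover; in practice you run the scan over the entire dumped .text (or CODE) section and feed the resulting start and size to ImpREC instead of relying on IAT autosearch.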