Manually unpacking Asprotect

#1
I'd like to learn this. Some of the threads I've seen on this are a bit too complex for me at my stage of learning. What are a couple of reasonably easy targets to work on for starters? Even better if someone can give me some links to some tuts on some good ones for beginners, ones where you can still download the target applications, that is.
#2
See http://www.exetools.com/forum/showthread.php?s=&threadid=2847 for a previous discussion like this.
Regards

#3
Pompeyfan, same with me. All the discussions on Aspr are too complex for a newbie. That's why I'm just fooling around here giving free advice to newcomers in JMI style without any pennies. Thank you for starting this topic... Since I successfully tried out some easy tuts on unpacking UPX and Aspack, let's try out this ASpr... but I need help here. If no one wants to help then it's okay, I'll check that link provided by satyricOn, but someone please help, I want to finish off this tut... please.
Yeah, I was trying the tut by LaBBa last month but I was so confused at the point of getting the OEP. Program: Wtm-CD-Protect 1.54. See, I could follow the tut like this. Yes, I changed that '01' IsDebuggerPresent to '00'. After Shift+F9 I land here:
Code:
00B639EC 3100                XOR DWORD PTR DS:[EAX],EAX
00B639EE 64:8F05 00000000    POP DWORD PTR FS:[0]
00B639F5 58                  POP EAX
00B639F6 833D B07EB600 00    CMP DWORD PTR DS:[B67EB0],0
00B639FD 74 14               JE SHORT 00B63A13
00B639FF 6A 0C               PUSH 0C
00B63A01 B9 B07EB600         MOV ECX,0B67EB0
00B63A06 8D45 F8             LEA EAX,DWORD PTR SS:[EBP-8]
00B63A09 BA 04000000         MOV EDX,4
00B63A0E E8 2DD1FFFF         CALL 00B60B40
00B63A13 FF75 FC             PUSH DWORD PTR SS:[EBP-4]
00B63A16 FF75 F8             PUSH DWORD PTR SS:[EBP-8]
00B63A19 8B45 F4             MOV EAX,DWORD PTR SS:[EBP-C]
00B63A1C 8338 00             CMP DWORD PTR DS:[EAX],0
00B63A1F 74 02               JE SHORT 00B63A23
00B63A21 FF30                PUSH DWORD PTR DS:[EAX]
00B63A23 FF75 F0             PUSH DWORD PTR SS:[EBP-10]
00B63A26 FF75 EC             PUSH DWORD PTR SS:[EBP-14]
00B63A29 C3                  RETN
I put the BP at 00B63A29 and then Shift+F9. Then in the command line (Alt+F1): TC EIP<900000. I go here:
Code:
00405214 $-FF25 DC914300     JMP DWORD PTR DS:[4391DC]
0040521A 8BC0                MOV EAX,EAX
0040521C $-FF25 D8914300     JMP DWORD PTR DS:[4391D8]
00405222 8BC0                MOV EAX,EAX
00405224 $-FF25 D4914300     JMP DWORD PTR DS:[4391D4]
0040522A 8BC0                MOV EAX,EAX
0040522C $-FF25 D0914300     JMP DWORD PTR DS:[4391D0]
Then after F8 one time I go here:
Code:
00B61C64 55                  PUSH EBP
00B61C65 8BEC                MOV EBP,ESP
00B61C67 8B45 08             MOV EAX,DWORD PTR SS:[EBP+8]
00B61C6A 85C0                TEST EAX,EAX
00B61C6C 75 13               JNZ SHORT 00B61C81
00B61C6E 813D A47AB600 00>   CMP DWORD PTR DS:[B67AA4],400000   ; ASCII "MZP"
00B61C78 75 07               JNZ SHORT 00B61C81
00B61C7A A1 A47AB600         MOV EAX,DWORD PTR DS:[B67AA4]
00B61C7F EB 06               JMP SHORT 00B61C87
00B61C81 50                  PUSH EAX
00B61C82 E8 3135FFFF         CALL 00B551B8                      ; JMP to kernel32.GetModuleHandleA
00B61C87 5D                  POP EBP
00B61C88 C2 0400             RETN 4
Then again after the RET I go here:
Code:
0040531C  . BA 9C804300      MOV EDX,ACopy.0043809C
00405321  . 52               PUSH EDX
00405322  . 8905 B8944300    MOV DWORD PTR DS:[4394B8],EAX
00405328  . 8942 04          MOV DWORD PTR DS:[EDX+4],EAX
0040532B  . E8 98FFFFFF      CALL ACopy.004052C8
00405330  . 5A               POP EDX
00405331  . 58               POP EAX
00405332  . E8 15E1FFFF      CALL ACopy.0040344C
00405337  . C3               RETN
I don't understand what I am supposed to do after dumping the process with LordPE. I dump the process and save it. Then I press F8 and after the RET I get here:
Code:
00437589 8B                  DB 8B
0043758A 1D                  DB 1D
0043758B 90                  NOP
0043758C 8A                  DB 8A
0043758D 43                  DB 43   ; CHAR 'C'
0043758E 00                  DB 00
0043758F 8B                  DB 8B
00437590 03                  DB 03
00437591 E8                  DB E8
00437592 1E                  DB 1E
00437593 1F                  DB 1F
00437594 FF                  DB FF
00437595 FF                  DB FF
00437596 8B                  DB 8B
00437597 0D                  DB 0D
In LaBBa's tutorial I am supposed to land here, and the OEP is 00436EAD:
Code:
00436EAD 8B1D 907A4300       MOV EBX,DWORD PTR DS:[437A90]   ; ACopy.004386E8
00436EB3 8B03                MOV EAX,DWORD PTR DS:[EBX]
00436EB5 E8 FA25FFFF         CALL ACopy.004294B4
00436EBA 8B0D 0C7B4300       MOV ECX,DWORD PTR DS:[437B0C]   ; ACopy.00438774
00436EC0 8B03                MOV EAX,DWORD PTR DS:[EBX]
00436EC2 8B15 10374300       MOV EDX,DWORD PTR DS:[433710]   ; ACopy.00433750
00436EC8 E8 FF25FFFF         CALL ACopy.004294CC
00436ECD 8B0D 707A4300       MOV ECX,DWORD PTR DS:[437A70]   ; ACopy.00438750
00436ED3 8B03                MOV EAX,DWORD PTR DS:[EBX]
00436ED5 8B15 C0274300       MOV EDX,DWORD PTR DS:[4327C0]   ; ACopy.00432800
00436EDB E8 EC25FFFF         CALL ACopy.004294CC
00436EE0 8B0D 047A4300       MOV ECX,DWORD PTR DS:[437A04]   ; ACopy.00438764
00436EE6 8B03                MOV EAX,DWORD PTR DS:[EBX]
What am I doing wrong? I really don't understand... sorry if this problem is dumb... regrets... newbies sometimes ask dumb ???s. Experts should not bully them. Thanking in advance.
Last edited by ferrari; 02-25-2004 at 20:49.
#4
@ferrari
The target you are dealing with is different to the tute; the fake OEP = 00437589. The stolen bytes are:
Code:
00437578  $ 55               PUSH EBP                       ; real OEP
00437579  . 8BEC             MOV EBP,ESP
0043757B  . 83C4 F4          ADD ESP,-0C
0043757E  . 53               PUSH EBX
0043757F  . B8 78744300      MOV EAX,dumped_.00437478
Best wishes
R@dier
Last edited by R@dier; 02-25-2004 at 20:59.
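Added example (not from R@dier's post or anyone else in this thread): a small Python script doing the repair step the thread is circling around. After the process has been dumped, the stolen bytes are written back at the real OEP and AddressOfEntryPoint is pointed at the real OEP instead of the fake one. It uses the dump's own section table to translate the OEP's RVA to a file offset, so it does not assume raw and virtual layouts are identical. The image base 00400000, real OEP 00437578, fake OEP 00437589 and the twelve bytes R@dier listed come from the thread; the five bytes between 00437584 and 00437589 are not shown in the thread, so the sample patches only what is known and reports the gap rather than guessing. build_sample_pe() constructs a throwaway one-section PE32 for the demonstration; it is not the dump from the thread. Standard library only.

```python
"""Restore ASProtect stolen bytes at the real OEP of a dumped PE (added example).

Assumes a 32-bit (PE32) dump whose section table is intact, as LordPE writes it.
Standard library only; the sample PE is constructed here, not taken from the thread.
"""
import struct

IMAGE_BASE = 0x400000     # module base seen in the thread (ACopy.00400000)
REAL_OEP_VA = 0x437578    # real OEP given by R@dier
FAKE_OEP_VA = 0x437589    # fake OEP where the dumped entry point lands
# Bytes R@dier listed: PUSH EBP / MOV EBP,ESP / ADD ESP,-0C / PUSH EBX / MOV EAX,437478.
# Assumption: the bytes from 00437584 up to the fake OEP are unknown (not shown in the thread).
STOLEN_BYTES = bytes.fromhex("55 8BEC 83C4F4 53 B878744300")


def _header_offsets(pe):
    """Return (optional_header_offset, section_table_offset, section_count)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    if struct.unpack_from("<H", pe, opt_off)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    return opt_off, opt_off + opt_size, nsections


def image_base(pe):
    return struct.unpack_from("<I", pe, _header_offsets(pe)[0] + 28)[0]


def entry_point_rva(pe):
    return struct.unpack_from("<I", pe, _header_offsets(pe)[0] + 16)[0]


def sections(pe):
    """Yield (name, virtual_size, virtual_address, raw_size, raw_pointer) per section."""
    _, sect_off, n = _header_offsets(pe)
    for i in range(n):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, sect_off + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rawsize, rawptr


def rva_to_offset(pe, rva, length=1):
    """Map an RVA to a file offset, requiring `length` bytes of raw data there."""
    for name, vsize, va, rawsize, rawptr in sections(pe):
        if va <= rva < va + max(vsize, rawsize):
            off = rawptr + (rva - va)
            if off + length > rawptr + rawsize:
                raise ValueError(f"{length} bytes at RVA {rva:#x} overrun raw data of {name}")
            return off
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def missing_stolen_bytes(real_oep_va, fake_oep_va, stolen):
    """How many bytes between the real and fake OEP have still not been recovered."""
    return (fake_oep_va - real_oep_va) - len(stolen)


def patch_stolen_bytes(pe, real_oep_va, stolen):
    """Write `stolen` at real_oep_va and make it the entry point; returns the new image."""
    buf = bytearray(pe)
    rva = real_oep_va - image_base(buf)
    off = rva_to_offset(buf, rva, len(stolen))
    buf[off:off + len(stolen)] = stolen
    struct.pack_into("<I", buf, _header_offsets(buf)[0] + 16, rva)  # AddressOfEntryPoint
    return bytes(buf)


def build_sample_pe(base=IMAGE_BASE, fake_oep_va=FAKE_OEP_VA):
    """Constructed one-section PE32 standing in for the dump; entry point still = fake OEP."""
    sect_rva, sect_size, raw_ptr = 0x37000, 0x1000, 0x400
    buf = bytearray(raw_ptr + sect_size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                                  # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # COFF header
    opt = 0x58
    struct.pack_into("<H", buf, opt, 0x10B)                                  # PE32 magic
    struct.pack_into("<I", buf, opt + 16, fake_oep_va - base)                # AddressOfEntryPoint
    struct.pack_into("<I", buf, opt + 28, base)                              # ImageBase
    struct.pack_into("<II", buf, opt + 32, 0x1000, 0x200)                    # Section/FileAlignment
    struct.pack_into("<8sIIIIIIHHI", buf, opt + 0xE0, b".text", sect_size, sect_rva,
                     sect_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(buf)


if __name__ == "__main__":
    dump = build_sample_pe()
    fixed = patch_stolen_bytes(dump, REAL_OEP_VA, STOLEN_BYTES)
    print(f"entry point RVA: {entry_point_rva(dump):#x} -> {entry_point_rva(fixed):#x}")
    print(f"still missing {missing_stolen_bytes(REAL_OEP_VA, FAKE_OEP_VA, STOLEN_BYTES)} "
          "bytes before the fake OEP")
```

On a real dump you would read the file into `dump`, call patch_stolen_bytes with the full run of stolen bytes up to the fake OEP, and write the result out before rebuilding imports; the missing_stolen_bytes check is there so that a short list, like the one on this page, is noticed instead of silently leaving the original packer garbage between the two addresses.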
#5
Ferrari, where can I download the version of this program you are using, so I can follow this one too, and try and unpack it.
#6
Hi pompeyfan, you can download the software here --> http://www.webtoolmaster.com/
The latest version is 1.61 and I am trying version 1.54 as per LaBBa's final tutorial on ASpr. It's there in the Request section... since I had requested it. Just do a search there.
#7
Don't forget that tuts are simply reports on one individual's experience with one particular version of one particular piece of software. That individual may, or may not, know "what it's all about" but may simply have stumbled on the solution in a particular case.

Just as in "real life," one cannot take such advice as providing the true path to enlightenment. While it may serve as an additional stepping stone, it is but one piece of a larger puzzle, which must be considered within its own framework. Try to consider the tuts you read as a frozen moment in time. You usually have an ongoing contest between protector and cracker, and whenever one stands still, the other has the opportunity to move ahead.

The issue with these systems is in the attempt to figure out the approach used by the protection to screw with your efforts. If you focus too hard on the small details, you might figure out how it works on this very small slice of the universe, but you will probably miss the rather larger picture of trying to figure out just what the hell the code is doing and what that tells you about what the system is attempting to accomplish. Make notes of what is happening and where the code is taking you. There is no reason to trust that "next time" it will do the same thing, so if you have not begun to understand "what" it is doing, blindly following along isn't really teaching you anything but "following along." When the road and the sign paths change, you are still lost in the dark codewoods. Trying to figure out the "what," the "how," and particularly the "why," gives you the knowledge and the tools to attack the "next" generation and the "next" protector.

Regards,
JMI
#8
Well, I've tried using the search function, and I can see no tut on Wtm-CD-Protect 1.54, by anyone
#9
So sorry pompeyfan... actually I had asked that question when I was new to exetools... and see what I had asked... don't laugh now, okay... and download that asprotect final tut.zip by LaBBa:
http://www.exetools.com/forum/showthread.php?s=&threadid=3215&highlight=Aspack
#10
Oops, sorry, thanks, got it now.
#11
Guys, I'm having the same issues....
ferrari, I know exactly what you are talking about..... I ended up exactly as you.... I got here:
Code:
00405214 FF                  DB FF
00405215 25                  DB 25   ; CHAR '%'
00405216 DC                  DB DC
00405217 91                  DB 91
00405218 43                  DB 43   ; CHAR 'C'
00405219 00                  DB 00
0040521A 8B                  DB 8B
Code:
00405214 $-FF25 DC914300     JMP DWORD PTR DS:[4391DC]   ; we HERE
0040521A 8BC0                MOV EAX,EAX
0040521C $-FF25 D8914300     JMP DWORD PTR DS:[4391D8]
F8 one time and here:
Code:
00D91C64 55                  PUSH EBP
00D91C65 8BEC                MOV EBP,ESP
00D91C67 8B45 08             MOV EAX,DWORD PTR SS:[EBP+8]
00D91C6A 85C0                TEST EAX,EAX
00D91C6C 75 13               JNZ SHORT 00D91C81
Code:
0040531C  . BA 9C804300      MOV EDX,ACopy.0043809C
00405321  . 52               PUSH EDX
00405322  . 8905 B8944300    MOV DWORD PTR DS:[4394B8],EAX
00405328  . 8942 04          MOV DWORD PTR DS:[EDX+4],EAX
0040532B  . E8 98FFFFFF      CALL ACopy.004052C8
00405330  . 5A               POP EDX
00405331  . 58               POP EAX
00405332  . E8 15E1FFFF      CALL ACopy.0040344C
00405337  . C3               RETN
You got here.......
Code:
00437589 8B                  DB 8B
0043758A 1D                  DB 1D
0043758B 90                  NOP
0043758C 8A                  DB 8A
0043758D 43                  DB 43   ; CHAR 'C'
0043758E 00                  DB 00
Code:
00437555 8B                  DB 8B
00437556 1D                  DB 1D
00437557 90                  NOP
00437558 8A                  DB 8A
00437559 43                  DB 43   ; CHAR 'C'
0043755A 00                  DB 00
0043755B 8B                  DB 8B
Seems my test subject is also version 1.6.1. What I'm really trying to get figured out is Advanced Serial Port Monitor and Advanced Serial Data Logger..... both targets are at h**p://www.aggsoft.com/download. Funny thing, both these targets are updated from where I started; it took me a good part of the day to un-fook my registry so I could restart testing because the targets had both expired the trial. Well, I have that much beat so far LOL... so off I go again. I'm just glad there are tuts like this to at least give ideas. I know all will be a bit different, as JMI says.
Last edited by lonewolf55; 02-27-2004 at 06:17.
#12
lonewolf55:
The only appropriate thing to add to: "Aia a kau ka i`a i ka wa`a, mana`o ke ola." (loosely translated as: "One can think of life after the fish is in the canoe," or "Before one feels elated and makes plans, he should first secure his fish," or "Don't count your chickens before they hatch.") is: "`A`ohe hua o ka mai`a i ka la ho`okahi."
Regards,
JMI
#13
Wise man,
what language is the first one?
Regards
#14
They are both in the language of the native peoples of Hawai'i.
You might be surprised what you can find if you enter things into Google. Like his phrase. Or the one I added.

Oh, and lonewolf55, I seem to recall that ASPR changes certain addresses EACH TIME YOU RUN THE PROGRAM, as in "the jump to the OEP is always at a different location in memory." This might be the issue you are encountering, although the different OS could certainly contribute. What IS important is that the information is essentially identical, which you noticed.
Regards,
JMI
#15
Off topic:
Huli ka malau, ka 'iako a ka lawai'a.