Exetools  

  #31  
Old 02-12-2004, 23:43
Satyric0n
Remember, the things that ASProtect relocates, it usually corrupts (such as the IAT), but those things did have an appropriate position in the file before being packed (again, like how the imports should go in the .idata section). 22E000 would not be the appropriate place for both relocation and the TlsTable (if either of them; I'm still not sure what the 22E000 section is for), then, since they were in separate sections before being packed.

Also, keep in mind that when a section is all 00s, it is probably uninitialized data (such as BSS), and anything you put there will be overwritten at runtime.

Regards
  #32  
Old 02-13-2004, 02:58
Wurstgote
Okay, I've tried something else.

1. Relocation table: Taking a look at 2EA9C4, it seems clear that the relocation table is empty, since there is only the header of the fix-up block (manipulated by ASPR?). I pushed that part to 231000, since there should be the original rel. table. After that I've fixed the directory table entry to 231000. No problem.

2. Thread Local Storage: Examining addr 2ea9cc (place of TLS directory), I've found the following data:
Raw Data Start: 62F000 (- base = 22F000 => empty section)
-"- End : 62F01C
Index : 6140C4 (some zeros inside of .data)
Callbacks : 630010 (-base = 230010; hmmm... looks interesting, since at 630000 there's an exact copy of the TLS at 2ea9cc...)
Size of Zerofill : 0
Characteristics: 0

First I've simply tried to transfer those 24 bytes to 22e00 and fix the directory table entry for TlsTable accordingly. It works, as long as I don't delete the .data section.

Now I've got not the slightest idea on how to proceed...
At the moment, I'm trying to find out if any code in the .data section is executed, but it doesn't look like that would happen.

So I'm afraid I'll need another hint

Regards
Wurstgote
  #33  
Old 02-13-2004, 03:05
Wurstgote
Sorry, some corrections:
Quote:
Index : 6140C4 (some zeros inside of .data)
Should have been DATA (according to the section names you gave me on page 1 (?) of this thread)

Errr... only one correction. I suppose I'm getting braindead
  #34  
Old 02-13-2004, 04:00
Satyric0n
Quote:
1. Relocation table: Taking a look at 2EA9C4, it seems clear that the relocation table is empty, since there is only the header of the fix-up block (manipulated by ASPR?). I pushed that part to 231000, since there should be the original rel. table. After that I've fixed the directory table entry to 231000. No problem.
This is a perfectly acceptable solution, although there is a better one yet. What you can do is change both your Relocation RVA and Size to 0, then in your PE Characteristics, set the Relocation Stripped flag. That way, you don't even need the header, and can simply delete the .reloc section's physical data and set its RSize to 0 in the section header. You might even be able to be rid of the section entirely, and wipe the section header out of the PE header, but I have never tested it; I'm always hesitant to delete sections created by the compiler, maybe I'm just too cautious...

Quote:
First I've simply tried to transfer those 24 bytes to 22e00 and fix the directory table entry for TlsTable accordingly.
I'm not sure if this would cause problems or not, as I'm not entirely sure what the section at 22E000 is for. It certainly could work, as the thing that's causing your exe to not run after you remove the .data section is not related to TLS. Needless to say, I have a different solution than yours; not to say that mine is a better solution, but it is different. The only thing I have against your solution is my general hesitation to copy data to 00'd out sections, as those sections are usually initialized at runtime and data you put there has a tendency to get overwritten.

Quote:
Callbacks : 630010 (-base = 230010; hmmm... looks interesting, since at 630000 there's an exact copy of the TLS at 2ea9cc...)
This is a good observation... Run with it!

Quote:
Now I've got not the slightest idea on how to proceed... So I'm afraid I'll need another hint
Reread my description of what the .data section is. There are more things relocated in that section than the Relocation table and TLS table.

Regards

Last edited by Satyric0n; 02-13-2004 at 06:09.
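The two header-level fixes discussed in posts #32 and #34 (decoding the 24-byte TLS directory into RVAs, and zeroing the relocation directory plus setting the Relocation Stripped flag instead of keeping an empty .reloc) as an added Python example. This is not code from the thread; the PE header it operates on is a constructed stand-in that carries only the directory values quoted above, and the image base 0x400000 is inferred from the poster's "62F000 - base = 22F000".

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001   # IMAGE_FILE_HEADER.Characteristics bit
DIR_BASERELOC, DIR_TLS = 5, 9         # DataDirectory indices
IMAGE_BASE = 0x400000                  # inferred from the thread: 62F000 - base = 22F000

def parse_tls_directory32(blob, image_base=IMAGE_BASE):
    """Decode IMAGE_TLS_DIRECTORY32 (24 bytes). The first four fields are
    virtual addresses, not RVAs, so subtract the image base before looking
    them up in the section table."""
    start, end, index, callbacks, zero_fill, chars = struct.unpack("<6I", blob[:24])
    return {
        "raw_data_start_rva": start - image_base,
        "raw_data_end_rva": end - image_base,
        "index_rva": index - image_base,
        "callbacks_rva": callbacks - image_base,
        "size_of_zero_fill": zero_fill,
        "characteristics": chars,
    }

def _header_offsets(pe):
    """Return (file_header_offset, optional_header_offset) for a PE32 image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    file_hdr = e_lfanew + 4
    return file_hdr, file_hdr + 20

def get_directory(pe, index):
    """(VirtualAddress, Size) of DataDirectory[index]; the directories start
    at offset 96 of a PE32 optional header."""
    _, opt = _header_offsets(pe)
    return struct.unpack_from("<II", pe, opt + 96 + 8 * index)

def relocs_stripped(pe):
    file_hdr, _ = _header_offsets(pe)
    return bool(struct.unpack_from("<H", pe, file_hdr + 18)[0] & IMAGE_FILE_RELOCS_STRIPPED)

def strip_relocation_directory(pe):
    """The approach from post #34: zero DataDirectory[BASERELOC] and set the
    RELOCS_STRIPPED flag so the loader never looks for relocation data.
    Returns a patched copy; the input is left untouched."""
    out = bytearray(pe)
    file_hdr, opt = _header_offsets(out)
    struct.pack_into("<II", out, opt + 96 + 8 * DIR_BASERELOC, 0, 0)
    chars = struct.unpack_from("<H", out, file_hdr + 18)[0]
    struct.pack_into("<H", out, file_hdr + 18, chars | IMAGE_FILE_RELOCS_STRIPPED)
    return bytes(out)

def build_sample_headers():
    """Constructed minimal PE32 headers (DOS header, PE signature, file header,
    optional header, no sections). The directory values are the ones quoted
    in the thread; everything else is filler."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x010E)  # i386, flag not yet set
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 28, IMAGE_BASE)
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_BASERELOC, 0x2EA9C4, 8)   # lone fix-up block header
    struct.pack_into("<II", opt, 96 + 8 * DIR_TLS, 0x2EA9CC, 24)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)

# The TLS directory as listed in post #32 (constructed from those six values).
SAMPLE_TLS = struct.pack("<6I", 0x62F000, 0x62F01C, 0x6140C4, 0x630010, 0, 0)

if __name__ == "__main__":
    for name, value in parse_tls_directory32(SAMPLE_TLS).items():
        print("%-20s %08X" % (name, value))
    pe = build_sample_headers()
    print("before:", get_directory(pe, DIR_BASERELOC), relocs_stripped(pe))
    pe = strip_relocation_directory(pe)
    print("after: ", get_directory(pe, DIR_BASERELOC), relocs_stripped(pe))
```

The TLS decode is what turns the poster's "62F000 (- base = 22F000)" arithmetic into something repeatable: the directory stores VAs, so a dump rebased or relocated differently will need those four fields adjusted, which is worth checking before deciding a 00-filled section is "empty".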
  #35  
Old 02-13-2004, 21:36
Wurstgote
Quote:
What you can do is change both your Relocation RVA and Size to 0, then in your PE Characteristics, set the Relocation Stripped flag
Hey, I've never thought of this! But, since it's empty anyway, why not kill it completely?
Quote:
Needless to say, I have a different solution than yours; not to say that mine is a better solution, but it is different.
Perhaps simply setting the TlsTable entry in the Directory Table to 230000?
Considering the Tls Table, I think there is nothing else to fix.
Quote:
Reread my description of what the .data section is. There are more things relocated in that section than the Relocation table and TLS table.
I've done that (good advice, by the way!) and I must admit that my eyes got it, but my brain must have been on holiday
As you've stated, ASPR also transferred some resources to the .data section...
So the first thing I've done was to study the structure of the resource tree. After I've understood what it's all about, I've used ResourceHacker to take a closer look at all the resources. This way it became obvious that perhaps Icon Group, VersionInfo and the last resource "24" need a relocation.
So I walked the resource tree and found out that data for all three groups really is in the .data section. I've managed to relocate them back to the .rsrc section, but sweet Jesus, if I thought putting the IAT table back in place was tedious, I for sure don't know an adequate word to describe this piece of work.

Now my question is: Do you know of any tool that I can use to browse the resource tree of an app and that shows at each node the address where this node is stored? I've tried ResHacker (doesn't work) and PE Explorer (can read all resources but doesn't show addresses; also I can't use it to "repack" the resources).

Any hint would be appreciated, since I believe that that should be the last thing to do before .data can be deleted.

Regards
Wurstgote
  #36  
Old 02-13-2004, 22:12
Satyric0n
Quote:
I've managed to relocate them back to the .rsrc section, but sweet Jesus, if I thought putting the IAT table back in place was tedious, I for sure don't know an adequate word to describe this piece of work
... I do know what you mean.

Here is what I do to fix the resources:

When my exe is at the point that I want to fix the resources, I make a copy of the exe. So now I have 2 identical exes: Resbldr2.exe and CopyOfResbldr2.exe

Now, I load my first exe (Resbldr2.exe) into a resource editor (personally, I just use Visual Studio, since it does a good job and I already have it installed; so I know this process works with VS, but I can't guarantee that it will work with another resource editor), and simply delete all resources that fall in the offending section: in this case, the 3 icons, the version info, and RT_MANIFEST (what you called 24). Save that and close it, and now, .data in your first exe should have no resources in it. (It is at this point that I go and delete the .data section and wipe its section header from the PE.)

Now, open both exes in your resource editor. In your second exe (CopyOfResbldr2.exe), select all the resources that you deleted in the first exe and Copy them (standard clipboard Copy is what I'm referring to), then paste them into your first exe. Save the first one, then close both files (and now you can delete CopyOfResbldr2.exe). When VS saves the changes, it puts the new resources you've pasted in into the .rsrc section, as it should. Now you have successfully transplanted the resources from the .data section to the .rsrc section, without a lot of hassle.

One note, VS, when it saves the resource changes, screws up the VSize of the .rsrc section for some reason. So once I'm done I go into LordPE and fix .rsrc's VSize back to the same as RSize.

Quote:
Any hint would be appreciated, since I believe that that should be the last thing to do before .data can be deleted.
Indeed, you are correct here! Congratulations, most people wouldn't have bothered to even try these things, much less follow through all the way (and by hand, as you did, at that). I hope you learned a good bit about PE structure in the process.

Now, there are 2 problems left with your exe. One you will notice immediately once you remove the .data section and try to run the app. The problem you will see is much the same as the problem when you try to get into the program's Options (though the way I fixed those two problems is very dissimilar).

Lucky for you, you chose a very easy app to begin learning ASPR with. Once you get this all finished, I'll give you a link to an app that actually uses ASProtect effectively.

Regards,
Satyric0n

Last edited by Satyric0n; 02-13-2004 at 22:16.
  #37  
Old 02-13-2004, 22:50
Wurstgote
That's a pretty cool idea!
I'll give it a try as soon as possible.
Nevertheless you still have to identify those resources in the to-be-deleted section.
I'll have to think about that. There must be an easy way to accomplish that task, and if I have to write a small app to do it...
Quote:
Congratulations
Thanks! You were right: It was a lot of fun
Quote:
I hope you learned a good bit about PE structure in the process
Believe me: more than a bit. But only due to my more than capable teacher
Quote:
Now, there are 2 problems left with your exe. One you will notice immediately once you remove the .data section and try to run the app. The problem you will see is much the same as the problem when you try to get into the program's Options (though the way I fixed those two problems is very dissimilar).
I'll take a look at those this evening... With a cool beer or two...
Quote:
Once you get this all finished, I'll give you a link to an app that actually uses ASProtect effectively
Makes me curious

Regards
Wurstgote
  #38  
Old 02-13-2004, 23:17
Satyric0n
Quote:
Nevertheless you still have to identify those resources in the to-be-deleted section.
I'll have to think about that. There must be an easy way to accomplish that task, and if I have to write a small app to do it...
Indeed, there is. This is fairly easy using LordPE. Basically, just get the offset of the section immediately following the resource section (in this case .data, offset being 2EA000). Next, go into Directories and click the ... next to Resource. For every item you click on, you can see the Selected Item RVA. Just expand all the nodes in the tree, then you can just scroll through very quickly (just holding the down arrow key basically), and look for any items with RVA of 2EA000 or higher. Most are much lower, so ones nearing or above 2EA000 tend to jump out at you. In this case, there are all the icons (including the group icons), the version information, and "24" which is really a constant representing RT_MANIFEST (typically seen in Delphi and C++Builder apps).

So, easy as this is, there is still better news: every ASProtected app I have ever seen, relocates only these exact items: Icons, Version Info, and RT_MANIFEST (if it exists). So, though I always double check to see that there aren't any others that have been relocated, I have never seen any other than these three types.

Of course, writing a small app to identify these for you (or even relocate them for you) would also be another good learning process, and maybe more fun.

Quote:
I'll take a look at those this evening... With a cool beer or two...
I'd recommend a Guinness, but you live in Europe I think, and all the beers there are good. Here in the USA we have to buy imported beer to get anything that doesn't taste like piss...

Regards,
Satyric0n
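The "small app" Wurstgote talks about writing in post #37, and the LordPE walk Satyric0n describes in post #38, boil down to one thing: walk the IMAGE_RESOURCE_DIRECTORY tree, read the RVA out of every IMAGE_RESOURCE_DATA_ENTRY leaf, and flag the ones that fall outside .rsrc. Below is an added Python example of that walk; it is not code from the thread or from LordPE. The section table and the resource tree it runs on are constructed to mirror the situation described above (a .data section at 2EA000 holding icons, version info and the "24" manifest); they are not the real file's values, and the sample tree is built by the small serializer included so the whole thing runs offline.

```python
import struct

# Resource type ids mentioned in the thread ("24" is RT_MANIFEST).
RT_NAMES = {2: "RT_BITMAP", 3: "RT_ICON", 14: "RT_GROUP_ICON", 16: "RT_VERSION", 24: "RT_MANIFEST"}

def section_for_rva(sections, rva):
    """sections: list of (name, rva, virtual_size). Return the section holding rva, or None."""
    for name, start, size in sections:
        if start <= rva < start + size:
            return name
    return None

def walk_resources(rsrc, sections, offset=0, path=()):
    """Walk the IMAGE_RESOURCE_DIRECTORY tree in `rsrc` (raw bytes of the resource
    section, root directory at offset 0). Each directory entry is 8 bytes: a
    Name/Id dword and an OffsetToData dword. Bit 31 of the first marks a string
    name, bit 31 of the second marks a subdirectory; both offsets are relative to
    the start of the section. Leaves are IMAGE_RESOURCE_DATA_ENTRY records whose
    OffsetToData is an RVA into the whole image, which is exactly why a packer can
    park the data in some other section without touching the tree itself.
    Returns a list of (path, data_rva, size, section_name)."""
    found = []
    n_named, n_id = struct.unpack_from("<HH", rsrc, offset + 12)
    entry = offset + 16
    for _ in range(n_named + n_id):
        ident, target = struct.unpack_from("<II", rsrc, entry)
        entry += 8
        if ident & 0x80000000:
            label = "name@0x%x" % (ident & 0x7FFFFFFF)   # string names: not resolved here
        elif not path:                                    # first level is the resource type
            label = RT_NAMES.get(ident, str(ident))
        else:
            label = str(ident)
        if target & 0x80000000:
            found += walk_resources(rsrc, sections, target & 0x7FFFFFFF, path + (label,))
        else:
            data_rva, size = struct.unpack_from("<II", rsrc, target)   # OffsetToData, Size
            found.append((path + (label,), data_rva, size, section_for_rva(sections, data_rva)))
    return found

def find_relocated(entries, home=".rsrc"):
    """Entries whose data does not live in the resource section."""
    return [e for e in entries if e[3] != home]

def build_resource_section(tree):
    """Serialize {type: {name: {lang: (data_rva, size)}}} into a valid resource
    directory tree. Constructed helper so the sample below is self-contained."""
    buf = bytearray()
    def emit_dir(entries):
        here = len(buf)
        buf.extend(struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(entries)))  # all entries are id entries
        table = len(buf)
        buf.extend(bytes(8 * len(entries)))                               # reserve the entry table
        for i, (ident, child) in enumerate(sorted(entries.items())):
            if isinstance(child, dict):
                target = emit_dir(child) | 0x80000000
            else:
                target = len(buf)
                buf.extend(struct.pack("<IIII", child[0], child[1], 0, 0))  # data entry
            struct.pack_into("<II", buf, table + 8 * i, ident, target)
        return here
    emit_dir(tree)
    return bytes(buf)

# Constructed sample: RVAs chosen to mirror the thread's layout, not taken from the real file.
SAMPLE_SECTIONS = [(".text", 0x1000, 0x2AF000), (".rsrc", 0x2B0000, 0x3A000), (".data", 0x2EA000, 0x6000)]
SAMPLE_TREE = {
    2:  {1: {1033: (0x2B0100, 0x400)}},                                 # bitmap, still in .rsrc
    3:  {1: {1033: (0x2EA100, 0x2E8)}, 2: {1033: (0x2EA400, 0x128)}},   # icons moved to .data
    14: {1: {1033: (0x2EA600, 0x22)}},                                  # group icon
    16: {1: {1033: (0x2EA800, 0x300)}},                                 # version info
    24: {1: {1033: (0x2EAC00, 0x200)}},                                 # "24" = RT_MANIFEST
}

def report(rsrc=None, sections=SAMPLE_SECTIONS):
    """Print every leaf with its RVA and section, and return the relocated ones."""
    rsrc = rsrc if rsrc is not None else build_resource_section(SAMPLE_TREE)
    entries = walk_resources(rsrc, sections)
    for path, rva, size, sec in entries:
        flag = "" if sec == ".rsrc" else "   <-- outside .rsrc"
        print("%-28s rva=%06X size=%5d in %s%s" % ("/".join(path), rva, size, sec, flag))
    return find_relocated(entries)

if __name__ == "__main__":
    report()
```

Against a real file you would pass `walk_resources` the bytes of the .rsrc section (sliced out of the image at the RVA given in DataDirectory[2]) and the section table read from the PE header; the flagged list is then the set of leaves whose data entry must be rewritten once the data is moved back, which is the same list LordPE's "Selected Item RVA" column lets you spot by eye.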
  #39  
Old 02-14-2004, 00:27
Wurstgote
Quote:
This is fairly easy using LordPE
Uahhhh... Shame on me
Perhaps next time I should play a little with the software I'm using instead of mindlessly crying for help...
Quote:
Of course, writing a small app to identify these for you (or even relocate them for you) would also be another good learning process, and maybe more fun
Identifying AND relocating... good idea and something like this wouldn't be too hard to code I guess.
Quote:
I'd recommend a Guinness
Guinness would be fine, but the bottled one you get over here in Germany is spiked (?) with carbon dioxide instead of nitrogen, so it's not creamy at all anymore.
Quote:
but you live in Europe I think, and all the beers there are good
Try to get your hands on one of those hellish beverages they "produce" (don't know the word for "putting gross stuff (including strawberries!!!) in a bowl and waiting one or two centuries till it freaks the hell out of any human being") in Belgium... you'll wish you had stuck to your local stuff.

Regards
Wurstgote
  #40  
Old 02-14-2004, 08:16
Wurstgote
It's me again
Quote:
Now, there are 2 problems left with your exe. One you will notice immediately once you remove the .data section and try to run the app. The problem you will see is much the same as the problem when you try to get into the program's Options (though the way I fixed those two problems is very dissimilar).
I'm sorry, but the first problem has to stay unfixed for some time. I've got no tool at hand (ehhh... except my hands and brain, and both are as fast as a dead cat) to relocate the resources in the .data section, so for the moment, I'll leave those resources where they are.
Nevertheless I've managed to make the "Options" menu available.
First I've tried to follow britedream's suggestions, but either his ideas were way beyond my head or Win XP behaves differently than Win 2K, so I had to do it on my own.
I've loaded the dumped app into Olly and let it run. As soon as I try to access the "Options" in the "Tools" menu, Olly pops up with an access violation at 57891e.
The code around looks like this:

0057890C /$ PUSH EBP
0057890D |. MOV EBP,ESP
0057890F |. PUSH ECX
00578910 |. PUSH EBX
00578911 |. MOV EAX,DWORD PTR DS:[40781E] ;<&kernel32.GetModuleHandleA>
00578917 |. MOV EBX,DWORD PTR DS:[EAX]
00578919 |. PUSH DWORD PTR DS:[EBX]
0057891B |. MOV DWORD PTR SS:[EBP-4],EBX
0057891E |. POP DWORD PTR DS:[EBX]
00578920 |. MOV EAX,DWORD PTR SS:[EBP-4]
00578923 |. POP EBX
00578924 |. POP ECX
00578925 |. POP EBP
00578926 \. RETN

So I've put a breakpoint on 578911 and single-stepped through the code. At 57891E, the code doesn't make any sense to me... Changing data in kernel32.dll wouldn't work, so I've changed
0057891E |. POP DWORD PTR DS:[EBX]
to
0057891E |. POP DWORD PTR DS:[EAX]
and everything's okay.
Next I'll have to code that small app I've mentioned, just to see if I can get rid of that problem at startup you've talked about

Regards
Wurstgote
  #41  
Old 02-14-2004, 10:09
Satyric0n
Quote:
At 57891E, the code doesn't make any sense to me... Changing data in kernel32.dll wouldn't work
Exactly... Remember ASProtect's kernel32 emulation "protection"? This is one way it is used. ASPR's data is writable, so this wouldn't throw an exception if ASPR were still protecting the app. Kernel32, however, is not writable, so as soon as you remove it, lots of little exceptions like this pop up.

Again, standard procedure for ASPR, so once you know about it and what it's doing, it's easy to take care of.

Quote:
so I've changed
0057891E |. POP DWORD PTR DS:[EBX]
to
0057891E |. POP DWORD PTR DS:[EAX]
Hmm. This is not acceptable... This would move whatever data was at [EBX] to [EAX], overwriting whatever was there already (the value in EBX, at this point), which may be something critical (like an IAT entry). Standard procedure here is just to NOP the instructions at 578919 and 57891E.

Quote:
I've got no tool at hand to relocate the resources in the .data section, so for the moment, I'll leave those resources where they are.
I use Visual Studio, but a small app like ResHack or something should do the trick, too. That's a fairly small download, I think. Any resource editor should work; there are many out there, and most are free.

Regards,
Satyric0n
  #42  
Old 02-14-2004, 10:27
britedream
Quote:
Originally posted by Wurstgote
It's me again
First I've tried to follow britedream's suggestions, but either his ideas were way beyond my head or Win XP behaves differently than Win 2K, so I had to do it on my own.
I've loaded the dumped app into Olly and let it run. As soon as I try to access the "Options" in the "Tools" menu, Olly pops up with an access violation at 57891e.
The code around looks like this:

0057890C /$ PUSH EBP
0057890D |. MOV EBP,ESP
0057890F |. PUSH ECX
00578910 |. PUSH EBX
00578911 |. MOV EAX,DWORD PTR DS:[40781E] ;<&kernel32.GetModuleHandleA>
00578917 |. MOV EBX,DWORD PTR DS:[EAX]
00578919 |. PUSH DWORD PTR DS:[EBX]
0057891B |. MOV DWORD PTR SS:[EBP-4],EBX
0057891E |. POP DWORD PTR DS:[EBX]
00578920 |. MOV EAX,DWORD PTR SS:[EBP-4]
00578923 |. POP EBX
00578924 |. POP ECX
00578925 |. POP EBP
00578926 \. RETN

So I've put a breakpoint on 578911 and single-stepped through the code.

-----------------------------------

You should bp 578911 in the original and follow the [40781e] to find the correct value.

On your PC 578911 is the correct address for the code that I changed in my earlier post.

Last edited by britedream; 02-14-2004 at 10:33.
  #43  
Old 02-14-2004, 20:49
Wurstgote
@ SatyricOn:
Quote:
Hmm. This is not acceptable.. This would move whatever data was [EBX] to [EAX], overwriting whatever was there already (the value in EBX, at this point), which may be something critical (like an IAT entry).
Of course you're right... I don't know what I've thought when I did this change. Ok, it was late and I was tired
Quote:
Standard procedure here is just to NOP the instructions at 578919 and 57891E.
I see. And again: learned something new
Quote:
I use Visual Studio, but a small app like ResHack or something should do the trick, too. That's a fairly small download, I think. Any resource editor should work; there are many out there, and most are free.
Perhaps you're right, but till now I couldn't figure out how to use ResourceHacker for that kind of task. I'll try to google another resource editor. Perhaps I'll find an appropriate one!

@ britedream:
Your help is much appreciated, but I'm not sure if I understand you:
Quote:
You should bp 578911 in the original and follow the [40781e] to find the correct value. On your PC 578911 is the correct address for the code that I changed in my earlier post.
I've compared the value of [40781E] in the original file with that in the dumped one. Both are the same. So, basically, it should make no difference if I replace

00578911 MOV EAX,DWORD PTR DS:[40781E] ; [40781E] contains 62A43C

with

00578911 MOV EAX,62A43C

Could you please explain what I'm getting wrong here?

Regards
Wurstgote
  #44  
Old 02-14-2004, 21:50
britedream
Well, if they were the same you wouldn't have an error, but address 40781e is pointing to an ASProtect address which is not there in the dump once you unpacked ASProtect, so this is why you are having the error. But the ASProtect address which is pointed to by 40781e in the original is pointing to an address; this address is what you need to put in EAX.
  #45  
Old 02-14-2004, 22:05
Satyric0n
Quote:
Originally posted by britedream
Well, if they were the same you wouldn't have an error, but address 40781e is pointing to an ASProtect address which is not there in the dump once you unpacked ASProtect, so this is why you are having the error. But the ASProtect address which is pointed to by 40781e in the original is pointing to an address; this address is what you need to put in EAX.
And I see even I still have things to learn on this subject. Thank you britedream.

I suppose laziness is what prompted me to solve this by NOPping those instructions (since that seems to fix the problem acceptably), instead of following through and finding out what I was supposed to do...

Regards,
Satyric0n
All times are GMT +8. The time now is 18:06.