Exetools  

#31
01-26-2004, 12:31
britedream
Thanks SHaG for the improvement, much better!

In light of my post on this forum and the three steps I mentioned for unpacking ASProtect, this script
will now demonstrate them by locating
the stolen bytes. To do that, do the following:

1. Hide debugger

2. Run the script below, and look for your
stolen bytes (sometimes you may need to add
the mov eax,xxxxxx to the stolen bytes; it is easy, I did clarify this somewhere in this forum). [Hint: press F9 a few times once the script finishes; you will be at mov ebp,esp in programs that start with push ebp, mov ebp,esp]

3. Look for your OEP as I noted in a thread in this forum.

Note:
This script will work on most of the ASPR programs that have stolen bytes; in some it will not, so you need to trace once you are at the breakpoint of the updated script "lastex". I will provide a script for such programs later on, if a need for it arises.

Scripts tested on Registry Cleaner Expert. (This script is only to demonstrate the steps I posted for unpacking ASProtect. I didn't put any effort into it; I just added a few lines to the lastex script.)
Attached file: asprsto.txt (259 Bytes)

#32
01-26-2004, 19:51
R@dier
@ britedream

Wow, your script is awesome; it worked well on 2 of the programs I tested it on (acopy, dezine).

Thanks for sharing your work




@ SHaG

Thanks for improving your plugin, it is truly useful.



R@dier
#33
01-26-2004, 22:46
R@dier
Thought I would try my hand at scripting.
This works for PECompact 1.76;
I don't know about any other versions.




R@dier
Attached file: pecompact1.76.txt (154 Bytes)
#34
01-27-2004, 03:05
lownoise
aspack, neolite

Rewrote the scripts for aspack and neolite for version 0.4.

Neolite

// on any breakpoint hit, continue at label Break
eob Break
// search forward from EIP for FF E0 (jmp eax), the loader's final jump to the OEP
findop eip, #FFE0#
// hardware breakpoint on execution at the found address
bphws $RESULT, "x"
run

Break:
// clear the hardware breakpoint
bphwc $RESULT
// step into the jmp eax: EIP is now the OEP
sti
// write the OEP to the log window
log eip
ret


aspack

// on any breakpoint hit, continue at label Break
eob Break
// search forward from EIP for 61 75 (popad followed by jnz short), the end of the ASPack loader
findop eip, #6175#
// hardware breakpoint on execution at the found address
bphws $RESULT, "x"
run

Break:
// clear the hardware breakpoint
bphwc $RESULT
// step over the last loader instructions until EIP lands on the OEP
sto
sto
sto
sto
// write the OEP to the log window
log eip

ret
#35
01-27-2004, 08:31
SHaG
PE Pack 1.0
Attached file: pepack10.txt (144 Bytes)
#36
01-27-2004, 21:45
SHaG
This one should prove useful:

tElock 0.98
Attached file: telock098.txt (526 Bytes)
#37
02-01-2004, 23:56
dARWIN
Hi,

I'm testing your script on the target "Website-Watcher 3.60b", which is protected with "ASProtect 1.22 - 1.23 Beta 21 -> Alexey Solodovnikov".

hxxp://aignes.com/de/download.htm

So I'm loading the wswatch.exe into OllyDbg and starting your script. Then something happens and the program has started successfully.

Now I'm at offset 0075F002, where there is a CALL wswatch.0075F00A

Can you tell me what I have to do next for finding the OEP?

Thanks for your help.

[Edit by JMI: dARWIN, you obviously did not look around here before you posted. You are NOT supposed to post clickable links here, especially to software vendors. ALWAYS uncheck the "Automatically parse URLs" button and use "hxxp" or the like for the address.]
#38
02-02-2004, 00:58
britedream
To darwin:

You are using the wrong script for this program. "asprsto" is for finding the stolen bytes on most programs, but for this one it won't work; we have a workaround for this. I will explain briefly, but
before that you have two options:
Option one:
hide debugger
run "lastex" script
this will stop on the last exception; set a bp (F2) on the first retn you see, shift+F9
will stop on the bp.

Option two:
hide debugger
run "asprbp" script
it will stop on the bp as above

Now view memory and set a memory breakpoint on access on the code section.

Set trace condition: esp==12ffa4 (for clarification search the forum for what I posted about this one)
control+F11
will encounter a loop, F12 to stop Olly
bp (F2) under the jnz, F9, then control+F11
once stopped, look below and you will see
your stolen bytes:
push ebp
mov ebp,esp
add esp,-0c
push ebx
mov eax, 65526c
shift+F9 will stop below your OEP
copy your stolen bytes above where you have stopped, set origin here on the push ebp, then dump. Fix your IAT.
It should run.
Here is asprbp = lastex updated.
Attached file: asprbp.txt (182 Bytes)

#39
02-02-2004, 02:24
dARWIN
@britedream

Thank you very much for your explanations.

But both scripts don't stop on the bp/exception...

So I used the unpacker ASPROTECTstripper 2.03 and it works fine.

Perhaps you could try it yourself with my target and tell me how you did it.

Thanks again
#40
02-02-2004, 10:47
britedream
I did check your target and both stop as they should.

#41
02-02-2004, 14:27
Mitchjs
Works for me too!

But I'm new on aspr...

I can't get a working dump.exe

I'm sure I'm screwing it up in Import Rec 1.6

I need some help there

I get to the OEP

I dump the process... I add back in the stolen bytes... correct OEP to offset 00255A44

I load up imprec, with the program running... attach
enter 0025A44, click on IAT autosearch... I increased the size to 3000... I level1 them... I ran the rest with the aspro 2.12 plugin
and then I cut the remaining bad imports

and finally patch into dump

Clearly I'm doing something wrong

Can someone step me through from the point of the dump

thanks
mitch
#42
02-07-2004, 02:40
Mitchjs
YEAH!!!

I got it unpacked

I cracked out the filesize check, that was easy

but cracking out the trial stuff... I'm into it, but getting lost

and I thought that would be the easy part

Did anyone try it? I don't give 2 sh**ts about the app,
in fact I want to uninstall ASAP

but I wanna crack it anyways, just because

mitch
#43
02-07-2004, 21:11
Nilrem
Program name and link Mitchjs?
#44
02-08-2004, 01:11
Mitchjs
It's mentioned a couple of posts up.

I only picked it to practice unpacking aspr!

"Website-Watcher 3.60b"

hxxp://aignes.com/de/download.htm

mitch
#45
02-08-2004, 09:16
SHaG
Ollyscript v0.5

Ollyscript v0.5 can now be downloaded at:
http://ollyscript.apsvans.com

New features like API breakpoints, run-to-return, module info etc. are implemented.

From readme.txt:
+ New commands:
CMT, GMI, GPA, LBL, RTR, RTU
+ New example script - tElock 0.98 OEP finder.

Comments please!!! =)