#1
ASPR v2.1x SKE - SEEKING HELP
Hi there...

Until now I've used Stripper 2.07/2.11 to speed up the work, or some Olly script to get to the OEP, in order to dump ASPR files. However, I'm running into a little problem with some recently ASProtected applications. PEiD v0.94 reports ASProtect v2.1x SKE and RDG v0.98 reports ASProtect v2.0. Stripper fails, complaining about not reaching the last SEH and some protection error 85. Plus none of the OllyScripts I've tried was working. So I decided to go on and MUP these files, with a bad result: none of the regular methods was working. I tried to catch the last SEH, used the int3 exceptions trick, the memory breakpoint in the target's code and several other methods. Nothing worked, so I was just wondering if anybody has succeeded in getting a valid dump of such targets.

Please keep in mind that I am just focusing on the unpacking technique, since I have managed to defeat the target's protection scheme. I'm not seeking help on reversing a specific target; I'm doing this just for fun/knowledge. So I've enclosed a little keygenme that uses this ASProtect version, so those who wish to help can get their hands on a real example.

Any help will be appreciated, thanks

Kameo
#2
Hi Kameo!!!
I can't open your file to study, so I only have a tutorial for you: http://s54.yousendit.com/d.aspx?id=2T1C3NGZBOTU30X4GQXSPSDF25

Have fun!
scherzo
#3
This unpackme was packed with the "protect original entry point" ASPR feature.
The last SEH is reachable after the 2nd int3 exception...
#4
@scherzo:
Yep, you must have at least 5 or 10 posts to be allowed to download from the board. Thx for the link, I'll have a look at your tut.

@hosiminh: Thx for the tip
#5
Good tut: http://www.cracklab.ru/rar/dl/CRACKLAB.rU_32.rar
Decompiling the VM, by PE_Kill
#6
Hi Kameo

At 401416 is a jmp to the stolen bytes. Put a bp on the address that 401416 is jumping to; that is the start of your stolen code.

Last edited by britedream; 03-16-2006 at 20:15.
#7
Hi Kameo!
If you want to find the correct OEP in stolen code, you can use this script:

Code:
// ASProtect 1.32 and greater (except ASProtect 2.0 alpha) OEP finder by sanniassin::REVENGE Crew
// Ignore all exceptions
// Clear all breakpoints
// Tested on WinXP only
var x
var y
var is_DLL
// Hardware read breakpoint 0x48 bytes below the initial ESP
mov x,esp
sub x,48
bphws x,"r"
// First byte at EIP is 60 (PUSHAD) -> treat the target as a DLL
mov y,[eip]
and y,000000FF
cmp y,60
jne zzz
mov is_DLL,1
zzz:
// Keep running until EIP points at the byte pattern 75 08 B8 01
run
mov y,[eip]
cmp y,01B80875
jne zzz
bphwc x
// Locate ADD ESP,4 / ADD [ESP],EAX / RET starting from EDI and break 6 bytes in
find edi,#83C404010424C3#
mov x,$RESULT
add x,6
bp x
run
bc x
sto
// Walk backwards from EIP to POP EBP / POP EDI / POP ESI / POP EBX (5D 5F 5E 5B)
mov x,eip
findcall:
dec x
mov y,[x]
cmp y,5B5E5F5D
jne findcall
sub x,8
go x
sti
rtr
sto
// A page-aligned EIP (low 16 bits zero) means the OEP was moved into the VM
mov x,eip
and x,0000FFFF
cmp x,0
je no_VM_on_OEP
VM_on_OEP:
msg "OEP found! OEP stolen."
jmp pause
no_VM_on_OEP:
// Break on the stack slot that is read when the original EP is restored
mov x,esp
cmp is_DLL,1
jne is_exe
add x,10
jmp label_9
is_exe:
add x,8
label_9:
bphws x,"r"
run
// Loop until the byte just before EIP is 5C (POP ESP)
mov y,eip
dec y
mov y,[y]
and y,000000FF
cmp y,5C
jne label_9
bphwc x
cmp is_DLL,1
jne is_exe2
// DLL: MOV [ESP+1C],EAX / POPAD / JMP EAX hands control to the OEP
find eip,#8944241C61FFE0#
add $RESULT,5
bp $RESULT
run
bc $RESULT
sto
jmp msg
is_exe2:
// EXE: EAX already holds the OEP
mov x,eax
go x
msg:
msg "OEP found! OEP not stolen."
pause:
pause
#8
@britedream:
How do you know how to get to this address???

@typed: Seems to be a nice tut. I can read English, French, Arabic, Spanish, Italian and German... but definitely not Russian. However, I'm going to see if I can get a translation tool to work on this tut.

--------

So let's sum up a little bit what I did:

Scanned with PEiD and RDG; it appears that the target is packed with ASProtect v2.11 SKE.
Loaded it into OllyDbg (v1.10), cleared all breakpoints and ignored all exceptions.
Used the script provided by scherzo a few lines above (with OdbgScript v1.47) to reach the stolen OEP.
Then "Search for -> All intermodular calls". Sorted the results by 'Destination' and saw several 'CALL 00B30000', so I guess that this target uses Advanced Import Protection.
Double-clicked on the first 'CALL 00B30000' to get back to the CPU window, performed a "Find references to -> Call destination", and now I've got all my AIP addresses! The first one is 00AD0352 and the last one 00AD1C59.
Back to the CPU window and to the OEP: scrolled down a bit searching for a valid call in order to retrieve information about the IAT section. And I found these:

00AD0396 FF15 40504000 CALL DWORD PTR DS:[405040] ; kernel32.GetStartupInfoA
00AD03A9 FF15 60504000 CALL DWORD PTR DS:[405060] ; kernel32.FreeEnvironmentStringsA

So I guess that the IAT is stored in the 00405xxx section. Let's check the memory map; ALT-M gives me this:

Memory map
00400000 00001000 ASPR211p PE header
00401000 00004000 ASPR211p code
00405000 00001000 ASPR211p data <-- this section contains the IAT?
00406000 00001000 ASPR211p
00407000 00001000 ASPR211p .rsrc resources
00408000 00024000 ASPR211p .data imports,...
0042C000 00001000 ASPR211p .adata

So OK, I've got all my information now:

stolen OEP: 00AD02C2 (yours might be different...)
code section: 401000
code size: 4000
iat section: 405000
iat size: 1000
AIP call destination: 00B30000
first call to AIP: 00AD0352
last call to AIP: 00AD1C59

Let's resolve the broken IAT with the 'ASProtect 2.0x Fix IAT with Import Elimination #4b.txt' script by Pnluck.
"Is the IAT of this PE corrupt?" I answered yes.
"Enter the address of code section", I put '401000'.
"Enter the address of the section where is the IAT", I put '405000'.
"Enter the size of same section", I put '1000'.
The script pops this message: "The iat start at 000405000".
"Enter the AIP call destination", I put '00B30000'.
And I ended up with this message box: "Error: eax or edi value is 0, do you want to continue?" No matter what I decide, the target either crashes or exits without any call being resolved...

I tried other IAT fixer scripts; sometimes one resolves 1 or 2 pointers, but right after, it ends up crashing Olly. But what really bothers me is that when some calls are resolved they become 'CALL 01210004' instead of 'CALL 00xx0000'; shouldn't it be something like 'CALL DWORD PTR DS:[405xxx]'? I'm really wondering what I'm doing wrong.
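The manual steps in the post above (list intermodular calls, sort by destination, find references to the common call target, read the [405xxx] operands to locate the IAT page) can be reproduced offline on a dumped code section. The script below is an added example written for this thread, not code from any poster or from any of the tools mentioned; the code bytes, the section base 0x401000, the IAT slots and the stub address 0x00B30000 are all constructed here to mirror the addresses quoted in the post and are assumptions, not data from the keygenme. It does a linear scan for FF 15 disp32 (CALL DWORD PTR [imm32]) and E8 rel32 (CALL rel32), groups the E8 targets that land outside the section, and reports the most frequent one as the redirection-stub candidate together with the first and last call sites and the page range spanned by the IAT slots.

```python
"""Find IAT slots and a common call-redirection stub in raw 32-bit x86 code."""
import struct
from collections import Counter

# Assumed layout for the constructed sample (mirrors the addresses in the thread).
CODE_BASE = 0x401000   # start of the code section
CODE_SIZE = 0x4000     # size of the code section
STUB = 0x00B30000      # hypothetical redirection stub all protected imports go through


def _call_iat(slot):
    """FF 15 disp32: CALL DWORD PTR DS:[slot]."""
    return b"\xff\x15" + struct.pack("<I", slot)


def _call_rel(src, dst):
    """E8 rel32: CALL dst, encoded at address src."""
    return b"\xe8" + struct.pack("<I", (dst - (src + 5)) & 0xFFFFFFFF)


def build_sample():
    """Constructed code section: two direct IAT calls, three stub calls, one local call."""
    code = bytearray()

    def here():
        return CODE_BASE + len(code)

    code += b"\x55\x8b\xec"                       # push ebp; mov ebp,esp
    code += _call_iat(0x405040)                   # call [405040] (direct IAT slot)
    code += _call_rel(here(), STUB)               # call 00B30000 (redirected import)
    code += b"\x85\xc0"                           # test eax,eax
    code += _call_rel(here(), CODE_BASE + 0x200)  # call 401200 (ordinary local routine)
    code += _call_rel(here(), STUB)               # call 00B30000
    code += _call_iat(0x405060)                   # call [405060] (direct IAT slot)
    code += _call_rel(here(), STUB)               # call 00B30000
    code += b"\x5d\xc3"                           # pop ebp; ret
    code += bytes(0x200 - len(code))              # pad up to the local routine
    code += b"\x33\xc0\xc3"                       # xor eax,eax; ret
    return bytes(code)


def scan_calls(code, base):
    """Linear scan for FF15 and E8 calls. Returns (iat_refs, rel_calls).

    iat_refs:  list of (call_address, iat_slot)
    rel_calls: list of (call_address, absolute_target)
    This is a byte-pattern scan, not a disassembler, so like Olly's
    "find references" it can be fooled by E8/FF15 inside other instructions.
    """
    iat_refs, rel_calls = [], []
    i, n = 0, len(code)
    while i < n:
        if code[i] == 0xFF and i + 6 <= n and code[i + 1] == 0x15:
            iat_refs.append((base + i, struct.unpack_from("<I", code, i + 2)[0]))
            i += 6
            continue
        if code[i] == 0xE8 and i + 5 <= n:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            rel_calls.append((base + i, (base + i + 5 + rel) & 0xFFFFFFFF))
            i += 5
            continue
        i += 1
    return iat_refs, rel_calls


def analyze(code, base, size):
    """Derive the IAT page range and the most-called out-of-section target."""
    iat_refs, rel_calls = scan_calls(code, base)
    slots = sorted(slot for _, slot in iat_refs)
    # Round the slot span out to whole 4 KiB pages (the memory-map granularity).
    iat_range = ((slots[0] & ~0xFFF), ((slots[-1] | 0xFFF) + 1)) if slots else None
    outside = Counter(t for _, t in rel_calls if not base <= t < base + size)
    stub = outside.most_common(1)[0][0] if outside else None
    sites = sorted(addr for addr, t in rel_calls if t == stub)
    return {
        "iat_range": iat_range,
        "stub": stub,
        "stub_call_count": len(sites),
        "first_stub_call": sites[0] if sites else None,
        "last_stub_call": sites[-1] if sites else None,
    }


if __name__ == "__main__":
    r = analyze(build_sample(), CODE_BASE, CODE_SIZE)
    print("IAT page range : %08X-%08X" % r["iat_range"])
    print("stub candidate : %08X (%d calls)" % (r["stub"], r["stub_call_count"]))
    print("first/last call: %08X / %08X" % (r["first_stub_call"], r["last_stub_call"]))
```

On a real dump the section base and size come from the memory map shown in the post, and the stub candidate is whichever out-of-section target collects the most calls; the reply that follows points out that this target has to be taken from the code at 00401000, not from the calls around the stolen OEP.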
#9
The reason is that 00B30000 is not the AIP. Go to address 00401000 and search for all intermodular calls; there you can see the real AIP destination. But AIP is the smallest problem on this target; the OEP protection and the VM are really hard to defeat.
#10
Quote:
#11
I already have a working dump of the target; however, it isn't really accurate for understanding how to unpack a regularly packed file.
#12
Quote:
Quote:
#13
Quote:
Defeating the VM protection of an ASProtected target, and also the RSA serial-checking routine provided by ASProtect... It would be the perfect tutorial, but the main problem of this tutorial is its language: Russian. I know that most of the best reversers around are either Chinese, Japanese or Russian, that's a fact, but, man... it would be a nice thing if they would release their tuts at least in English.