Exetools  
#1
02-21-2004, 03:57
padawan
Team Project: PHP Processor v1.2???

Hello,

I'd like to propose a team project that will hopefully lead to writing a tutorial. The target I've been taking a look at is PHP Processor v1.2 (hxxp://www.gridinsoft.com/downloads/phppro12.zip).
It's an ASProtected target. I have unpacked it using the latest version of stripper. It would be nice if we could work on it from unpacking to cracking it so as to write a complete tutorial.
I believe the application also uses the ASProtect APIs, since once unpacked it behaves as if the trial period has expired.

Having found no way around the "expire" status I was thinking of making a loader. One that deletes the trial period registry entry, patches the target to hide the starting nag screen, programmatically clicks the "continue" button on the nag, and deletes all signs of the application being unregistered (10 files project limit).

I'd love to be able to work with someone more expert and I'd like to see if someone is able to identify a better solution. Is anyone willing to work on it with me?


padawan

[Edit by JMI: this doesn't belong in the "Software Releasing Forum" until you are actually "releasing" software.]

Last edited by padawan; 02-21-2004 at 06:30.
#2
02-21-2004, 05:53
padawan
Sorry JMI, I didn't notice I placed the post in the Software Releases forum... I thought I posted in the Crack Tutorials forum, for I wanted the people posting there to join. I must be more tired than I thought. Sorry again.

padawan
#3
02-21-2004, 06:43
JMI, Leader
No big deal. There isn't a "Mini-Projects Forum" like at Woodmann's to put it in anyway.

Regards,
JMI
#4
02-21-2004, 12:54
crusader
Well, it won't be much of a project if you use stripper to unpack for you... if you want to do things manually I would join in and help out...

#5
02-21-2004, 18:30
padawan
crusader, I have done what I know how to. Not knowing how to unpack it manually, I used an unpacker.

But as you can see from my initial post, I'd like to write a tutorial that goes from unpacking the target to cracking/keygenning it, and I'm more than willing to contribute what I can or to follow when I can be of no help.

The application can be downloaded here hxxp://www.gridinsoft.com/downloads/phppro12.zip (1.37MB).

Now, PEiD identifies the target as protected by ASProtect 1.2 / 1.2c. Where do I start from wanting to unpack the application manually?

padawan
#6
02-21-2004, 19:34
crusader

Erm, ok, I am not sure how much you know about cracking, asm or ASPr... but if you haven't done this, search and find a couple of tutorials about ASPr written within the last 2 years or so... read and gather as much info as possible about ASPr...

Then I hope you've got all the tools needed; just refer to the tutorials for the tools required...

Once you sort all that out... dump aspr.dll... how do you do that? The tutorials explain a bit but you will have to explore also... post questions as you encounter them...

cheers,
crUs

PS: I have already downloaded the prog...

#7
02-21-2004, 20:07
padawan
Tools and reading shouldn't be a problem.
Crusader, I'll be back in a couple of days with questions.


padawan

Last edited by padawan; 02-21-2004 at 20:09.
#8
02-21-2004, 20:44
MaRKuS-DJM, Cracker + Unpacker
padawan, you used stripper??? Then I understand. Look here:

Code:
005996BA |. 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX ; |
005996BD |. C645 D8 0B MOV BYTE PTR SS:[EBP-28],0B ; |
005996C1 |. 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C] ; |
005996C4 |. 33C9 XOR ECX,ECX ; |
005996C6 |. B8 74975900 MOV EAX,_PHPProc.00599774 ; |ASCII "Can't load language library: %s.lng"
005996CB |. E8 7016E7FF CALL _PHPProc.0040AD40 ; \_PHPProc.0040AD40
005996D0 |. 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
005996D3 |. E8 A4B8E6FF CALL _PHPProc.00404F7C
005996D8 |. 8BD0 MOV EDX,EAX
005996DA |. B9 98975900 MOV ECX,_PHPProc.00599798 ; ASCII "Error!"
005996DF |. A1 D0735A00 MOV EAX,DWORD PTR DS:[5A73D0]
005996E4 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
005996E6 |. E8 9162EDFF CALL _PHPProc.0046F97C
005996EB |. E8 48B2E6FF CALL _PHPProc.00404938
005996F0 |> FF15 2C6F5A00 CALL DWORD PTR DS:[5A6F2C]
005996F6 |. A1 D0735A00 MOV EAX,DWORD PTR DS:[5A73D0]
005996FB |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
005996FD |. E8 EA60EDFF CALL _PHPProc.0046F7EC
00599702 |. 33C0 XOR EAX,EAX
00599704 |. 5A POP EDX
00599705 |. 59 POP ECX
00599706 |. 59 POP ECX
00599707 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
0059970A |. 68 24975900 PUSH _PHPProc.00599724
0059970F |> 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
00599712 |. BA 05000000 MOV EDX,5
00599717 |. E8 D4B3E6FF CALL _PHPProc.00404AF0
0059971C \. C3 RETN
0059971D .^E9 0AADE6FF JMP _PHPProc.0040442C
00599722 .^EB EB JMP SHORT _PHPProc.0059970F

At 005996F0 (the CALL DWORD PTR DS:[5A6F2C]): if you use stripper, this DWORD will be 00598F3C. This means: program expired (this DWORD is set by ASPr). You have to modify this offset to 00598E28 and all works perfectly.

MaRKuS TH-DJM / SnD TeaM

PS: it doesn't use any APIs like you mentioned. But all the parameters (or let's say: DWORDs) for the program are set while ASProtect unpacks the target. So it is able to lead the code to another location (like here) where the program says: unregistered. So you can't find a way to crack it. But as you see, it is possible.

Last edited by MaRKuS-DJM; 02-21-2004 at 20:48.
#9
02-21-2004, 21:46
padawan
MaRKuS-DJM, you are indeed right.
Still, doesn't ASProtect provide a library that developers may utilize inside their code??? Otherwise how could the initial nag screen print the remaining days of the trial?

Just a curiosity: did you already know such a global variable needs setting to a given value, or did you discover it on this specific target??? Also, how many such global variables are there around that ASProtect usually sets???

padawan
#10
02-21-2004, 22:42
MaRKuS-DJM, Cracker + Unpacker

Maybe there's a small library. Haven't thought about this...

I know it because I saw many other ASPr targets with this technique before... AnyDVD is such a target: if you unpack manually, the value is right; if you unpack with stripper, the value is empty and AnyDVD does nothing more than show errors.
It is up to the programmers how many variables they set... how they are set depends on the registered/unregistered status of the program.
#11
02-22-2004, 12:51
crusader

Sigh... how do you expect them to learn if you feed them like that, Markus? So much for a project, heh, Padawan... you will not learn anything if you only listen and follow exactly what others tell you to...
#12
02-22-2004, 18:34
padawan

crusader, don't think MaRKuS led me away from my intent of getting back here with questions. He just explained one of the mysteries...

padawan
#13
02-22-2004, 19:20
crusader

lol... that is good to hear... nice to see you so willing to learn... well, if you actually finish the project as you set out to... you will be able to explain exactly why there is a difference between a manual dump and an asprstripper dump...
#14
02-22-2004, 23:02
MaRKuS-DJM, Cracker + Unpacker

Sorry crusader, you are right... but there's an easy way to find the right value for this... if your program is expired, go into that DWORD call and scroll up... above should be the code for a registered or not-expired program.

#15
02-23-2004, 07:29
padawan
Hello,

First of all, a few generic questions on ASProtect:

1) Does ASProtect implement anti-debug, anti-tool or anti-dump code??? Does it remove memory and HW breakpoints???
2) Stolen bytes: when did ASProtect (what version) introduce this further difficulty? What is the theory or rationale behind their "rescue"???

Now, from what I've read, the following should be a reasonable approach to manually unpack the ASProtected application:

Code:
1) Locate the OEP
2) When the application is completely decrypted (execution at the OEP), dump it
3) Fix the PE
   a) correct the dump EP
   b) find stolen bytes
   c) reconstruct the IAT
      c1) correct section characteristics
      c2) set PSIZE == VSIZE and OFFSET == RVA

I'd like to investigate one step at a time.

As the first step I started looking for the OEP.
BTW, I'm sorry, but on my machine SoftICE just can't run (video adapter driver problems), so I'm using OllyDbg.

To find the OEP I used a process that seems to be effective, the "exception counting approach" (I don't know if someone has given it a name, but if not, this is its new name).
1) I counted the number of exceptions before the application showed up. I reran the application, stopping one exception before that and getting into the exception this time. I ended up in winnt.dll.
2) I set a memory breakpoint on access on the application's code section and continued the application execution, ending up at 00599600:

00599600 PUSH EBP
00599601 MOV EBP,ESP
00599603 ADD ESP,-2C

Since this seems to be the typical prologue of a function, I believe this could very well be the OEP.

Questions:
1) Is this the correct OEP?
2) To find the OEP, having counted the 19 exceptions, before resorting to placing a memory breakpoint on the application code section I tried to use OllyDbg's trace feature, setting a stop condition such as EIP<500000. Well, this condition never stops the tracing!!! OllyDbg just goes on running even if the OEP should indeed stop the tracing (OEP is < 900000). I repeated this step tens of times thinking I was doing something wrong and in the end, frustrated, I just tried a different approach. Still, I'd like to know WHY this is happening??? Why is tracing not working??? BTW, I'm using a Windows 2000 OS.


MaRKuS-DJM, when you talk of scrolling up from the DWORD call, are you referring to the call at 005996F0 to the function starting at 00598E28??? I have taken a look up from that memory location but I don't see anything "interesting"... or at least no clue to code dealing with the application being registered or not expired.


padawan

Last edited by padawan; 02-23-2004 at 17:25.