Exetools  

  #1  
Old 01-04-2004, 04:33
loman
Dvd2one?? ASProtect 1.23 RC4 - 1.3.08.24 -> Alexey Solodovnikov

hi, I'm trying to unpack this program, I'm not able to find the OEP, can anyone help me?

seg000:0040D502 start proc near
seg000:0040D502 jz short loc_40D52F
seg000:0040D504 cmp byte ptr [eax], 5Ch
seg000:0040D507 jnz short loc_40D50B
seg000:0040D509 inc eax
seg000:0040D50A retn


I found this piece of code that's after the trace with tc EIP<value smaller than aspr code, but I'm not sure that it's the right one.....

hxxp://www.dvd2one.com/download.php

thanks in advance

loman
  #2  
Old 01-04-2004, 05:00
MaRKuS-DJM
OEP is: 407DB4

Stolen bytes:
00407DB4 > $ 53 PUSH EBX
00407DB5 . 56 PUSH ESI
00407DB6 . 57 PUSH EDI
00407DB7 . 83EC 20 SUB ESP,20
00407DBA . 8D5C24 1C LEA EBX,DWORD PTR SS:[ESP+1C]
00407DBE . BA 904C4100 MOV EDX,dvd2one1.00414C90 ; ASCII "FontSize"
00407DC3 . 33C0 XOR EAX,EAX
00407DC5 . E8 F2580000 CALL dvd2one1.0040D6BC <<< this is the call which is executed before going to Temp-OEP!!!


the place where you are is near the OEP, just trace a little bit and you are there!

IAT:
  #3  
Old 01-04-2004, 21:32
loman
can you explain to me how you found the stolen bytes? I saw that those are all 0000000 at those addresses..... thanks

loman
  #4  
Old 01-04-2004, 21:56
MaRKuS-DJM
all you have to do is look @ the stack window (these values must match in the dump @ startup), then you have done it. (this is very hard for some programs)

i'll write later in full how it is done
  #5  
Old 01-04-2004, 22:10
MaRKuS-DJM
00407DB4 > $ 53 PUSH EBX
00407DB5 . 56 PUSH ESI
00407DB6 . 57 PUSH EDI
00407DB7 . 83EC 20 SUB ESP,20
00407DBA . 8D5C24 1C LEA EBX,DWORD PTR SS:[ESP+1C]
00407DBE . BA 904C4100 MOV EDX,dvd2one1.00414C90 ; ASCII "FontSize"
00407DC3 . 33C0 XOR EAX,EAX
00407DC5 . E8 F2580000 CALL dvd2one1.0040D6BC

ok, if you use trace eip<900000 after the last exception, you are here:
0040D502 74 2B JE SHORT dvd2one1.0040D52F
0040D504 8038 5C CMP BYTE PTR DS:[EAX],5C
0040D507 75 02 JNZ SHORT dvd2one1.0040D50B
0040D509 40 INC EAX
0040D50A C3 RETN
0040D50B 52 PUSH EDX
0040D50C 51 PUSH ECX
0040D50D 50 PUSH EAX
0040D50E 68 1C314100 PUSH dvd2one1.0041311C ; ASCII "SOFTWARE\Visual Domain\DVD2one"
0040D513 68 F8514100 PUSH dvd2one1.004151F8 ; ASCII "%s\%s"
0040D518 68 B02B5300 PUSH dvd2one1.00532BB0
0040D51D 2E:FF15 DC124100 CALL DWORD PTR CS:[4112DC] ; USER32.wsprintfA
0040D524 B8 B02B5300 MOV EAX,dvd2one1.00532BB0
0040D529 83C4 10 ADD ESP,10
0040D52C 59 POP ECX
0040D52D 5A POP EDX
0040D52E C3 RETN

@this place, EDX = 00414C90 ; ASCII "FontSize"
this solves the stolen byte:
00407DBE . BA 904C4100 MOV EDX,dvd2one1.00414C90 ; ASCII "FontSize"


execute the ret with F8
you are here:
0040D6CD 53 PUSH EBX
0040D6CE 6A 01 PUSH 1
0040D6D0 6A 00 PUSH 0
0040D6D2 50 PUSH EAX
0040D6D3 68 01000080 PUSH 80000001
0040D6D8 2E:FF15 00124100 CALL DWORD PTR CS:[411200] ; advapi32.RegOpenKeyExA
0040D6DF 89C3 MOV EBX,EAX
0040D6E1 85C0 TEST EAX,EAX
0040D6E3 74 10 JE SHORT dvd2one1.0040D6F5
0040D6E5 85DB TEST EBX,EBX
0040D6E7 75 47 JNZ SHORT dvd2one1.0040D730
0040D6E9 B8 01000000 MOV EAX,1
0040D6EE 83C4 08 ADD ESP,8
0040D6F1 5F POP EDI
0040D6F2 5E POP ESI
0040D6F3 59 POP ECX
0040D6F4 C3 RETN
0040D6F5 8D4424 04 LEA EAX,DWORD PTR SS:[ESP+4]
0040D6F9 50 PUSH EAX
0040D6FA 56 PUSH ESI
0040D6FB 53 PUSH EBX
0040D6FC 53 PUSH EBX
0040D6FD 57 PUSH EDI
0040D6FE 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+14]
0040D702 BA 04000000 MOV EDX,4
0040D707 51 PUSH ECX
0040D708 895424 1C MOV DWORD PTR SS:[ESP+1C],EDX
0040D70C 2E:FF15 04124100 CALL DWORD PTR CS:[411204] ; advapi32.RegQueryValueExA
0040D713 8B3424 MOV ESI,DWORD PTR SS:[ESP]
0040D716 56 PUSH ESI
0040D717 89C3 MOV EBX,EAX
0040D719 2E:FF15 F4114100 CALL DWORD PTR CS:[4111F4] ; advapi32.RegCloseKey
0040D720 85DB TEST EBX,EBX
0040D722 75 0C JNZ SHORT dvd2one1.0040D730
0040D724 B8 01000000 MOV EAX,1
0040D729 83C4 08 ADD ESP,8
0040D72C 5F POP EDI
0040D72D 5E POP ESI
0040D72E 59 POP ECX
0040D72F C3 RETN

here are some pushes:
they solve these bytes:
00407DB4 > $ 53 PUSH EBX
00407DB5 . 56 PUSH ESI
00407DB6 . 57 PUSH EDI
this writes the values to the stack (i've seen that it works without these stolen bytes, but it's more correct)

another stolen byte:
00407DC3 . 33C0 XOR EAX,EAX
eax is 0 @ startup

00407DB7 . 83EC 20 SUB ESP,20
this corrects the stack RVA (or better said, size) @ startup

LEA EBX,DWORD PTR SS:[ESP+1C]
this corrects the value @ 6FFB4 which is called here:
00407DE0 . 8B5C24 20 MOV EBX,DWORD PTR SS:[ESP+20]


i know this isn't a very good explanation, i think britedream is the better one for this because he has much more knowledge about ASM & unpacking

Last edited by MaRKuS-DJM; 01-04-2004 at 22:17.
  #6  
Old 01-05-2004, 01:55
loman
I've quite understood the EDX = 00414C90, but I haven't understood how you find the other stolen bytes, from where?

you say...

>here are some push:
>solves this bytes:
>00407DB4 > $ 53 PUSH EBX
>00407DB5 . 56 PUSH ESI
>00407DB6 . 57 PUSH EDI

how do you catch them????

maybe I'm too newbie to understand it .......


thanks
  #7  
Old 01-05-2004, 02:39
MaRKuS-DJM
you can ignore these bytes

the program works exactly the same way without these bytes
  #8  
Old 01-05-2004, 03:19
loman
but when I unpack I need to recover the stolen bytes, how do I find them?

thanks again
  #9  
Old 01-05-2004, 03:25
MaRKuS-DJM
you must find a way for the stack @ dump to match the stack @ original program. and this is done by those commands... if you follow, you see the stack @ original program (@ temp-oep) is the same as in the dump (@ temp-oep) (all the bytes that were added, not the stack from the beginning)
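Replaying the stolen bytes from post #5 shows exactly which stack slots and registers they set up before the temp-OEP, which is the state post #9 says the dump must reproduce. This is an added example, not code from the thread; the OllyDbg line parser, the symbolic startup register names ("ebx0" etc.) and the starting ESP value 0x0006FFE0 are assumptions.

```python
import re
# OllyDbg listing of the stolen bytes as posted in the thread, embedded here as constructed input.
STOLEN_BYTES = """\
00407DB4 > $ 53 PUSH EBX
00407DB5 . 56 PUSH ESI
00407DB6 . 57 PUSH EDI
00407DB7 . 83EC 20 SUB ESP,20
00407DBA . 8D5C24 1C LEA EBX,DWORD PTR SS:[ESP+1C]
00407DBE . BA 904C4100 MOV EDX,dvd2one1.00414C90 ; ASCII "FontSize"
00407DC3 . 33C0 XOR EAX,EAX
"""

def parse_olly(listing):
    """Split OllyDbg lines into (address, mnemonic, [operands]); comments after ';' are dropped."""
    insns = []
    for line in listing.splitlines():
        toks = line.split(";", 1)[0].split()
        if not toks:
            continue
        rest = [t for t in toks[1:] if t not in (">", "$", ".")]  # drop Olly's column markers
        while re.fullmatch(r"([0-9A-F]{2})+", rest[0]):  # opcode bytes are even-length hex; mnemonic is not
            rest.pop(0)
        insns.append((int(toks[0], 16), rest[0], "".join(rest[1:]).split(",")))
    return insns

def imm(tok):  # immediate or module-qualified address such as dvd2one1.00414C90 -> int
    return int(tok.rsplit(".", 1)[-1], 16)

def run_stolen_bytes(listing, esp0):
    """Replay the stolen bytes on a tiny symbolic machine; pushed registers keep symbolic startup names."""
    regs = {r: r.lower() + "0" for r in ("EAX", "EBX", "ECX", "EDX", "ESI", "EDI")}
    regs["ESP"] = esp0  # ESP is numeric (assumed value) so slot addresses come out concrete
    stack = {}  # address of each slot written below esp0 -> value stored there
    for _addr, mnem, ops in parse_olly(listing):
        if mnem == "PUSH":
            regs["ESP"] -= 4
            stack[regs["ESP"]] = regs[ops[0]]
        elif mnem == "SUB" and ops[0] == "ESP":
            regs["ESP"] -= imm(ops[1])
        elif mnem == "LEA":  # LEA reg,DWORD PTR SS:[ESP+disp]
            disp = re.search(r"\[ESP\+([0-9A-F]+)\]", ops[1]).group(1)
            regs[ops[0]] = regs["ESP"] + int(disp, 16)
        elif mnem == "MOV":  # MOV reg,imm
            regs[ops[0]] = imm(ops[1])
        elif mnem == "XOR" and ops[0] == ops[1]:  # XOR reg,reg zeroes the register
            regs[ops[0]] = 0
        else:
            raise NotImplementedError(f"{mnem} {','.join(ops)}")
    return regs, stack
```

With esp0 = 0x0006FFE0 the replay ends with ESP = 0x0006FFB4 (three pushes plus 0x20 of locals), EBX pointing 0x1C above it, EDX = 00414C90 and EAX = 0; comparing that layout with the stack window of the dump at the temp-OEP is the check described in the thread.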