#31
Remember, the things that ASProtect relocates it usually corrupts (such as the IAT), but those things did have an appropriate position in the file before being packed (again, like how the imports should go in the .idata section). 22E000 would not be the appropriate place for both the relocations and the TlsTable (if either of them; I'm still not sure what the 22E000 section is for), then, since they were in separate sections before being packed.

Also, keep in mind that when a section is all 00s, it is probably uninitialized data (such as BSS), and anything you put there will be overwritten at runtime.

Regards
#32
Okay, I've tried something else.

1. Relocation table: Taking a look at 2EA9C4, it seems clear that the relocation table is empty, since there is only the header of the fix-up block (manipulated by ASPR?). I pushed that part to 231000, since the original relocation table should be there. After that I fixed the directory table entry to 231000. No problem.

2. Thread Local Storage: Examining address 2EA9CC (the place of the TLS directory), I found the following data:

    Raw Data Start:    62F000 (- base = 22F000 => empty section)
    Raw Data End:      62F01C
    Index:             6140C4 (some zeros inside of .data)
    Callbacks:         630010 (- base = 230010; hmmm... looks interesting, since at 630000 there's an exact copy of the TLS at 2EA9CC...)
    Size of Zerofill:  0
    Characteristics:   0

First I simply tried to transfer those 24 bytes to 22e00 and fix the directory table entry for TlsTable accordingly. It works, as long as I don't delete the .data section. Now I haven't got the slightest idea how to proceed... At the moment I'm trying to find out if any code in the .data section is executed, but it doesn't look like that would happen. So I'm afraid I'll need another hint.

Regards
Wurstgote
#33
Sorry, some corrections:

Errr... only one correction. I suppose I'm getting braindead.
#34
Regards

Last edited by Satyric0n; 02-13-2004 at 06:09.
#35
Considering the Tls Table, I think there is nothing else to fix.

As you've stated, ASPR also transferred some resources to the .data section... So the first thing I did was to study the structure of the resource tree. After I understood what it's all about, I used ResourceHacker to take a closer look at all the resources. This way it became obvious that perhaps the Icon Group, VersionInfo and the last resource, "24", need a relocation. So I walked the resource tree and found out that the data for all three groups really is in the .data section. I've managed to relocate them back to the .rsrc section, but sweet Jesus, if I thought putting the IAT back in place was tedious, I for sure don't know an adequate word to describe this piece of work.

Now my question is: Do you know of any tool that I can use to browse the resource tree of an app and that shows at each node the address where this node is stored? I've tried ResHacker (doesn't work) and PE Explorer (can read all resources but doesn't show addresses; also I can't use it to "repack" the resources). Any hint would be appreciated, since I believe that should be the last thing to do before .data can be deleted.

Regards
Wurstgote
#36
Here is what I do to fix the resources:

When my exe is at the point that I want to fix the resources, I make a copy of the exe. So now I have 2 identical exes: Resbldr2.exe and CopyOfResbldr2.exe.

1. Load the first exe (Resbldr2.exe) into a resource editor (personally, I just use Visual Studio, since it does a good job and I already have it installed; so I know this process works with VS, but I can't guarantee that it will work with another resource editor), and simply delete all resources that fall in the offending section: in this case, the 3 icons, the version info, and RT_MANIFEST (what you called 24). Save that and close it, and now .data in your first exe should have no resources in it. (It is at this point that I go and delete the .data section and wipe its section header from the PE.)

2. Open both exes in your resource editor. In your second exe (CopyOfResbldr2.exe), select all the resources that you deleted in the first exe and Copy them (standard clipboard Copy is what I'm referring to), then paste them into your first exe. Save the first one, then close both files (and now you can delete CopyOfResbldr2.exe). When VS saves the changes, it puts the new resources you've pasted in into the .rsrc section, as it should.

Now you have successfully transplanted the resources from the .data section to the .rsrc section, without a lot of hassle.

One note: VS, when it saves the resource changes, screws up the VSize of the .rsrc section for some reason. So once I'm done I go into LordPE and fix .rsrc's VSize back to the same as RSize.

Now, there are 2 problems left with your exe. One you will notice immediately once you remove the .data section and try to run the app. The problem you will see is much the same as the problem when you try to get into the program's Options (though the way I fixed those two problems is very dissimilar). Lucky for you, you chose a very easy app to begin learning ASPR with. Once you get this all finished, I'll give you a link to an app that actually uses ASProtect effectively.

Regards,
Satyric0n

Last edited by Satyric0n; 02-13-2004 at 22:16.
#37
That's a pretty cool idea!

I'll give it a try as soon as possible. Nevertheless, you still have to identify those resources in the to-be-deleted section. I'll have to think about that. There must be an easy way to accomplish that task, even if I have to write a small app to do it.

Regards
Wurstgote
#38
So, easy as this is, there is still better news: every ASProtected app I have ever seen relocates only these exact items: Icons, Version Info, and RT_MANIFEST (if it exists). So, though I always double check to see that there aren't any others that have been relocated, I have never seen any other than these three types. Of course, writing a small app to identify these for you (or even relocate them for you) would also be another good learning process, and maybe more fun.

Regards,
Satyric0n
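The tool Wurstgote asks for in #35 and that Satyric0n suggests writing in #38 is essentially a resource-tree walker that reports, for every leaf, which section its data lives in. The script below is an added example written for this edit, not code from the thread or from any of the posters: it parses the PE section table, follows the IMAGE_RESOURCE_DIRECTORY tree from data directory entry 2, and lists every IMAGE_RESOURCE_DATA_ENTRY whose RVA falls outside the section that holds the resource directory itself, which is how icons, version info and RT_MANIFEST get flagged when ASProtect has moved them into .data. The PE image it runs on by default is constructed in build_sample_pe() purely for demonstration (its section names, RVAs and resource IDs are assumptions of the example, not values from the thread); for a real dump, pass the file path on the command line.

```python
import struct
import sys

# Struct layouts from winnt.h (PE32; the data-directory offset differs for PE32+).
COFF_FMT = "<HHIIIHH"            # IMAGE_FILE_HEADER
SEC_FMT = "<8sIIIIIIHHI"         # IMAGE_SECTION_HEADER
RES_DIR_FMT = "<IIHHHH"          # IMAGE_RESOURCE_DIRECTORY
RES_ENTRY_FMT = "<II"            # IMAGE_RESOURCE_DIRECTORY_ENTRY
RES_DATA_FMT = "<IIII"           # IMAGE_RESOURCE_DATA_ENTRY
RT_NAMES = {3: "RT_ICON", 14: "RT_GROUP_ICON", 16: "RT_VERSION", 24: "RT_MANIFEST"}


def parse_pe(buf):
    """Return (sections, resource_dir_rva) for a PE32/PE32+ file image held in memory."""
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    _, nsec, _, _, _, size_opt, _ = struct.unpack_from(COFF_FMT, buf, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", buf, opt)[0]
    dd_off = 96 if magic == 0x10B else 112                       # DataDirectory: PE32 vs PE32+
    res_rva = struct.unpack_from("<I", buf, opt + dd_off + 2 * 8)[0]  # entry 2 = resources
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, raw, *_ = struct.unpack_from(SEC_FMT, buf, opt + size_opt + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": vsize, "raw": raw, "rawsize": rawsize})
    return sections, res_rva


def section_for_rva(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def rva_to_offset(sections, rva):
    s = section_for_rva(sections, rva)
    if s is None:
        raise ValueError(f"RVA {rva:#x} lies outside every section")
    return rva - s["va"] + s["raw"]


def walk_resources(buf, sections, res_rva, dir_off=0, path=()):
    """Depth-first walk; returns one (path, data_rva, size, section_name) tuple per leaf.
    Sub-directory offsets are relative to the start of the resource directory, while a
    leaf's OffsetToData is an RVA, so each leaf is mapped back to the section holding it.
    Named entries keep their raw name field (high bit set) in the path; IDs are plain ints."""
    base = rva_to_offset(sections, res_rva)
    leaves = []
    *_, n_named, n_id = struct.unpack_from(RES_DIR_FMT, buf, base + dir_off)
    for i in range(n_named + n_id):
        name, off = struct.unpack_from(RES_ENTRY_FMT, buf, base + dir_off + 16 + 8 * i)
        if off & 0x80000000:                       # high bit set: points to a sub-directory
            leaves += walk_resources(buf, sections, res_rva, off & 0x7FFFFFFF, path + (name,))
        else:                                      # otherwise an IMAGE_RESOURCE_DATA_ENTRY
            rva, size, _, _ = struct.unpack_from(RES_DATA_FMT, buf, base + off)
            sec = section_for_rva(sections, rva)
            leaves.append((path + (name,), rva, size, sec["name"] if sec else None))
    return leaves


def misplaced_resources(buf):
    """Leaves whose data is not in the section that holds the resource directory."""
    sections, res_rva = parse_pe(buf)
    home = section_for_rva(sections, res_rva)["name"]
    return [leaf for leaf in walk_resources(buf, sections, res_rva) if leaf[3] != home]


def report(buf):
    """One line per resource leaf: type, name/lang path, RVA, size and owning section."""
    sections, res_rva = parse_pe(buf)
    lines = []
    for path, rva, size, sec in walk_resources(buf, sections, res_rva):
        rt = RT_NAMES.get(path[0], str(path[0]))
        ident = "/".join(str(p) for p in path[1:])
        lines.append(f"{rt:14} {ident:10} RVA {rva:08X} size {size:6X} in {sec}")
    return lines


def build_sample_pe():
    """Constructed PE32 image for demonstration only (not a real binary): .rsrc at RVA 0x2000,
    .data at RVA 0x3000, an RT_ICON whose bytes sit in .rsrc and an RT_VERSION whose bytes
    were 'relocated' into .data, which is the situation the thread describes."""
    rsrc = bytearray(0x200)

    def put(fmt, off, *vals):
        struct.pack_into(fmt, rsrc, off, *vals)
    put(RES_DIR_FMT, 0x00, 0, 0, 0, 0, 0, 2)       # root: two ID entries (types)
    put(RES_ENTRY_FMT, 0x10, 3, 0x80000020)         # RT_ICON    -> directory at 0x20
    put(RES_ENTRY_FMT, 0x18, 16, 0x80000050)        # RT_VERSION -> directory at 0x50
    put(RES_DIR_FMT, 0x20, 0, 0, 0, 0, 0, 1); put(RES_ENTRY_FMT, 0x30, 1, 0x80000038)
    put(RES_DIR_FMT, 0x38, 0, 0, 0, 0, 0, 1); put(RES_ENTRY_FMT, 0x48, 0x409, 0x80)
    put(RES_DIR_FMT, 0x50, 0, 0, 0, 0, 0, 1); put(RES_ENTRY_FMT, 0x60, 1, 0x80000068)
    put(RES_DIR_FMT, 0x68, 0, 0, 0, 0, 0, 1); put(RES_ENTRY_FMT, 0x78, 0x409, 0x90)
    put(RES_DATA_FMT, 0x80, 0x2100, 0x20, 0, 0)     # icon data: inside .rsrc
    put(RES_DATA_FMT, 0x90, 0x3010, 0x30, 0, 0)     # version data: inside .data (misplaced)

    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)         # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into(COFF_FMT, hdr, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)         # PE32 magic
    struct.pack_into("<II", hdr, opt + 96 + 2 * 8, 0x2000, 0x200)   # resource directory entry
    sec = opt + 0xE0
    struct.pack_into(SEC_FMT, hdr, sec, b".rsrc", 0x200, 0x2000, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    struct.pack_into(SEC_FMT, hdr, sec + 40, b".data", 0x200, 0x3000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    return bytes(hdr) + bytes(rsrc) + bytes(0x200)  # headers, .rsrc raw data, .data raw data


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_pe()
    print("\n".join(report(data)))
    for path, rva, _, sec in misplaced_resources(data):
        print(f"MISPLACED: {RT_NAMES.get(path[0], path[0])} {path[1:]} -> {sec} (RVA {rva:08X})")
```

Run against the dump before deleting .data: every leaf the script reports outside .rsrc is one that has to be deleted and re-pasted (Satyric0n's method) or moved by hand before the section can go. The check compares against the section that contains the resource directory rather than the literal name ".rsrc", so a packer that renames sections does not hide the problem.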
#39
Perhaps next time I should play a little with the software I'm using instead of mindlessly crying for help...

Regards
Wurstgote
#40
It's me again.

Nevertheless I've managed to make the "Options" menu available. First I tried to follow britedream's suggestions, but either his ideas were way beyond my head or Win XP behaves differently than Win 2K, so I had to do it on my own. I loaded the dumped app into Olly and let it run. As soon as I try to access "Options" in the "Tools" menu, Olly pops up with an access violation at 57891E. The code around it looks like this:

    0057890C /$ PUSH EBP
    0057890D |. MOV EBP,ESP
    0057890F |. PUSH ECX
    00578910 |. PUSH EBX
    00578911 |. MOV EAX,DWORD PTR DS:[40781E]    ; <&kernel32.GetModuleHandleA>
    00578917 |. MOV EBX,DWORD PTR DS:[EAX]
    00578919 |. PUSH DWORD PTR DS:[EBX]
    0057891B |. MOV DWORD PTR SS:[EBP-4],EBX
    0057891E |. POP DWORD PTR DS:[EBX]
    00578920 |. MOV EAX,DWORD PTR SS:[EBP-4]
    00578923 |. POP EBX
    00578924 |. POP ECX
    00578925 |. POP EBP
    00578926 \. RETN

So I put a breakpoint on 578911 and single-stepped through the code. At 57891E, the code doesn't make any sense to me... Changing data in kernel32.dll wouldn't work, so I changed

    0057891E |. POP DWORD PTR DS:[EBX]

to

    0057891E |. POP DWORD PTR DS:[EAX]

and everything's okay. Next I'll have to code that small app I mentioned, just to see if I can get rid of that problem at startup you've talked about.

Regards
Wurstgote
#41
Again, standard procedure for ASPR, so once you know about it and what it's doing, it's easy to take care of.

Regards,
Satyric0n
#42
Quote: Originally posted by Wurstgote

> It's me again. First I tried to follow britedream's suggestions, but either his ideas were way beyond my head or Win XP behaves differently than Win 2K, so I had to do it on my own. I loaded the dumped app into Olly and let it run. As soon as I try to access "Options" in the "Tools" menu, Olly pops up with an access violation at 57891E. The code around it looks like this:
>
>     0057890C /$ PUSH EBP
>     0057890D |. MOV EBP,ESP
>     0057890F |. PUSH ECX
>     00578910 |. PUSH EBX
>     00578911 |. MOV EAX,DWORD PTR DS:[40781E]    ; <&kernel32.GetModuleHandleA>
>     00578917 |. MOV EBX,DWORD PTR DS:[EAX]
>     00578919 |. PUSH DWORD PTR DS:[EBX]
>     0057891B |. MOV DWORD PTR SS:[EBP-4],EBX
>     0057891E |. POP DWORD PTR DS:[EBX]
>     00578920 |. MOV EAX,DWORD PTR SS:[EBP-4]
>     00578923 |. POP EBX
>     00578924 |. POP ECX
>     00578925 |. POP EBP
>     00578926 \. RETN
>
> So I put a breakpoint on 578911 and single-stepped through the code.

You should bp 578911 in the original and follow the [40781E] to find the correct value. On your PC, 578911 is the correct address for the code that I changed in my earlier post.

Last edited by britedream; 02-14-2004 at 10:33.
#43
@ SatyricOn:

@ britedream: Your help is much appreciated, but I'm not sure if I understand you:

    00578911 MOV EAX,DWORD PTR DS:[40781E]    ; [40781E] contains 62A43C

with

    00578911 MOV EAX,62A43C

Could you please explain what I'm getting wrong here?

Regards
Wurstgote
#44
Well, if they were the same you wouldn't have an error, but address 40781E is pointing to an ASProtect address which is not there in the dump once you unpacked ASProtect, so this is why you are having the error. But the ASProtect address which is pointed to by 40781E in the original is pointing to an address, and this address is what you need to put in EAX.
#45
I suppose laziness is what prompted me to solve this by NOPping those instructions (since that seems to fix the problem acceptably), instead of following through and finding out what I was supposed to do...

Regards,
Satyric0n