Exetools > General Discussion
#1  05-21-2004, 17:15  *RemedY*
Damaged stolen bytes

Hi everybody,

I recently came across a program packed with "ASProtect 1.23 RC4 - 1.3.08.24 -> Alexey Solodovnikov" and I tried to unpack it manually. "Nothing special", I thought, and went through the usual process. I found the fake OEP, inserted the stolen bytes (12), dumped the victim and finally rebuilt the IAT. All went OK - but the dumped program refused to run (and still does)! After a lot of hours of war against this prog I decided to load it in Stripper 2.07. Stripper was able to unpack it, but the prog shows only the nag at the beginning and collapses then. So I looked at the log from Stripper and there it says "stolen bytes were damaged by alexey". My eyes are still question marks 'cause I've never come across "damaged stolen bytes" so far. Can you tell me please what these stolen bytes are? What is different from "normal" ASProtect, and maybe a hint how to handle it.
Thanks a lot in advance

Regards *RemedY*
#2  05-21-2004, 23:37  freddy2002
Head over to RCE & search for it
#3  05-22-2004, 03:55  *RemedY*
I will gladly do so - but I don't have any idea what RCE is.
Maybe I have to apologize for my lack of knowledge, but I would be very happy if you tell me who or what RCE is.
Thank you

Regards *RemedY*

I'm sorry, I see you meant the Woodmann forum (never realized the "RCE"). I searched the forum for "damaged stolen bytes" and all I found was a thread where the guy who dared to ask about this topic got answers in a very rude way. So I still have no idea what it is.

#4  05-22-2004, 05:11  JMI
*RemedY*:

If you actually read the whole thread on the RCE/Woodmann Forum you should/would have learned that using pre-fabricated "unpackers/strippers" is no guarantee that they are going to give you the correct information or perform their tasks properly. Has it occurred to you that the makers of the protection systems obtain copies of these "tools" and intentionally attempt to make them fail?

If you actually know about manual unpacking, you should know that an incorrect IAT reconstruction is generally the cause of the program failing to run if you have properly stripped the aspr shell and correctly re-adjusted the stolen bytes.

What is clear is that you apparently have failed to actually investigate why the program may now be crashing and where. That is what a debugger is designed to help you do. Why not try it and see if you can determine what the problem might be.

Regards,
JMI
#5  05-22-2004, 05:52  freddy2002
@RemedY
get hiewdemo, open it and load an exe file
in your windows parent, now press F4 decode,
now F8 and next F5, you will be at EntryPoint (OEP)
Every linker generates different bytes!
Example 55 8b and so on
or another linker 6a 70 and so on,
these bytes are the stolen bytes.
They were executed (sometimes emulated) after unpack
and before the jump to main exe file.
OK
(get packer demo, pack notepad, and see what's happening)
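Worked example, added by the editor and not part of any post in this thread: a small Python script that shows in code what freddy2002 describes (the first bytes at the OEP, such as 55 8B EC or 6A 70 68, are the "stolen bytes") and what *RemedY* did by hand, namely writing the recovered 12 bytes back at the real OEP of a dump and pointing the PE entry point there. It parses the PE header itself, so it runs on a dumped file with no third-party modules. The sample image, the 12-byte MSVC-6-style prologue, the RVAs 0x1000 (real OEP) and 0x100C (fake OEP) and the three prologue patterns are constructed for the demo, not taken from *RemedY*'s target, and the pattern table is illustrative, not a complete list. The script does not try to clean the junk instructions MaRKuS-DJM mentions below; those still have to be traced out in the debugger.

```python
import struct

# Entry-point prologues commonly emitted by Win32 linkers/CRTs (the "55 8b" and
# "6a 70" freddy2002 mentions). Illustrative, not exhaustive; the longest match wins.
PROLOGUES = {
    "msvc6-crt": bytes.fromhex("558bec6aff68"),  # push ebp; mov ebp,esp; push -1; push imm32
    "msvc7-crt": bytes.fromhex("6a7068"),        # push 70h; push imm32
    "generic":   bytes.fromhex("558bec"),        # push ebp; mov ebp,esp (C/Delphi/Borland)
}

def _nt_offset(img: bytes) -> int:
    if img[:2] != b"MZ":
        raise ValueError("not an MZ image")
    nt = struct.unpack_from("<I", img, 0x3C)[0]          # e_lfanew
    if img[nt:nt + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return nt

def sections(img: bytes):
    """Yield (name, virtual_address, raw_size, raw_pointer) for each section."""
    nt = _nt_offset(img)
    nsec = struct.unpack_from("<H", img, nt + 6)[0]        # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", img, nt + 20)[0]   # FileHeader.SizeOfOptionalHeader
    table = nt + 24 + opt_size
    for i in range(nsec):
        name, _vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", img, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), va, raw_size, raw_ptr

def rva_to_offset(img: bytes, rva: int) -> int:
    """Map an RVA to a file offset via the section table: a dump on disk is
    addressed by file offset, while OEP and stolen-bytes addresses are RVAs."""
    for _name, va, raw_size, raw_ptr in sections(img):
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def entry_point(img: bytes) -> int:
    nt = _nt_offset(img)
    return struct.unpack_from("<I", img, nt + 24 + 16)[0]  # OptionalHeader.AddressOfEntryPoint

def classify_entry(img: bytes):
    """Name of the known prologue at the entry point, or None when the bytes there
    match nothing (what you see at a fake OEP whose first bytes were stolen)."""
    head = bytes(img[rva_to_offset(img, entry_point(img)):][:8])
    hits = [n for n, p in PROLOGUES.items() if head.startswith(p)]
    return max(hits, key=lambda n: len(PROLOGUES[n])) if hits else None

def restore_stolen_bytes(img: bytes, oep_rva: int, stolen: bytes) -> bytearray:
    """Return a copy of the dump with the recovered bytes written at the real OEP
    and AddressOfEntryPoint pointing there; the input dump is left untouched."""
    out = bytearray(img)
    off = rva_to_offset(out, oep_rva)
    out[off:off + len(stolen)] = stolen
    struct.pack_into("<I", out, _nt_offset(out) + 24 + 16, oep_rva)
    return out

# --- Constructed sample (not a real program): a single-section PE32 dump. ---
def build_sample_pe(entry_rva: int, code: bytes) -> bytearray:
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                       # e_lfanew
    nt = 0x40
    img[nt:nt + 4] = b"PE\0\0"
    # FILE_HEADER: i386, 1 section, no symbols, PE32 optional-header size, EXE flags
    struct.pack_into("<HHIIIHH", img, nt + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = nt + 24
    struct.pack_into("<H", img, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<I", img, opt + 16, entry_rva)              # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, 0x400000)               # ImageBase
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)         # Section/File alignment
    struct.pack_into("<8sIIII", img, opt + 0xE0, b".text", 0x1000, 0x1000, 0x200, 0x200)
    img[0x200:0x200 + len(code)] = code
    return img

# The 12 bytes the packer lifted out of the OEP in this scenario (an MSVC-6-style
# CRT start: push ebp; mov ebp,esp; push -1; push 401000h; push ebx; push esi).
# Constructed for the demo, not from *RemedY*'s target.
STOLEN = bytes.fromhex("558bec6aff68001040005356")
# What is left in the dump: a 12-byte hole, then the code that continues at the fake OEP.
REMAINDER = bytes.fromhex("64a10000000050")                 # mov eax,fs:[0]; push eax
SAMPLE = build_sample_pe(0x100C, b"\0" * 12 + REMAINDER)   # entry still at the fake OEP

if __name__ == "__main__":
    print("before:", hex(entry_point(SAMPLE)), classify_entry(SAMPLE))   # 0x100c None
    fixed = restore_stolen_bytes(SAMPLE, 0x1000, STOLEN)
    print("after: ", hex(entry_point(fixed)), classify_entry(fixed))     # 0x1000 msvc6-crt
```

On a real dump you would replace SAMPLE with `open("dumped.exe", "rb").read()`, pass the OEP RVA and the bytes you traced out of the ASProtect stub, and write the returned image back to disk. `classify_entry` returning None on the fixed file is a cheap sanity check that the bytes you wrote are not a sane prologue; it says nothing about the IAT, which is where JMI points for a dump that still crashes after the stolen bytes are right.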
#6  05-22-2004, 06:24  *RemedY*
First of all I have to apologize if I sound rude now, but sometimes I think that no one with less than 100 posts is taken seriously here.

@JMI
Actually I examined the dumped and fixed .exe with Olly. It led me to an "Access violation". When I fixed it, it led me to another. After 17 fixes I can see the program's main GUI. But that was not the problem. Everything I wanted to know was an explanation what the hell damaged stolen bytes are. It would have been much more friendly to say "hey mate, damaged stolen bytes don't really exist. most of the time something goes wrong with the IAT, check it", than to state that I'm just plain stupid (that's the way I understand your reply!). I simply wanted to know if there is something called "damaged stolen bytes" known to someone. The only reason why I used "Stripper" was that I wanted to know if a tool can do what I can't do manually. Then I saw this damaged thing. Huh!

I thought that a board is a place to ask questions (as long as they make sense to someone) and I´m sorry for not being perfect.

@freddy2002
Thank you, mate, for your efforts. I already own a copy of HIEW and I double-checked the stolen bytes (actually I checked them 7 times) but I can't find anything wrong. Now I'm going to check it one more time and if I fail again I will go the hard way through fixing it with ASM.

Regards *RemedY*
#7  05-22-2004, 07:17  JMI
*RemedY*

Your problem with perceiving the reply as rude is based upon a common problem, evidenced by your post. YOU know what you have done/tried and what you want to find out, but you do not carefully consider, and therefore do not actually write enough information to explain what you had done which gets you to your current condition.

I ask you simply:

1) How would someone know that you actually had tried to solve your own problem by use of a debugger? What phrase in your first post did you intend to convey that information??? That is the specific reason my response states: "...you apparently have failed to actually investigate why the program may now be crashing and where. That is what a debugger is designed to help you do. Why not try it and see if you can determine what the problem might be." The word "apparently" refers to the fact that your post did not suggest any effort in that regard.

2) How was anyone to know that you had read more than the first "rude" response in the thread on the RCE Forum, when you made no reference as to having acquired the knowledge that ""hey mate, damaged stolen bytes doesn't really exist" when that very information is contained in that thread???

NO ONE asked you to be perfect or commented on your lack of perfection. Because you are impatient, you, and many others, fail to understand that "giving someone the answer" is not necessarily as important, or useful, as trying to "teach them how to think about their problem and try to solve it themselves."

There were two fundamental issues evidenced by your post. The first was you appeared not really to understand what the "stolen bytes" were and even with your last post, you do not indicate that you actually attempted to trace the operation of those "stolen bytes" you say you added, to see if the problem was coming from them. Had YOU done so, you would have known that the problem was, most probably, something else. At that point the whole issue of "damaged stolen bytes" would have been irrelevant, and YOU would have already known it.

This was the reason for the statement: "If you actually know about manual unpacking, you should know that an incorrect IAT reconstruction is generally the cause of the program failing to run if you have properly stripped the aspr shell and correctly re-adjusted the stolen bytes." Again I was reduced to guessing about your knowledge base and I gave you the best guess I could to solve your problem, based upon the very limited information you provided.

Let me simply repeat a part of a thread I posted on the RCE Forum which may make the purpose of the comments more clear to you:

"In short, think more carefully about what your setup is and about what you actually did and remember that WE WEREN'T WATCHING YOU DO IT and don't know your machine. Say what YOU DID like you wanted someone who WASN'T there to know EXACTLY how you set things up and enough of the complete steps you followed to actually understand WHERE it started to go wrong."

How, or whether, you decide to take or use free advice is up to you. It is an issue of your perception if you choose to interpret the advice as belittling, since that was never its intent.

Regards,
JMI
#8  05-22-2004, 07:56  *RemedY*
@JMI

I would like to apologize for my reply to what you've said. You are right - how should anybody know what I've done so far to solve the problem on my own. I will try to describe things a bit more clearly next time. I didn't want to sound rude, so please accept my "sorry" if I did. I will improve my way of posting.

Regards *RemedY*
#9  05-22-2004, 11:36  JMI
*RemedY*:

More than good enough. It is often hard, when one is stuck and really, really wants to solve the problem NOW, to take the time to stop and ask the question: "What would someone reading what I just wrote understand about what I'm asking and how to try to help me?" That you, or anyone reading this thread, might ask that question of themselves and prepare more informative questions and get more help would be good for us all.

Hang in there. There is always more to learn, and just when you think you are beginning to get the hang of something, they'll probably change it.

Regards,
JMI
#10  05-22-2004, 16:58  MaRKuS-DJM
Quote (Originally Posted by *RemedY*):
I found the fake-OEP, insert the stolen bytes (12), dumped the victim and finally rebuilt the IAT.
So I looked at the log from Stripper and there it says "stolen bytes were damaged by alexey".
what do you mean? "stolen bytes were damaged by alexey" means nothing different than that they are stolen from the OEP and inserted somewhere else, but with lots of junk code. I think for you it also says "look at last section". there you can find them, but I think you already found them, because you say you inserted the stolen bytes (12). nothing special

they aren't damaged, they are junked