Exetools  

  #1  
Old 11-21-2004, 18:17
el-kiwi
 
problem with asprotect 1.2x-1.3x

hi to all,

well, I load the app in PEiD and it says asprotect 1.2x-1.3x [registered],
go to the last exception, bp on memory access and I land here:

00406A2C -FF25 C0D24F00 JMP DWORD PTR DS:[4FD2C0] ; kernel32.GetModuleHandleA
00406A32 8BC0 MOV EAX,EAX
00406A34 -FF25 BCD24F00 JMP DWORD PTR DS:[4FD2BC] ; kernel32.LocalAlloc
00406A3A 8BC0 MOV EAX,EAX
00406A3C -FF25 B8D24F00 JMP DWORD PTR DS:[4FD2B8] ; kernel32.TlsGetValue
00406A42 8BC0 MOV EAX,EAX
00406A44 -FF25 B4D24F00 JMP DWORD PTR DS:[4FD2B4] ; kernel32.TlsSetValue

now the interesting thing is that ImpREC resolves all functions except GetProcAddress, so I dump the app here at 00406A2C, fix the dump and the program won't run, it always goes to kernel32.ExitThread.
Now, this is not the real OEP, so I think the app maybe uses stolen bytes or stolen code techniques. Anyone experienced this problem? Any suggestions?
  #2  
Old 11-21-2004, 22:50
0KRam
 
What's the target?
  #3  
Old 11-22-2004, 01:05
el-kiwi
 
system cleaner 4.95 build 200
  #4  
Old 11-22-2004, 05:32
Michel
it's ASProtect v2.0x
  #5  
Old 11-27-2004, 13:29
pluscontrol
 
you are lucky, in Windows 98 I get this:

004079E8 - FF25 40B35900 JMP DWORD PTR DS:[59B340]
004079EE 8BC0 MOV EAX,EAX
004079F0 - FF25 3CB35900 JMP DWORD PTR DS:[59B33C]
004079F6 8BC0 MOV EAX,EAX
004079F8 E8 03866301 CALL 01A40000
004079FD 90 NOP
004079FE 8BC0 MOV EAX,EAX
00407A00 E8 FB856301 CALL 01A40000

the last two go to the ASProtect section.


Looking for stolen bytes... I found two places that could be the beginning of the stolen bytes:


01A2025A 55 PUSH EBP
01A2025B E9 6D0C0000 JMP 01A20ECD
01A20260 50 PUSH EAX
01A20261 8B46 04 MOV EAX,DWORD PTR DS:[ESI+4]
01A20264 E9 23030000 JMP 01A2058C
01A20269 8D45 04 LEA EAX,DWORD PTR SS:[EBP+4]
01A2026C E9 2B030000 JMP 01A2059C
01A20271 68 1F19A201 PUSH 1A2191F
01A20276 E8 85FD1200 CALL 01B50000

or

01A2165D 53 PUSH EBX
01A2165E 2BDD SUB EBX,EBP
01A21660 EB 02 JMP SHORT 01A21664
01A21662 CD20 8D5C26E4 VxDCall E4265C8D
01A21668 26:EB 02 JMP SHORT 01A2166D
01A2166B CD20 8D5C207D VxDCall 7D205C8D
01A21671 26:EB 02 JMP SHORT 01A21676


need to investigate more.

I'm tired now, so the easy way is to dump the ASProtect section and create a new section in the program for it, then fix the virtual address to be the same one ASProtect used.

good night.
  #6  
Old 11-29-2004, 21:56
el-kiwi
 
Shift+F9 till here:

00C40061 C700 AF8DA71B MOV DWORD PTR DS:[EAX],1BA78DAF
00C40067 41 INC ECX
00C40068 67:64:8F06 0000 POP DWORD PTR FS:[0]
00C4006E EB 02 JMP SHORT 00C40072
00C40070 CD 20 INT 20
00C40072 83C4 04 ADD ESP,4
00C40075 034424 38 ADD EAX,DWORD PTR SS:[ESP+38]
00C40079 B8 26C84900 MOV EAX,49C826
00C4007E 58 POP EAX
00C4007F 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
00C40082 E8 3917FFFF CALL 00C317C0
00C40087 8B55 D0 MOV EDX,DWORD PTR SS:[EBP-30]
00C4008A A1 E477C400 MOV EAX,DWORD PTR DS:[C477E4]
00C4008F E8 C435FEFF CALL 00C23658
00C40094 51 PUSH ECX
00C40095 E8 2C000000 CALL 00C400C6
00C4009A 52 PUSH EDX
00C4009B F3: PREFIX REP: ; Superfluous prefix
00C4009C EB 02 JMP SHORT 00C400A0
00C4009E CD 20 INT 20
00C400A0 81D2 AD65B152 ADC EDX,52B165AD
00C400A6 64:EB 02 JMP SHORT 00C400AB ; Superfluous prefix

now I put a memory breakpoint on access and Shift+F9 two times brings me here:

00C37F47 C603 E9 MOV BYTE PTR DS:[EBX],0E9
00C37F4A 8D53 01 LEA EDX,DWORD PTR DS:[EBX+1]
00C37F4D 8902 MOV DWORD PTR DS:[EDX],EAX
00C37F4F 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00C37F52 8910 MOV DWORD PTR DS:[EAX],EDX
00C37F54 B8 05000000 MOV EAX,5
00C37F59 5B POP EBX
00C37F5A 5D POP EBP
00C37F5B C2 0400 RETN 4

now in the registers:

EAX 00A9D6D9
ECX 00EA05A2
EDX 00A9D6D9
EBX 00402EC4 SystemCl.00402EC4
ESP 0012FEA0
EBP 0012FEA4
ESI 15507F7E
EDI FFFFB4B0
EIP 00C37F47

I trace with F8 to see what happens, and it looks like here is the place where the program encrypts the OEP, and because the EBX value is changed, one of these addresses is the OEP... maybe I'm wrong... need to trace a little bit more
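The stub at 00C37F47 above writes an E9 opcode at [EBX] and EAX as the rel32 at [EBX+1], i.e. it patches a 5-byte JMP into the program's code. As an added example (not code from any poster), this Python script resolves where such a patched jump lands using the EAX/EBX values from the register dump, and scans a constructed buffer for E9 jumps whose target leaves the image's code range (the code range and the filler bytes are assumptions, not taken from the target).

```python
import struct

# Register values as shown in the post's register dump (used as test data).
EAX = 0x00A9D6D9  # rel32 written at [EBX+1]
EBX = 0x00402EC4  # address in the program's code where the JMP is written
ECX = 0x00EA05A2  # target address seen in ECX in the dump

def write_jmp(mem: bytearray, base: int, at: int, rel32: int) -> None:
    """Emulate the stub: MOV BYTE PTR [EBX],0E9 ; MOV DWORD PTR [EBX+1],EAX.
    `mem` is a buffer whose first byte sits at virtual address `base`."""
    off = at - base
    mem[off] = 0xE9
    mem[off + 1:off + 5] = struct.pack("<I", rel32 & 0xFFFFFFFF)

def jmp_target(at: int, rel32: int) -> int:
    """E9 rel32 is relative to the address of the next instruction (at + 5)."""
    return (at + 5 + rel32) & 0xFFFFFFFF

def find_redirected_jumps(mem: bytes, base: int, code_lo: int, code_hi: int) -> list:
    """Return (jmp_addr, target) for every E9 whose target lies outside
    [code_lo, code_hi). A plain byte scan also hits E9 bytes that belong to
    other instructions, so treat results as candidates to confirm in the debugger."""
    hits = []
    for i in range(len(mem) - 4):
        if mem[i] == 0xE9:
            rel = struct.unpack_from("<i", mem, i + 1)[0]
            tgt = jmp_target(base + i, rel)
            if not code_lo <= tgt < code_hi:
                hits.append((base + i, tgt))
    return hits

def demo() -> list:
    """Apply the patch to a constructed 16-byte slice of .text and scan it."""
    base = 0x00402EC0
    mem = bytearray(b"\x90" * 16)  # constructed NOP filler, not the real bytes
    write_jmp(mem, base, EBX, EAX)
    # Assumed code range of the image: 00401000-00500000 (an assumption).
    return find_redirected_jumps(bytes(mem), base, 0x00401000, 0x00500000)

if __name__ == "__main__":
    print(f"patched JMP lands at {jmp_target(EBX, EAX):08X}")
    for at, tgt in demo():
        print(f"JMP at {at:08X} -> {tgt:08X} (outside the code range)")
```

With the posted register values the patched jump resolves to 00EA05A2, which is exactly the value sitting in ECX, so the stub redirects the original code at 00402EC4 into the protector's area.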
  #7  
Old 12-03-2004, 05:28
pluscontrol
 
I resolved a crackme some days ago which had stolen bytes, and it stopped once in the place that you point to, to write a jmp xxxx in the code; the program never reached that address in the program code but it stopped in xxxx.

Studying the code I understood it was the stolen bytes place; the code is not clean but very hidden and you need a while to figure out what is going on.

With this target I tried to do the same but it stops many times in that place to write in the code; what I did was to put a breakpoint at every place the jmp pointed and after the last exception see which one stopped.

It stopped twice, which I say could be where the stolen bytes start; the problem is if I use run trace until OEP I get about 4000 lines of code and it is very hard to follow something there.

you don't say how many times it stops in that place when writing; as I said I use Windows 98 and the program stops many times there, maybe in another OS it is different.