EXETOOLS FORUM  
#16
05-31-2004, 15:16
Crk
britedream, either you got a previous version or a newer one, or the OEP from the attached tree is wrong,

and maybe this IAT won't work with my dumped exe!

I got Whereisit? v3.60.521 and the right OEP is 002FB5EC (006FB5EC).

For any Whereisit version, or just the latest one, look with W32Dasm for the unique text string AMAINICON, then go a little up to where that piece of code starts
(558BEC83C4F0 .....); that's the OEP.

Would you confirm exactly which version you got?

Regards
#17
05-31-2004, 15:55
britedream
You are right, my version is 3.59, but by fixing the table it will not work; there are anti-dumps you have to overcome. I am also looking to make it work on other PCs, so give it some time.

Note:
I have to give you my unpacked one to work with, because if you dump from your
original, the doors to the IAT have already been changed to the ASProtect area.

#18
05-31-2004, 17:12
drbyte
Hi,
More and more unArmadilloed, unASProtected stuff refuses to run on non-XP machines. RestoreLastError cannot be found in a non-XP kernel.

I have fixed this by replacing RestoreLastError with FlushFileBuffers.

Am I wrong?
#19
05-31-2004, 18:27
britedream
To [email protected] and hobgoblin:

I sent you the unpacked target that should work on all XP PCs; please give feedback.

Sorry svensk, I don't have your email.

#20
05-31-2004, 18:40
Satyric0n
Quote:
Originally Posted by drbyte
I have fixed this by replacing RestoreLastError with FlushFileBuffers.

Am I wrong?
In all instances, you should replace calls to RestoreLastError with SetLastError.
#21
05-31-2004, 19:07
hobgoblin
To britedream

Runs fine on my computer. Thanks for the files. I'm about to start digging now.

regards,
hobgoblin
#22
05-31-2004, 20:02
britedream
To hobgoblin

Thanks hobgoblin for the feedback; now the exetools forum may be the first to unpack this lovable protector.

Regards.
#23
06-01-2004, 14:24
ferrari
TARGET: http://www.jufsoft.com/badcopy

Protection: Latest ASProtect

Used britedream's Olly script for "ASPR 1.3b" and got to the OEP.

Without using OllyScript I did this to get to the OEP.

Hit Shift+F9 26 times and here:
0115E56E 0156 00 ADD DWORD PTR DS:[ESI],EDX

Put BP here:
0115E588 833D 6C3B1601 00 CMP DWORD PTR DS:[1163B6C],0

Then hit Shift+F9 and Olly breaks. Then Alt+M and put a BP on memory access on code. Then set the debugging options, hit F9 once and you are at the OEP (remove analysis) with no stolen bytes.

00501184 55 PUSH EBP
00501185 8BEC MOV EBP,ESP
00501187 83C4 F0 ADD ESP,-10
0050118A B8 240E5000 MOV EAX,BadCopy.00500E24
0050118F E8 105EF0FF CALL BadCopy.00406FA4


Dumped the target; there were no unresolved pointers, so I fixed the IAT and then dumped the file.

But the target won't run.

Error: Access violation while reading [1181B34]

00407294 $- FF25 C841C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetModuleFileNameA
0040729A 8BC0 MOV EAX,EAX
0040729C $- FF25 CC41C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetModuleHandleA
004072A2 8BC0 MOV EAX,EAX
004072A4 $ FF25 341B1801 JMP DWORD PTR DS:[1181B34]
004072AA 8BC0 MOV EAX,EAX
004072AC $- FF25 D041C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetProfileStringA
004072B2 8BC0 MOV EAX,EAX
004072B4 $- FF25 D441C100 JMP DWORD PTR DS:[<&kernel32.>; kernel32.GetStdHandle

How to fix this? Please help.

Regards,
#24
06-01-2004, 17:55
hobgoblin
IAT..

And how did you find the address for the IAT?

regards,
hobgoblin
#25
06-01-2004, 19:20
ferrari
Quote:
Originally Posted by hobgoblin
And how did you find the address for the IAT?

regards,
hobgoblin
Err, spank me, I did not save the tree. I started ImpREC, attached to the process and just hit IAT AutoSearch (did not enter the OEP) and got the message "found something"; Get Imports, size was something around 7xx and there were no unresolved pointers, all import functions were valid. But now again when I do the same, ImpREC displays "could not find anything".
I have the "dump_.exe". Shall I upload it?

Regards,

#26
06-01-2004, 21:39
hobgoblin
Thanks

Thanks for the reply. How to find the place in the ASPR code where the IAT table is created/written to memory somehow eludes me. Usually I use a bp on GetProcAddress to find it, but this time I don't. I do find a place where this API is called to find the addresses for an IAT, but I'm not sure whether this is the correct one.
Well, well. I have to dig deeper I guess.

regards,
hobgoblin
#27
06-01-2004, 22:55
crusader
Let me give you some help hobgoblin... the ASPR IAT redirection code is all here... of course the memory addresses will be different, but I am sure you can figure out how to get there based on the relative offsets.

Code:
0041555B next:                         ; CODE XREF: RedirectIATptr+C8j
0041555B                               ; RedirectIATptr+14Aj
0041555B                               ; RedirectIATptr+254j
0041555B                               ; RedirectIATptr+25Fj
0041555B                               ; RedirectIATptr+319j
0041555B                               ; RedirectIATptr+38Bj
0041555B                               ; RedirectIATptr+3FEj
0041555B                               ; RedirectIATptr+41Ej
0041555B                               ; RedirectIATptr+453j
0041555B                               ; RedirectIATptr+49Aj
0041555B                               ; RedirectIATptr+4ACj
0041555B   mov   eax, [ebx+8]
0041555E   mov   esi, [eax]
00415560   add   dword ptr [ebx+8], 4
00415564   mov   eax, [ebx+8]
00415567   mov   al, [eax]
00415569   mov   [esp+struct.RedirectionType], al
0041556D   inc   dword ptr [ebx+8]
00415570   test  esi, esi
00415572   jnz   short loc_415592      ; get RVA of IAT_ptr
00415574   jmp   short loc_415577

00415577 loc_415577:                   ; CODE XREF: RedirectIATptr+E4j
00415577   mov   eax, edi
00415579   call  @System@@FreeMem$qqrv  ; System::__linkproc__ FreeMem(void)
0041557E   mov   byte ptr [ebx+38h], 0
00415582   mov   al, 1
00415584   jmp   end
00415592 
00415592 loc_415592:                   ; CODE XREF: RedirectIATptr+E2j
00415592   xor   esi, [esp+struct.XOR_key] ; get RVA of IAT_ptr
00415596   add   esi, [ebx+40h]        ; add Image Base
00415599   mov   eax, [ebx+8]
0041559C   mov   al, [eax]
0041559E   inc   dword ptr [ebx+8]     ; get Dll Number
004155A1   xor   edx, edx
004155A3   mov   dl, al
004155A5   mov   eax, edi              ; edi => dll base table
004155A7   call  GetDwordInTable       ; Get Imported DLL base
004155AC   mov   [esp+struct.DLL_base], eax
004155B0   mov   eax, [ebx+8]
004155B3   mov   al, [eax]
004155B5   inc   dword ptr [ebx+8]
004155B8   test  al, al
004155BA   jnz   short loc_4155DF
004155BC 
004155BC type_0:
004155BC   push  offset sub_414FF0
004155C1   push  offset ????pGetProcAddress ; GetProcAddress
004155C6   push  offset MemAlloc       ; Decrypt
004155CB   push  esi                   ; IAT_ptr
004155CC   lea   eax, [ebx+8]
004155CF   push  eax                   ; API_ptr
004155D0   mov   eax, [esp+(struct.DLL_base+14h)]
004155D4   push  eax                   ; Dll_handle
004155D5   call  sub_415018
004155DA   jmp   next
004155DF 
004155DF loc_4155DF:                   ; CODE XREF: RedirectIATptr+12Aj
004155DF   cmp   al, 2
004155E1   jnz   loc_4156F4
004155E7 
004155E7 type_2:                       ; RIP API code into Aspr shell
004155E7   xor   eax, eax
004155E9   mov   [esp+struct.field_20], eax
004155ED   mov   eax, [ebx+8]
004155F0   mov   al, [eax]
004155F2   inc   dword ptr [ebx+8]
004155F5   jmp   short loc_4155F8
004155F8 
004155F8 loc_4155F8:                   ; CODE XREF: RedirectIATptr+165j
004155F8   sub   al, 1
004155FA   jnb   short type_2_1
004155FC 
004155FC type_2_0:
004155FC   mov   eax, [ebx+8]
004155FF   movzx eax, byte ptr [eax]
00415602   inc   dword ptr [ebx+8]
00415605   mov   edx, [ebx+8]
00415608   mov   edx, [edx]
0041560A   add   dword ptr [ebx+8], 4
0041560E   lea   ecx, [esp+struct.field_24]
00415612   push  ecx
00415613   mov   cl, [esp+(struct.RedirectionType+4)]
00415617   push  ecx
00415618   mov   ecx, edx
0041561A   mov   edx, ebx
0041561C   xchg  eax, edx
0041561D   call  sub_414E20
00415622   mov   [esp+struct.field_20], eax
00415626   jmp   short type_2_1
00415626
00415629 type_2_1:                     ; CODE XREF: RedirectIATptr+16Aj
00415629                               ; RedirectIATptr+196j
00415629   mov   eax, [ebx+8]
0041562C   mov   ebp, [eax]
0041562E   add   dword ptr [ebx+8], 4
00415632   mov   eax, [esp+struct.field_10]
00415636   call  @System@@GetMem$qqrv   ; System::__linkproc__ GetMem(void)
0041563B   mov   [esp+struct.RippedAPIcodePtr], eax
0041563F   mov   edx, ebp
00415641   mov   eax, [esp+struct.DLL_base]
00415645   call  GetProcAddress_       ; eax == DLL_base
00415645                               ; edx == API_hash
0041564A   mov   ebp, eax
0041564C   test  ebp, ebp
0041564E   jnz   short loc_41565A
00415650   push  offset _str_10__.Text
00415655   call  ErrMsg???
0041565A 
0041565A loc_41565A:                   ; CODE XREF: RedirectIATptr+1BEj
0041565A   cmp   [esp+struct.field_20], 0
0041565F   jz    short loc_4156A5
00415661   mov   eax, [esp+struct.RippedAPIcodePtr]
00415665   mov   edx, [esp+struct.field_20]
00415669   mov   [eax], edx
0041566B   mov   eax, [esp+struct.field_20]
0041566F   add   eax, [esp+struct.field_24]
00415673   mov   byte ptr [eax], 68h   ; set up a Push
00415676   push  0
00415678   push  offset pCheckBPX
0041567D   lea   ecx, [esp+(struct.field_18+8)]
00415681   mov   edx, ebp
00415683   mov   eax, ebx
00415685   call  RipCodeFromAPI        ; edx== original address of API
0041568A   mov   edx, [esp+struct.field_20]
0041568E   add   edx, [esp+struct.field_24]
00415692   inc   edx
00415693   mov   [edx], eax
00415695   mov   eax, [esp+struct.field_20]
00415699   add   eax, [esp+struct.field_24]
0041569D   add   eax, 5
004156A0   mov   byte ptr [eax], 0C3h
004156A3   jmp   short loc_4156CE
004156A5 
004156A5 loc_4156A5:                   ; CODE XREF: RedirectIATptr+1CFj
004156A5   push  0
004156A7   push  offset pCheckBPX
004156AC   lea   ecx, [esp+(struct.field_18+8)]
004156B0   mov   edx, ebp
004156B2   mov   eax, ebx
004156B4   call  RipCodeFromAPI        ; edx== original address of API
004156B9   mov   edx, [esp+struct.RippedAPIcodePtr]
004156BD   mov   [edx], eax
004156BF   lea   ecx, [esp+struct.RippedAPIcodePtr]
004156C3   mov   dl, [esp+struct.RedirectionType]
004156C7   mov   eax, ebx
004156C9   call  ???GenerateRandomRetCode
004156CE 
004156CE loc_4156CE:                   ; CODE XREF: RedirectIATptr+213j
004156CE   mov   eax, esi
004156D0   sub   eax, 2
004156D3   cmp   word ptr [eax], 0
004156D7   jnz   short loc_4156E9
004156D9   mov   edx, [esp+struct.RippedAPIcodePtr]
004156DD   mov   edx, [edx]
004156DF   call  Patch_IAT_Call_ptr
004156E4   jmp   next
004156E9
004156E9 loc_4156E9:                   ; CODE XREF: RedirectIATptr+247j
004156E9   mov   eax, [esp+struct.RippedAPIcodePtr]
004156ED   mov   [esi], eax
004156EF   jmp   next
004156F4 
004156F4 loc_4156F4:                   ; CODE XREF: RedirectIATptr+151j
004156F4   cmp   al, 1
004156F6   jnz   loc_4157AE
004156FC   jmp   short type_1
004156FF 
004156FF type_1:                       ; CODE XREF: RedirectIATptr+26Cj
004156FF   mov   eax, [ebx+8]
00415702   mov   eax, [eax]
00415704   mov   [esp+struct.field_0], eax
00415707   add   dword ptr [ebx+8], 4
0041570B   cmp   dword ptr [ebx+44h], 0
0041570F   jz    short loc_41571A
00415711   mov   eax, [esp+struct.field_0]
00415714   call  dword ptr [ebx+44h]
00415717   mov   [esp+struct.field_0], eax
0041571A 
0041571A loc_41571A:                   ; CODE XREF: RedirectIATptr+27Fj
0041571A   mov   eax, [ebx+8]
0041571D   mov   ax, [eax]
00415720   mov   word ptr [esp+struct.API_name_length], ax
00415725   add   dword ptr [ebx+8], 2
00415729   cmp   [esp+struct.field_1C], 0
0041572E   jz    short loc_41573B
00415730   mov   eax, [esp+struct.XOR_key]
00415734   mov   [esp+struct.field_1C], 0
00415739   jmp   short loc_415741
0041573B 
0041573B loc_41573B:                   ; CODE XREF: RedirectIATptr+29Ej
0041573B   mov   eax, [esp+struct.field_18]
0041573F   mov   eax, [eax]
00415741 
00415741 loc_415741:                   ; CODE XREF: RedirectIATptr+2A9j
00415741   mov   ecx, eax
00415743   mov   dx, word ptr [esp+struct.API_name_length]
00415748   mov   eax, [ebx+8]
0041574B   call  DecryptBuffer         ; eax == Buffer Address
0041574B                               ; dx  == Buffer Size
0041574B                               ; ecx == Key
00415750   mov   eax, [esp+struct.field_10]
00415754   call  @System@@GetMem$qqrv   ; System::__linkproc__ GetMem(void)
00415759   mov   [esp+struct.RippedAPIcodePtr], eax
0041575D   mov   eax, [ebx+8]
00415760   push  eax
00415761   mov   eax, [esp+(struct.DLL_base+4)]
00415765   push  eax
00415766   mov   eax, ds:oGetProcAddress???
0041576B   mov   eax, [eax]
0041576D   call  eax
0041576F   mov   ebp, eax
00415771   test  ebp, ebp
00415773   jnz   short loc_41577F
00415775   push  offset _str_11__.Text
0041577A   call  ErrMsg???
0041577F 
0041577F loc_41577F:                   ; CODE XREF: RedirectIATptr+2E3j
0041577F   mov   eax, [esp+struct.field_0]
00415782   push  eax
00415783   push  offset pCheckBPX
00415788   lea   ecx, [esp+(struct.field_18+8)]
0041578C   mov   edx, ebp
0041578E   mov   eax, ebx
00415790   call  RipCodeFromAPI        ; edx== original address of API
00415795   mov   edx, [esp+struct.RippedAPIcodePtr]
00415799   mov   [edx], eax
0041579B   mov   eax, [esp+struct.RippedAPIcodePtr]
0041579F   mov   [esi], eax
004157A1   movzx eax, word ptr [esp+struct.API_name_length]
004157A6   add   [ebx+8], eax
004157A9   jmp   next
004157AE 
004157AE loc_4157AE:                   ; CODE XREF: RedirectIATptr+266j
004157AE   cmp   al, 4
004157B0   jnz   loc_415893
004157B6   jmp   short type_4
#28
06-01-2004, 23:52
ferrari
@hobgoblin:

Oh, there was a misunderstanding. Now I understand; your question was addressed to britedream and I thought you were asking me.

Anyway britedream, will you please help me on this target I posted?

Regards,
#29
06-01-2004, 23:55
hobgoblin
no

It was for you.
I was looking at Badcopy...

hobgoblin

To crusader: I guess the code you listed is for BadCopy? Or maybe it's general code?

#30
06-02-2004, 02:00
Darren
Nice bit of IDA work, crusader.

Quote:
Originally Posted by hobgoblin
Thanks for the reply. How to find the place in the ASPR code where the IAT table is created/written to memory somehow eludes me. Usually I use a bp on GetProcAddress to find it, but this time I don't. I do find a place where this API is called to find the addresses for an IAT, but I'm not sure whether this is the correct one.
Well, well. I have to dig deeper I guess.

regards,
hobgoblin
Well, let the app load into memory and find one of the call [xxxxxxxx] instructions that points to the ASPR memory. Take a note of the address of the call opcode and add 2 to it so you have the address of the offset. Load your target into OllyDbg and set the data window to the address you found, set Olly to stop on exceptions and let the target run, keeping an eye on the data window as you pass
each exception. You will see the data change once as ASPR decodes/unpacks,
and then the data will change once more as the code crusader pasted does its stuff. You can count the number of exceptions from the 1st change to the second change, stop on the last one before the data changes again, look below and you should be very close to the code crusader pasted.

Also, it's possible to set a bpm from within SoftICE on the data address
to stop when it's written to (not 100%).

- Darren