Exetools


Pompeyfan 02-25-2004 19:31

Manually unpacking Asprotect
 
I'd like to learn this, some of the threads I've seen on this are a bit too complex for me at my stage of learning, what are a couple of reasonably easy targets to work on for starters, even better if someone can give me some links to some tuts on some good ones for beginners, ones where you can still download the target applications that is.

Satyric0n 02-25-2004 20:15

See http://www.exetools.com/forum/showthread.php?s=&threadid=2847 for a previous discussion like this.

Regards

ferrari 02-25-2004 20:47

Pompeyfan same with me. all the discussions on Aspr are too complex for a newbie :( That's why m just fooling around here giving free advice to newcomers in JMI style without any pennies :p ;) Thank u for starting this topic...Since i successfully tried out some easy tuts on unpacking UPX and Aspack let's try out this ASpr....but need help here :( If no one wants to help then it's okay i'l check that link provided by satyricOn :) but some1 plz help i want to finish off this tut...plz :D

yeah i was trying the tut by Labba last month but i was so confused at the point of getting the OEP.

Program: Wtm-CD-Protect 1.54

see i could follow the tut like this. Yes i changed that '01' isdebuggerpresent to '00'. After Shift + F9 i land here


00B639EC 3100 XOR DWORD PTR DS:[EAX],EAX
00B639EE 64:8F05 00000000 POP DWORD PTR FS:[0]
00B639F5 58 POP EAX
00B639F6 833D B07EB600 00 CMP DWORD PTR DS:[B67EB0],0
00B639FD 74 14 JE SHORT 00B63A13
00B639FF 6A 0C PUSH 0C
00B63A01 B9 B07EB600 MOV ECX,0B67EB0
00B63A06 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
00B63A09 BA 04000000 MOV EDX,4
00B63A0E E8 2DD1FFFF CALL 00B60B40
00B63A13 FF75 FC PUSH DWORD PTR SS:[EBP-4]
00B63A16 FF75 F8 PUSH DWORD PTR SS:[EBP-8]
00B63A19 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00B63A1C 8338 00 CMP DWORD PTR DS:[EAX],0
00B63A1F 74 02 JE SHORT 00B63A23
00B63A21 FF30 PUSH DWORD PTR DS:[EAX]
00B63A23 FF75 F0 PUSH DWORD PTR SS:[EBP-10]
00B63A26 FF75 EC PUSH DWORD PTR SS:[EBP-14]
00B63A29 C3 RETN

I put the BP at 00B63A29 and then Shift+F9.
Then command line with pressing Alt+F1 to : TC EIP<900000
I go here.

00405214 $-FF25 DC914300 JMP DWORD PTR DS:[4391DC]
0040521A 8BC0 MOV EAX,EAX
0040521C $-FF25 D8914300 JMP DWORD PTR DS:[4391D8]
00405222 8BC0 MOV EAX,EAX
00405224 $-FF25 D4914300 JMP DWORD PTR DS:[4391D4]
0040522A 8BC0 MOV EAX,EAX
0040522C $-FF25 D0914300 JMP DWORD PTR DS:[4391D0]

Then after F8 1 time i go here.

00B61C64 55 PUSH EBP
00B61C65 8BEC MOV EBP,ESP
00B61C67 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00B61C6A 85C0 TEST EAX,EAX
00B61C6C 75 13 JNZ SHORT 00B61C81
00B61C6E 813D A47AB600 00>CMP DWORD PTR DS:[B67AA4],400000 ; ASCII "MZP"
00B61C78 75 07 JNZ SHORT 00B61C81
00B61C7A A1 A47AB600 MOV EAX,DWORD PTR DS:[B67AA4]
00B61C7F EB 06 JMP SHORT 00B61C87
00B61C81 50 PUSH EAX
00B61C82 E8 3135FFFF CALL 00B551B8 ; JMP to kernel32.GetModuleHandleA
00B61C87 5D POP EBP
00B61C88 C2 0400 RETN 4

Then again after the RET i go here

0040531C . BA 9C804300 MOV EDX,ACopy.0043809C
00405321 . 52 PUSH EDX
00405322 . 8905 B8944300 MOV DWORD PTR DS:[4394B8],EAX
00405328 . 8942 04 MOV DWORD PTR DS:[EDX+4],EAX
0040532B . E8 98FFFFFF CALL ACopy.004052C8
00405330 . 5A POP EDX
00405331 . 58 POP EAX
00405332 . E8 15E1FFFF CALL ACopy.0040344C
00405337 . C3 RETN


I don't understand what i am supposed to do after dumping the process with Lord PE.
I dump the process and save it. Then i press F8 and after the RET i get here.

00437589 8B DB 8B
0043758A 1D DB 1D
0043758B 90 NOP
0043758C 8A DB 8A
0043758D 43 DB 43 ; CHAR 'C'
0043758E 00 DB 00
0043758F 8B DB 8B
00437590 03 DB 03
00437591 E8 DB E8
00437592 1E DB 1E
00437593 1F DB 1F
00437594 FF DB FF
00437595 FF DB FF
00437596 8B DB 8B
00437597 0D DB 0D



In LaBBa's tutorial i am supposed to land here. And the OEP is 00436EAD :confused: :confused:

00436EAD 8B1D 907A4300 MOV EBX,DWORD PTR DS:[437A90] ; ACopy.004386E8
00436EB3 8B03 MOV EAX,DWORD PTR DS:[EBX]
00436EB5 E8 FA25FFFF CALL ACopy.004294B4
00436EBA 8B0D 0C7B4300 MOV ECX,DWORD PTR DS:[437B0C] ; ACopy.00438774
00436EC0 8B03 MOV EAX,DWORD PTR DS:[EBX]
00436EC2 8B15 10374300 MOV EDX,DWORD PTR DS:[433710] ; ACopy.00433750
00436EC8 E8 FF25FFFF CALL ACopy.004294CC
00436ECD 8B0D 707A4300 MOV ECX,DWORD PTR DS:[437A70] ; ACopy.00438750
00436ED3 8B03 MOV EAX,DWORD PTR DS:[EBX]
00436ED5 8B15 C0274300 MOV EDX,DWORD PTR DS:[4327C0] ; ACopy.00432800
00436EDB E8 EC25FFFF CALL ACopy.004294CC
00436EE0 8B0D 047A4300 MOV ECX,DWORD PTR DS:[437A04] ; ACopy.00438764
00436EE6 8B03 MOV EAX,DWORD PTR DS:[EBX]

What m i doing wrong i really don't understand...sorry if this problem is dumb...regrets :( ....newbies sometimes ask dumb ??? Experts should not bully them :p

thanking in Advance

R@dier 02-25-2004 20:55

@ferrari
The Target you are dealing with is different to the tute,

the fake oep = 00437589

the stolen bytes are
00437578 > $ 55 PUSH EBP ; real OEP
00437579 . 8BEC MOV EBP,ESP
0043757B . 83C4 F4 ADD ESP,-0C
0043757E . 53 PUSH EBX
0043757F . B8 78744300 MOV EAX,dumped_.00437478

Best Wishes

R@dier

Pompeyfan 02-26-2004 04:25

Ferrari, where can I download the version of this program you are using, so I can follow this one too, and try and unpack it.

ferrari 02-26-2004 11:28

hi pompeyfan u can download the software here --> http://www.webtoolmaster.com/

the latest version is 1.61 and i am trying the version 1.54 as per LaBBa's Final tutorial on ASpr. It's there in Request Section...since i had requested it Just do a search there. :)

JMI 02-26-2004 16:22

Don't forget that Tuts are simply reports on one individual's experience with one particular version of one particular piece of software. That individual may, or may not know "what it's all about" but may simply have stumbled on the solution in a particular case.

Just as in "real life," one can not take such advice as providing the true path to enlightenment. While it may serve as an additional stepping stone, it is but one piece of a larger puzzle, which must be considered within its own framework.

Try to consider the Tuts you read as a frozen moment in time. You usually have an ongoing contest between protector and cracker and whenever one stands still, the other has the opportunity to move ahead.

The issue with these systems is in the attempt to figure out the approach used by the protection to screw with your efforts. If you focus too hard on the small details, you might figure out how it works on this very small slice of the universe, but you will probably miss the rather larger picture of trying to figure out just what the hell the code is doing and what that tells you about what the system is attempting to accomplish.

Make notes of what is happening and where the code is taking you. There is no reason to trust that "next time" it will do the same thing, so if you have not begun to understand "what" it is doing, blindly following along isn't really teaching you anything, but "following along." When the road and the sign paths change, you are still lost in the dark codewoods.

Trying to figure out the "what," the "how," and particularly the "why," gives you the knowledge and the tools to attack the "next" generation and the "next" protector.

Regards,

Pompeyfan 02-26-2004 19:38

Well, I've tried using the search function, and I can see no tut on Wtm-CD-Protect 1.54, by anyone

:confused:

ferrari 02-26-2004 21:27

so sorry pompeyfan.....actually i had asked that question when i was new to exetools....and see what i had asked....don't laugh now okay.....and download that asprotect final tut.zip by Labba

http://www.exetools.com/forum/showthread.php?s=&threadid=3215&highlight=Aspack

Pompeyfan 02-27-2004 04:02

:D :D :D , ooops sorry:) , thanks, got it now:)

lonewolf55 02-27-2004 06:15

guys I'm having same issues....

ferrari, I know exactly what you are talking about..... I ended up exactly as you ....

I got here:

Code:

00405214        FF DB FF
00405215        25 DB 25      ; CHAR '%'
00405216        DC DB DC
00405217        91 DB 91
00405218        43 DB 43      ; CHAR 'C'
00405219        00 DB 00
0040521A        8B DB 8B

so I used CTRL "A"

Code:

00405214 $-FF25 DC914300 JMP DWORD PTR DS:[4391DC] - we HERE
0040521A 8BC0 MOV EAX,EAX
0040521C $-FF25 D8914300 JMP DWORD PTR DS:[4391D8]

all good...
F8 one time and here:

Code:

00D91C64  55              PUSH EBP
00D91C65  8BEC            MOV EBP,ESP
00D91C67  8B45 08          MOV EAX,DWORD PTR SS:[EBP+8]
00D91C6A  85C0            TEST EAX,EAX
00D91C6C  75 13            JNZ SHORT 00D91C81

F8 til ret then here:

Code:

0040531C  . BA 9C804300    MOV EDX,ACopy.0043809C
00405321  . 52            PUSH EDX
00405322  . 8905 B8944300  MOV DWORD PTR DS:[4394B8],EAX
00405328  . 8942 04        MOV DWORD PTR DS:[EDX+4],EAX
0040532B  . E8 98FFFFFF    CALL ACopy.004052C8
00405330  . 5A            POP EDX
00405331  . 58            POP EAX
00405332  . E8 15E1FFFF    CALL ACopy.0040344C
00405337  . C3            RETN

OK dump then F8 til after retn....

You got here.......


Code:

00437589 8B DB 8B
0043758A 1D DB 1D
0043758B 90 NOP
0043758C 8A DB 8A
0043758D 43 DB 43 ; CHAR 'C'
0043758E 00 DB 00

I got here :D

Code:

00437555    8B            DB 8B
00437556    1D            DB 1D
00437557    90            NOP
00437558    8A            DB 8A
00437559    43            DB 43                                    ;  CHAR 'C'
0043755A    00            DB 00
0043755B    8B            DB 8B

looks same address is different....the TuT say with XP I'm on 2K ... Hmmmmm

seems my test subject is also version 1.6.1

what I'm really trying to get figured out is Advanced Serial Port Monitor and Advanced Serial Data Logger.....

both targets are at h**p://www.aggsoft.com/download

funny thing both these targets are updated from where I started, took me a good part of the day to Un-Fook my registry so I could re-start testing because the targets both expired the trial :D

well I have that much beat so far LOL ... so off I go again, I'm just glad there are TuTs like this to at least give ideas.

I know all will be a bit different as JMI says :D

JMI 02-27-2004 07:08

lonewolf55:

The only appropriate thing to add to:

Aia a kau ka i`a i ka wa`a, mana`o ke ola.

loosely translated as:

One can think of life after the fish is in the canoe.

or

Before one feels elated and makes plans, he should first secure his "fish."

or

"Don't count your chickens before they hatch."

is:

`A`ohe hua o ka mai`a i ka la ho`okahi. :D

Regards,

dj-siba 02-27-2004 07:27

WiSE MAN
 
what language is the first one ?

Regards

JMI 02-27-2004 08:05

They are both in the language of the native peoples of Hawai'i. :D

You might be surprised what you can find if you enter things into google. :p Like his phrase. :D Or the one I added.

Oh, and lonewolf55, I seem to recall that ASPR changes certain addresses EACH TIME YOU RUN THE PROGRAM, as in "the jump to the OEP is always at a different location in memory"

This might be the issue you are encountering, although the different OS could certainly contribute. What IS important, is that the information is essentially identical, which you noticed. ;)

Regards,

dj-siba 02-27-2004 08:41

offtopic
 
Huli ka malau, ka 'iako a ka lawai'a. :)

ferrari 02-27-2004 11:30

Re: offtopic
 
Quote:

Originally posted by dj-siba
Huli ka malau, ka 'iako a ka lawai'a. :)
Work is done :D :P

http://www.k12.hi.us/~waianaeh/PolyVoyage/oral.html

http://worldlingo.com/products_services/worldlingo_translator.html :D


anywayz i just finished the Imprec part of the tut....hope i fixed it right :rolleyes: .....now comes the most important part of the tut....yes JMI i know Inquiring minds....but let me finished atleast one tut on Aspr with some expert help....i have some questions on the access violation part....i'l be back when i return home from work....hope some1 will help me then...R@Dier hope u r there ;)

R@dier 02-27-2004 12:17

Always happy to help :D




R@dier

lonewolf55 02-27-2004 23:04

Quote:

Originally posted by JMI


The only appropriate thing to add to:

Aia a kau ka i`a i ka wa`a, mana`o ke ola.

loosely translated as:

One can think of life after the fish is in the canoe. <---this was my meaning, I just couldn't help myself, after the Russian translation thing :D



is:

`A`ohe hua o ka mai`a i ka la ho`okahi. :D

Regards,

and I must say you be quite correct bananas don't fruit in a day :D

as also:
Code:

`A`ohe `ulu e loa`a i ka pokole o ka lou
which means:

No breadfruit can be reached
when the picking stick is too short. <--- I think actually right now this is my problem :D

of course there be other translations, but we won't go there :D

and BTW Thanx so much for this Tidbit:

By JMI: I seem to recall that ASPR changes certain address EACH TIME YOU RUN THE PROGRAM, as in "the jump to the OEP is always at a different location in memory"

This I did not know, and it makes AsProtect very interesting :D

EDIT well I see some characters don't display quite as expected, to which I'm not surprised, I tried to change with no success what I posted between code tags .... sort of like asprotect :D


ferrari 02-28-2004 17:27

Okay the version 1.54 is here

http://www.freewebs.com/think_digit/cdprot.rar

( some download managers won't work, just copy paste link in browser)

Pompeyfan tell me when u reach the access violation part of the tut. W'll do it together okay.

R@dier thank u. I'l post my problem soon :) waiting for pompeyfan
he wants to try the same version. ;)

Pompeyfan 02-29-2004 03:50

I might not get a chance to try it out till later today, I'll post soon as I get a chance though.:)

Pompeyfan 02-29-2004 13:23

Okay, I did the Imprec part, then I did the trace, changed the REP STOS BYTE PTR ES:[EDI] to JMP EDI, traced with F8, and get an access violation at:

00A55A11 FF50 28 CALL DWORD PTR DS:[EAX+28]

I nop that call, then trace till the next access violation at:

00A54CAC E8 10994A01 CALL 01EFE5C1

I nop that, and try tracing with f8 from here, but get the message:

Don't know how to step, because memory at address 01EFE5C1 is not readable. Try to change EIP or pass exception to program.

What do I do from here?, I thought I was going so well up until here.:confused: :mad:

ferrari 02-29-2004 17:27

Aah...u right pompeyfan...same here.


first access violation
Code:

00C8635D  FF50 28          CALL DWORD PTR DS:[EAX+28]
00C86360  E8 78C69001      CALL 025929DD
00C86365  0F58EB          ADDPS XMM5,XMM3
00C86368  019A C1D8C5F2    ADD DWORD PTR DS:[EDX+F2C5D8C1],EBX

Changed to

Code:

00C8635D  90              NOP
00C8635E  90              NOP
00C8635F  90              NOP
00C86360  E8 78C69001      CALL 025929DD

When i F8 till--> 00C86360 I get this message. Here is a screenshot attached.

R@dier 02-29-2004 19:53

HI,
Yes I and others had this problem as well,
you need to keep nopping the troublesome calls then all will be fine.

there is a better way to get the stolen bytes which I will explain when I get home tomorrow. Kinda flat out at the moment.
I have put together a tute which should help. I hope to post it tomorrow also

Best Wishes

R@dier

Pompeyfan 03-01-2004 00:28

Nopping the second call doesn't succeed though, as we said, look forward to your alternative when you get a chance.:)

R@dier 03-01-2004 14:13

you have to NOP quite a bit


all this must be nop-ed

00A5683D FF50 28 CALL DWORD PTR DS:[EAX+28]
00A56840 E8 4668A500 CALL 014AD08B
00A56845 0F58EB ADDPS XMM5,XMM3
00A56848 019A C1D8C5F2 ADD DWORD PTR DS:[EDX+F2C5D8C1],EBX
so it becomes:



00A56824 F3: PREFIX REP: ; Superfluous prefix
00A56825 334424 38 XOR EAX,DWORD PTR SS:[ESP+38]
00A56829 3E:EB 01 JMP SHORT 00A5682D ; Superfluous prefix
00A5682C 6981 D0CE9277 8A>IMUL EAX,DWORD PTR DS:[ECX+7792CED0],1EB>
00A56836 6968 0B D04A0158 IMUL EBP,DWORD PTR DS:[EAX+B],58014AD0
00A5683D 90 NOP
00A5683E 90 NOP
00A5683F 90 NOP
00A56840 90 NOP
00A56841 90 NOP
00A56842 90 NOP
00A56843 90 NOP
00A56844 90 NOP
00A56845 90 NOP
00A56846 90 NOP
00A56847 90 NOP
00A56848 90 NOP
00A56849 90 NOP
00A5684A 90 NOP
00A5684B 90 NOP
00A5684C 90 NOP
00A5684D 90 NOP
00A5684E EB 01 JMP SHORT 00A56851
00A56850 F2: PREFIX REPNE: ; Superfluous prefix

then continue the process,
eventually you will find

00A565C5 55 PUSH EBP ; start of stolen bytes
00A565C6 EB 01 JMP SHORT 00A565C9
00A565C8 E8 8F442400 CALL 00C9AA5C
00A565CD 8BEC MOV EBP,ESP
00A565CF 81EC 0C000000 SUB ESP,0C

Nilrem 03-01-2004 17:33

I'm working on a tutorial about this, but I'll put it on hold, if R@dier's method is better then I'll incorporate it into the tutorial if he doesn't mind.

R@dier 03-01-2004 20:16

Hi The tut is finished although a bit rough in places,
I am just waiting on some feedback then i will post it here.



Best Wishes
R@dier

Nilrem 03-02-2004 00:22

Ok, well I look forward to it R@dier. My method can be a bit 'sketchy' since it is quite possible to miss one here and there, anyways, hopefully yours is a better method.

ferrari 03-02-2004 00:35

R@dier a problem. I followed the tut till end. But when i run the program i get error.
At POP EAX i note down the EAX value. In this case EAX = 0043809C But u have taken it as 00437478. Am I wrong? But i still followed ur steps.Plz clarify.

Screenshots attached.

R@dier 03-02-2004 08:27

@ ferrari ,

you need to execute the POP EAX to get the correct value of EAX,
from your pic, you are sitting on it without running it,
use F7 to step over then tell me what the result is,
if you see in your stack frame(next to dump window)
in your pic
it is

0012FFA8 00437478 A.COPY.00437478

this is the value you need,

also i would not bother with HIEW, just use OllyDbg assemble command and insert the stolen Bytes

then do copy to executable

I hope this helps

Best Wishes

R@dier

Pompeyfan 03-02-2004 09:17

I can't get the program to run with either value of EAX, 0043809C or 00437478, something is still wrong:( , I think we might need to see your whole tut, to backtrack where we have gone wrong, I've come up with the exact same problems as Ferrari all the way along.:confused:

R@dier 03-02-2004 12:43

you may want to check you have dumped in the correct place,
or that your IAT is correct.

another quick thing is have you reset the oep point to
00437578

the stolen bytes are
00437578 > $ 55 PUSH EBP ; real OEP
00437579 . 8BEC MOV EBP,ESP
0043757B . 83C4 F4 ADD ESP,-0C
0043757E . 53 PUSH EBX
0043757F . B8 78744300 MOV EAX,dumped_.00437478

if your IAT is correct and you have dumped in the right place
all should be working

Best Wishes

R@dier

ferrari 03-02-2004 16:13

Quote:

Originally posted by R@dier
you may want to check you have dumped in the correct place,
or that your IAT is correct.

another quick thing is have you reset the oep point to
00437578

the stolen bytes are
00437578 > $ 55 PUSH EBP ; real OEP
00437579 . 8BEC MOV EBP,ESP
0043757B . 83C4 F4 ADD ESP,-0C
0043757E . 53 PUSH EBX
0043757F . B8 78744300 MOV EAX,dumped_.00437478

if your IAT is correct and you have dumped in the right place
all should be working

Best Wishes

R@dier

R@dier i think u r right ...i'l do the imprec part again and check...i'l be back ;)

ferrari 03-02-2004 21:00

hurray!!! R@dier success...i wrongly fixed the IAT. Now it's unpacked successfully. Thank you very very much. Thank you LaBBA for a nice tut. Thank u pompeyfan for starting this topic. Thank u Markus-Djm, and my old friend...oops...Sir JMI and everyone else ;)


now i'l try practicing somemore apps. :D

Nilrem 03-02-2004 21:43

I eagerly await your tutorial release R@dier, I suspect you have used LaBBa's method #1 for the stolen bytes or a modification of it.

Pompeyfan 03-03-2004 03:44

Okay, I'll do the dumping again later today too, thanks for that.:)

R@dier 03-03-2004 06:27

@Nilrem
Hi,
No I don't really use LaBBa Method for stolen bytes
the tut will be posted tomorrow after a couple of changes tonight


@ ferrari

Well done :-)


Best Wishes
R@dier

ferrari 03-03-2004 12:28

Pompeyfan if u are unable to do it...then i'l upload some screenshots on the IAT part.
And also i think there is a mistake in the last part of LaBBa's tut....PE Editor

EP = OEP - BASE = 437578 - 400000 = 37578 <--- correct

EP = 437589 - 400000 = 37589 <--- wrong (fake OEP)

If u have done this right then most probably u've done wrong in the Imprec part like i did. I wud like to help u. Another tut by Labba...see the link... In this he has explained the IAT part. His english is bit poor :( but anywayz thank u LaBBa...atleast u have shared ur knowledge....u have tried to explain it in best possible way...Everyone is a noob at some stage. :D

Anyways even LaBBA has received criticism for his tuts ;)

http://www.woodmann.net/forum/showthread.php?t=4958

R@dier i m eagerly waiting for ur tut :) ...i wanna know that easy way of finding the Stolen bytes.

btw i got some Aspr targets
--> AIMPR 2.20- http://www.elcomsoft.com/

--> SIGuardian 1.71- http://www.siguardian.com <-- ASProtect 1.23 RC4 - 1.3.08.24 -> Alexey Solodovnikov
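
The entry-point arithmetic from the post above (EP = OEP - BASE), as an added example that is not part of the thread or of LaBBa's tutorial: it reads `ImageBase` and `AddressOfEntryPoint` from a PE32 header and checks whether the header points at the real OEP or the fake one. The one-section image built by `build_sample` is constructed for the demo (its section name and layout are assumptions); only the addresses and byte values are taken from the thread.

```python
import struct

PROLOGUE = b"\x55\x8b\xec"  # PUSH EBP / MOV EBP,ESP: first stolen bytes quoted in the thread

def read_entry(pe):
    """Return (image_base, entry_rva, sections) from a PE32 file image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[lfanew:lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, lfanew + 20)[0]
    opt = lfanew + 24                                        # start of the optional header
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]    # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]   # ImageBase
    sections = []
    for i in range(nsec):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, vsize, rptr, rsize))
    return image_base, entry_rva, sections

def rva_to_offset(rva, sections):
    """Map an RVA to a file offset, or None if no raw data backs it."""
    for vaddr, vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            delta = rva - vaddr
            return rptr + delta if delta < rsize else None
    return None

def check_entry(pe, expected_oep_va):
    """Compare the header entry point with the OEP found while tracing."""
    image_base, entry_rva, sections = read_entry(pe)
    off = rva_to_offset(entry_rva, sections)
    first = bytes(pe[off:off + 3]) if off is not None else b""
    return {
        "header_ep_rva": entry_rva,
        "expected_ep_rva": expected_oep_va - image_base,     # EP = OEP - BASE
        "matches": entry_rva == expected_oep_va - image_base,
        "starts_with_prologue": first == PROLOGUE,
    }

def build_sample(entry_rva):
    """Constructed one-section image; only addresses and bytes come from the thread."""
    img = bytearray(0x38000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x14C, 1)             # i386, one section
    struct.pack_into("<H", img, 0x54, 0xE0)                  # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x58, 0x10B)                 # PE32 magic
    struct.pack_into("<I", img, 0x58 + 16, entry_rva)
    struct.pack_into("<I", img, 0x58 + 28, 0x400000)         # BASE from the thread
    img[0x138:0x13C] = b"CODE"                               # section name is made up
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData (raw == virtual, as in a dump)
    struct.pack_into("<4I", img, 0x140, 0x37000, 0x1000, 0x37000, 0x1000)
    img[0x37578:0x37584] = bytes.fromhex("558bec83c4f453b878744300")  # stolen bytes
    img[0x37589:0x3758F] = bytes.fromhex("8b1d908a4300")              # bytes at the fake OEP
    return bytes(img)

if __name__ == "__main__":
    for rva in (0x37578, 0x37589):
        print(hex(rva), check_entry(build_sample(rva), 0x437578))
```

The prologue test is a heuristic for this target only; it holds here because the stolen bytes R@dier listed begin with `55 8B EC`.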

Pompeyfan 03-03-2004 18:46

Thanks mate, actually I did manage to successfully complete the unpacking today, not sure what I did wrong last time, I thought I did it the way you said last time, anyway the main thing is I did it right this time, the problem was certainly with the dumping and fixing of the IAT table.
I'll have to try a couple more now, just to make sure I have fully learned this new skill, I'm pretty happy to have finished my first anyway.;) :)

Don Killah 03-05-2004 18:14

Hum, i'm eagerly waiting for this tut since i get an error while performing the tc eip<900000 trick. Anytime i do it on Asprotect last versions (1.23RC4) i get an
<target_exe> made a crash in "unknown" error...

Am i the only one having this bug or what, i'm using ollydebug 1.10 step2 on WinME... Plus i can't get the IsDebuggerPresent plugin to work, i use a tool called OllyGhost by Syn (Fool IsDebuggerPresent and can enable Kernel32 bps).

Anyone got a clue how to defeat this bug... or i just can't unpack the latest version of Aspr anymore. Thx

