Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Still need help with Asprotect (https://forum.exetools.com/showthread.php?t=3599)

Pompeyfan 03-06-2004 17:32

Still need help with Asprotect
 
Wondering if someone could help me with this target. I thought I'd learned a lot from the Wtm CD Protect V1.54 tut of LaBBas, but I can't seem to get the OEP for the following. PEiD reports OEP at 00417338, but nothing leads me there by tracing:

Registry Defragmentation for Windows 95-XP
Version 5.0b
Authors: Nick Nifontov
Alexander Berezovsky
Copyright © Elcor Software 2001-2004
hxxp://www.elcor.net/

This is what I tried so far:

Shift & F9 26 times, breakpoint on RETN, then Shift & F9, trace TC EIP<900000, Ctrl & A (analyse), then here:

0040531C $-FF25 44B24100 JMP DWORD PTR DS:[41B244]
00405322 8BC0 MOV EAX,EAX
00405324 $-FF25 40B24100 JMP DWORD PTR DS:[41B240]
0040532A 8BC0 MOV EAX,EAX
0040532C $-FF25 3CB24100 JMP DWORD PTR DS:[41B23C]
00405332 8BC0 MOV EAX,EAX
00405334 $-FF25 38B24100 JMP DWORD PTR DS:[41B238]
0040533A 8BC0 MOV EAX,EAX
0040533C /$ 50 PUSH EAX
0040533D |. 6A 40 PUSH 40
0040533F |. E8 E0FFFFFF CALL RegDefra.00405324
00405344 \. C3 RETN

F8 one time, and you are here:

009A1C64 55 PUSH EBP
009A1C65 8BEC MOV EBP,ESP
009A1C67 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
009A1C6A 85C0 TEST EAX,EAX
009A1C6C 75 13 JNZ SHORT 009A1C81
009A1C6E 813D A47A9A00 00>CMP DWORD PTR DS:[9A7AA4],400000 ; ASCII "MZP"
009A1C78 75 07 JNZ SHORT 009A1C81
009A1C7A A1 A47A9A00 MOV EAX,DWORD PTR DS:[9A7AA4]
009A1C7F EB 06 JMP SHORT 009A1C87
009A1C81 50 PUSH EAX
009A1C82 E8 3135FFFF CALL 009951B8 ; JMP to kernel32.GetModuleHandleA
009A1C87 5D POP EBP
009A1C88 C2 0400 RETN 4

Press F8 to RET command and you are here:

004053F1 . A3 10A74100 MOV DWORD PTR DS:[41A710],EAX ; RegDefra.00400000
004053F6 . A1 10A74100 MOV EAX,DWORD PTR DS:[41A710]
004053FB . A3 8C904100 MOV DWORD PTR DS:[41908C],EAX
00405400 . 33C0 XOR EAX,EAX
00405402 . A3 90904100 MOV DWORD PTR DS:[419090],EAX
00405407 . 33C0 XOR EAX,EAX
00405409 . A3 94904100 MOV DWORD PTR DS:[419094],EAX
0040540E . E8 C1FFFFFF CALL RegDefra.004053D4
00405413 . BA 88904100 MOV EDX,RegDefra.00419088
00405418 . 8BC3 MOV EAX,EBX
0040541A . E8 9DE5FFFF CALL RegDefra.004039BC
0040541F . 5B POP EBX
00405420 . C3 RETN

Dump full with LordPE, then F8 till after the RETN, and you are at the fake OEP, I thought:

00418E88 E8 DB E8

Tried fixing the import table here without success; ImpREC gives me the message "nothing good here". Tried IAT autosearch, and also tried entering the OEP I thought I had found.

Britedream's OEP finder script ends here:

0040531C FF DB FF

After Ctrl & A:

0040531C $-FF25 44B24100 JMP DWORD PTR DS:[41B244]
00405322 8BC0 MOV EAX,EAX
00405324 $-FF25 40B24100 JMP DWORD PTR DS:[41B240]
0040532A 8BC0 MOV EAX,EAX
0040532C $-FF25 3CB24100 JMP DWORD PTR DS:[41B23C]
00405332 8BC0 MOV EAX,EAX
00405334 $-FF25 38B24100 JMP DWORD PTR DS:[41B238]
0040533A 8BC0 MOV EAX,EAX
0040533C /$ 50 PUSH EAX
0040533D |. 6A 40 PUSH 40
0040533F |. E8 E0FFFFFF CALL RegDefra.00405324
00405344 \. C3 RETN

Has anyone else tried this target, and can they give me a few tips on where to go from here?

britedream 03-06-2004 19:34

Hi,
my script is stopping at the right place, but please read the msg that it displays. It says "click on the 'K' at the toolbar; if it is not empty then double click on the last address you see there", then the stolen bytes place and OEP are above where you land. Or follow the recent tut made by R@dier.
Regards.
note:
here is the oep+stolen on my pc:

00418E78 55 PUSH EBP
00418E79 8BEC MOV EBP,ESP
00418E7B 83C4 F0 ADD ESP,-10
00418E7E B8 808D4100 MOV EAX,RegDefra.00418D80


Note2:

Please remove analysis if it is done, otherwise the address you will see inside the K, if any, will not be the correct one.

ferrari 03-07-2004 00:34

@Pompeyfan
If you followed R@dier's tut and, after writing the stolen bytes, New Origin here, dumping the process, you get the above error, then I think you have not entered the OEP-->18E78 and then clicked IAT Search. I got it that way.

@Britedream

PEiD scan shows that there are a total of four exe's which are ASPR'd,
viz.
RegDefrag.exe , RegBackup.exe, RegDfrgSch.exe, SysBackup.exe

As per R@dier's tut and your instructions I unpacked RegDefrag.exe,
but it won't run. I don't get any messages. Nothing happens if I double click it. Is that right, britedream? If yes, that means I unpacked it correctly. So I thought that for the app to run I have to unpack the other 3 also. I unpacked RegBackup.exe and RegDfrgSch.exe correctly, I guess, because the same thing happens if I try to run them. But when I load SysBackup.exe in Olly it fails and gives me some DLL not found error. Do you get the same error? Can you explain why?

R@dier 03-07-2004 00:51

1 Attachment(s)
Hi ferrari,
the programs have ASPR's checksum protection

you are going to need to debug the proggy to get it to run,
I have had a quick go at it and currently get the attached error message,
I will try to have a closer look tomorrow

Best Wishes

R@dier

Pompeyfan 03-07-2004 03:05

Thanks for the replies guys, I'll try this again later today:)

Pompeyfan 03-07-2004 03:17

Quote:

Hi,
my script is stopping at the right place, but please read the msg that it displays. It says "click on the 'K' at the toolbar; if it is not empty then double click on the last address you see there", then the stolen bytes place and OEP are above where you land. Or follow the recent tut made by R@dier.
Regards.
note:
here is the oep+stolen on my pc:

00418E78 55 PUSH EBP
00418E79 8BEC MOV EBP,ESP
00418E7B 83C4 F0 ADD ESP,-10
00418E7E B8 808D4100 MOV EAX,RegDefra.00418D80


Note2:

Please remove analysis if it is done, otherwise the address you will see inside the K, if any, will not be the correct one.

Strange, but I've tried it quite a few times, and when I press on the K, I have a blank call stack window, no analysis done either.:confused:

britedream 03-07-2004 10:44

Please right click on the CPU pane and check the analysis option; if it says "remove analysis", please do so.

britedream 03-07-2004 12:09

Hi ferrari,
no need to unpack those files for the RegDefrag exe to start up correctly. Just try to overcome the protection in the RegDefrag exe (it should display the msg that R@dier posted).

Regards.

ferrari 03-07-2004 15:53

1 Attachment(s)
R@dier and Britedream:

Okay, I think I unpacked it correctly this time. When I run 'RegToolkit.exe' and from there try to run 'RegDefrag.exe', I get the same error message as R@dier. I have attached the IAT tree. Please check if it's correct. And also please explain how to get rid of this checksum thing.
Thank you.

britedream 03-07-2004 16:49

IAT starts at 1b168

Pompeyfan 03-07-2004 20:31

Quote:

please right click on cpu pane and check the analysis option , if it says remove analysis,please do so.
Okay, sorted that out now, sorry about that:)

Pompeyfan 03-07-2004 20:35

1 Attachment(s)
I get the attached message when I try to do any tracing with this program, whether by the TC<900000, or by tracing as per R@dier's latest tut, why would that be?

britedream 03-08-2004 12:04

Hi,
if you are referring to RegDefrag, it is not the best program you can tackle. When I looked at it the first time, I saw 16 checks leading to the error R@dier posted, which will consume your time trying to fix. If you would like to see that, just bp on ShowWindow, look at the stack and go to the msg, take references, and you will see those references to the error msg R@dier posted.
(not only that but there are more things to fix).
My advice to you is to go with less protection till you firmly grasp unpacking, and work your way up to that.

Regards.

Pompeyfan 03-08-2004 18:52

Interesting, sounds like I did pick a hard one, didn't I? Not sure what went wrong last time, but I tried it again this arvo and got to the same stage as R@dier and Ferrari, no probs. Guess I'd better decide, in light of what you said, whether I want to leave this one for a while; kinda depends on what the others decide, I think.
Thanks for your help anyway, I think I have learned a bit out of this thread so far anyway.:)

Pompeyfan 03-08-2004 18:58

One interesting thing, if you unpack with Stripper, you get this info on import table:

16:31:08 - processing import table..
ImportAddressTable RVA :0001b168 - kernel32.dll
ImportAddressTable RVA :0001b204 - user32.dll
ImportAddressTable RVA :0001b218 - advapi32.dll
ImportAddressTable RVA :0001b228 - oleaut32.dll
ImportAddressTable RVA :0001b238 - kernel32.dll
ImportAddressTable RVA :0001b24c - advapi32.dll
ImportAddressTable RVA :0001b284 - kernel32.dll
ImportAddressTable RVA :0001b36c - version.dll
ImportAddressTable RVA :0001b37c - gdi32.dll
ImportAddressTable RVA :0001b400 - user32.dll
ImportAddressTable RVA :0001b52c - shell32.dll
ImportAddressTable RVA :0001b534 - ole32.dll
ImportAddressTable RVA :0001b540 - comctl32.dll
ImportAddressTable RVA :0001b548 - shell32.dll
ImportAddressTable RVA :0001b558 - comctl32.dll
ImportAddressTable RVA :0001b568 - winmm.dll
ImportAddressTable RVA :0001b570 - advapi32.dll
16:31:09 - fixing import table..
ImportAddress RVA :0001b1ac - kernel32.dll!GetModuleHandleA
ImportAddress RVA :0001b1bc - kernel32.dll!GetCommandLineA
ImportAddress RVA :0001b244 - kernel32.dll!GetModuleHandleA
ImportAddress RVA :0001b304 - kernel32.dll!GetModuleHandleA
ImportAddress RVA :0001b32c - kernel32.dll!GetCurrentProcess
ImportAddress RVA :0001b330 - kernel32.dll!GetCommandLineA

Whereas when I manually unpack it, I get the same result as Ferrari, noting that Britedream states that the IAT starts at 0001b168, rather than 0001b238.

britedream 03-08-2004 20:07

Ok, I will put your mind at ease. At the first exception search for "8b178902eb"; right above that are two calls. BP on the last one, go on with Shift+F9 till you reach it, NOP it; this will almost fix your table, and you should see the instruction right below you moving the first item to the IAT, which confirms what I told you and the Stripper finding as you posted.

ferrari 03-09-2004 00:19

Quote:

Originally posted by britedream
Ok, I will put your mind at ease. At the first exception search for "8b178902eb"; right above that are two calls. BP on the last one, go on with Shift+F9 till you reach it, NOP it; this will almost fix your table, and you should see the instruction right below you moving the first item to the IAT, which confirms what I told you and the Stripper finding as you posted.
I am afraid, Britedream, but my brain fails to process this one :rolleyes:
This may be a dumb question, but I would rather dare ask it than remain one.
Okay, I start it fresh in Olly. At the first exception I hit Ctrl+B
and enter 8b178902eb. I land here:

009A32B4 E8 47FCFFFF CALL 009A2F00
009A32B9 E8 7EFEFFFF CALL 009A313C
009A32BE 8B17 MOV EDX,DWORD PTR DS:[EDI]
009A32C0 8902 MOV DWORD PTR DS:[EDX],EAX
009A32C2 EB 7E JMP SHORT 009A3342
009A32C4 83FB 06 CMP EBX,6
009A32C7 74 05 JE SHORT 009A32CE
009A32C9 83FB 03 CMP EBX,3
009A32CC 75 37 JNZ SHORT 009A3305

Quote:

Originally posted by britedream
nope it this will almost fix your table,
I put a BP at 009A32B9 and hit Shift+F9 until I reach there. Then am I supposed to NOP it? And if yes, then what should I do next? Please can you elaborate on why you do all this, I mean how you got this-->"8b178902eb" and why put a BP and why NOP it.
Please, if possible :(

britedream 03-09-2004 00:48

Write down the address you see in the instruction below where you are, the one moving to EDX. NOP the call, F9, you will get an exception, hit the "-" key to go back, undo changes, then go on to the OEP. Once there, click on the dump pane, go to the address that you wrote down, and you should see the start of your IAT = 1b168. This is to explain my response to Pompeyfan about the address 41b168 I posted. I hope I am clear on this.
note:
As for why to NOP this: this call is the one that messes up your IAT.

regards.
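The byte-signature step from ferrari's and britedream's posts above can be reproduced offline on a dump of the unpacker's memory. The following is an added example and is not code from the thread or from any of the tools mentioned: it searches a code region for 8b178902eb, walks back over the two E8 calls above the hit, decodes their targets, and builds the five-byte NOP patch for the second call. The region bytes are constructed from ferrari's listing starting at 009A32B4; the base address is taken from that listing, and everything else about the real target is assumed.

```python
"""Find ASProtect's IAT-write call by byte signature and NOP it (added example)."""
import struct

# Constructed from ferrari's Olly listing; the bytes are those shown for
# 009A32B4..009A32CE, laid out as they would sit in a memory dump.
REGION_BASE = 0x009A32B4
REGION = bytes.fromhex(
    "E847FCFFFF"   # 009A32B4  CALL 009A2F00
    "E87EFEFFFF"   # 009A32B9  CALL 009A313C   <- the call britedream says to NOP
    "8B17"         # 009A32BE  MOV EDX,DWORD PTR DS:[EDI]
    "8902"         # 009A32C0  MOV DWORD PTR DS:[EDX],EAX  (writes the IAT slot)
    "EB7E"         # 009A32C2  JMP SHORT 009A3342
    "83FB06"       # 009A32C4  CMP EBX,6
    "7405"         # 009A32C7  JE SHORT 009A32CE
    "83FB03"       # 009A32C9  CMP EBX,3
    "7537"         # 009A32CC  JNZ SHORT 009A3305
)
SIGNATURE = bytes.fromhex("8B178902EB")   # MOV EDX,[EDI] / MOV [EDX],EAX / JMP SHORT


def find_signature(region, base, sig=SIGNATURE):
    """Return the VA of every occurrence of sig inside region."""
    hits = []
    off = region.find(sig)
    while off != -1:
        hits.append(base + off)
        off = region.find(sig, off + 1)
    return hits


def preceding_calls(region, base, va, count=2):
    """Walk backwards from va over `count` consecutive E8 rel32 calls.

    Returns [(call_va, target_va), ...] in ascending address order.  Raises
    ValueError if the bytes above va are not the expected CALL opcodes, so a
    layout that differs from the listing is reported rather than mis-patched.
    """
    calls = []
    off = va - base
    for _ in range(count):
        off -= 5
        if off < 0 or region[off] != 0xE8:
            raise ValueError("expected E8 CALL at %#010x" % (base + off))
        rel = struct.unpack_from("<i", region, off + 1)[0]
        calls.insert(0, (base + off, base + off + 5 + rel))   # target = next EIP + rel32
    return calls


def nop_call(region, base, call_va):
    """Return a copy of region with the 5-byte CALL at call_va replaced by NOPs.

    The original buffer is left untouched, mirroring the thread's advice to
    undo the change after using it.
    """
    off = call_va - base
    if region[off] != 0xE8:
        raise ValueError("no CALL at %#010x" % call_va)
    patched = bytearray(region)
    patched[off:off + 5] = b"\x90" * 5
    return bytes(patched)


if __name__ == "__main__":
    for hit in find_signature(REGION, REGION_BASE):
        calls = preceding_calls(REGION, REGION_BASE, hit)
        for call_va, target in calls:
            print("CALL at %#010x -> %#010x" % (call_va, target))
        last_call = calls[-1][0]
        print("NOP the CALL at %#010x, then break on it with Shift+F9" % last_call)
        nop_call(REGION, REGION_BASE, last_call)
```

In the thread the NOP is only temporary (britedream undoes it after noting the address EDX points at), which is why nop_call returns a patched copy rather than editing in place. The signature is specific to the ASProtect build Pompeyfan was looking at; another build may lay the MOV/JMP sequence out differently, in which case preceding_calls raises instead of guessing.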

Pompeyfan 03-09-2004 04:25

Okay, I've dumped it and fixed the IAT okay now. I must still be a dumb ass though, because I couldn't see what you said, that being "once there, click on the dump pane, go to the address that you wrote, you should see the start of your IAT = 1b168". Nevertheless, at least I was able to fix the IAT with ImpREC, thanks for that.:)

britedream 03-09-2004 04:51

You were wondering about 1b168, which is the RVA of the IAT, and posted the Stripper finding of the IAT, which is VA 41b168, so I showed you how I got the VA 41b168.

This is part of what you posted:
1-
"One interesting thing, if you unpack with Stripper, you get this info on import table:

16:31:08 - processing import table..
ImportAddressTable RVA :0001b168 - kernel32.dll

2-
Whereas when I manually unpack it, I get the same result as Ferrari, noting that Britedream states that the IAT starts at 0001b168, rather than 0001b238."

I hope someone can explain this better than I did, so you can understand it.
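The RVA/VA point britedream is making, and the Stripper log Pompeyfan posted, can be checked mechanically. The following is an added example, not code from the thread, from Stripper or from ImpREC. The log lines are copied from Pompeyfan's post, the image base 0x00400000 is taken from the "RegDefra.00400000" comment in his listing, and the four IAT slots are the ones read by the JMP DWORD PTR DS:[41B2xx] thunks at 0040531C. The script treats the ImportAddressTable lines as the starts of contiguous per-DLL blocks (an assumption about the dump layout) and does not guess where the last block ends, since that is not in the log.

```python
"""Map Stripper's import log onto the IAT and find where the table starts (added example)."""
import bisect
import re

IMAGE_BASE = 0x00400000   # from the RegDefra.00400000 comment in Pompeyfan's listing

# Copied from the Stripper output posted in the thread.
STRIPPER_LOG = """\
16:31:08 - processing import table..
ImportAddressTable RVA :0001b168 - kernel32.dll
ImportAddressTable RVA :0001b204 - user32.dll
ImportAddressTable RVA :0001b218 - advapi32.dll
ImportAddressTable RVA :0001b228 - oleaut32.dll
ImportAddressTable RVA :0001b238 - kernel32.dll
ImportAddressTable RVA :0001b24c - advapi32.dll
ImportAddressTable RVA :0001b284 - kernel32.dll
ImportAddressTable RVA :0001b36c - version.dll
ImportAddressTable RVA :0001b37c - gdi32.dll
ImportAddressTable RVA :0001b400 - user32.dll
ImportAddressTable RVA :0001b52c - shell32.dll
ImportAddressTable RVA :0001b534 - ole32.dll
ImportAddressTable RVA :0001b540 - comctl32.dll
ImportAddressTable RVA :0001b548 - shell32.dll
ImportAddressTable RVA :0001b558 - comctl32.dll
ImportAddressTable RVA :0001b568 - winmm.dll
ImportAddressTable RVA :0001b570 - advapi32.dll
16:31:09 - fixing import table..
ImportAddress RVA :0001b1ac - kernel32.dll!GetModuleHandleA
ImportAddress RVA :0001b1bc - kernel32.dll!GetCommandLineA
ImportAddress RVA :0001b244 - kernel32.dll!GetModuleHandleA
ImportAddress RVA :0001b304 - kernel32.dll!GetModuleHandleA
ImportAddress RVA :0001b32c - kernel32.dll!GetCurrentProcess
ImportAddress RVA :0001b330 - kernel32.dll!GetCommandLineA
"""

# IAT slot VAs read by the JMP DWORD PTR DS:[...] thunks at 0040531C..00405334.
THUNK_SLOTS = [0x0041B244, 0x0041B240, 0x0041B23C, 0x0041B238]

_BLOCK_RE = re.compile(r"^ImportAddressTable RVA :([0-9a-fA-F]+) - (\S+)$", re.M)
_FIX_RE = re.compile(r"^ImportAddress RVA :([0-9a-fA-F]+) - (\S+)!(\S+)$", re.M)


def parse_log(text):
    """Return (blocks, fixes): blocks = [(rva, dll)] in log order and
    fixes = [(rva, dll, function)] for the slots Stripper had to repair."""
    blocks = [(int(m.group(1), 16), m.group(2)) for m in _BLOCK_RE.finditer(text)]
    fixes = [(int(m.group(1), 16), m.group(2), m.group(3)) for m in _FIX_RE.finditer(text)]
    return blocks, fixes


def rva_to_va(rva, base=IMAGE_BASE):
    return base + rva


def va_to_rva(va, base=IMAGE_BASE):
    return va - base


def iat_start(blocks):
    """The IAT begins at the lowest block RVA, not at whichever block a
    particular thunk happens to reference."""
    return min(rva for rva, _ in blocks)


def block_for(rva, blocks):
    """Return the (rva, dll) block that contains the slot at rva, or None if
    the slot lies below the first block.  Assumes blocks are contiguous, so a
    slot belongs to the last block whose start is <= rva."""
    starts = sorted(blocks)
    i = bisect.bisect_right([s for s, _ in starts], rva) - 1
    return starts[i] if i >= 0 else None


def fixes_consistent(fixes, blocks):
    """True if every repaired slot lies in a block of the same DLL Stripper
    resolved it to; a mismatch would mean the block layout assumption is wrong."""
    return all((block_for(rva, blocks) or (None, None))[1] == dll for rva, dll, _ in fixes)


def thunk_slot_owners(slots, blocks):
    """For each IAT slot VA read by a JMP [slot] thunk, give (slot_va, block_rva, dll)."""
    out = []
    for va in slots:
        blk = block_for(va_to_rva(va), blocks) or (None, None)
        out.append((va, blk[0], blk[1]))
    return out


if __name__ == "__main__":
    blocks, fixes = parse_log(STRIPPER_LOG)
    print("IAT starts at RVA %#x = VA %#010x" % (iat_start(blocks), rva_to_va(iat_start(blocks))))
    for va, brva, dll in thunk_slot_owners(THUNK_SLOTS, blocks):
        print("thunk slot %#010x is in the %s block at RVA %#x" % (va, dll, brva))
```

Run as-is it reports that the IAT starts at RVA 0x1b168 (VA 0x41b168) and that all four thunk slots at 0x41B238..0x41B244 sit in the second kernel32 block beginning at RVA 0x1b238, which is why reading the IAT start off those thunks gives 1b238 while the table actually begins 0xd0 bytes earlier. For ImpREC the RVA is what goes into the "RVA" field; the VA is what you would navigate to in Olly's dump pane.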

Pompeyfan 03-09-2004 17:08

Not to worry mate, it is probably just me; probably hard to teach an old dog new tricks. At least you got through to me how to fix the import table; I just couldn't see the instruction that moved the first item to the IAT.
Here is the error message generated by the unpacked .exe:

00410994 /$ 68 30100000 PUSH 1030 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_SYSTEMMODAL
00410999 |. 68 AC094100 PUSH RegDefra.004109AC ; |Title = "Warning"
0041099E |. 68 B4094100 PUSH RegDefra.004109B4 ; |Text = "File corrupted ! Please run a virus-check, then re-install the application."
004109A3 |. 6A 00 PUSH 0 ; |hOwner = NULL
004109A5 |. E8 D24FFFFF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
004109AA \. C3 RETN

And references to this command:

References in RegDefra: to 00410994
Address Disassembly Comment
00410994 PUSH 1030 (Initial CPU selection)
00412D68 CALL RegDefra.00410994
00413C3E CALL RegDefra.00410994
00414569 CALL RegDefra.00410994
00415DD1 CALL RegDefra.00410994
0041680B CALL RegDefra.00410994
00416AD1 CALL RegDefra.00410994
00416FD0 CALL RegDefra.00410994
004176B6 CALL RegDefra.00410994
004176EA CALL RegDefra.00410994
004181C3 CALL RegDefra.00410994
00418A3B CALL RegDefra.00410994
00418C70 CALL RegDefra.00410994
00418CA6 CALL RegDefra.00410994
00418CDC CALL RegDefra.00410994
00418D0F CALL RegDefra.00410994
00418D42 CALL RegDefra.00410994

Is getting rid of this error message more complicated than just nopping all these calls?

britedream 03-10-2004 14:30

Hi,
My hard disk is dead now, I am using an old computer, so I don't have the file or the info, but I remember this error msg occurring after a call to MapViewOfFile, if I remember correctly. So bp on this API in your dump, and trace from the last call to this API that the error msg popped up after; do the same in the original target, and you should be able to see the difference that made the msg appear. This is just an idea, see if it works.

JMI 03-10-2004 16:32

Pompeyfan:

Another piece of good advice (besides that ball bouncing in off the corner post) is that you get in the practice of keeping notes of the process "as you go." This gives you two advantages. Taking the time to make notes tends to make one more careful, instead of just crashing along, and it gives you something to check against when you have a problem like you are experiencing.

I believe you will find that if YOU write out the steps you understand you should be taking and write down the results of what happens when you take those steps, you will become somewhat more methodical and careful and can cross check your results with what you were expecting, without totally trusting to tired eyes and sleep deprived brain.

One additional advantage of proceeding by this method is that the next time you are working with the same protection and it takes a strange turn, you will be aware it has happened differently than in the past and have a new path down which to wander.

Sometimes it is beneficial just to take a step back and look at the code and try to figure out what the hell it appears to be trying to do. You know it is moving stuff around and getting and placing things in various places, but the more you come to UNDERSTAND what the code is ACTUALLY doing, the better chance you have to work your way through the dark codewoods. This is real learning. Then you will not only be following the path, you will be reading the trail markers. That's when it becomes really fun and you actually begin to search for that something different, which signals that a new variant has arrived on the scene. Then you are not following someone else's trail, but blazing your own.

If you are only trying to "follow" someone else's path (as from a tut) without actually trying to understand what the code is doing, you eventually will miss a step when the trail forks just when a cloud passed in front of the moon and you don't see the side trail.

Regards,

Pompeyfan 03-10-2004 19:44

Thanks Britedream, I'll try that tomorrow, getting too late tonight, and thanks to JMI for the usual words of wisdom, makes a lot of sense, I'll take that advice on board.:)

Kyrios 03-11-2004 01:06

Trick from elcor
 
Hi,
Satyricon (hi buddy) has made a nice tut about TweakRam from Elcor as well. The tut and the file can be downloaded via FTP. Check it out.
Once you finish this baby, you will be easily defeating this Registry Defragmentation as well, because the trick is the same.


kyrios

ferrari 03-11-2004 02:17

Quote:

Originally posted by Pompeyfan
Thanks to JMI for usual words of wisdom, makes a lot of sense, I'll take that advice on board.:)
Yep, fully agree with you Pompeyfan... that's why I'm his superfan ;) :D

Pompeyfan see if u find this interesting
http://codebreakers.anticrack.de/viewarticle.php?id=27&layout=abstract

Pompeyfan 03-11-2004 04:18

Thanks Ferrari, I'll read through that. How do I access the site FTP? I've never used it before, and I'd like to get the TweakRam tut.
I just tried ftp.exetools.com and put in my forum username and password, but that doesn't let me in.

JMI 03-11-2004 05:32

If you are trying to access the FTP here you should be suitably embarrassed that you haven't already reviewed the "Announcements and News" forum. If you had done that you would already "know" what to do. :rolleyes: Remember that part of ferrari's signature and make use of your most important "tools." ;)

You will find discussion of the tut here:

http://www.exetools.com/forum/showthread.php?s=&threadid=2847

and the TUT is located in: "/incoming/Elcor TweakRAM 3.31.0.3404"

Regards,

Pompeyfan 03-11-2004 20:35

Okay, found it now, sorry guys, thanks for your patience, scored a bit of an own goal there I think.

Pompeyfan 03-12-2004 19:31

I seem to be having trouble with the trace part with TweakRAM when trying to unpack it. I've struck this with some other ASProtected programs; it just seems to hang. Am I alone with this problem? It doesn't happen on all of them, just some.

Satyric0n 03-12-2004 19:45

Err... What exactly are you doing a trace for?

If you're trying to find the OEP, just set a memory (on execution) breakpoint on the app's code section and run.

If you're trying to find the stolen bytes... Well, let's just say there are ways other than using a trace; I certainly don't ever trace in Olly...

Regards,
Satyric0n

Pompeyfan 03-13-2004 04:08

I mean doing the trace by either method, either the TC EIP<900000 at the command line first mentioned in LaBBas tuts, or when doing the memory (on execution) breakpoint on the app's code section and then pressing ctrl & F11.
On some programs it just keeps hanging on the trace. Last night I left it for some considerable time on TweakRAM; it still showed "tracing" in the bottom right, but I'm sure it had hung.

hobferret 03-13-2004 04:48

Hi Pompeyfan:)

I don't use this forum much, I prefer the RCE one:cool:

Hey your work is good. I just managed to work out your thing about Pompey rock Saint's suck:D

How about Pompey <17 Saint's >17 OK - ha ha:D

Long live Merredin - WA State of Excitement:cool:

/hobferret

R@dier 03-13-2004 09:06

:D

JMI 03-13-2004 10:38

Alright now, I want all you soccer fans to behave yourselves in the stands from now on. Way too many people getting hurt just trying to enjoy a game. ;) Sometimes they seem to need reminding that this is not WAR, it is a GAME. Unfortunately it is a lack of perspective that is evident in many sports, in many parts of the world, including my own. :rolleyes:

Not quite as bad as those, of whatever persuasion, who seem to believe that the Deity sanctions their wanton slaughter of the innocent in the name of their personal views of religion, politics, or territorial imperative.

Regards,

Pompeyfan 03-13-2004 17:29

If we only win 1 match more this season, I hope it is March 21, home to Southampton, actually JMI usually you have great insight, but on this point I differ, just a game, nah, Pompey vs Saints =WAR:D

Pompeyfan 03-13-2004 17:41

Quote:

If you're trying to find the OEP, just set a memory (on execution) breakpoint on the app's code section and run.
Yes, I see that finds the OEP okay, so do you then use the method explained by Labba to find the stolen bytes, seems harder than doing a trace if the darn thing will work.

britedream 03-13-2004 18:52

Trace does work fine on the latest version of TweakRAM. Use my script asprbp to be on the right address for the trace, set a bp on memory access, then Ctrl+F11. That is all.

Pompeyfan 03-14-2004 04:03

Now if it worked fine on my PC, I wouldn't waste my time posting saying the trace hung, would I:mad:, glad to hear it works for you.

Satyric0n 03-14-2004 10:58

Quote:

so do you then use the method explained by Labba to find the stolen bytes, seems harder than doing a trace if the darn thing will work.
I use my own method for finding stolen bytes, not one I ever saw in a tutorial. Try using your own head instead of blindly following someone else's tutorial, and you will find things become much easier. (Acknowledgement of the fact that JMI has already said this recently goes here. ;))

Quote:

Now if it worked fine on my PC, I wouldn't waste my time posting saying the trace hung would I:mad: , glad to hear it works for you.
You probably have the options on the Trace tab in Olly's Debugging Options set wrong. Try reading about what those options do, and maybe you can solve your own problem.

Regards,
Satyric0n

