Unpacking G6FTP 3.0
Hello,
I'm not new here, but I'm currently starting my first posts ;) I've downloaded G6FTP 3.0 from hxxp://www.g6ftpserver.com/ The patch from CORE doesn't run well, so I started to look at it myself. I was unpacking the service of it with stripper. After unpacking, the service doesn't run anymore. It will crash with a memory error. So I think the OEP isn't correct after unpacking with stripper. I'm new to OllyDbg and I haven't got anything right with it till now. Can somebody help me with unpacking the service of G6FTP? Thanks, neogen :) PS: Don't blame me if it's the wrong forum... Thanks :D
I don't know stripper, sorry.
Did stripper automatically fix the imports? If not, you have to do this with ImpRec, for example, and it's possible that you have to set the new OEP with a PE editor. Edited: Just downloaded stripper :) OK, it fixes the imports, but it will not repair stolen bytes, so you have to do this by hand. Better search for a few tutorials which explain this better.
Here's OEP and stolen bytes for ya. Hope it helps.
00573E64 55 PUSH EBP
00573E65 8BEC MOV EBP,ESP
00573E67 83EC 10 SUB ESP,10
00573E6A 53 PUSH EBX
00573E6B B8 A8405700 MOV EAX,G6FTPAdm.005740A8
Edit: This is for the Remote Admin .exe btw.
Interesting thread, I'd been looking at this target myself, but the CORE crack seems to be working fine here. Also I've been looking at how the CORE crack works, and I like the way they have used DLL injection to change a jmp in the service and also write out a 02 byte to set it from trial to standard mode.
What I couldn't figure out was that the memory address this 02 byte is written to didn't seem to be read by the service? (at least my bpm 0xaddress rw in SoftICE didn't seem to be hit) I assume this is some kind of aspr variable that the main program accesses. Also stripper worked fine on the remote admin exe for me, but like OP said it didn't work on the service (but as black_out says it only fails on stolen bytes), so it was enough for disassembly... -- bedrock
Hi bedrock,
the CORE patch ruined SSL: first you need to create an SSL certificate and then a new domain. When you add a new domain, an error message comes up. You will not be able to add a domain until all SSL certificates are deleted. That's the problem... So I would like to fix this problem by using another approach to patch it. Also Remote Admin runs fine here unpacked... ;) The problem is the service... Cheers, neogen :cool:
Hi neogen,
I already have a domain with implicit SSL enabled and it's running fine here, but I tried what you said and created new domains, and they also created OK. I'm not sure how the CORE patch would break SSL, as they only added a new section to the original SSL DLL, with one additional import in it, which loads an import from lic.key (which is really a PE file) and runs the patch code to change one jmp @ 0x490776 and write 0x02 to 0x4bd4f8; now I understand the jmp from disassembly of the service. Maybe a different value from 0x02 will make a pro version instead of just the standard version, but I have tried a few different values, and it doesn't seem to work out -- bedrock
Hi bedrock,
I have no domain running and all things are plainly installed. Then the error comes on my machine here. It's a Windows XP Pro English with SP1. I don't know if the error comes on all machines, but I have some friends who also tried it and they can reproduce the error with plain empty settings. So I will try to make another patch which changes the service and not the SSL DLL. It's only for fun. I will try to use the shareware for adding the first domain and then try the patched one out. Thanks for the help, but who can help me with unpacking the service exe, without killing the service itself? I will try the lesson with OllyDbg and ImpRec in the next hours when I'm back at home. Cheers and thanks for the fish, neogen
AsprDbgr_build_101.exe makes a good dump of it... just make sure to kill the server and open it with the debugger.. when you see the finish message with ? then you'll be able to dump with LordPE, find/set the OEP and fix imports with ImpRec, and all done... by the way I saw today the TSRh team released a CRACKED exe for this one without using any DLL to crack it... try that one... :)
There is indeed something not working.
Steps to reproduce the error:
1. Start empty
2. Create a certificate
3. Try to create a domain, you'll see an error
Also, when I tried to create a domain and make it create a certificate it works, but then I couldn't access my domain properties. I wonder whether CORE was too lazy to unpack the .exe or whether they discovered so many traps in the packed .exe that they decided this would be easier. Anyway, back to the drawing board CORE :)
Where can I get the AsprDbgr? Cheers, neogen :cool:
Yup, same thing happened on my machine here, so definitely not just you!
Where can I get the AsprDbgr? Try the search button as usual, I believe it was posted in Software Releases.
This exe has many CRC checks after detecting that aspr is no longer present, also some invalid stuff left by aspr after unpacking, stolen bytes etc.. The best idea is inline patching it to ensure you'll have a fully working exe; however, if you're too much of a newbie I wouldn't recommend you to start with this target...
Regards
Hmm, NOD32 displays a virus warning when trying to access that cracked .exe by TSRh. Did anyone else run into this problem?
@Crk,
I downloaded AsprDbgr_build_106, but I don't know how to make a good dump of it... It asks loads of questions about dips; I have been reading about ASPR and dips, but I don't know what I need to do with these dips. Whichever point I dump at, after fixing imports it always crashes with a Delphi 216 runtime error? More reading is needed... -- bedrock
We should do it on our own ;) Cheers, neogen
Neh, it's not a virus. It's a custom crypting thingie and after that ASProtect. As far as I can see it's a false warning.
@neogen: Maybe we should share some notes on our progress.
I have found the stolen bytes and OEP to be the following:
0049899C > $ 55 PUSH EBP
0049899D . 8BEC MOV EBP,ESP
0049899F . 83EC 10 SUB ESP,10
004989A2 . B8 94834900 MOV EAX,G6FTPSer.00498394
And I found that what's causing the most trouble is the Call EAX @ 0040400E. I get very different results when debugging my dumped exe and the original one. Edit: My dumped .exe keeps jumping at all the JNBs where it shouldn't. Regards SvensK
Hi SvensK,
After reading lots of posts about aspr and Labba's tute, I was still getting nowhere with this target (I'm still not sure I am very far :( ) But then I found R@dier's tute #6 - Manual unpacking ASProtect 1.23 RC4 - 1.3.08.24 and this has helped; at least now I was able to find the stolen bytes. I have the same values as you, but I put the OEP @ 49899B and there was a nop left before the calls. :confused:
0049899B > $ 55 PUSH EBP
0049899C . 8BEC MOV EBP,ESP
0049899E . 83EC 10 SUB ESP,10
004989A1 . B8 94834900 MOV EAX,dumped_.00498394
004989A6 . 90 NOP
But the target still fails to run, generating Delphi 216 runtime errors. I traced in Olly to the call eax @ 40400E you mention and this executes around in a loop and finally causes an access violation :mad: -- bedrock
There's supposed to be a 00 @ 0049899B so your OEP is one byte too low.
My current state: I didn't have the time due to many other projects... I will try it in the next days on my own... Cheers, neogen
OEP is: 0049899C -> 0009899C
The 0 you see before this location belongs to some DWORD value.. don't touch it! But the stolen bytes you give might be confusing... I tried 558BEC83C4D8B894834900; my exe is not crashing but ends somewhere where the program quits or is not reading some part necessary to load... :( Of course there are some aspr checks as I said before... if you don't fix them the program will crash.... Tip: RaiseException API :) Make sure also that at 0042B68C the call dword has that RVA (dword value [FC824900]) in your dumped exe, or it will never work or even load at all. The only solution will be to trace with the original one and step into the calls until the program reaches the code to be fully loaded... then trace with the dumped one to see differences. Call EAX @ 0040400E .... and where exactly is it calling this.. RVA?
OK, I've gone back to looking at this target, but I'm not really sure what is going on. I've dumped and rebuilt the stolen bytes and IAT, and now I've started tracing through the dumped exe, to see differences between the dump and the protected exe.
I get to here in the code:
Code:
00402250 . 8BC3 MOV EAX,EBX
I have set this block of memory to 00 in Olly and continued, but I eventually get to try to access 87000, which doesn't exist in the dumped target but does in the ASProtected target?? Can anyone point me to the next step? Thanks, -- bedrock
If you dump with Ollydump at OEP instead of dumping with AsprDumper you will get 00 00 00 00 in that area where you had FF FF FF FF.
I noticed this while I was testing.
Hmmm strange :confused:
I made my dump with OllyDump; I dumped at the fake OEP after all aspr exceptions had occurred and then pasted the stolen bytes in with a hex editor. SvensK, have you got a working dump yet? -- bedrock
Nah, I quit trying after 3.0.1 was released.
He he, I hadn't noticed 3.0.1 was out; I guess it's the same protection though :(
OK, I downloaded 3.0.1 and dumped and fixed the IAT, but I am back to the same situation as 3.0.0.
I also found that CORE have updated their crack for this new version with the DLL injection to patch bytes. TSRh released a cracked exe for the previous version, so it must be possible to get a working dump of this target, but I am now lost; if anyone can help me please? I just want to understand how to get this target dumped and working... -- bedrock
@bedrock: I found an unpacker for exe32pack by you at the other forum.
If you're any good at unpacking that, unpack RaidenFTPD instead and crack that. It's a much better ftpd, according to me at least :)
@SvensK,
exe32pack is easy to unpack, but Louis made some silent updates to defeat my unpacker. I wrote that just because the SmartFTP client used to be packed, but now the author is not packing anymore :) But I want to learn aspr :p Maybe I'll look at Raiden for you. EDIT: OK, I just looked at RaidenFTPD; unpacking is straightforward, but it seems the Raiden exe has lots of anti-debug tricks, including IsDebuggerPresent and int 2F. After running the unpacked exe inside Olly I keep ending up at:
Code:
hxxp://www.raidenftpd.com/en/pirate.htm
To unpack exe32pack with SoftICE: load the exe in SI and set bpm esp-4 rw; on the second break step down a couple of lines and you will be at jmp eax, where eax = OEP; dump here and fix the IAT with ImpRec... done -- bedrock
@bedrock: I have unpacked it already, but it crashes on:
004E8CEC . CD 2F INT 2F
Guess I'll have to look into it some more later. Edit: I'm working with build 1320 btw and the OEP was found at:
00570DD8 > $ 6A 70 PUSH 70
Regards SvensK
Gene6 FTP Server is now updated to 3.0.2 build 39
I have got the following: OEP: 4915C8 Stolen bytes: 558BEC83EC10B828104900 And attached imports, but I can't make it run :( Can anyone help with this? I really want to get a working dump. Thanks -- bedrock