  #13  
Old 03-24-2004, 15:42
lownoise
 
Posts: n/a
Explanation of the stolen bytes

Malt,

Hope this info helps you and makes sense


When you start working on recovering stolen bytes you have to know some assembly and have a basic knowledge of how the startup code from some compilers looks.
Asprotect tries to hide the stolen bytes with the use of some garbage code and by emulating the stolen bytes.
If you know which compiler is used it will make your recovering of the stolen bytes much easier; also knowing how many stolen bytes to recover will help you.
I don't know for sure, but it looks like asprotect has some "templates" for the compilers that are most used (Delphi, Visual C++, etc.).
For your app the compiler is MS Visual C++ 6.0. Asprotect "hides" the stolen bytes for a C++ 6.0 app with garbage code and by emulating the stolen bytes.
Remember that for each app the garbage code and stolen bytes are different!!!

Ok, let's look at your trace log

00986A2A Main MOV DWORD PTR SS:[ESP],EBP
00986A2E Main MOV EBP,ESP ; EBP=0012FFC0
00986A30 Main PUSH -1 ; ESP=0012FFBC
00986A32 Main PUSH 425FA0 ; ESP=0012FFB8
00986A37 Main PUSH 41EF40 ; ESP=0012FFB4
00986A3C Main MOV EAX,DWORD PTR FS:[0] ; EAX=0098548C
00986A42 Main JMP SHORT 00986A45
00986A45 Main LEA ESP,DWORD PTR SS:[ESP-15] ; ESP=0012FF9F
00986A49 Main ADD WORD PTR DS:[986A52],0E57B ; FL=CP
00986A52 Main JMP SHORT 00986A56
00986A56 Main LEA ESP,DWORD PTR SS:[ESP+EDX+11] ; ESP=801102B4
00986A5A Main SUB ESP,EDX ; FL=O, ESP=0012FFB0
00986A5C Main XOR WORD PTR DS:[986A66],0A641 ; FL=P
00986A65 Main JMP SHORT 00986A6A
00986A6A Main MOV DWORD PTR SS:[ESP],EAX
00986A6E Main MOV DWORD PTR FS:[0],ESP
00986A75 Main SUB ESP,68 ; FL=PA, ESP=0012FF48
00986A78 Main JMP SHORT 00986A7B
00986A7B Main LEA ESP,DWORD PTR SS:[ESP-15] ; ESP=0012FF33
00986A7F Main ADD WORD PTR DS:[986A88],0E57B ; FL=CP
00986A88 Main JMP SHORT 00986A8C
00986A8C Main LEA ESP,DWORD PTR SS:[ESP+EDX+11] ; ESP=80110248
00986A90 Main SUB ESP,EDX ; FL=PO, ESP=0012FF44
00986A92 Main XOR WORD PTR DS:[986A9C],0A641 ; FL=P
00986A9B Main JMP SHORT 00986AA0
00986AA0 Main MOV DWORD PTR SS:[ESP],EBX
00986AA4 Main JMP SHORT 00986AA7
00986AA7 Main LEA ESP,DWORD PTR SS:[ESP-15] ; ESP=0012FF2F
00986AAB Main ADD WORD PTR DS:[986AB4],0E57B ; FL=CP
00986AB4 Main JMP SHORT 00986AB8
00986AB8 Main LEA ESP,DWORD PTR SS:[ESP+EDX+11] ; ESP=80110244
00986ABC Main SUB ESP,EDX ; FL=O, ESP=0012FF40
00986ABE Main XOR WORD PTR DS:[986AC8],0A641 ; FL=P
00986AC7 Main JMP SHORT 00986ACC
00986ACC Main MOV DWORD PTR SS:[ESP],ESI
00986AD0 Main JMP SHORT 00986AD3
00986AD3 Main LEA ESP,DWORD PTR SS:[ESP-15] ; ESP=0012FF2B
00986AD7 Main ADD WORD PTR DS:[986AE0],0E57B ; FL=CP
00986AE0 Main JMP SHORT 00986AE4
00986AE4 Main LEA ESP,DWORD PTR SS:[ESP+EDX+11] ; ESP=80110240
00986AE8 Main SUB ESP,EDX ; FL=PAO, ESP=0012FF3C
00986AEA Main XOR WORD PTR DS:[986AF4],0A641 ; FL=P
00986AF3 Main JMP SHORT 00986AF8
00986AF8 Main MOV DWORD PTR SS:[ESP],EDI
00986AFC Main MOV DWORD PTR SS:[EBP-18],ESP
00986AFF Main XOR EBX,EBX ; FL=PZ, EBX=00000000
00986B01 Main MOV DWORD PTR SS:[EBP-4],EBX
00986B04 Main PUSH 2 ; ESP=0012FF38

[Garbage Code]

When you have found the ebp==esp, look down in your trace log for patterns of instructions.
In your trace log we see a pattern like

LEA ESP,
ADD WORD PTR DS:
JMP
LEA ESP
SUB ESP,EDX
XOR WORD PTR
JMP

If we remove the pattern from your trace we have the following instructions remaining

00986A2A Main MOV DWORD PTR SS:[ESP],EBP
00986A2E Main MOV EBP,ESP ; EBP=0012FFC0 ==This is the hint for the stolen bytes ebp=esp
00986A30 Main PUSH -1 ; ESP=0012FFBC
00986A32 Main PUSH 425FA0 ; ESP=0012FFB8
00986A37 Main PUSH 41EF40 ; ESP=0012FFB4
00986A3C Main MOV EAX,DWORD PTR FS:[0] ; EAX=0098548C
00986A42 Main JMP SHORT 00986A45
00986A6A Main MOV DWORD PTR SS:[ESP],EAX
00986A6E Main MOV DWORD PTR FS:[0],ESP
00986A75 Main SUB ESP,68 ; FL=PA, ESP=0012FF48
00986A78 Main JMP SHORT 00986A7B
00986AA0 Main MOV DWORD PTR SS:[ESP],EBX
00986AA4 Main JMP SHORT 00986AA7
00986ACC Main MOV DWORD PTR SS:[ESP],ESI
00986AD0 Main JMP SHORT 00986AD3
00986AF8 Main MOV DWORD PTR SS:[ESP],EDI
00986AFC Main MOV DWORD PTR SS:[EBP-18],ESP
00986AFF Main XOR EBX,EBX ; FL=PZ, EBX=00000000
00986B01 Main MOV DWORD PTR SS:[EBP-4],EBX
00986B04 Main PUSH 2 ; ESP=0012FF38


[Emulating Stolen Bytes]

Remember that Asprotect emulates instructions; look at the first line

00986A2A Main MOV DWORD PTR SS:[ESP],EBP

If you know some assembly you know that this instruction is the same as a PUSH EBP

Knowing this and applying it to the trace log, and removing the JMP instructions and comments, our trace looks like this


00986A2A Main Push EBP
00986A2E Main MOV EBP,ESP
00986A30 Main PUSH -1
00986A32 Main PUSH 425FA0
00986A37 Main PUSH 41EF40
00986A3C Main MOV EAX,DWORD PTR FS:[0]
00986A6A Main Push EAX
00986A6E Main MOV DWORD PTR FS:[0],ESP
00986A75 Main SUB ESP,68
00986AA0 Main Push EBX
00986ACC Main Push ESI
00986AF8 Main Push EDI
00986AFC Main MOV DWORD PTR SS:[EBP-18],ESP
00986AFF Main XOR EBX,EBX
00986B01 Main MOV DWORD PTR SS:[EBP-4],EBX
00986B04 Main PUSH 2

And those are your stolen bytes

Hope this makes sense to you

Regards, Lownoise
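The three steps the post walks through by hand (strip the seven-instruction garbage pattern, drop the remaining JMPs, read MOV [ESP],reg as PUSH reg) can be scripted over the trace log. The following is an added example and not code from the post; the trace lines embedded in it are copied from the log quoted above, while the function names, the pattern table and the ESP check are this example's own construction. The check uses the ESP values the debugger logged in the comments: every garbage window leaves ESP exactly 4 lower than it was (0012FFB4 to 0012FFB0, 0012FF48 to 0012FF44), which is the only reason a MOV to [ESP] after it is equivalent to a PUSH. The script refuses to rewrite MOV into PUSH unless every removed window shows that -4 delta, so a log where the garbage is not stack-neutral is flagged instead of silently "recovered".

```python
"""Normalise an OllyDbg-style trace of ASProtect garbage code into the
stolen-bytes sequence the post derives by hand.

Added example, not part of the original post. TRACE is a subset of the log
quoted in the post; pattern table, function names and the ESP check are
this example's own (hypothetical) construction."""
import re

# Lines copied from the post's trace (addresses and values as logged there).
TRACE = """\
00986A2A Main MOV DWORD PTR SS:[ESP],EBP
00986A2E Main MOV EBP,ESP ; EBP=0012FFC0
00986A30 Main PUSH -1 ; ESP=0012FFBC
00986A32 Main PUSH 425FA0 ; ESP=0012FFB8
00986A37 Main PUSH 41EF40 ; ESP=0012FFB4
00986A3C Main MOV EAX,DWORD PTR FS:[0] ; EAX=0098548C
00986A42 Main JMP SHORT 00986A45
00986A45 Main LEA ESP,DWORD PTR SS:[ESP-15] ; ESP=0012FF9F
00986A49 Main ADD WORD PTR DS:[986A52],0E57B ; FL=CP
00986A52 Main JMP SHORT 00986A56
00986A56 Main LEA ESP,DWORD PTR SS:[ESP+EDX+11] ; ESP=801102B4
00986A5A Main SUB ESP,EDX ; FL=O, ESP=0012FFB0
00986A5C Main XOR WORD PTR DS:[986A66],0A641 ; FL=P
00986A65 Main JMP SHORT 00986A6A
00986A6A Main MOV DWORD PTR SS:[ESP],EAX
00986A6E Main MOV DWORD PTR FS:[0],ESP
00986A75 Main SUB ESP,68 ; FL=PA, ESP=0012FF48
00986A78 Main JMP SHORT 00986A7B
00986A7B Main LEA ESP,DWORD PTR SS:[ESP-15] ; ESP=0012FF33
00986A7F Main ADD WORD PTR DS:[986A88],0E57B ; FL=CP
00986A88 Main JMP SHORT 00986A8C
00986A8C Main LEA ESP,DWORD PTR SS:[ESP+EDX+11] ; ESP=80110248
00986A90 Main SUB ESP,EDX ; FL=PO, ESP=0012FF44
00986A92 Main XOR WORD PTR DS:[986A9C],0A641 ; FL=P
00986A9B Main JMP SHORT 00986AA0
00986AA0 Main MOV DWORD PTR SS:[ESP],EBX
"""

LINE_RE = re.compile(r"^([0-9A-F]{8})\s+\S+\s+(.*?)\s*(?:;\s*(.*))?$")
ESP_RE = re.compile(r"ESP=([0-9A-F]{8})")
MOV_ESP_RE = re.compile(r"^MOV DWORD PTR SS:\[ESP\],(E[A-Z]{2})$")

# The seven-instruction garbage pattern from the post, matched by prefix.
GARBAGE = ("LEA ESP,", "ADD WORD PTR DS:", "JMP", "LEA ESP,",
           "SUB ESP,EDX", "XOR WORD PTR", "JMP")


def parse(trace):
    """Return (address, instruction text, logged ESP or None) per line."""
    insns = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, text, comment = m.groups()
        esp = ESP_RE.search(comment or "")
        insns.append((addr, text, int(esp.group(1), 16) if esp else None))
    return insns


def strip_garbage(insns, pattern=GARBAGE):
    """Drop every window matching the pattern. Also return, per window,
    the ESP change it caused according to the logged ESP values."""
    kept, deltas, last_esp, i, n = [], [], None, 0, len(pattern)
    while i < len(insns):
        window = insns[i:i + n]
        if len(window) == n and all(t.startswith(p) for (_, t, _), p in zip(window, pattern)):
            esp_after = next((e for _, _, e in reversed(window) if e is not None), None)
            if last_esp is not None and esp_after is not None:
                deltas.append((window[0][0], esp_after - last_esp))
            if esp_after is not None:
                last_esp = esp_after
            i += n
            continue
        addr, text, esp = insns[i]
        if esp is not None:
            last_esp = esp
        kept.append(insns[i])
        i += 1
    return kept, deltas


def emulate(insns):
    """Drop JMPs and read MOV [ESP],reg as PUSH reg (valid only after the
    garbage around it has been shown to lower ESP by 4)."""
    out = []
    for addr, text, _ in insns:
        if text.startswith("JMP"):
            continue
        m = MOV_ESP_RE.match(text)
        out.append((addr, f"PUSH {m.group(1)}" if m else text))
    return out


def recover(trace):
    """Full pipeline: parse, strip garbage, verify the -4 deltas, emulate."""
    kept, deltas = strip_garbage(parse(trace))
    bad = [d for d in deltas if d[1] != -4]
    if bad:
        raise ValueError(f"garbage windows are not a disguised PUSH: {bad}")
    return emulate(kept), deltas


if __name__ == "__main__":
    for addr, text in recover(TRACE)[0]:
        print(addr, text)
```

Run on the embedded trace it prints the same ten instructions the post arrives at by hand, from PUSH EBP at 00986A2A through PUSH EBX at 00986AA0. For a different target the pattern table is the part to adjust, since (as the post says) the garbage differs per protected app.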