@britedream:
How do you know how to get to this address???
@typed:
Seems to be a nice tut. I can read English, French, Arabic, Spanish, Italian and German... but definitely not Russian. However, I'm going to see if I can get a translation tool to work out this tut.
--------
So let's sum up a little bit what I did:
Scanning with PEiD and RDG, it appears that the target is packed with ASProtect v2.11 SKE.
Loaded it into OllyDbg (v1.10), cleared all breakpoints and ignored all exceptions.
Used the script provided by scherzo a few lines earlier (with OdbgScript v1.47) to reach the stolen OEP.
Then "Search for -> All intermodular calls".
Sorted the results by 'Destination' and saw several 'CALL 00B30000', so I guess that this
target uses Advanced Import Protection.
Double-clicked on the first 'CALL 00B30000' to get back to the CPU window, performed a
"Find references to -> Call destination", and now I've got all my AIP addresses!
The first one being 00AD0352, and the last one 00AD1C59.
Back to the CPU window and to the OEP: scrolled down a bit searching for a valid call in order
to retrieve information about the IAT section. And I found these ones:
00AD0396 FF15 40504000 CALL DWORD PTR DS:[405040] ; kernel32.GetStartupInfoA
00AD03A9 FF15 60504000 CALL DWORD PTR DS:[405060] ; kernel32.FreeEnvironmentStringsA
So I guess that the IAT is stored in the 00405xxx section.
Let's check in the memory map; ALT-M gives me this:
Memory map
00400000 00001000 ASPR211p PE header
00401000 00004000 ASPR211p code
00405000 00001000 ASPR211p data <-- this section contains iat?
00406000 00001000 ASPR211p
00407000 00001000 ASPR211p .rsrc resources
00408000 00024000 ASPR211p .data imports,...
0042C000 00001000 ASPR211p .adata
So ok, I've got all my information now:
stolen oep: 00AD02C2 (yours might be different...)
code section: 401000
code size: 4000
iat section: 405000
iat size: 1000
AIP call destination: 00B30000
first call to AIP: 00AD0352
last call to AIP: 00AD1C59
Let's resolve the broken IAT with the
'ASProtect 2.0x Fix IAT with Import Elimination #4b.txt' script by Pnluck.
"Is the IAT of this PE corrupt?", I answered yes.
"Enter the address of code section", I put '401000'.
"Enter the address of the section where is the IAT", I put '405000'.
"Enter the size of same section", I put '1000'.
The script pops this message: "The iat start at 000405000".
"Enter the AIP call destination", I put '00B30000'.
and I ended with this message box: "Error: eax or edi value is 0, do you want to continue?"
No matter what I decide, the target either crashes or exits without any call being resolved...
I tried other IAT fixer scripts; sometimes one resolves 1 or 2 pointers, but right after,
it ends up crashing Olly.
But what really bothers me is that, when some calls are resolved, they become
'CALL 01210004' instead of 'CALL 00xx0000'; shouldn't it be something like 'CALL DWORD PTR DS:[405xxx]'?
I'm really wondering what I'm doing wrong.
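The two searches typed performs by hand in OllyDbg ("Find references to -> Call destination" for the AIP stub, and spotting the FF15 calls whose operand falls in the IAT section) can be reproduced with a raw byte scan of the dumped code region. The following is an added, stand-alone illustration and is not one of the OdbgScript files mentioned in this thread; the byte buffer it scans is constructed inline to mimic the addresses quoted above (0x00AD0352 calling 0x00B30000, 0x00AD0396 and 0x00AD03A9 calling through 0x405040/0x405060), and the base address, IAT range and decoy instructions are assumptions for the example.

```python
"""Raw-byte search for the two call forms that matter when fixing an
ASProtect Advanced Import Protection (AIP) IAT:

  E8 rel32         near relative CALL; the ones whose computed target is the
                   AIP stub (0x00B30000 in the post) are the sites to fix
  FF 15 disp32     CALL DWORD PTR DS:[imm32]; the ones whose slot lies inside
                   the IAT section (0x405000..0x405FFF) are the intact imports

Added example, not the thread's scripts.  All bytes are constructed below.
"""
import struct
from typing import List, Tuple


def find_calls_to(code: bytes, base: int, target: int) -> List[int]:
    """Addresses of every E8 rel32 CALL whose destination equals `target`.
    Mirrors OllyDbg's 'Find references to -> Call destination'."""
    hits = []
    for i in range(len(code) - 4):
        if code[i] != 0xE8:
            continue
        rel = struct.unpack_from("<i", code, i + 1)[0]
        dest = (base + i + 5 + rel) & 0xFFFFFFFF   # rel32 is relative to next insn
        if dest == target:
            hits.append(base + i)
    return hits


def find_iat_calls(code: bytes, base: int, iat_start: int,
                   iat_size: int) -> List[Tuple[int, int]]:
    """(address, slot) for every FF 15 disp32 CALL whose memory operand lies
    inside [iat_start, iat_start + iat_size)."""
    hits = []
    for i in range(len(code) - 5):
        if code[i] == 0xFF and code[i + 1] == 0x15:
            slot = struct.unpack_from("<I", code, i + 2)[0]
            if iat_start <= slot < iat_start + iat_size:
                hits.append((base + i, slot))
    return hits


def aip_call_range(hits: List[int]) -> Tuple[int, int]:
    """First and last AIP call site, the two values an IAT-fix script asks for."""
    return (min(hits), max(hits))


# --- constructed sample code region (assumed base 0x00AD0340) -------------
def rel_call(at: int, dest: int) -> bytes:
    return b"\xE8" + struct.pack("<i", dest - (at + 5))


def iat_call(slot: int) -> bytes:
    return b"\xFF\x15" + struct.pack("<I", slot)


BASE = 0x00AD0340
AIP_STUB = 0x00B30000
IAT_START, IAT_SIZE = 0x00405000, 0x1000


def build_sample() -> bytes:
    buf = bytearray(b"\x90" * 0x100)           # NOP filler
    def put(addr: int, insn: bytes) -> None:
        buf[addr - BASE:addr - BASE + len(insn)] = insn
    put(0x00AD0352, rel_call(0x00AD0352, AIP_STUB))     # AIP call (from the post)
    put(0x00AD0396, iat_call(0x00405040))               # GetStartupInfoA slot
    put(0x00AD03A9, iat_call(0x00405060))               # FreeEnvironmentStringsA slot
    put(0x00AD03C0, rel_call(0x00AD03C0, AIP_STUB))     # second AIP call (assumed)
    put(0x00AD03D0, rel_call(0x00AD03D0, 0x00AD0000))   # decoy: ordinary local call
    put(0x00AD03E0, iat_call(0x00407000))               # decoy: indirect call outside IAT
    return bytes(buf)


SAMPLE = build_sample()

if __name__ == "__main__":
    aip = find_calls_to(SAMPLE, BASE, AIP_STUB)
    print("AIP call sites:", [hex(a) for a in aip])
    print("first/last:", tuple(hex(x) for x in aip_call_range(aip)))
    for addr, slot in find_iat_calls(SAMPLE, BASE, IAT_START, IAT_SIZE):
        print(f"{addr:08X}  CALL DWORD PTR DS:[{slot:X}]")
```

A raw scan does not follow instruction boundaries, so an E8 or FF 15 that is really part of another instruction's operand will also match; OllyDbg's reference search walks decoded instructions, so cross-check hits against the disassembly before feeding the first/last addresses to a fix script.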