AcProtect anti-dump tip
Hello!

I had some fights against the anti-dump trick of AcProtect. Now it's solved, and I would be happy if this simple tip may help someone.

The trick is that this protector replaces a lot of instructions of the original prog by calls to some indirect jump table. This is done at pack time, so it's not possible to intercept the substitution. For example:

```
.....
00450AC9  8B46 0C      MOV EAX,DWORD PTR DS:[ESI+C]
00450ACB  2BC3         SUB EAX,EBX
00450ACF  .....
```

in the original exe, has been replaced in the packed one by:

```
.....
00450AC9  E8 0BB02D00  CALL Target.0072BAD9
00450ACF  .....
```

We can see that the number of bytes needed by the call (5) is the same as the length of the substituted instructions. Of course, address 0072BAD9 is in the "Perplex" section. At this address we are in the first table:

```
.....
0072BAD3  FF25 1C9C1700  JMP DWORD PTR DS:[00179C1C]
0072BAD9  FF25 209C1700  JMP DWORD PTR DS:[00179C20]    <- here 1
0072BADF  FF25 249C1700  JMP DWORD PTR DS:[00179C24]
.....
```

Address 00179C20 is not in an image module, but in a private one which is built by the AcProtect decrypt routines. So your dump can't work, as this module doesn't exist. At 00179C20 we are in the second table:

```
.....
00179C1C  0017AF06
00179C20  0017AF0C    <- here 2
00179C24  0017AF12
.....
```

So the final address of the call, where the instructions are finally executed, is 0017AF0C, in the same external module:

```
.....
0017AF0C  8B46 0C  MOV EAX,DWORD PTR DS:[ESI+C]
0017AF0F  2BC3     SUB EAX,EBX
0017AF11  C3       RETN
.....
```

Now, what to do if the module 0017... doesn't exist? The first and nicest way would be to restitute the delocalized instructions at their right place and put away all the Perplex section (not needed for IAT). But in my target there are more or less 1000 substitutions, so manually, as Ricardo could say, it isn't a job for his sister... If someone can write a plugin for Olly, that would be very nice, but sorry, I don't have the skill for it.

The second way should be to add a section, but windoze doesn't like sections at addresses below the image base, so the image base would have to be changed too: I haven't tried that yet... Putting the code in a DLL would work, but it's a little hard and not very elegant.

What I propose is to patch the first table so the Perplex section remains but the 0017... module is no longer needed. We can see that the first table has a 6-byte step (length of the JMP []) and the last table has a 6-byte step too (5 for the code + 1 for the RET). Thus, the idea is to put the code directly in the first table. The steps are:

1 - Knowing where the first table is: when the OEP is reached, put a bpm on access on the Perplex section and run: you land in the table. Up... down... take note of the first and last address: all the table is in one piece.

2 - Patching: restart Olly and break at the OEP again. Then assemble this little piece of code:

```
0044C945  BF F5B07200    MOV EDI,0072B0F5                          <<- first address of table
0044C94A  8B77 02        MOV ESI,DWORD PTR DS:[EDI+2]
0044C94D  8B36           MOV ESI,DWORD PTR DS:[ESI]
0044C94F  B9 06000000    MOV ECX,6
0044C954  F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
0044C956  81FF 5FC87200  CMP EDI,0072C85F                          <<- last address of table
0044C95C ^7E EC          JLE SHORT Target.0044C94A
```

Put F2 after the JLE and run. Now the table looks like this:

```
.....
0072BAD3  8BF1     MOV ESI,ECX
0072BAD5  8B4E 0C  MOV ECX,DWORD PTR DS:[ESI+C]
0072BAD8  C3       RETN
0072BAD9  8B46 0C  MOV EAX,DWORD PTR DS:[ESI+C]
0072BADC  2BC3     SUB EAX,EBX
0072BADE  C3       RETN
0072BADF  03C1     ADD EAX,ECX
0072BAE1  8B4D 08  MOV ECX,DWORD PTR SS:[EBP+8]
0072BAE4  C3       RETN
.....
```

After breaking, you can copy the patched table and paste it in your dump. All the rest of the Perplex section may be zeroed (clearer for IDA... If you are familiar with LordPE, you can also delete the whole Perplex and append a new section with only the patched table in it).

I know this problem was already discussed on this forum, but I have searched and can't find the thread any more... Maybe there are other solutions? I don't talk about reaching the OEP and IAT rebuilding because they are easy and this isn't a full tut, but if someone has any problem with that, maybe I can try to help him.

Regards, and thanks for your lecture
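As an added example (not part of the original post and not AcProtect's own code), here is a Python re-implementation of the table-inlining loop described above, run against a constructed toy memory image that reproduces the three-level indirection: a `JMP DWORD PTR []` entry in the Perplex table, a pointer slot in the private module, and a 6-byte stub (5 bytes of relocated code plus `RET`). The addresses and instruction bytes are the ones quoted in the post; the three-entry layout, the `Memory` class and all function names are constructed for this example.

```python
import struct

# Constructed layout mirroring the post: three Perplex entries, three pointer
# slots in the private (non-image) module, three relocated stubs ending in RET.
PERPLEX_TABLE_FIRST = 0x0072BAD3   # first JMP [] entry (constructed: 3 entries)
PERPLEX_TABLE_LAST = 0x0072BADF    # last JMP [] entry
PTR_TABLE_BASE = 0x00179C1C        # second table, lives in the private module
STUB_BASE = 0x0017AF06             # relocated 5-byte instruction sequences + RET

ENTRY_SIZE = 6   # FF 25 xx xx xx xx  ==  5 bytes of code + C3 (RET)


class Memory:
    """Minimal sparse memory model: a list of (base, bytearray) regions."""

    def __init__(self):
        self.regions = []

    def map(self, base, data):
        self.regions.append((base, bytearray(data)))

    def _locate(self, addr, size):
        for base, buf in self.regions:
            if base <= addr and addr + size <= base + len(buf):
                return buf, addr - base
        raise ValueError(f"unmapped address {addr:#010x}")

    def read(self, addr, size):
        buf, off = self._locate(addr, size)
        return bytes(buf[off:off + size])

    def read_dword(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]

    def write(self, addr, data):
        buf, off = self._locate(addr, len(data))
        buf[off:off + len(data)] = data


def build_sample_image():
    """Constructed image reproducing the indirection chain from the post."""
    mem = Memory()
    # First table: JMP DWORD PTR DS:[ptr] entries, 6 bytes each.
    first = b"".join(
        b"\xff\x25" + struct.pack("<I", PTR_TABLE_BASE + 4 * i) for i in range(3)
    )
    mem.map(PERPLEX_TABLE_FIRST, first)
    # Second table: absolute pointers into the stub area, 4 bytes each.
    second = b"".join(
        struct.pack("<I", STUB_BASE + ENTRY_SIZE * i) for i in range(3)
    )
    mem.map(PTR_TABLE_BASE, second)
    # Stubs: the relocated instructions, each followed by RET (bytes from the post).
    stubs = bytes.fromhex(
        "8BF18B4E0CC3"   # MOV ESI,ECX ; MOV ECX,[ESI+C] ; RET
        "8B460C2BC3C3"   # MOV EAX,[ESI+C] ; SUB EAX,EBX ; RET
        "03C18B4D08C3"   # ADD EAX,ECX ; MOV ECX,[EBP+8] ; RET
    )
    mem.map(STUB_BASE, stubs)
    return mem


def is_jmp_entry(mem, entry):
    """True while the slot still holds FF 25 (JMP DWORD PTR []), False once inlined."""
    return mem.read(entry, 2) == b"\xff\x25"


def resolve_entry(mem, entry):
    """Follow one JMP [] entry through the pointer table to its stub address."""
    if not is_jmp_entry(mem, entry):
        raise ValueError(f"{entry:#010x}: not a JMP DWORD PTR [] entry")
    ptr_slot = mem.read_dword(entry + 2)     # imm32 operand of JMP [imm32]
    return mem.read_dword(ptr_slot)          # target stored in the second table


def inline_table(mem, first, last):
    """Copy each 6-byte stub over its JMP [] entry (what the REP MOVS loop does)."""
    patched = 0
    for entry in range(first, last + 1, ENTRY_SIZE):
        stub = resolve_entry(mem, entry)
        body = mem.read(stub, ENTRY_SIZE)
        # Cheap sanity check: a slot that does not end in RET is not a 6-byte
        # stub, and blindly copying 6 bytes would truncate it. Stop instead.
        if body[-1] != 0xC3:
            raise ValueError(f"{stub:#010x}: stub does not end in RET")
        mem.write(entry, body)
        patched += 1
    return patched


def patched_entry(mem, entry):
    """Hex dump of one rewritten 6-byte slot, for display or checking."""
    return mem.read(entry, ENTRY_SIZE).hex().upper()


if __name__ == "__main__":
    image = build_sample_image()
    n = inline_table(image, PERPLEX_TABLE_FIRST, PERPLEX_TABLE_LAST)
    print(f"patched {n} entries")
    for i in range(n):
        addr = PERPLEX_TABLE_FIRST + ENTRY_SIZE * i
        print(f"{addr:08X}  {patched_entry(image, addr)}")
```

The two checks (`FF 25` opcode before dereferencing, trailing `C3` before copying) are what you would want before running the equivalent loop over a real ~1000-entry table: the post's assembly copies 6 bytes unconditionally, so a single entry whose stub is longer than 5 bytes plus `RET` would be silently truncated in the dump. After the loop the rewritten slots are no longer `JMP []` entries, which is exactly the property the dump needs so that the private `0017...` module is not referenced any more.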