Exetools  

Go Back   Exetools > General > General Discussion

  #1  
Old 04-28-2004, 13:18
ferrari
 
I've attached my Imprec plugins folder. In addition to the excellent tutorials by LaBBA and R@dier, you may also refer to another excellent tutorial by Britedream on stolen bytes.

http://grinders.withernsea.com/tutorials/britedream.rar

Regards,
ferrari
Attached Files
File Type: rar Plugin.rar (74.8 KB, 48 views)
  #2  
Old 04-28-2004, 15:30
JMI
Leader
A solid recommendation, as I believe Britedream was the ultimate source of much of the unpacking information I have reported here. I've downloaded your target, and, time permitting, will take a quick look at the unpacking issues. May I recommend that you not only read the tuts you've downloaded, but that you start making your own set of compiled notes on features of various versions of your protector targets.

For example, you could start collecting the patterns of stolen bytes reported and discovered. You could start recording patterns of code found at or around the stolen bytes. You could start studying, from the trace, the patterns from the ASPR DLL: for example, the huge loop at the start of the program, which is followed by another loop which seems to match the number of times you passed an exception with F9 and/or SHIFT+F9; that your OEP is probably sitting naked in the trace, if you only know where to look; and that it is probably listed in the trace in a PUSH DWORD PTR DS:[ADDRESS] instruction a couple of instructions above the PUSHAD and PUSHFD which occur shortly before the REP STOS BYTE PTR ES:[EDI] routine that erases all the code that got you there in the first place. In other words, the run trace is worth close study because it is the track of ASPR's unfolding of the path to the OEP.

Understanding what it's doing will help with the next target and you might note the differences you discover in the general pattern. In this effort it really helps to remove all the loop code repeats, simply noting the registers going into the start of the loop and coming out.

Once you get comfortable with the unpacking, you then have to move on to the issue of whether or not there is additional code in the target which has to be changed to make it actually run fully. But for the first step, you just want to master manual unpacking and then worry about the next phase.

ferrari: I've downloaded Britedream's tut both here and from somewhere else and, for some reason, I'm not seeing the illustrations. Yours has the first two only, and the other one I downloaded didn't have any. Maybe I'm just using the wrong file to open it. It's opening in Word and it's time to try something else.

Regards,
__________________
JMI

Last edited by JMI; 04-28-2004 at 15:41.
  #3  
Old 04-28-2004, 16:47
ferrari
 
I downloaded the file (.doc in Word XP) to check and I'm able to see all the "9" illustrations. If you still have any problems then tell me. I've extracted all the images and I'll upload the file for you if needed; otherwise I might unnecessarily increase Aaron's database.

Regards,
ferrari
  #4  
Old 04-28-2004, 17:14
JMI
Leader
Thanks for the offer ferrari, but for some reason which I can't explain at the moment, it is suddenly working. The first several times I opened it, there were only the graphics on the first page. Now, if I wait awhile, they slowly appear on the other pages as well.

Be careful of road rash out there and remember that the Deity gave you only one set of family jewels and did not intend that you use them to smash into handrails and other such solid metal objects.

Regards,
__________________
JMI
  #5  
Old 04-29-2004, 01:20
gabri3l
Parity Error 0x0FF2131D
Thank you guys for the help. Good advice JMI! I have about 2 pages of notes just trying to unpack this program (and a few more notes on a Taco Bell napkin). Hopefully I will be able to figure out what I'm doing wrong so I can move on and compare them to another program.

Time willing, I hope to get a better unpack and rebuild of the program, and maybe work on cleaning the code up. I must have missed something if ASProtect says that it is still packed. On Woodmann's forum there was some info on cleaning up an ASProtect unpack; I've bookmarked it to refer back to. Many thanks, Ferrari, for your plugins folder. I only had aspr 1.2 and aspr2; I did not even know there was one for aspr 1.23. And for the Britedream tut. When I'm done working on this program I feel a target with stolen bytes calling me.

One good thing is that I feel like I'm getting a better idea of what's actually going on rather than just blindly following a tutorial.

Last edited by gabri3l; 04-29-2004 at 15:45.
  #6  
Old 04-29-2004, 12:52
JMI
Leader
gabri3l:

I have a question for you. I was not able to find a copy of v1.3 of the target because it's been replaced with v1.3a. Attempting to follow the code in OllyDBG it seems strange because the code for the SEH and exceptions all occur in what is listed as the main code section of the file. By this I mean that from the initial start at 0040100 all of the exception code takes place in the 00400000 range, while most ASPR files I've looked at in Olly have had these routines in a far distant address, well out of the 00400000 range of the target ".code" section. Although PEiD identifies this as ASPR I'm wondering if that is really true, considering that your version still identified ASPR even after you removed it.

Using the F9 and SHIFT+F9 technique I am eventually raising the following messagebox:

"Don't know how to step because memory at address XXXXXXXX is not readable.Try to change EIP or pass exception to program"

and one can't set a "breakpoint on entry" to the ".code" section, because it is already IN THE CODE SECTION.

I have found discussion of such a message and possible workaround on the OllyDBG Forum here:

http://ollydbg.win32asmcommunity.net/index.php?action=vthread&forum=1&topic=612

But haven't had time to work through it yet. Still learning Olly's traits and settings.

Does your v1.3 have its exceptions within the 00400000 range, or does it leap off into a far address with the first or second F9/SHIFT+F9?

Regards,
__________________
JMI

Last edited by JMI; 04-29-2004 at 12:54.
  #7  
Old 04-29-2004, 15:08
gabri3l
Parity Error 0x0FF2131D
JMI, I just checked and you are right, 1.3a is the version I'm using as well. Though all my exceptions occur outside of the code section, all in the 00AXXXXX range.

Exceptions:
00A10671 <-- First exception
...25 exceptions later...
00A10019 <--Last exception

I set a breakpoint on: 00A10053: JMP Dword PTR SS:[EBP-14]
Step into the jump And begin my trace
I get the entry point: 0047ED5F

I'm using XP SP1 on my home comp and NT on my work comp; both give me exceptions outside the program's address range. After pressing F9 to start the program I press Shift+F9 twenty-six more times to end on the last instruction. That may drop you to the equivalent of the code in my first post.
In HAVOK's paper in CodeBreakers he talked about how ASPR would jump to your .code section and then jump right back out again to make it harder to find the OEP. But as the exceptions are occurring inside the code I'm lost. I'll read up on it and see if it's mentioned anywhere.


But yes, I was confused as to why I keep getting an already packed error. However, I used stripper to dump it and it gave me the following:

03:52:15 - asprotect detected..
Image Base :00400000
03:52:15 - dumping victim..
03:52:15 - processing import table..
ImportAddressTable RVA :000990f8 - kernel32.dll
ImportAddressTable RVA :00099378 - user32.dll
ImportAddressTable RVA :00099024 - gdi32.dll
ImportAddressTable RVA :00099000 - advapi32.dll
ImportAddressTable RVA :0009936c - shell32.dll
ImportAddressTable RVA :0009932c - msacm32.dll
ImportAddressTable RVA :000995cc - winmm.dll
ImportAddressTable RVA :000995bc - version.dll
03:52:16 - fixing import table..
ImportAddress RVA :00099224 - kernel32.dll!LockResource
ImportAddress RVA :00099234 - kernel32.dll!GetCurrentProcessId
ImportAddress RVA :00099258 - kernel32.dll!FreeResource
ImportAddress RVA :0009925c - kernel32.dll!GetModuleHandleA
ImportAddress RVA :00099284 - kernel32.dll!GetCurrentProcess
ImportAddress RVA :0009929c - kernel32.dll!GetVersion
ImportAddress RVA :000992f4 - kernel32.dll!GetCommandLineA
ImportAddress RVA :000993d0 - user32.dll!DialogBoxParamA
03:52:18 - no stolen bytes are found..
EntryPoint RVA :0007ed5f
03:52:18 - saving unpacked file..
03:52:18 - file was unpacked successful..
03:52:18 - done..

A perfect unpack... Now if I could only do that.

Just a thought: maybe my problem lies not in my dump or my IAT but rather in my resulting file structure. My unpack will run, but there may be garbage in there that's throwing both W32Dasm and ASProtect off. I'll try and study up on my PE structures tomorrow.

Last edited by gabri3l; 04-29-2004 at 15:42.
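Both JMI's question (do the exception addresses fall inside the ".code" section?) and gabri3l's closing thought (is the dumped file's PE structure sane?) come down to reading the PE section table. The Python below is an added example, not code from the thread or from stripper: it builds a constructed PE32 header (the section layout is made up; only the 00400000 image base and the 0007ed5f entry RVA come from the log above), parses it back, and maps the addresses mentioned in the thread to sections, which is the same entry-point-in-code-section heuristic an analyst uses to decide whether a dump is still packed.

```python
import struct

IMAGE_BASE = 0x00400000  # image base reported in the stripper log above

# Constructed section layout (name, RVA, virtual size); not the real target's table.
SAMPLE_SECTIONS = [(b".code", 0x1000, 0x98000), (b".idata", 0x99000, 0x1000)]

def build_pe_header(sections, entry_rva, image_base=IMAGE_BASE):
    """Build a minimal PE32 header: DOS header, NT headers, section table."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                                        # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                        # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)                   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)                  # ImageBase
    sec_tbl = b"".join(
        struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), vsize, rva, 0, 0, 0, 0, 0, 0, 0)
        for n, rva, vsize in sections)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + sec_tbl

def parse_sections(data):
    """Return (image_base, entry_rva, [(name, rva, vsize), ...]) from PE bytes."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    opt = e_lfanew + 24                                          # optional header start
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    secs, off = [], opt + opt_size                               # section table start
    for _ in range(nsec):
        name, vsize, rva = struct.unpack_from("<8sII", data, off)
        secs.append((name.rstrip(b"\0").decode(), rva, vsize))
        off += 40                                                # IMAGE_SECTION_HEADER size
    return image_base, entry_rva, secs

def locate(va, image_base, sections):
    """Name the section containing a virtual address, or 'outside image'."""
    rva = va - image_base
    for name, sec_rva, vsize in sections:
        if sec_rva <= rva < sec_rva + vsize:
            return name
    return "outside image"

def entry_point_check(data):
    """Heuristic: an entry point outside the code section means the packer stub is still there."""
    base, ep, secs = parse_sections(data)
    return ep, locate(base + ep, base, secs)
```

With the constructed layout, 0047ED5F (the entry point gabri3l traced) maps to .code, while the 00A10671 exception address lies outside the image entirely, which is what "exceptions occur outside of the code section" looks like from the section table.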