
Yet another ASProtect problem


Hamy
April 30th, 2009, 09:58
Hey y'all,
I'm really a newbie, and I'm having a hard time with an ASProtect target. This one is a service, meaning it starts as a service defined in the service manager. PEiD shows "ASProtect 1.2X - 1.3X" and Exeinfo shows "ASProtect ver 2.1-2.^".

I don't really have enough knowledge to go through unpacking myself, so first of all I tried Stripper... but no luck. Then, after some struggling with updating ODbgScript, I tried ASPR2.XX_unpacker_v1.15E. Well... actually it worked, and it was able to unpack the target. After that I opened ImpRec and fixed the import table using the process that was already open within OllyDbg. Everything was going fine until I tried to open the unpacked file: it simply crashes right away. ASPR2.XX told me that there were no stolen bytes, and to be honest it doesn't look like stolen bytes to me. This is the log from ASPR2.XX:

--------------------------------------

Code:
7C80176B Breakpoint at kernel32.GetSystemTime
freeloc: 00E10000
00E5F9AF Breakpoint at 00E5F9AF
00E5F8B0 Breakpoint at 00E5F8B0
00E554EA Breakpoint at 00E554EA
00E1011A Breakpoint at 00E1011A
AsprAPIloc: 00E6269C
Aspr1stthunk: 004D5984
00E5F682 Breakpoint at 00E5F682
00E5E51A Hardware breakpoint 1 at 00E5E51A
00E5F798 Breakpoint at 00E5F798
2 standard functions
00E5F7CA Breakpoint at 00E5F7CA
00E5F835 Breakpoint at 00E5F835
00E10024 Breakpoint at 00E10024
Total API in this Asprotect = 0000000D
RemoveKey 004B8C20
GetTrialDays 004B8C30
GetKeyDate 004B8C50
CheckKey 004B8C80
GetRegistrationInformation 004B8C90
00E10250 Breakpoint at 00E10250
00E10034 Breakpoint at 00E10034
00E2ED60 Breakpoint at 00E2ED60
00E561A3 Breakpoint at 00E561A3
00E5EDF0 Hardware breakpoint 1 at 00E5EDF0
004B8A98 Conditional pause: eip < 01EC0000
Address of IAT = 004D51B8
RVA of IAT = 000D51B8
Size of IAT = 000007E4
00E10042 Breakpoint at 00E10042
Address of OEP = 004B8A98
RVA of OEP = 000B8A98


-----------------------------------------------

Interestingly, when I set that OEP in ImpRec and then click IAT AutoSearch, the address and size of the IAT are a bit different from that log (4 bits, I think).

Anyway, this is a screenshot of the entry point:

Code:
00408A98 >/$ 72 1A JB SHORT de_bwmsv.00408AB4 <---- EP
00408A9A |. A1 E0D74B00 MOV EAX,DWORD PTR DS:[4BD7E0]
00408A9F |. 29D8 SUB EAX,EBX
00408AA1 |. A3 E0D74B00 MOV DWORD PTR DS:[4BD7E0],EAX
00408AA6 |. 890D E4D74B00 MOV DWORD PTR DS:[4BD7E4],ECX
00408AAC |. 83CB 02 OR EBX,2
00408AAF |. 8958 FC MOV DWORD PTR DS:[EAX-4],EBX <--- crashes here
00408AB2 |. EB 07 JMP SHORT de_bwmsv.00408ABB
00408AB4 |> 89D8 MOV EAX,EBX
00408AB6 |. E8 F1F9FFFF CALL de_bwmsv.004084AC
00408ABB |> C605 DCD74B00 >MOV BYTE PTR DS:[4BD7DC],0
00408AC2 |. 5B POP EBX
00408AC3 \. C3 RETN
00408AC4 > 56 PUSH ESI
00408AC5 . 57 PUSH EDI
00408AC6 . 8D3CCD 6CD84B0>LEA EDI,DWORD PTR DS:[ECX*8+4BD86C]
00408ACD . 8B77 04 MOV ESI,DWORD PTR DS:[EDI+4]
00408AD0 . 8B46 04 MOV EAX,DWORD PTR DS:[ESI+4]
00408AD3 . 8947 04 MOV DWORD PTR DS:[EDI+4],EAX
00408AD6 . 8938 MOV DWORD PTR DS:[EAX],EDI
00408AD8 . 39C7 CMP EDI,EAX
00408ADA . 75 17 JNZ SHORT de_bwmsv.00408AF3
00408ADC . B8 FEFFFFFF MOV EAX,-2
00408AE1 . D3C0 ROL EAX,CL
00408AE3 . 210495 ECD74B0>AND DWORD PTR DS:[EDX*4+4BD7EC],EAX
00408AEA . 75 07 JNZ SHORT de_bwmsv.00408AF3
00408AEC . 0FB315 E8D74B0>BTR DWORD PTR DS:[4BD7E8],EDX
00408AF3 > BF F0FFFFFF MOV EDI,-10
00408AF8 . 237E FC AND EDI,DWORD PTR DS:[ESI-4]
00408AFB . 89FA MOV EDX,EDI



So there must be something that I'm missing. I will upload both the original file and my unpacked file. I would really appreciate it if someone could take a look at it and tell me what I'm missing here and what I should do (of course, in very newbie language).
PS: this file needs another DLL to work; I'll send that too. And if everything goes fine, the process should exit after a few seconds with no error (that's because it's not running as a service).

Thank you again for helping me out.

Code:
http://rapidshare.com/files/227551304/Files.rar


EDIT: The problem is solved. I was putting the wrong OEP address in ImpRec (00008A98 instead of 000B8A98), so that wasn't the OEP at all.
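The EDIT above is the whole lesson of the thread: ImpRec wants the OEP as an RVA (VA minus ImageBase), and a mistyped RVA makes the dumped file's entry point land on the wrong bytes, which then crash on execution. The following script is an added example, not code from the original post or from ASPR2.XX, ImpRec or OllyDbg. It computes the RVA the way the unpacker's log does (004B8A98 - 00400000 = 000B8A98, assuming the default 00400000 ImageBase, which the log's VA/RVA pair is consistent with) and then parses the PE32 header of a dump to compare its AddressOfEntryPoint with the expected OEP RVA. The PE headers it checks are constructed in memory for the demonstration, since the target's real section layout is not on the page; the function names are the example's own.

```python
"""Added example: check the OEP RVA given to ImpRec against a dumped PE's header.

Constructed test data only; the real target's headers are not on the page.
"""
import struct

IMAGE_BASE = 0x00400000        # assumed default ImageBase (log's VA/RVA pair agrees)
OEP_VA_FROM_LOG = 0x004B8A98   # "Address of OEP" as reported in the unpacker log
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def va_to_rva(va, image_base=IMAGE_BASE):
    """Virtual address -> RVA, which is what ImpRec's OEP field expects."""
    if va < image_base:
        raise ValueError(f"VA {va:#010x} is below ImageBase {image_base:#010x}")
    return va - image_base


def build_pe32_header(image_base, entry_rva):
    """Construct a minimal PE32 header (DOS stub, NT signature, file header,
    optional header, one executable .text section). Test data, not the target."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    # Machine=i386, 1 section, no timestamp/symbols, SizeOfOptionalHeader=0xE0
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                 # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)                # ImageBase
    # .text: VirtualAddress 0x1000, VirtualSize 0xC0000, CODE|EXECUTE|READ
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0xC0000, 0x1000, 0xC0000,
                       0x400, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sect


def parse_pe32(data):
    """Return (image_base, entry_rva, sections) from the bytes of a PE32 image.
    sections is a list of (name, virtual_address, virtual_size, characteristics)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)  # SizeOfOptionalHeader
    opt = e_lfanew + 24                                        # optional header start
    magic, = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("not a PE32 (32-bit) image")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        fields = struct.unpack_from("<8sIIIIIIHHI", data, off)
        name, vsize, vaddr, chars = fields[0], fields[1], fields[2], fields[9]
        sections.append((name.rstrip(b"\0").decode(), vaddr, vsize, chars))
    return image_base, entry_rva, sections


def check_oep(data, oep_va):
    """Compare a dump's AddressOfEntryPoint with the OEP the unpacker logged.
    Returns (expected_rva, actual_rva, expected_rva_is_in_executable_section)."""
    image_base, entry_rva, sections = parse_pe32(data)
    expected = va_to_rva(oep_va, image_base)
    in_code = any(va <= expected < va + size and chars & IMAGE_SCN_MEM_EXECUTE
                  for _, va, size, chars in sections)
    return expected, entry_rva, in_code


if __name__ == "__main__":
    good = build_pe32_header(IMAGE_BASE, va_to_rva(OEP_VA_FROM_LOG))
    bad = build_pe32_header(IMAGE_BASE, 0x00008A98)   # the typo from the post
    for label, img in (("correct dump", good), ("typo dump", bad)):
        exp, act, _ = check_oep(img, OEP_VA_FROM_LOG)
        verdict = "OK" if exp == act else f"MISMATCH, header runs VA {IMAGE_BASE + act:#010x}"
        print(f"{label}: expected OEP RVA {exp:#010x}, header has {act:#010x}: {verdict}")
```

Run against a real dump by replacing the constructed header with `open(path, "rb").read()`; a mismatch between the logged OEP RVA and the header's AddressOfEntryPoint is exactly the 00008A98 vs 000B8A98 error, and it is visible before the file is ever executed. The executable-section check is a weaker second test: a wrong RVA can still fall inside .text (00408A98 does here), so agreement with the unpacker's logged value is the one that matters.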