
In Win2K how to defeat the anti-debug trick of ASProtect?


Solomon
September 14th, 2001, 01:47
In Win9x, with the aid of SuperBPM, IceDump, and FrogsICE, it is comparatively easy to bypass these tricks. Some tricks can be defeated manually using SoftICE/TRW2000.

But in Win2K, these tools don't work any more (I can't find the corresponding version of SoftICE to let it work with IceDump).

Recently I just want to go further on unpacking. Sure, ASProtect is a good choice for practice. I have experience of manually unpacking earlier versions of ASProtect, but it seems difficult to find the OEP of the latest version because breakpoints seldom get hit.

I heard the following anti-debug/anti-unpacking tricks may be used in ASProtect:
1. IDT check
2. clear debug register dr0~dr7
3. MeltICE
4. INT 3 backdoor of SoftICE
5. BPX detection
6. lots of SEH
7. CRC
8. polymorph
9. API hook & redirect & emulation
......
Some of the above are privileged operations, so they need an administrator token in Win2K Server.

My question is:
How to bypass the anti-debug tricks in order to find the OEP? Is there a convenient way?
Yes, this target has been talked about too much, but I have no clue how to find the OEP yet. Thank you for your guidance.

tsehp
September 14th, 2001, 19:05
Brand new emerging tool to do this:

the revirgin tracer, download and see the readme.

in summary, the rv tracer allows you to run the app and define like icedump's tracer some oep domains to freeze the app.

When you locate the OEP, actually use ProcDump on the beta and it works, so you don't need SICE or another tool to be loaded any more.

My tracer actually has very small countermeasures against being detected, but when some detection appears, I'll code countermeasures ASAP.

+SplAj
September 16th, 2001, 04:50
In the mean time.....

If you have the DriverStudio version of SI and have downloaded the latest
NTICE.SYS for XP/2K from Compuware, then I can tell you the offsets to patch in Nmtrans.dll / Ntice.sys / Siwvid.sys so as to hide your SoftICE in Win2K.

Also, to get to the OEiP for an ASPR target in Win2K, follow the Int2E about 21 times and you're nearly there. I won't post the exact solution here (yet) because RV will find the OEiP for you, so Alexey
should not be concerned with a manual trick.

Also, the problem I see from testing RV with the tracer is that you HAVE to know what the f*ck you are doing with ASPR EiP tricks. One way is to follow the RET at the ASPR OEiP, see the 'higher' code (e.g. 550000) it rets to, then set a trace between 401000 and that 550000.

Normally ASPR dips a couple of times back into real code and sets a few redirection pointers, maybe initializing some critical sections (greetz Nchanta), before finally being at the OEiP. So you should LOG all those entries, because you will have to make a JMP patch to fix your dump, as well as tracing the redirected code back to the original code and patching that as well.

I point you to w*w.glocksoft.com (AAAnalyzer 1.06 & EasyMail as current ASPR targets). See the tricks :-)

have phun as usual :-)

+Spl/\j

Solomon
September 17th, 2001, 01:28
Thank you +tsehp and +SplAj

Now I have all the SoftICE versions (got from w**.exetools.com), including DriverStudio v2.0, v2.01 and v2.5b2. And I downloaded the latest NTICE.SYS patch from Numega's site (http://www.compuware.com/products/numega/drivercentral/resources/whistler.htm).

INT 2E occurs too frequently because many programs invoke it for system services.

+SplAj
September 17th, 2001, 06:38
Patching SI DriverStudio 2.x in Win2K/NT4
=========================================

(c)2001 SplAj

Objective :- To hide SI from lame detector code :-)

1) NTice class driver check (MeltICE)
2) BHCK boundschecker check
3) GF,MJ check
4) UnhandledException check
5) SIWVID class driver check
6) Int 1
7) Actual installation of SI in the registry.....
etc

Approach :- Understand the tricks/methods of detection
and trick them in return :-)

WARNING
=======
Patching system drivers like NTICE.SYS is VERY risky. Please
do not blame the MB or its owners/admins for any PSOD that may
occur after patching (....looks purple on my Sony). You patch and
play at your own risk. Make sure you reset the CHECKSUM !!! - use LordPE.

I chose 'xTice' as the replacement for NTice. It can be any ASCII character.

A) NTICE.SYS (in sys/drivers)
=============================

(Latest update ICEBABY from compuware: 'ver'== DriverStudio tm 2.01 (build57)
file size 1,275,590 says 4.2.1 (build 58) in properties.)

patch the following offsets : (but LOOK 1st !)

1) 1FC63 : GF.......MJ to xF........xJ
2) 4869B : Kernel32!UnhandledEx..... to 32!xnhand
3) CE2C0 : Unicode N.T.i.c.e to x.T.i.c.e
4) CE2E4 : Unicode N.T.i.c.e to x.T.i.c.e
5) CE990 : Unicode N.T.i.c.e to x.T.i.c.e
6) CEC30 : B.c.h.k.d to x.c.h.k.d
7) D6150 : Ascii NTice to xTice

reset checksum ! and make a backup !

B) NMTRANS.DLL (in SI directory)
================================

1) patch the ASCII \\.\NTice to \\.\xTice
(MUST match the 'x' to same as NTICE patch)

C) SIWVID.SYS (in sys/drivers folder)
=====================================

2 patches:- Look for UNICODE \S.i.w.v.....
and replace with \.x.i.w.v.......

reset checksum ! and make a backup !

REBOOT and check for the presence of SI with 'detect.exe'
included as a zip attachment.

+Spl/\j
(c)2001
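The recipe above hard-codes offsets for one particular NTICE.SYS build, and later in the thread JMI warns that they are useless for any other build. The script below is an added example (not from +SplAj's post, not a Compuware or LordPE tool): it finds every ASCII and UTF-16LE occurrence of the marker strings named in the recipe (NTice, Siwvid, Bchkd), overwrites them with same-length replacements using the same letter 'x' in every file, logs each offset so you can "LOOK 1st", and then recomputes the PE CheckSum field the way the Windows loader/CheckSumMappedFile does, which is the "reset checksum" step. The `GF...MJ` and `Kernel32!UnhandledEx` patches are deliberately left out because two-letter patterns would match all over a 1 MB driver. The driver image it runs on is a constructed header-plus-strings stand-in, not a real NTICE.SYS.

```python
"""Added example: scan-and-patch SoftICE marker strings, then fix the PE checksum.
Not part of the original thread; the sample image below is constructed."""
import struct

# Marker strings named in the recipe -> same-length replacements ('x' as in the post).
# Same table must be used for NTICE.SYS, NMTRANS.DLL and SIWVID.SYS so the
# device names still agree after patching.
REPLACEMENTS = {
    b"NTice": b"xTice",    # class driver / \\.\NTice device name (MeltICE check)
    b"Siwvid": b"xiwvid",  # video driver / \\.\Siwvid device name
    b"Bchkd": b"xchkd",    # BoundsChecker driver name
}


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE CheckSum algorithm: 16-bit sum with end-around carry over the whole
    file, skipping the 4-byte CheckSum field itself, folded to 16 bits,
    plus the file length."""
    total = 0
    for off in range(0, len(data) - 1, 2):
        if off in (checksum_offset, checksum_offset + 2):
            continue
        total += data[off] | (data[off + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)
    if len(data) & 1:  # trailing odd byte
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def checksum_field_offset(data: bytes) -> int:
    """IMAGE_OPTIONAL_HEADER.CheckSum lives at e_lfanew + 4 ('PE\\0\\0') + 20 (COFF) + 64."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64


def patch_strings(data: bytearray, replacements=REPLACEMENTS):
    """Replace every ASCII and UTF-16LE occurrence of each marker in place.
    Returns [(offset, encoding, old_bytes, new_bytes)] so you can review before writing."""
    log = []
    for old, new in replacements.items():
        assert len(old) == len(new), "patch must not change string length"
        for enc in ("ascii", "utf-16-le"):
            old_b, new_b = old.decode().encode(enc), new.decode().encode(enc)
            start = 0
            while (pos := data.find(old_b, start)) >= 0:
                data[pos:pos + len(old_b)] = new_b
                log.append((pos, enc, old_b, new_b))
                start = pos + len(old_b)
    return log


def fix_checksum(data: bytearray) -> int:
    """Recompute and store the CheckSum field; returns the new value."""
    off = checksum_field_offset(data)
    value = pe_checksum(data, off)
    struct.pack_into("<I", data, off, value)
    return value


def patch_image(data: bytes):
    """Full procedure: patch markers, reset checksum. Returns (bytes, log, checksum)."""
    buf = bytearray(data)
    log = patch_strings(buf)
    csum = fix_checksum(buf)
    return bytes(buf), log, csum


def build_fake_driver() -> bytes:
    """Constructed stand-in for NTICE.SYS: minimal MZ/PE header shell (e_lfanew=0x40,
    CheckSum field at 0x98) followed by the kinds of strings the recipe patches."""
    hdr = bytearray(0xA0)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    body = (b"\\\\.\\NTice\0"                                  # ASCII, as in NMTRANS.DLL
            + "\\Device\\NTice".encode("utf-16-le") + b"\0\0"  # Unicode driver object name
            + "\\\\.\\Siwvid".encode("utf-16-le") + b"\0\0"    # the string Solomon found
            + "Bchkd".encode("utf-16-le") + b"\0\0"
            + b"GF.......MJ\0")                                # left alone by this script
    return bytes(hdr) + body


if __name__ == "__main__":
    patched, log, csum = patch_image(build_fake_driver())
    for pos, enc, old_b, new_b in log:
        print(f"{pos:08X} {enc:9s} {old_b!r} -> {new_b!r}")
    print(f"new CheckSum = {csum:08X}")
```

For a real file, read NTICE.SYS into `bytearray`, run `patch_image`, review the log (an unexpected hit inside code rather than a string table is the moment to stop), then write the result out and keep the backup the recipe asks for. A driver whose stored CheckSum no longer matches is refused by the NT loader, which is why the recompute step is not optional.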

+SplAj
September 17th, 2001, 06:42
the attachment ..........

Solomon
September 17th, 2001, 22:24
That's great!
The Unicode string "\\.\Siwvid" in NTICE.SYS also needs to be changed, or the SoftICE window will not pop up.

After the above modification, SoftICE can be detected only by int 1.

Many Thanks!


BTW:
I got many errors (runtime access violation errors) when running the dumped G-lock EasyMail v3.22 build 100. Don't know why.

I took the following steps to dump it:

1. Find the OEP manually (OEP = 006EAFC0):
xxxxxxxxx: POPAD
015b4283: JMP EAX

2. Change the JMP EAX to JMP EIP, then use ProcDump to make a full dump, with the following options checked:
Recompute object size
Optimize PE structure
Use actual import infos

3. Use "Import REConstructor 1.2 Final" to resolve the import functions and paste the new IT into the dumped exe. Only 5 functions have to be manually resolved:
2F5280: GetCommandLineA
2F541C: (use GetModuleHandleA to emulate RET 4)
2F5488: GetVersion
2F54FC: GetCurrentProcessId
2F550C: (Use SetLastError to emulate RET 4)

4. Change the EntryPoint of the dumped exe to 2EAFC0(6EAFC0).

Then run it, but there are too many runtime errors. What's wrong with what I did?

Sorry for so many questions/requests
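Two of the steps in the dump recipe above are plain byte edits, and both are easy to get subtly wrong: the "JMP EAX to JMP EIP" freeze (so the process spins at the ASProtect jump while the dumper reads memory) and the entry-point fix-up, where the OEP found in the debugger is a virtual address (6EAFC0) but the PE header wants an RVA (2EAFC0, i.e. VA minus ImageBase). The code below is an added example, not Solomon's or ProcDump's: it performs both edits on constructed buffers, reading ImageBase from the header instead of assuming 400000, and returns the overwritten bytes so the live process can be restored after the dump.

```python
"""Added example: the two byte-level edits in the unpacking recipe.
Not from the thread; the PE header below is a constructed stand-in for a dump."""
import struct

JMP_EAX = b"\xff\xe0"   # 'jmp eax'
JMP_SELF = b"\xeb\xfe"  # 'jmp short $' : spins forever at its own address ("JMP EIP")


def freeze_at_jmp_eax(code: bytearray, offset: int) -> bytes:
    """Overwrite the 'jmp eax' at `offset` with 'jmp $'. Refuses to patch anything
    else, and returns the original two bytes so they can be restored later."""
    if code[offset:offset + 2] != JMP_EAX:
        raise ValueError(f"no 'jmp eax' at {offset:#x}")
    saved = bytes(code[offset:offset + 2])
    code[offset:offset + 2] = JMP_SELF
    return saved


def optional_header_offset(pe: bytes) -> int:
    """e_lfanew + 4 ('PE\\0\\0') + 20 (COFF header)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20


def image_base(pe: bytes) -> int:
    oh = optional_header_offset(pe)
    if struct.unpack_from("<H", pe, oh)[0] != 0x10B:  # PE32 magic; targets here are 32-bit
        raise ValueError("only PE32 handled")
    return struct.unpack_from("<I", pe, oh + 28)[0]   # ImageBase


def entry_point_rva(pe: bytes) -> int:
    return struct.unpack_from("<I", pe, optional_header_offset(pe) + 16)[0]


def set_entry_point_va(pe: bytearray, oep_va: int) -> int:
    """Store AddressOfEntryPoint = oep_va - ImageBase. Returns the RVA written."""
    rva = oep_va - image_base(pe)
    if rva < 0:
        raise ValueError("OEP lies below ImageBase")
    struct.pack_into("<I", pe, optional_header_offset(pe) + 16, rva)
    return rva


def build_fake_dump(base: int = 0x400000) -> bytearray:
    """Constructed header-only stand-in for a ProcDump/LordPE dump (no sections)."""
    pe = bytearray(0x100)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)            # e_lfanew
    pe[0x40:0x44] = b"PE\0\0"
    oh = 0x40 + 24
    struct.pack_into("<H", pe, oh, 0x10B)             # PE32
    struct.pack_into("<I", pe, oh + 16, 0x1000)       # packer stub entry (placeholder)
    struct.pack_into("<I", pe, oh + 28, base)         # ImageBase
    return pe


if __name__ == "__main__":
    # Constructed tail of the ASProtect loader: popad ; jmp eax ; nop
    stub = bytearray(b"\x61\xff\xe0\x90")
    saved = freeze_at_jmp_eax(stub, 1)
    print("frozen stub:", stub.hex(), "saved:", saved.hex())
    dump = build_fake_dump()
    print(f"entry point RVA now {set_entry_point_va(dump, 0x6EAFC0):08X}")
```

The freeze is applied in the live process with the debugger or WriteProcessMemory, not to the file, and the saved bytes go back afterwards; the entry-point fix is applied to the dumped file. Both values Solomon reports (6EAFC0 -> 2EAFC0 for EasyMail, 0061A598 for AAT) come out of `set_entry_point_va` with ImageBase 400000.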

+SplAj
September 18th, 2001, 01:34
Solomon

great work to find that last code before JMP EAX .... I so enjoy that in Win2K. More satisfying than waiting 30 mins for Icedump to do everything

Please use RV now in Win2K, Tsehp worked VERY hard to bring us the tracer and API emulator. Works great :-)
For any RET004 use the LockResource API, this is the correct one. Anything else will corrupt the stack (plain ret), or EAX has a new value, or worse, 0 !!!

RV is auto coded to paste LockResource ..............

I unpacked and fixed EasyMail 3.22 in 15 mins under Win2K + RV. That's 4x as fast as usual in Win98/ME.

I enclose my RV resolved.txt and IAT to paste at 0x3FD000

Also patch those bytes at offset 0x2C7068 (..4E 4F 54 20 etc.)
with a hex '0D', then any name you like to replace the rest of the text 'OT REGISTERED', like +Spl/\j :2001 - fits perfectly.

Also try LordPE to dump...........

+Spl/\j

tsehp
September 18th, 2001, 04:53
The API emulator works now on Win98. OEPs are also very easy to find using RV's tracer on Win2K, read the manual.
I usually choose EIP stop domain 400000 until 600000 and press "until back" all the time, until the listing shows the usual
push ebp
... without any rets in proximity.

Then you dump with ProcDump (RV's new function pretty soon, I promise).

Only a very small problem remains: ASPR sometimes tests whether the IAT tracer has arguments, like a call to an API function, so that's why some GetProcAddresses are not found and the tracer lands in nowhere. For now, enter the API address manually; I'll fix this soon too.

another target from glocksoft, awaiting better....

analyser.exe has some tests to detect if ASPR is present or not.
First dump and resolve with RV. The last entry that is not found by the API emulator doesn't work with the tracer (soon), but you can enter the address of GetProcAddress.

Then dump with RV + ProcDump. OEP is 504154.
Empty all the bytes around 508430, it's still the mem alloc trick, first discovered by splaj on wswatch.

you've got a redirected call by aspr here :

seg000:00504170 change this
seg000:00504170 ; was redirected into aspr to reach 503cec
seg000:00504170 call sub_503CEC
seg000:00504175 nop

and finally remove the nag here :

1
seg000:00447CD1 change this
seg000:00447CD1 mov eax, 2
seg000:00447CD6 nop
seg000:00447CD7 test eax, eax

included is the usual it.bin + rv resolved import's text file.

Does someone have the new ASPR SDK? I'd be interested to see how it is asked to include such tests inside the target.

regards,

Solomon
September 18th, 2001, 08:59
I learned a lot from this post and successfully unpacked several asprotected progs with RV. Thank you masters

BTW:
some data for Advanced Administrative Tools v4.31 build 720
OEP = 0061A598
RVA of IAT = 2221E0, length = A34
one redirected call:
CS:0061A5B4 call [0061EE4C] ===> call 00619B7C

exit_2
September 25th, 2001, 04:03
What SuperBPM does in Win9x, NTdump's "Preserve BPM" (part of NTiceSET) tries to do in NT.

Uradox
December 18th, 2002, 13:10
A small post much later

I did the patching required to hide NTice DS 2.7, but the SICE window wouldn't show when requested. Found some patches that did the same thing as posted here - they did the same.
Just curious if this is a common problem?

JMI
December 18th, 2002, 18:35
Uradox:

One can assume that you have made a patch in the wrong place. Did you try the patch posted by nikolatesla20 in the Tools of the Trade Forum here on 10-23-02, titled: "Driver Studio *2.7* anti detect patches" It works fine on my Win2k Sp3. We have not had reports here of anyone losing the SI window after using that patch.

If you used the exact addresses shown in the Solomon thread it is extremely unlikely that they would work because that was a discussion of "'ver'== DriverStudio tm 2.01 (build57) file size 1,275,590 says 4.2.1 (build 58) in properties.)" +Spl/\j cautioned to "Check first" for the proper addresses. Did you "check"???

Try reloading SI and try nikolatesla20's patch.

Regards.

Uradox
December 20th, 2002, 09:50
Ah yes my stupidity for not checking offsets
Sorry