Tshep help mE!!!


Nio-shai
September 19th, 2001, 18:59
hi Tshep

I've been trying to unpack a prog that uses the method of ASPR, but it's not ASPR ...

I don't want a serial or to crack this prog, just to learn how to unpack it ....

url : h**p://www.softpile.com/Utilities/Password_Recovery/Review_08401_index.html



I've found the EOP = 40c35a
and the start IAT = 12000
but the size had a problem ...
at ImpREC it told me the size is = 2F8
at Revirgin it told me the size is = 370

But I used ImpREC to fix the IAT, and I fixed it just like it should be:

6bc968: is : lock resource
6bc950: is : get current process
6bc974: is : free resource
6bc928: is : get current process id
6bc960: is : get command line A
6bc990: is fixed to a user32 dll instead of kernel32.dll, to:
dialog box indirect param A

The fix is done and the prog DOES RUN!! But!!! If I try to push the About or the Register, it crashes. What can I do??? I can't find anything to do about it!!! Plz help!!!

tsehp
September 21st, 2001, 02:06
Quote:
Originally posted by Nio-shai
hi Tshep

I've been trying to unpack a prog that uses the method of ASPR, but it's not ASPR ...

I don't want a serial or to crack this prog, just to learn how to unpack it ....



I've found the EOP = 40c35a
and the start IAT = 12000
but the size had a problem ...
at ImpREC it told me the size is = 2F8
at Revirgin it told me the size is = 370

But I used ImpREC to fix the IAT, and I fixed it just like it should be:

6bc968: is : lock resource
6bc950: is : get current process
6bc974: is : free resource
6bc928: is : get current process id
6bc960: is : get command line A
6bc990: is fixed to a user32 dll instead of kernel32.dll, to:
dialog box indirect param A

The fix is done and the prog DOES RUN!! But!!! If I try to push the About or the Register, it crashes. What can I do??? I can't find anything to do about it!!! Plz help!!!


get revirgin :P

Nio-shai
September 21st, 2001, 07:52
Tsehp !

I did use RV with both sizes:
if I use the 2F8 size, then it's like ImpREC;
if I use the 300 size, it gives me at the end of the table some
pointers that lead to nowhere!!!

Come on Tsehp, don't leave me hanging in the air .... and plz check
this prog ... I really want to learn, so plz help me to learn what was wrong....


Kayaker
September 21st, 2001, 12:50
Holy shit. And when you're done with that one Tsehp, I've got a few crashing rebuilt programs that you could work on as well

Heh, heh, welcome to Asprotect. It looks like you've picked up most of the Asp tricks, the redirection to an address holding the API return value or to a short section of garbage code, the Kernel/User reference flip, the code running a few lines of API code before jumping into the API, etc. But I'm thinking your problem lies beyond Revirgin. As you say, the program runs but only crashes in certain cases.

Soooo.... what error message does it give? Have you traced to that address in the unpacked file and compared it with the original packed file? This may have nothing to do with imports, but just a code section that tries to access packing code (which now no longer exists).

The About box may be trying to access user registration info which would have initially been read from the registry during unpacking and stored in a high memory address. Often just bypassing the call or redirecting it to your own value might solve the problem.

Start by confirming all the missing unresolved IAT entries. What I do is do an initial pass with Revirgin then list out all the problem addresses. The ones listed "to_Resolve" can usually be fixed by selecting EnableTrace/Trace, and will likely be GetProcAddress and GetModuleHandleA. (BTW Tsehp, the trace feature for these 2 APIs works really well now on 9x.)

For the remaining ones it looks like you figured them out, but what I do to double check what's happening is to break in the original file after it has been unpacked, say with GetStartupInfoA, and unassemble each redirected IAT address with the 'u' command. This should immediately tell you what code is replacing what should be a direct jump to an API starting address.

As I say, if you've nailed down the imports, and made a proper dump, the problem probably lies beyond the call of duty of Revirgin. I think the IAT size difference between RV and Imprec isn't important, use the larger size and RV ignores what isn't important I believe.

Methinks you just need to dig a little deeper and treat this as trying to find a particular patch point. Good Luck.

BTW, just a minor point, but it's preferable to NOT use direct links to shareware sites in postings. I know it's convenient, but any click on the link can be directly referred back to here. We got enough problems as it is, if you know what I mean.

Kayaker

tsehp
September 22nd, 2001, 01:58
Sorry for the short response, but I'm kind of busy these days.

The size is a pure guess; you can check it yourself by looking at the IAT: look at the pointers, or stop the size just before the ASCII characters begin.

RV & ImpREC will only fix the IAT, but you still have some kind of anti-dump code now inside targets; look at the other recent ASProtect threads.
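Taking tsehp's rule of thumb above (the table ends where the pointers stop and the ASCII begins) together with Kayaker's step of listing every thunk that does not resolve into a loaded module, here is an added example in Python. It is not code from this thread, nor from Revirgin or ImpREC: it walks a dumped import address table, reports the size it would use, and lists the entries that point outside every module and therefore still need resolving. The module ranges, addresses and table bytes are constructed for the demo.

```python
import string
import struct

# Hypothetical loaded-module ranges (base, end, name) for the demo; in practice
# they come from the debugger's module list for the target process.
MODULE_RANGES = [
    (0x77E60000, 0x77F46000, "kernel32.dll"),
    (0x77D40000, 0x77DD0000, "user32.dll"),
]

# Bytes that make a dword read as text (the hint/name strings that usually
# follow the thunks); whitespace is excluded on purpose.
TEXT_BYTES = set(
    (string.ascii_letters + string.digits + string.punctuation + " ").encode()
)


def module_for(addr):
    """Name of the loaded module containing addr, or None when it points
    outside every module (a redirected, packer-owned thunk)."""
    for base, end, name in MODULE_RANGES:
        if base <= addr < end:
            return name
    return None


def walk_iat(data, offset=0):
    """Walk 32-bit thunks starting at `offset` and return (size, entries).

    size    : bytes from `offset` to where the data stops looking like
              pointers (just before the ASCII strings begin)
    entries : (offset_in_table, value, module_name_or_None) per non-zero thunk

    A zero dword ends one module's block; a second consecutive zero or a
    dword made only of printable text ends the whole table.
    """
    entries = []
    pos = offset
    prev_zero = False
    while pos + 4 <= len(data):
        chunk = data[pos:pos + 4]
        (value,) = struct.unpack("<I", chunk)
        module = module_for(value)
        if module is not None:
            entries.append((pos - offset, value, module))
            prev_zero = False
        elif value == 0:
            if prev_zero:
                break
            prev_zero = True
        elif all(b in TEXT_BYTES for b in chunk):
            break  # ran into the import name strings
        else:
            entries.append((pos - offset, value, None))
            prev_zero = False
        pos += 4
    return pos - offset, entries


def unresolved(entries):
    """Thunks pointing outside every loaded module: the ones an import
    rebuilder lists as needing manual resolution."""
    return [(off, value) for off, value, module in entries if module is None]


# Constructed sample: a dumped IAT in which a packer has redirected two thunks
# into its own memory (all addresses are made up for the demo).
SAMPLE_IAT = b"".join([
    struct.pack("<I", 0x77E6A0F1),  # kernel32 export
    struct.pack("<I", 0x77E71B40),  # kernel32 export
    struct.pack("<I", 0x006BC968),  # redirected into packer-owned memory
    struct.pack("<I", 0),           # end of the kernel32 block
    struct.pack("<I", 0x77D5B3E0),  # user32 export
    struct.pack("<I", 0x006BC990),  # redirected into packer-owned memory
    struct.pack("<I", 0),           # end of the user32 block
    b"KERNEL32.dll\x00USER32.dll\x00",  # name strings: the table ends here
])


if __name__ == "__main__":
    size, entries = walk_iat(SAMPLE_IAT)
    print(f"IAT size: {size:#x} bytes, {len(entries)} thunks")
    for off, value, module in entries:
        note = module or "<< outside every module: resolve by hand"
        print(f"  +{off:04x}: {value:08X}  {note}")
```

Run it against real input by replacing `SAMPLE_IAT` with the bytes read from the dump at the IAT RVA and `MODULE_RANGES` with the debugger's module list; the flagged offsets are the ones to unassemble in the packed process, as Kayaker describes, before deciding what each should resolve to.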

Nio-shai
September 22nd, 2001, 14:11
Kayaker hi!

Thanks for replying to me since Tsehp is busy ...

Well, I found that it's true that when I want to see the About
box in the PACKED file, it first calls some:
LOCK RESOURCE
LOAD RESOURCE
and then it calls the dialog box!!!


But in the dump file those things don't exist!!!

But about the REGISTRATION box: Windows not only crashes, it
also gives me the BLUE SCREEN!!! So I can't trace it!

But now for fixing the dialog box of the DUMP file ... I looked and didn't find a tut or an essay about how to fix this kind of thing, so I'll be more than happy if someone can give me some help with this ...

BTW: sorry about putting the link to the site .. didn't know about this.

Kayaker
September 24th, 2001, 13:52
Hi Nio,

It's kind of hard to say what your problem is. I do remember those resource APIs you mentioned being associated with a FindResourceA call that I think can also be redirected by Asprotect. It's been a while so I forget the exact details.

What unresolved IAT entries did Revirgin come up with, and more importantly, what did you "fix" them to?

The other issue is, are you 100% certain that you've got the right OEP? That BSOD sounds pretty severe. If you've got a "workable" dump (i.e. it crashes, but you might be able to patch it), you may get Runtime Error messages, but if you're getting a BSOD you may have deeper problems and should double check the quality of your dump.

Kayaker

+SplAj
September 25th, 2001, 04:19
Is the code similar to this :-

==>  00E5C898  55          PUSH EBP
0187:00E5C899  8BEC        MOV EBP,ESP
0187:00E5C89B  53          PUSH EBX
0187:00E5C89C  8B5D08      MOV EBX,[EBP+08]
0187:00E5C89F  8B4518      MOV EAX,[EBP+18]
0187:00E5C8A2  50          PUSH EAX
0187:00E5C8A3  8B4514      MOV EAX,[EBP+14]
0187:00E5C8A6  50          PUSH EAX
0187:00E5C8A7  8B4510      MOV EAX,[EBP+10]
0187:00E5C8AA  50          PUSH EAX
0187:00E5C8AB  6A05        PUSH 05
0187:00E5C8AD  8B450C      MOV EAX,[EBP+0C]
0187:00E5C8B0  50          PUSH EAX
0187:00E5C8B1  53          PUSH EBX
0187:00E5C8B2  E8157BFFFF  CALL KERNEL32!FindResourceA
0187:00E5C8B7  50          PUSH EAX
0187:00E5C8B8  53          PUSH EBX
0187:00E5C8B9  E87E7BFFFF  CALL KERNEL32!LoadResource
0187:00E5C8BE  50          PUSH EAX
0187:00E5C8BF  E8807BFFFF  CALL KERNEL32!LockResource
0187:00E5C8C4  50          PUSH EAX
0187:00E5C8C5  53          PUSH EBX
0187:00E5C8C6  E8917BFFFF  CALL USER32!DialogBoxIndirectParamA
0187:00E5C8CB  5B          POP EBX
0187:00E5C8CC  5D          POP EBP
0187:00E5C8CD  C21400      RET 0014

Nio, this was Alexey's latest trick a few months ago.
Just make the Revirgin manual entry to be USER32!DialogBoxParamA
and you are fixed.......... this is an API twister, i.e. Alexey made DialogBoxParamA call into aspr code to emulate it via DialogBoxIndirectParamA.

BTW the above code is from an Elcomsoft target Aeepro and I think your target is from the same stable................

+Spl/\j

Kayaker
September 25th, 2001, 22:16
Quote:
Originally posted by +SplAj

<SNIPPET> some poor hapless Assprotect code gleefully ripped out by the throat, stepped on, probed prodded poked mutilated and examined endlessly. Then mercifully put to death.
<ENDSNIPPET>

+Spl/\j



Yeah, that was it Splaj, thanks for reminding me.

As Far As You Know??!!

Kayaker

+SplAj
September 26th, 2001, 04:23
howdy, did I 'really' say those <SNIPPET> nice things about aspr <END> ???

nice forgery Kayaker ...... but you missed 'patch+play'

and I phear aspr is not 'dead' Alexey will return soon .......................

Bit quiet around here ?

tsehp
September 26th, 2001, 06:27
The site has been impossible to connect to since Sunday, so there are not a lot of contributions, but the stats show a lot of log attempts.

Woodmann is actually making a big decision; mine is already made: we have to change the ISP again.

regards,

tsehp

PS: splaj, again some tracer fixing for te-lock, then I'm back to our latest task ;-)

+SplAj
September 26th, 2001, 09:35
so they lie when it says server bizzy....... u & woody are the bizzy ones....

shame really after all hard work

Let's have some fine French wine with some spaghetti bolognese again soon, you need a break

(that's a foreigner's idea of fine cuisine :; )

Woodmann
September 26th, 2001, 13:30
Yes Bolognese sounds nice, can I have a lame watered down American beer please?

Peace, Woodmann

+SplAj
September 27th, 2001, 01:32
yes you can have a budwhatever.....but I suggest we share a crate of Champagne to really make a mess of the carpet

tsehp
September 27th, 2001, 07:01
Yes splaj, you owe us a real mess on my son's pants, or mine if you choose; I'll be really happy to see this happen again! he he!

One of my women clients saw us when we were on the 2nd floor of the Eiffel Tower; you and Wood should come back again pretty soon before terrorists make it blow away
(pathetic sense of humor, I know...)

Nio-shai
September 27th, 2001, 19:31
Thanks all for your help: the DialogBoxParamA was the API that fixed it all.

Thank you all!!!