View Full Version : asprotect question


vbdisease
January 30th, 2002, 18:24
hi folks,

I'm still dealing with some asprotect apps, rv and peditor, and I made some progress. Now I have a question, and hope someone could give me some explanations.

i came around some redirected import and found something
that Clandestiny posted some months ago on this board:

[...]
Take the 1st example:

25 0010D21C 011FC86C 0000 ?????? ??????

:u 11FC86C

mov eax,[1203678]
ret

[1203678] = 8171AD30 ; return value from GetCommandLineA

That's it for the redirected code that's there.

[...]

It is nearly the same thing for me. So now I know it's redirected, but how do I know it's GetCommandLineA, for example?
What's meant by "return value"? The address of the original import?
So a ":u 8171AD30" will show GetCommandLineA (a few lines below)??

Am i right, or still on the wrong path?

Thanks for your help!
vbdisease

Solomon
January 30th, 2002, 20:48
set a "BPM 1203678 W", you will see the result
Note: ASPR has anti-debug tricks, sometimes BPM breakpoints are skipped

NikDH
January 30th, 2002, 21:48
Quote:
Originally posted by Solomon
set a "BPM 1203678 W", you will see the result
Note: ASPR has anti-debug tricks, sometimes BPM breakpoints are skipped


Hi solomon,
it happens coz asprotect changes the DR registers, so
the bpm won't work anymore.
It does it with SEH related APIs, if I remember right.

See ya
NikDH

Solomon
January 30th, 2002, 22:09
yeah NikDH, thx for your hint.
I have not figured it out yet. One way to change DRx registers is using SetThreadContext( ). But this method needs at least 2 threads to cooperate. I don't know whether it uses this. I will try later.

vbdisease
January 31st, 2002, 22:27
hi,

thanks for your replies. I tried a bpm, but with no
luck; it seems that this b*tch really manipulates the registers to clear the memory bpx. :-(

Could someone explain how else to retrieve the missing imports?
Here are my missing ones with the containing bytes ([address]):

[C2c960] = 81A081F4
[C2C928] = C0000A04
[C2C958] = FFC18FAB

So, BPMs don't work, any other helpful clue?

vbdisease

Solomon
January 31st, 2002, 23:36
BPM really works if you know when to set this kind of breakpoint. I often set BPM after the IRETD instruction (inside NTDLL!NtContinue) for Win2K.

NtContinue/KiUserExceptionDispatcher will be called more than 20 times coz aspr uses many SEHs.

However, the best way to defeat this trick is to find out how it works.

wbe
February 1st, 2002, 05:40
"could someone explain how else to retrieve the missing imports?
here are my missing ones with the containing bytes ([address]):

[C2c960] = 81A081F4
[C2C928] = C0000A04
[C2C958] = FFC18FAB

So, bpm's dont work, any other helpful clue? "


The answer to your question is BPX GetVersion!

There is a vampire around feeding on asprotected apps. Read his tuts. +SplAj has an explanation for almost every single line of aspr code. Check Krobar's new tuts.

Happy deprotecting.

+SplAj
February 1st, 2002, 07:32
hi vb

the 'emulated' APIs are still the same in new asprotect 1.4 as in older versions. Just the format differs. Older was in a nice easy to see 'Cluster' of APIs. Now they are spread out and call a dummy API first, then POP EAX with the value of the real API. See my past post on ASprotect 1.4 made at Xmas.

EXAMPLE
======

MOV EAX,EAX
CALL KERNEL32!GetModuleHandleA
PUSH DWORD PTR [00EA3650] <== GetVersion API result
POP EAX
RET

So, at first pass IAT tracer thinks API is GetModuleHandleA... WRONG!!!

The APIs to look for :-
===============

FreeResource
(see a RET004)

GetCommandLineA eg EAX == 81A081F4
(SI 'd 81A081F4' on this and see the path to your target exe plus any commandline passed, usually none cos you double-clicked only)

GetCurrentProcessId
(WinNT/2K version of PID)

GetCurrentProcess eg EAX==FFC18FAB
(Win98/ME version of PID - will be FFFFFFFF in WinNT/2K)

GetVersion eg EAX==C0000A04 (Win98SE i think ?)
(your Windows version value, different for Win98, ME, NT, XP)

LockResource
(again see RET004 - look at ALPHABETIC API list in RV/Imprec to see a big clue)

Hope that helps. There are some past threads on this stuff on the MB

Spl/\j

Pepone
May 7th, 2002, 21:56
vbdisease wrote:
[...]
Take the 1st example:

25 0010D21C 011FC86C 0000 ?????? ??????

:u 11FC86C

mov eax,[1203678]
ret

[1203678] = 8171AD30 ; return value from GetCommandLineA

But how do you get 8171AD30? What is this value?
This may be the return value from GetCommandLineA ... ???
How do you get GetCommandLineA? Is there any comparison table
with return values, or how do you know that it is that API?
I'm trying +Spl/\j's tutorial on Awave 7.3, but I can't find those unsolved
APIs .... Pls help. Thanx.

+SplAj
May 8th, 2002, 07:58
Hi Pepone

It is quite easy to prove the API.

1st set a BPX GetVersion and run target. Make sure you are in target memory after F12. Follow with F8 and see where target stores the <return-value>.
Now BD* and set a BPX GetCommandLineA and F5. Again after F12 follow with F8 and see where <return-value> is stored. You see aspr builds a nice lookup array.

Now do 'D <return-value>' and you will see the path of your target.......the command line

For API instructor I suggest you search Google for that fat hlp file

Spl/\j

Pepone
May 8th, 2002, 12:44
Hi Spl/\j !
Thx for the reply, I will try it. But I don't know what you mean by this API instructor. Google finds courses, trainings etc ...
Summary - bullshit ... So pls, if you have that file, send it to me by email. Thx.

Solomon
May 8th, 2002, 12:47
search for "win32.hlp".
or read MSDN for APIs

Pepone
May 8th, 2002, 18:31
Hi Spl/\j !
Here is one of my unsolved APIs from Awave 7.3 (your tut):
58 000BF0F4 00D0C864 0000 ?????? ??????
I load the target (awave.exe) in Sice Loader and run it from there. It pops up, I set bpx GetVersion. 2xF12 and I'm in the target and see maybe 4-5 APIs and a few mov eax,[xxxxxx]. I need that unsolved API, so I type U 00D0C864. I see mov eax,[00D135E0], and ret. OK, but what now? If I type d 00D135E0 - empty memory; if F8, I'm back to the APIs screen. If I type GetCommandLineA and F5, it pops up, but I never get to my value 00D135E0. I go to GetCommandLineA, and d eax gives me the full path of the target. But 00D135E0 is never used, so why use U 00D0C864?
You wrote: Make sure you are in target memory after F12 (ok). Follow with F8 and see where target stores the <return-value>. What to follow? I don't know what kind of API it is (it's unresolved), so what to follow? Target stores the <return-value> ... The API to resolve is the target (if I understand that right), but it's unknown, so how do I follow the target and get the <return-value>?
Write your solution like for a baby, because if I don't understand, I will write here again and again ...

crUsAdEr
May 8th, 2002, 19:19
Hi Pepone,

bpx on GetVersion, run the target like Spl/\j has said; once sice breaks, F12 and you will see this code section (you might have to press F5 once sometimes).
NOTE: the code will look DIFFERENT in sice cos of obfuscation, but the execution sequence is the same!!!

CODE:0040CC48 pusha
CODE:0040CC49 push 414652h ; result slot + 0Ah (next7 writes to [ebx-0Ah])
CODE:0040CC4E push 0 ; lpModuleName = NULL
CODE:0040CC50 push offset next1 ; return address for GetModuleHandleA
CODE:0040CC55 mov eax, dword ptr ds:GetModuleHandleA+2 ; +2 skips the FF 25 of the import thunk: eax = IAT slot
CODE:0040CC5B jmp dword ptr [eax] ; GetModuleHandleA(NULL), returns to next1
CODE:0040CC5B ; ------------------------------------------------------
CODE:0040CC5D db 0EBh ; d
CODE:0040CC5E db 25h ; %
CODE:0040CC5F ; ------------------------------------------------------
CODE:0040CC5F
CODE:0040CC5F next1: ; DATA XREF: API_emul_result+8o
CODE:0040CC5F push offset Get_GetVersion ; next get-API block, popped into edx at store_API_result
CODE:0040CC64 jmp store_API_result
CODE:0040CC64 ; ------------------------------------------------------
CODE:0040CC69 db 0FFh ;
CODE:0040CC6A ; ------------------------------------------------------
CODE:0040CC6A
CODE:0040CC6A Get_GetVersion: ; DATA XREF: API_emul_result+17o
CODE:0040CC6A push 41464Ah ; result slot + 0Ah
CODE:0040CC6F push offset next2 ; return address for GetVersion
CODE:0040CC74 mov eax, dword ptr ds:GetVersion
CODE:0040CC7A jmp dword ptr [eax] ; GetVersion(), returns to next2
CODE:0040CC7A ; ------------------------------------------------------
CODE:0040CC7C db 0FFh ;
CODE:0040CC7D ; ------------------------------------------------------
CODE:0040CC7D
CODE:0040CC7D next2: ; DATA XREF: API_emul_result+27o
CODE:0040CC7D push offset Get_GetVersionExA ; next get-API block, popped into edx
CODE:0040CC82 jmp short store_API_result
CODE:0040CC82 ; ------------------------------------------------------
CODE:0040CC84 db 0EBh ; d
CODE:0040CC85 ; ------------------------------------------------------
CODE:0040CC85
CODE:0040CC85 Get_GetVersionExA: ; DATA XREF: API_emul_result+35o
CODE:0040CC85 push offset unk_4145B6 ; lpVersionInfo: OSVERSIONINFO buffer the API fills in
CODE:0040CC8A push offset next3 ; return address for GetVersionExA
CODE:0040CC8F mov eax, dword ptr ds:GetVersionExA
CODE:0040CC95 jmp dword ptr [eax] ; GetVersionExA(&unk_4145B6), returns to next3
CODE:0040CC95 ; ---------------------------------------------------------
CODE:0040CC97 db 0FFh ;
CODE:0040CC98 db 25h ; %
CODE:0040CC99 ; ---------------------------------------------------------
CODE:0040CC99
CODE:0040CC99 next3: ; DATA XREF: API_emul_result+42o ; the BOOL from GetVersionExA is dropped, not stored
CODE:0040CC99 push 41464Eh ; result slot + 0Ah
CODE:0040CC9E push offset next4 ; return address for GetCurrentProcess
CODE:0040CCA3 mov eax, dword ptr ds:GetCurrentProcess
CODE:0040CCA9 jmp dword ptr [eax] ; GetCurrentProcess(), returns to next4
CODE:0040CCA9 ; ---------------------------------------------------------------------------
CODE:0040CCAB db 0E8h, 25h
CODE:0040CCAD ; ---------------------------------------------------------------------------
CODE:0040CCAD
CODE:0040CCAD next4: ; DATA XREF: API_emul_result+56o
CODE:0040CCAD push offset Get_GetCurrentProcessId ; next get-API block, popped into edx
CODE:0040CCB2 jmp short store_API_result
CODE:0040CCB2 ; ---------------------------------------------------------------------------
CODE:0040CCB4 db 0E9h
CODE:0040CCB5 ; ---------------------------------------------------------------------------
CODE:0040CCB5
CODE:0040CCB5 Get_GetCurrentProcessId: ; DATA XREF: API_emul_result+65o
CODE:0040CCB5 push 414656h ; result slot + 0Ah
CODE:0040CCBA push offset next5 ; return address for GetCurrentProcessId
CODE:0040CCBF mov eax, dword ptr ds:GetCurrentProcessID
CODE:0040CCC5 jmp dword ptr [eax] ; GetCurrentProcessId(), returns to next5
CODE:0040CCC5 ; ---------------------------------------------------------------------------
CODE:0040CCC7 db 0FFh ;
CODE:0040CCC8 ; ---------------------------------------------------------------------------
CODE:0040CCC8
CODE:0040CCC8 next5: ; DATA XREF: API_emul_result+72o
CODE:0040CCC8 push offset Get_CommandLinea ; next get-API block, popped into edx
CODE:0040CCCD jmp short store_API_result
CODE:0040CCCD ; ---------------------------------------------------------------------------
CODE:0040CCCF db 0E9h ; T
CODE:0040CCD0 ; ---------------------------------------------------------------------------
CODE:0040CCD0
CODE:0040CCD0 Get_CommandLinea: ; DATA XREF: API_emul_result+80o
CODE:0040CCD0 push 41465Ah ; result slot + 0Ah
CODE:0040CCD5 push offset next6 ; return address for GetCommandLineA
CODE:0040CCDA mov eax, dword ptr ds:CommandLineA
CODE:0040CCE0 jmp dword ptr [eax] ; GetCommandLineA(), returns to next6
CODE:0040CCE0 ; ---------------------------------------------------------------------------
CODE:0040CCE2 db 0E9h, 25h
CODE:0040CCE4 ; ---------------------------------------------------------------------------
CODE:0040CCE4
CODE:0040CCE4 next6: ; DATA XREF: API_emul_result+8Do
CODE:0040CCE4 push offset Done ; last "next block", popped into edx
CODE:0040CCE9 jmp short store_API_result
CODE:0040CCE9 ; ---------------------------------------------------------------------------
CODE:0040CCEB db 0E8h, 61h, 0C3h
CODE:0040CCEE ; ---------------------------------------------------------------------------
CODE:0040CCEE
CODE:0040CCEE store_API_result: ; CODE XREF: API_emul_result+1Cj
CODE:0040CCEE ; API_emul_result+3Aj
CODE:0040CCEE ; API_emul_result+6Aj
CODE:0040CCEE ; API_emul_result+85j
CODE:0040CCEE ; API_emul_result+A1j
CODE:0040CCEE pop edx ; edx = address of the next get-API block
CODE:0040CCEF pop ebx ; ebx = result slot + 0Ah
CODE:0040CCF0 push offset next7
CODE:0040CCF5 retn ; push/retn pair = obfuscated jmp next7
CODE:0040CCF5 ; ---------------------------------------------------------------------------
CODE:0040CCF6 db 0E9h
CODE:0040CCF7 ; ---------------------------------------------------------------------------
CODE:0040CCF7
CODE:0040CCF7 next7: ; CODE XREF: API_emul_result+ADj
CODE:0040CCF7 ; DATA XREF: API_emul_result+A8o
CODE:0040CCF7 mov [ebx-0Ah], eax ; store the API's return value in the lookup array
CODE:0040CCFA jmp edx ; continue with the next API
CODE:0040CCFC ; ---------------------------------------------------------------------------
CODE:0040CCFC
CODE:0040CCFC Done: ; DATA XREF: API_emul_result+9Co
CODE:0040CCFC popa
CODE:0040CCFD retn

Hope the comments are not too confusing; do a bit of tracing and study the loop above and you will see how the API results are pre-stored... take note of the address of [ebx-A]


P.S : maybe i need to learn VB code :<... think it looks real hard to follow once i cut and paste.. but ah well :<

Pepone
May 11th, 2002, 17:47
Hello crUsAdEr !
It's nice that you wrote it for me ... but pls, I still don't know why to use U 00D0C864 ... You wrote to me the process, how it works, but how can I get the correct API, if U 00D0C864, where the value is stored, is never used? Pls step by step ... I'm in the program, bpx getversion is used, after 2xF12 I'm in the program, and I see 4 APIs, mov eax between them. What to do now EXACTLY, STEP by STEP (and don't forget U 00D0C864) ... I'm now confused, because you write to me the process, how it works, but I need EXACT instructions on what to do now (of course the address will be different).
Pls STEP by STEP, like for a baby ...)) What to write, what to watch ....
P.S. Pls be patient with me ....

crUsAdEr
May 12th, 2002, 23:52
Hi Pepone,

Hmm, like zero says, baby should be drinking milk and hence banned from cracking!!! Only alcohol allowed for cracking....

On a serious note, Spl/\j has already explained why those values correspond to those APIs in his very CommView tutorial.... those APIs are emulated, so if you code a little proggi yourself to obtain eax from those APIs you will see those values...

About step by step on how to unpack AsProtect... honestly I have seen enough instructions on how to do it everywhere on this board, more than I have ever seen for any other protection... so look around, read the tutorials available as well as search the board.... download the AsPr.dll from evaluator's post or get more versions at fravia's site if you want the same offsets as what I posted above....
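
A small resolver for these cached-result slots, added here as an example; it is not code from this thread nor from any of the tools named in it. It follows +SplAj's list of emulated APIs above and crUsAdEr's advice to check the values the real APIs return: it pulls the slot address out of the two stub shapes quoted in the thread (mov eax,[slot] / ret, and the 1.4-style push dword ptr [slot] / pop eax / ret after a decoy call), reads the cached value, and names the API by matching it against return values captured with a bpx on each real API. Where no capture matches, it falls back to the value shapes described above (FFFFFFFF for GetCurrentProcess on NT, the major/minor byte layout of GetVersion) and marks those guesses with a "?". The slot addresses and values are the ones vbdisease posted; the stub bytes, the "observed" table and the memory dict are constructed for the example.

```python
"""Resolve ASProtect "emulated API" slots from the values they hold.

A redirected import does not reach the real API; it returns a value the
protector fetched once at startup and cached in a small lookup array:
    mov eax,[slot] / ret          (older versions)
    ... push dword ptr [slot] / pop eax / ret   (1.4, after a decoy call)
The "return value" in the thread is that cached eax, not an address.
"""
import struct
from typing import Dict, Optional, Tuple

# Opcode bytes of the two stub shapes (x86 encodings).
MOV_EAX_MOFFS32 = 0xA1      # A1 imm32        mov eax,[imm32]
PUSH_MEM32 = b"\xff\x35"    # FF 35 imm32     push dword ptr [imm32]
POP_EAX = 0x58              # 58              pop eax
RET = 0xC3                  # C3              ret


def stub_slot_address(code: bytes) -> Optional[int]:
    """Return the slot address a redirect stub reads, or None if the bytes
    match neither stub shape."""
    if len(code) >= 6 and code[0] == MOV_EAX_MOFFS32 and code[5] == RET:
        return struct.unpack_from("<I", code, 1)[0]
    i = code.find(PUSH_MEM32)           # skip any decoy call in front
    while i != -1:
        if len(code) >= i + 8 and code[i + 6] == POP_EAX and code[i + 7] == RET:
            return struct.unpack_from("<I", code, i + 2)[0]
        i = code.find(PUSH_MEM32, i + 1)
    return None


def decode_getversion(value: int) -> dict:
    """Split a GetVersion() DWORD: low byte = major, next byte = minor,
    bit 31 set = Win9x/Win32s; on NT the high word is the build number."""
    win9x = bool(value & 0x80000000)
    return {
        "major": value & 0xFF,
        "minor": (value >> 8) & 0xFF,
        "platform": "win9x" if win9x else "winnt",
        "build": None if win9x else (value >> 16) & 0x7FFF,
    }


def looks_like_getversion(value: int) -> bool:
    """Heuristic: a plausible Win32 major.minor in the low word."""
    v = decode_getversion(value)
    return 3 <= v["major"] <= 6 and v["minor"] <= 90


def resolve_slot(value: int, observed: Dict[str, int]) -> str:
    """Name the API whose cached return value this is.  Exact matches against
    values captured from the live process win; otherwise fall back to the
    value shapes +SplAj listed, marked with '?' because they are guesses."""
    for api, eax in observed.items():
        if eax == value:
            return api
    if value == 0xFFFFFFFF:
        return "GetCurrentProcess (NT pseudo-handle)"
    if looks_like_getversion(value):
        return "GetVersion?"
    if value >> 24 == 0xFF:
        return "GetCurrentProcess? (Win9x-style handle)"
    return "unresolved"


def resolve_stub(code: bytes, memory: Dict[int, int],
                 observed: Dict[str, int]) -> Tuple[Optional[int], Optional[int], str]:
    """(slot, cached value, API name) for one stub, given a memory snapshot."""
    slot = stub_slot_address(code)
    if slot is None or slot not in memory:
        return (slot, None, "not a redirect stub")
    value = memory[slot]
    return (slot, value, resolve_slot(value, observed))


def resolve_all(memory: Dict[int, int], observed: Dict[str, int]) -> Dict[int, str]:
    """Label every slot of a lookup array."""
    return {slot: resolve_slot(value, observed) for slot, value in memory.items()}


# Constructed sample data.  Slot addresses and values are the ones vbdisease
# posted; the stub bytes and the "observed" table are made up for this example
# (in practice you fill OBSERVED from 'bpx <api>' + F12 + the eax you see).
SLOTS = {0x00C2C928: 0xC0000A04, 0x00C2C958: 0xFFC18FAB, 0x00C2C960: 0x81A081F4}
OBSERVED = {"GetVersion": 0xC0000A04, "GetCommandLineA": 0x81A081F4,
            "GetCurrentProcess": 0xFFC18FAB}
STUB_OLD = bytes([MOV_EAX_MOFFS32]) + struct.pack("<I", 0x00C2C960) + bytes([RET])
STUB_NEW = (bytes([0x8B, 0xC0])                  # mov eax,eax (filler)
            + bytes([0xE8, 0, 0, 0, 0])          # decoy call, placeholder rel32
            + PUSH_MEM32 + struct.pack("<I", 0x00C2C928)
            + bytes([POP_EAX, RET]))

if __name__ == "__main__":
    for stub in (STUB_OLD, STUB_NEW):
        slot, value, api = resolve_stub(stub, SLOTS, OBSERVED)
        print(f"slot {slot:08X} = {value:08X} -> {api}")
    print(decode_getversion(0xC0000A04))     # major 4, minor 10: Windows 98
```

The exact-match path is the reliable one and mirrors what +SplAj describes (break on the real API, note eax, find where the protector stores it); the heuristics only exist so an unmatched slot still gets a hint, and they are deliberately labelled as guesses.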

Pepone
May 13th, 2002, 23:53
Hi Crusader !
Instead of telling me to read more tutorials, pls explain the continuity between U xxxxxx and your explanation of the API pre-storing process. It will help me much more. In the tutorial U xxxxxx is used, but you have written not a single word about it ........

Lbolt99
May 14th, 2002, 02:49
Quote:
Originally posted by Pepone
Hi Crusader !
Instead of telling me to read more tutorials, pls explain the continuity between U xxxxxx and your explanation of the API pre-storing process. It will help me much more. In the tutorial U xxxxxx is used, but you have written not a single word about it ........


Get the Remote Desktop Control package for SoftIce and see if someone will control SICE on your machine over the internet to show you what do to

Pepone
May 14th, 2002, 23:55
2Lbolt99: Ha, very funny ... Instead of bullshit, answer my questions ... and then we can laugh together ...

nofurs
May 15th, 2002, 01:42
Hi Pepone,
So many ppl have helped you....
Spoon feeding is only for a 3yr old kid. So don't be a lazy lameass, read tutes ....

Quote:
Originally posted by Pepone
2Lbolt99: Ha, very funny ... Instead of bullshit, answer my questions ... and then we can laugh together ...