WinSniffer 1.3 [ASPACK???]
foxthree
February 14th, 2002, 15:33
Hello:
I'm pretty new to the cracking scene and here is some of my analysis on a product called WinSniffer (winsniffer.com). Current version is 1.3.
I *think* it is ASPACKed (though no clue as to the version and such) [How: run WinHEX and search the memory for the ASPACK string and lo, there it is].
I'm trying to unpack this and am 95% successful (almost!)
Here is what I've done:
1. Loaded the target under Revirgin (thanks, tsehp) and traced and found the OEP: [004104FF, am I right btw?]
2. Dumped the target at this location using ProcDump [is this the correct way of doing things or should I use IceDump?]
3. Using Revirgin, completely rebuilt the IAT. <--- ROCKS!!!
4. 2-3 IAT entries were not found, so I traced and found them all.
5. Created a section and patched the generated IT.bin into this. So now I have a completely IAT-rebuilt WSMDI.exe.
6. Reset the OEP using the PEditor tool.
However, when I run this app, it crashes stating that 0x77fc97a0 referenced memory at 03f3df08 (inside ntdll.dll). I'm stumped as to why this has to happen. I followed Predator's tutorials to the word and I think I'm almost close to completely unpacking this program.
Any clues/insights as to what is happening will greatly help me. I'm attaching the Revirgin-generated IAT.txt file for analysis.
Thanks to all the good "gurus" here in advance,
SpeKKeL
February 15th, 2002, 06:14
Hajo,
Yep, aspr-protected (not protected with latest aspr!)
Okee, your OEP = correct, 4104ff.
First look at eax around 415240 after GetModuleFileName; hardcode the number in your dumped.exe in some way or bypass.
Again on the call at 4105b6.
Didn't compare your whole resolved.txt file, but the 2 API calls on
0003B348 and 0003B34C aren't correct, I think. Just replace by:
0003B348 017FC968 002F KERNEL32.dll
0003B34C 017FC960 002F KERNEL32.dll
After this all should work...
SpeKK
sv
February 15th, 2002, 07:13
Hi
I have rebuilt the IT and found:
0003B348 KERNEL32.dll LockResource
0003B34C KERNEL32.dll GetCommandLineA
Include IT
Regards
SpeKKeL
February 15th, 2002, 08:17
Yep, that's better!!
Overlooked >>0003B34C KERNEL32.dll GetCommandLineA!
Now you don't have to correct the addresses I mentioned.
Set bpx GetVersion when the prog is loaded in SI and see the APIs are stored in memory (1803640 for GetCommandLineA).
SpeKK

foxthree
February 16th, 2002, 13:31
Hi SV/Spek:
Thanks for all your tips. Yep, I got it right this time and everything seemed so cozy. Until I ran the executable. Just nothing! Absolutely nothing. I tried to debug it in SoftICE but it wouldn't even execute 1 single instruction.
What's happening here? Any ideas? I tried to put INT 3 at the OEP, still nothing, just an hourglass and nothing!
Any ideas would greatly help clear my ignorance.
BTW, my unpacked executable is around 2.3 Megs. Is that what you guys have got too?
(My IAT is not EXACTLY same as you guys, if it helps)
Thanks
SpeKKeL
February 16th, 2002, 14:12
Try to find out why your IAT is different...
Try sv's resolved IAT in your dumped.exe (should work).
Yep, dumping will give 2.3 MB, but realigning the file will reduce it to 500k.
SpeKK
foxthree
February 18th, 2002, 15:00
Hi Spek:
Thanks for all your help. But I'm still not able to make this work. However, I apologize for a small mistake that I'd made in my previous post. Actually, my rebuilt IAT is exactly the same (I typed NOT). Sorry!
I'm attaching my (rebuilt) IAT .txt file. Just see if everything is fine. I'm rebuilding on Windows 2000 BTW. Is this a problem? Also, when I try to run this application (after finally rebuilding the 2MB one), it just fails to load NTDLL.dll by giving some page fault error. That is why my app is not running, I guess.
Also, what version of ASProtect is used to secure this application? How do I find this? Is there any tool?
Thanks once again for all your help and time. I really appreciate it.
Regards
FoxThree
SpeKKeL
February 18th, 2002, 16:26
Strange,
Yep, just a little difference in the IAT at 3B178 (check it out), but I don't
think here lies your problem (I pasted your resolved.txt in my dumped and it ran without probs).
Try making a new dump.
(Make sure you don't have any breakpoint set at dumping.)
You can make them in several ways; try this:
Icedump from the oep /pedump 400000 104ff dumped.exe
And now use r.v. to rebuild.
or
Trace till the OEP > put a jmp eip at the OEP > use PE-editor/ProcDump to make a full dump.
Use Hiew to correct the location 4104ff (jmp 4104ff) into push ebp; mov ebp,esp and now rebuild.
I use W98, but W2000 should be no problem??
Well, don't know what version of aspr this is; you can use some
file inspectors/analysers... lots to find on the web.
SpeKK

foxthree
February 19th, 2002, 04:34
Hi SpeK:
Thanks for your patience with me. I'll try whatever you've said and I'll get back to you.
Once again,
Thanks, man
Signed,
FoxThree
foxthree
February 19th, 2002, 08:53
Hi SpeK:
I tried whatever you said. It still did not work. I'm jus' getting lost. When it seems to work fine for you, why wouldn't it for me? In fact, like you said, the IAT differs in only one place. In fact, this time I chose your IAT.txt and rebuilt. Still the same problem. When I try to debug the rebuilt application using W32DASM I get this:
The first thing it tries to do is to load up NTDLL.DLL at 77F80000. Then immediately it throws up this error in a dialog:
The thread tried to read from or write to a virtual address for which it does not have access at EIP 77e878c1.
Any clues? Also, if you don't mind, can you upload your rebuilt WSMDI.exe so that I can try to run that here and see if that works?
Also I think the dump I get is just fine. I tried the same approach with a couple of other apps that are ASPROTECTED like CoolMouse without any problems:
The method I try is:
(1) Load Process into RV Tracer
(2) Wait till it breaks on the OEP (in our case RVA 104FF, right?)
(3) Just switch to PDump and dump the process (remove all the unnecessary options in PDump before doing this, right?)
Is this method OK? Or is this a bug in RV?
Any other ideas/suggestions? Is my Win2K a problem (it is without SP)? What else? Man, I'm at the end of my wits here...
Thanks for all your patience,
FoxThree
crUsAdEr
February 19th, 2002, 20:26
Yeah, I do think it's a bug with RV because I have both Win 98 and Win 2k running; RV gave me slightly different IATs for the same program and sometimes RV does not export IT.bin properly and automatically gave the IT an address of 2ABCFEAA or something weird like that when I select auto fixed section...
I just keep trying and it works sometimes... maybe I am doing something wrong but I do find RV behaving weirdly sometimes... or maybe it's an anti-RV trick by AsProtect; Alexey frequents crackers' boards often, I heard....
The only foolproof method I tried so far is to use ImpRec to get the normal IAT without auto trace (because RV doesn't provide that option, or else I would prefer RV personally) and then manually replace the rest of the IAT input, normally about 40ish of them.. it's a sure-work way!!!
AsProtect is really a bitch really...
crUsAdEr
February 20th, 2002, 00:31
Hi foxthree,
OK, I am not sure this helps but try anyway... I was checking evaluator's post on deadlisting of the IAT; I found that mine are quite different (evaluator: I am using Win98SE)... but I notice the order is the same, as in the order of the offset and the import...
There is one entry in WinSniffer like this:
207 0003B348 017FC968 0000 ?????? ??????
Try u 17fc968; it will show you a proc with ret 4 and below it another proc with ret 4. Compare the 2 procs, they are slightly different... I tried putting this entry 207 as FreeResource and the prog quits silently... try with LockResource and it runs...
Looking at the deadlisting by evaluator I found out that LockResource will normally come before FreeResource, but I am not sure... DigiSecret and CommView have the same pattern... maybe this is the problem for you?
Tsehp, I found the bug in RV now: when I load a saved resolved with RV, RV will not read the last import if it is the only import from another DLL, like this case of WinSniffer:
426 0003B6D8 7FF482A8 00D7 ole32.dll OleUninitialize
427 0003B6DC 7FF4F578 00C0 ole32.dll OleInitialize
428 0003B6E4 7FE54D20 0008 oledlg.dll OleUIBusyA
eof
RV will not load the last import from oledlg.dll unless I make it look like this:
426 0003B6D8 7FF482A8 00D7 ole32.dll OleUninitialize
427 0003B6DC 7FF4F578 00C0 ole32.dll OleInitialize
428 0003B6E4 7FE54D20 0008 oledlg.dll OleUIBusyA
428 0003B6E4 7FE54D20 0008 oledlg.dll OleUIBusyA
Maybe that is why I get erratic results, cos I tend to save then load stuff!!!
That is all for now, please correct me if I am wrong...
Thanx
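The reload bug and the duplicated-line workaround described in this post, as an added example that is not code from the thread, ReVirgin or ImpRec: a small grouper over the quoted resolved.txt line format, with the tail flush whose absence makes a trailing single-import DLL vanish, and a check that reports both the dropped DLL and the duplicated IAT slot.

```python
# Added example (not from the thread, ReVirgin or ImpRec): regroup a
# ReVirgin-style resolved import list by DLL and sanity-check the result.
# Line format, as quoted above: index, IAT RVA, address, hint, DLL, API.

# Constructed sample: the tail quoted in the thread; its last DLL has one import.
RESOLVED_TXT = """\
426 0003B6D8 7FF482A8 00D7 ole32.dll OleUninitialize
427 0003B6DC 7FF4F578 00C0 ole32.dll OleInitialize
428 0003B6E4 7FE54D20 0008 oledlg.dll OleUIBusyA
"""

def parse_resolved(text):
    """Return (iat_rva, hint, dll, api) tuples; skips blanks and 'eof'."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        _idx, rva, _addr, hint, dll, api = parts[:6]
        entries.append((int(rva, 16), int(hint, 16), dll.lower(), api))
    return entries

def group_by_dll(entries, flush_tail=True):
    """One (dll, [(iat_rva, hint, api), ...]) run per consecutive DLL block.
    flush_tail=False only emits a run when the DLL changes, losing the last one."""
    groups, current, thunks = [], None, []
    for rva, hint, dll, api in entries:
        if dll != current:
            if current is not None:
                groups.append((current, thunks))
            current, thunks = dll, []
        thunks.append((rva, hint, api))
    if flush_tail and current is not None:
        groups.append((current, thunks))
    return groups

def check_groups(entries, groups):
    """Report DLLs missing from the groups and IAT slots that appear twice."""
    problems = []
    grouped = {dll for dll, _ in groups}
    for dll in sorted({e[2] for e in entries}):
        if dll not in grouped:
            problems.append("dropped dll: " + dll)
    seen = set()
    for dll, thunks in groups:
        for rva, _hint, api in thunks:
            if rva in seen:
                problems.append("duplicate slot %08X: %s!%s" % (rva, dll, api))
            seen.add(rva)
    return problems
```

Running `check_groups` over a listing before pasting the rebuilt IT catches the lost oledlg.dll run; the duplicated-line workaround quoted above shows up as a duplicate slot instead.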
Al Solodovnikov
February 20th, 2002, 03:58
Quote:
Originally posted by binh81
AsProtect is really a bitch really...
And it's just a beginning.

You'll forget about RV and ImpRec soon.
---
Alex VeryLongRussianSurname
foxthree
February 20th, 2002, 05:15
Hi binh81:
Thanks for your tips. I tried every one of them. I concur with you: there are a few bugs (like the weird RVA problem when pasting the IAT) when I run on Win2K. I do not have a Win98SE at present where I can test whether my earlier built IAT would work.
I've tried whatever you've told me but still no luck. Same old NTDLL.DLL problem. Ugh!
Also, I noticed a few things:
(*) In my rebuilt IAT there were 2 references to LockResource. Why? (ASProtect trick or RV bug?)
(*) Why are the hint values in RV off by 1, i.e. if the hint value for an exported API in KERNEL32.dll is, say, c5, in RV it comes as c6. Why? Is it OK? Any explanations (Tsehp?)
All I can say at the moment is that, by mistake, I chose a wrong ASPROTECTed target. I should've chosen something in the tuts, tried that and then come back to this. What really frustrates me is that I still do not know what I've done wrong. Spek says it works fine for him in Win98 (with *my* rebuilt IAT)? So what gives in Win2K?
Maybe, like Alexey has written above: is it time to upgrade Revirgin?
With many more such questions in mind:
Signed,
-- FoxThree
PS: BTW, binh81, the bug about OLEDLG.DLL is very correct! I'm also able to reproduce it here!
me8
February 20th, 2002, 06:18
hhh, i believe reversing gods are able to reverse anything in the world....ones protect, others deprotect, who wins :-))
Kilby
February 20th, 2002, 06:57
Miserable Kilby says nobody wins!
However, we have fun, and Alexey earns money.
So things aren't too bad.
Is it me or is everything wrapped by ASProtect written in Delphi?
Kilby...
SpeKKeL
February 20th, 2002, 07:19
Quote:
Originally posted by Al Solodovnikov
And it's just a beginning. You'll forget about RV and ImpRec soon.
---
Alex VeryLongRussianSurname
Haha, sweet dreams, you must be knowing..............!!
Btw foxthree, check your PM.
SpeKK

crUsAdEr
February 20th, 2002, 17:35
Foxthree, maybe you do something wrong when you paste the IT into the dumped file; somehow I cannot download your IT.bin to compare, so here is my Win2k executable version...
Hope this helps.. yeah, you should try CommView with Spl/\j's excellent tutorial... that threw my AsProtect fear away :>
damn.. the file is too big...
foxthree
February 21st, 2002, 03:44
Hi binh81:
Great news, man! I don't know, maybe I'm doing something wrong. BTW, did you try zipping the file and then uploading? That might help. I really don't know where I'm missing; I did exactly everything by the book. Yes, I've gone through +Spl/\j's tut on CommView 3.1. However, where I get stumped is the place where he says "S EIP L FFFFFFFF 61,FF,E0". When I do this, I'm always getting "Pattern not found". In many of his tuts he is following this approach but nowhere has he mentioned from where we should issue this search command. That is pretty confusing and frustrating.
If poss, try upping the executable. I'll diff it and see where I'm wrong. Thanks a bunch, man.
Signed,
FoxThree
PS: I've tried the same on Win2K SP2 with still the same results :-(
foxthree
February 21st, 2002, 07:31
Hi Guys:
Finally I got it working on Win2K and it was neither an RV bug nor Alexey's coolness of ASProtect. It was a DUMB bug in Hex Workshop 3.1. (As binh81 correctly pointed out, thanks binh81.)
See, RV correctly resolved the IAT. But when I pasted the rebuilt IAT into the app, Hex Workshop would show it as pasted but wouldn't really do it! DoH! All the while I was thinking that the IAT was correctly pasted.
So taking binh81's lead I tried another app, UltraEdit. Lo! It works.
Pretty dumb of me, heh! But finally, what matters is that I fixed it.
Take care, fellow newbies: DO NOT USE HEX WORKSHOP for APPS MORE THAN 2 MB. [You can test this by yourself.]
My sincere thanks to SpeK, binh81, tsehp (U ROCK!!!) ...
My not so thanks to Alexey (for gloating and making it sound like some ASPROTECT trick! Alexey: IT IS NOT!!! RV ROCKS ;-))
Signed,
--FoxThree
PS: One good thing in this whole exercise was I learnt so much about ASProtect through so many quality tuts (hi +spl/\j). Alexey, watch out <grin>
crUsAdEr
February 21st, 2002, 07:39
You can run the app first, then use WinHex to open its memory while it's running, then do a search for "61 ff e0"; then you will find the occurrence of it...
Also you should read soloman's tip for finding the OEP manually on Win 2k, works great :>