unpacking APDFPRP 1.61 (Elcomsoft) ASPROTECTED!
foxthree
February 22nd, 2002, 05:04
Hi guys:
After unpacking 2 asprotected apps (Hi Alexey), I was having a go at Advanced PDF Password Recovery Pro 1.61. My analysis is not yet complete, but there seems to be a new variant of ASPROTECT on the scene.
(1) Revirgin tracer does not work completely but gets stuck in some local loop which goes on and on for about 1/2 hour
(2) I haven't tried /tracex as I don't have access to Win98 machines, but like +Spl/\j wrote in one of his tuts, Alexey knows about this and might've coded asm loops to frustrate us ;-)
(3) All the old tricks of +spl/\j (bpx GetVersion, S EIP L FFFFFFFF 61,FF,E0) are gone. Now bpx on GetVersion gets called a whopping 100+ times or more (again in a local loop)
(4) Same is the case with bpx GetProcAddress
So finding the OEiP itself is now much harder. Anyway, I'm yet to try Solomon's suggestion on BPX IRETD and a couple of other tricks of my own <grin>
But just thought +Spl/\j, +tsehp and other gurus might be interested.
Signed,
-- FoxThree
SpeKKeL
February 22nd, 2002, 07:27
Hmm, you're steaming up in asprotect?!
Okay, this new aspr is threaded on the general forum >> search
asprotect1.4 by splaj..!
btw oep: 4152b4
iat: 404a0
length: 3d0
Fully rebuilt. (like evaluator said: It's time for a new update)
Ciao SpeKK
foxthree
February 22nd, 2002, 10:00
Hi Spek:
Thanks for your information. Yes, I got the link. Also, thanks for providing me reference values ;-)
BTW, how did you find the OEiP? I seem to be stuck there itself. DuH? (/tracex?)
Signed,
-- FoxThree
crUsAdEr
February 22nd, 2002, 10:49
Yep, got the full dump working....
foxthree, Revirgin tracer works no problem on mine, spl/|j's trick of finding "61 FF E0" with bpx ntcontinue by Solomon works as well... i actually manually trace it :>>>... spent like 3 hrs, actually the prog won't crash if u set a series of breakpoints and then trace slowly....
This version of AsProtect has one user32.dll that ReVirgin can not solve, and i've seen all the AsProtect tricks summed up in this version... perhaps there are more but so far all that i have known or not known are inside this prog :>..
foxthree
February 22nd, 2002, 13:56
Hi Spek/binh81:
Thanks for helping me out guys. I've almost rebuilt the IAT based on your advice. (That tip by +spl/\j == ROCKS!)
But like binh81 correctly pointed out, my final IAT does indeed miss one USER32.dll call.
How can I find this one out? I tried setting bpx on GetVersion and then doing a :U 007FCA58 but still couldn't figure out what is there at that location (just a PUSH EBX is there?)
How to figure this one out? I'm attaching my rebuilt IAT.txt with this post for your reference. I'm rebuilding on Win2K btw.
Thanks for all your help and advice.
Signed,
-- FoxThree
crUsAdEr
February 22nd, 2002, 18:31
an easy way is the alphabetical order :>>>
This is nice if u see all the imports are in alphabetical order :>... so the missing one must be something between DestroyWindow and .. can't remember the other one but u get the idea :>...
then look at the substitute procedure itself, it has a "ret 14" at the end... very few have this.."ret 14"...
then it calls 3 functions from kernel32.dll
u can disassemble user32.dll to look into it.. it should be obvious from there :>>>
*******************************
KEEP TRYING, YOU WILL LEARN SOMETHING NEW
LEARN, LEARN MORE, LEARN FOREVER!!!!!
foxthree
February 25th, 2002, 02:58
Hi Spek/binh81:
I've followed your advice. However, I have a few questions. Firstly, I've followed all your steps and [hopefully] reconstructed the IAT. BTW, binh81, thanks for your tip. I think the missing API is DialogBoxIndirectParamA, right?
After final rebuilding, my app crashes at 0x0041CD4D which accesses some himem area and there you find the instruction ADD EAX,AL (which looks like some unpacked region).
Why is this happening?
Also, SpeK: you've written the OEiP is 4152B4: However when we run under Revirgin (thanks again binh81), it does break there but the instructions there are:
004152AF pop edi
004152B0 pop esi
004152B1 pop ecx
004152B2 ret
004152B3 add cl,ch
004152B5 add cl,ch
004152B5 add cl,ch
004152B5 add cl,ch
004152B5 add cl,ch
004152B5 add cl,ch
004152B5 add cl,ch
004152B5 add cl,ch
Firstly: This is strange; there is no such address called 4152B4 (which most probably means the unpacker is still working)
Secondly: Most Entry Points have the following sequence, right?
push ebp
mov ebp, esp
Why does the above piece of code not have this but is still referred to as the OEiP?
Forgive my ignorance.
Thanks in advance,
Signed,
FoxThree
crUsAdEr
February 25th, 2002, 04:50
The OEP is slightly different for this one, MOST progs have the OEP as "push ebp, mov ebp, esp" but NOT all....
Secondly, i think the API for user32.dll is DialogBoxParamA, can't remember now that i have uninstalled it already...
Try to use spl/\j's "61 FF E0" to find the OEP. it's definitely more accurate.. i use RV tracer to check if AsProtect does something else funny before handing over at OEP...
Yeah, that's all for now... keep trying :>
SpeKKeL
February 25th, 2002, 05:52
Yep,
Maybe oep is different (traced by tracex).
The user api is DialogBoxParamA (like binh said); check it out. Look closely
at the code aspr is calling..... (in SI: u DialogBoxParamA)
Crashing your prog could be caused by (i thought there were 2)
the api's calling, for example: getversion + ret 004 !! in aspr no problem, but in your rebuilt one, when you use getversion it leads to crashing.. So instead use kernel ord 002f.
Try to search for some info on the board about this...
Success
SpeKK

foxthree
February 28th, 2002, 14:55
Hi Spek/binh81/others:
At last, I've succeeded in unpacking APDFPRP. I owe it a lot to you guys. I'm really learning a lot, I think. Yes, it was DialogBoxParamA. I think it is internally calling DialogBoxIndirectParamA, so I got confused :-(
My big thanks to you guys and mainly to +spl/\j and evaluator without whom the great ASPROTECT 1.4! hint wouldn't have been made!
Thanks once again guys. I'm humbled.
Signed,
-- FoxThree