ok u asked for D-D targets !!!

here is a nice aspr MULTI dipper as a newbie challenge :-

[http://***.timeutilites.com/downloads/atc.exe]

thanks to SpeKKel for that one....have phun we did

Spl/\j

BTW I have big trouble with RV1.3 destroying its own iat.bin after loading from disk and building. I think I saw someone else with this prob on the 'tools' pages ? Did anyone else come across this prob ?

The target is CV3.3 from Tamos...somethin new from Alexey ? RI have to speak to the Admiral and fire a shot across his bows

later

eh, SPLAJ..
Can't understand your love to ASsPR!
What you found interesting???


Paste my IT.BIN in dump at 22C000h.
Values for PEditor:
OEP=21CFA4
IT =22C000 SIZE=0000026C

I think, will better if you make dump at OEP.
Old size-check exists

Hi eval

I tink u misunderstand. I have rebuilt that time thingy a month or so ago. It's just a trget for those interested in D-Dip. Also rebult CV3.3 with RV1.2beta. Just sayin that RV1.3 destroyed IT/IAT bin file in both Win98SE & Win2Ksp3.......hmmmm

I just mentioned that aspr code is different now. The 61 ff e0 (Jmp EAX) is gotten to in a very 'decrypted' way.

Somethin different for sure in CV3.3 aspr

hmmm

Spl/\j

Thanx Spl/\j for the prog :>...

Finally get it to work :>... "wow" I must say, 10 dips in before OEP and only 2 should be missed... but the address of the dip in can give quite a hint though...

A few booby traps to check for AsProtect... this is really one program that integrates with AsProtects, luckily it is quite a simple program so i was able to find (hopefully) all the AsProtect checks...

Thanx splaj.. this one gives me some further insight of those dip before OEP... fox3, you should definitely try this one.... :>...

SPLAJ!

Maybe because of my poor english I didn't understand you..
But for me RV1.3 works fine! Nothing bad happens.
Here again I upladed resoleved&finished.txt and IT.BIN.
Now "autofix" option choosed.

OOPS, SPLAJ!
I look in your "resolved". All is same as my except IT length!
Your IT size is wrong. After "resolve again" RV1.3 displays 3B0.
This value can be used

Hi +splaj guru / binh81:

Thanks for this wonderful exercise. Whoops is what I can say.

In brief, I'm not able to unpack this one but I present below my analysis. Can you/binh81 verify this? I'm still trying and almost there :->

Okey: First like binh81 said there are 10 dips at 4504F8, 489A30, 450498, 4504A8, 489660, 450538, 4504B8, 450474, 450498 (2nd time), 4504A8 (2nd time)

Most of the dips it is:

PUSH EBP
4 lines of code
RET 4 (except in 2 cases where it is RET 8)

except for the "BIG" dip at 489660.

Now here is what I did. I bypassed 489660 (r EIP) and then search for the 61,FF,E0 (thanks +splaj). I find it at cs:11A3424. Note the value in EAX: 00489DB8.

----------> Marked this as OEiP (cs:00489DB8). Dumped here!

Now run RV 1.3. I Find the following values:

RVA: 0008D168
Lenth: 00000708

However, the resolved values look mighty strange to me 'cos KERNEL32.DLL is interleaved and same import call is made in 2-3 places (why?) I checked in SICE IAT Table and everything is fine! That is the way IAT is this for this prog. Ok, generated IAT.bin and pasted.

Did the usual change EiP CALL 489660/JMP 489DB8.

Run it. Just after click on Evaluate, proggy quits! So let's debug...

One redirected call I found at 00489E86!

So find it , traced and found that it calls 004898C4.

Patch it! at 489E86: CALL 4898C4.

Now run it!

Weird! Proggy said "Encrypt and Decrypt. Please run ASprotect on this app. API is incorrect" but runs. However each click on the top tabs is giving "Access violation at 45076E while writing to BFF77716 (addr of GetProcAddress)"

Questions:

(1) Is my EiP correct?
(2) Is my IAT correct ? ( I doubt this much!)
(3) binh81 says 2 dips neesd to be skipped, where as I found only one!

Can you guide me? I need only tips :-)

Signed,
-- FoxThree

I dont know what is wrong with my system but I have always problem with finding OEP of new aspr in Win98 SE.Searching popad freezes my system.I can only find by tracex and it gives wrong OEP sometimes like in this example.I have found OEP by Dafixer's tips.

Anyway I got same error like foxt3 here is the proc which gives error message when you change tab



I guess we should fix the pointer where it currently points to IAT.I am not familiar with new aspr

ps:If someone could explain how to find OEP and this "dips in win98 in a way that newbie can understand I will be quite happy

Hi Laptonic:

I've also got the exact GetProcAddress with the same asm code (I traced just now with SICE) write error like you've mentioned. We've both done something horribly wrong 'cos binh81 reports everything as fine. Anyways, waiting for inputs from +splaj guru/binh81.

Cool now about your questions:

Finding OEiP:

Like yoda, says in Star Wars, "Tricky this one can be !" :->>

Okey, two things, one what i've observed is most ASPR code after going into ASPR shell once comes back to break at 00401014. Now in between this if you run /tracex, you'll have to wait for like 10-15 mins. Instead do this, dl SuperBPM. Run it. Now load app into ICELoad. Breaks at 0x40001000. Now do a bpmb cs:00401014 x. Let it run. Voila! It breaks at 00401014 almost instantly ;-) Now trace back to ASPR Code. Now give a /tracex. It will speed your finding of OEiP by 40-50% atleast.

The Second thing is I've also had my PC crash when I search for signature bytes. I wanted to ask +splaj guru himself why this is so? But if you follow my earlier trick, you'll find POPAD. Now load SUPERBPM and bpmp at that mem location. F5 and voila you break at POPAD. Trace and find JMP EAX <grin>!

Hope this helps,

Signed,
-- FoxThree

PS: For Double Dips, there is nothing better than the big "writing" by +splaj on RegOrganizer 1.3Beta4. See it!

Hi Fox3,

Yep, look at you dip listing.. most are 450xxx which sets up AsProtect Flag and can not be skipped... 2 dips at 489xxx should be skipped, if you look at the 489A30, it will move 4898C4 into [489E86] but since you have patched it, it should be fine...

The messagebox of invalid AsProtect API is called when the program check for its API at 48AB00 if i am not wrong.. just change this dword to 00000000 will do the trick...

Yep, your crashing is caused by the code pointed out by Laptonic, basically [ebx] is one of your IAT entry, so if ATC.exe is AsProtected then [ebx] is redirect to AsProtect memory which is writable, however when we unpack it, [ebx] now points to Window API address and is protected so you can not write data there anymore, but look at the code,

push [ebx]
mov [ebp+4], ebx
pop [ebx]

the push and pop operation does nothing but indirectly checking AsProtect redirected API... so i just nop both these push and pop or use the "48 40" trick.. then the prog should not crash anymore...

I found another check when u click the Adjust button.. yep... so watch out...

Again, i did not find the need to patch OEP to call the big dip at 489660 at all... :>.. it checks keyfile atc.bin...

Hi Laptonic : here is how i find OEP with AsProtect in 3 second :>
run the prog, use WinHex to open the prog memory and search "61 FF E0"... yeah u will find it and then bpm there with super bpm... boom you are there... the OEP is always the saem with jmp eax... the dip ia another problem which i have a zen for it but i dont know why and how :>... guess i have done 7 prog with dip already :> so ah well... my softice crash occasionally when i do search in memory with it so i use winhex all the tiem nowadays.. nice prog :>

that is all for now..

Cheers

binh8!

That last check is very fun, you will laugh!
I'm interesting if you find it!

I will upload soon if..

Hi +splaj/bin81/LapTonic:

Finally, I have cracked this one... and what a fun it was...

Okey lemme explain:

First of all we have two problem with the dumped executble:

(1) On running and clicking on evaulate, we get the horrible "Encrypt/Decrypt... Please repack this with ASPR and blah blah"..

(2) On click of each tab, we get GetProcAddress write error!

Solutions:

(1) This is complex. This is all because of indirect calls to ASPR code. The author must love calling into ASPR ;-)

There were (atleast) 3 re-directed calls.

a. at 00489E86: CALL [48AFA8] <-- replace with CALL 4898C4
b. at 004473A5: CALL [EBX+..] <-- replace with CALL 48460C
and the *final* one that completes the trick...
c. at 004843EA:

Here you'll find

at 004843EA: LEA EAX, EBP-0C
: CALL 004504E4 (Ugly function that causes the SEH to be trigged )

If you, see this call is in a SEH, and when the SEH get triggered, you get our friend the ASPR MsgBox !

So we should make the SEH not to trigger. Just see the line below the CALL...

CMP DWORD PTR [EBP-0C], 00

So this is the trick, normally the code does not come here and even if it does EBP-0C will not be 00 with ASPR Ugh!

So as +splaj guru would say , "patch"

at 004843EA: MOV DWORD PTR [EBP-0C], 00

(Opcodes: C7 45 F4 00 00 00 00
90 <--- NOP to make it 8 bytes )

Press F5 Yayyyyyyy.... No more ASPR boxes... Phew!!!

For (2)

it is very very simple and binh81 nopping will not work

So my little trick: Look at the address 004507EA or something.... bpx there. See up there is a PUSH EBP (function prologue heh!!)
Put a simple RET there ... So no longer memory write checks will be done.

[Note fellow RCEs: we're successful in this because the function itself is returning RET and PUSH is called within the function. If the function returned anyting other than a simple RET such as RET 4 or RET 8, we will have a corrupted stack if we replace with simple RET]

Boom.. Boom... No more GetProcAddress Errors!!!!

Phew... was it a debuggin' session or what!!!!

Anyways, my most humble thanks to +splaj (for introducing me to the art of D-D , binh81 for being there )

One small question though:

What does the attached piece of code do and why does it generate a SEH?

Answers are gratefully accepted.

Signed,
-- FoxThree

PS: Still have 9 runs to go... close.. but still running...

Hi eval,

yeah i did find it... :>...

Hi Eval:

Is my explanation above enough?

Signed,
-- FoxThree

Hi fox3,

Not sure about the differences between my dump and urs... but i did not patch that many bytes... think must be all the dipping... nopping out push[ebx] and pop [ebx] works fine on my machine... no problem... how can there be problem when u already nop it out? must be error somewhere else...

think even for "Invalid AsProtect API" massage, i only change one dword value...

okie.. just confirmed, i made 3 patches only... the prog seems to run fine, updating my time well... think i am gonna keep this :>... cos sice keep stopping my clock when it pops up...

Ah well... i'll see how :>...

regards

Thanks guys for the tips

Hi, FOX3!

Too many ENgLiSh!

Here I upladed ATC.ex without code!
Paste code yourself and be fun!!

well I see you all liked that one

I could re-live my experience from reading your posts... the misssing aspr dll message...the GetModuleHandle POP error etc etc... great reading.

It's good to make your own journey into the codewoods without holding hands....now you can fix anything

BTW SpeKKel discovered this target the day after I posted that I have ever only seen a 2 x dipper....wtf do I know !

BTW2 Thanks 'Eval the Terminator' for being around as usual...... Alexey must phear him

Spl/\j

Hee,

I agree with SplAj... eval, you should learn English well and write some neat tutorials for us :>... i teach u english, you teach me cracking :>??? How about that...

Just a random mroning blue thought...

Take care guys,

Hi all

Nice target +SplAj

I'm surprise that nobody have problem with 'Select' Time server button.
There is a little check:
0177:00450727 8B35D8C44800 MOV ESI,[0048C4D8]
0177:0045072D 8B463C MOV EAX,[ESI+3C]
0177:00450730 8B440628 MOV EAX,[EAX+ESI+28]
0177:00450734 663D0010 CMP AX,1000
0177:00450738 7404 JZ 0045073E
Is EOP 1000 ?

Regards SV

Yeah sv,

Did not test that button :>... wonder if there is anymore checks :>...
kinda effective way of protecting heh.. put a lot of small checks everywhere....

Thanx,

Hello,

If you guys are interested in this I posted a msg in RSE general about removing ASPR from a .dll file. It's a pretty weird implementation. I've found out so far that it dips twice before (what I think) is the OEP, but it accessing Aspr API functions (GetRegistrationInfo, etc) in the target dll. I've been working on it for several days now, and getting a crash course in how DLLs work in the process.