bpr in asprotect...


Sempai
April 11th, 2002, 08:17
i've got a question concerning asprotect, as so many have..:-)

after retrieving the location of the popad, jmp eax using the getversion/61,ff,e0 trick as well as confirming it with winhex, i need to break on that location, using the breakpoint that is in the tuts all over such as: BPR xxx xxx+3 R IF EIP==xxx

problem is that sice won't break on it. i tried several targets, but i cannot get it to break. if anyone out there could give me a push in the right direction i'd be very thankful.

foxthree
April 11th, 2002, 11:48
Use ElicZ's SuperBPM... However, it works on Win98 only. Also, put a BPM on the JMP EAX instruction and not on POPAD. *Sometimes* POPAD BPM does not work but JMP EAX works

Signed,
-- FoxThree

Sempai
April 11th, 2002, 14:10
thanx for the help, it's highly appreciated!

Nevertheless, it was not successful.. i tried SuperBPM already (i use win98 2nd ed.) and also setting the breakpoint on the JMP EAX did not give the desired result. I have no clue what else i can come up with next...

Solomon
April 11th, 2002, 15:29
Hi

Just try to find the following "call [ebp+18]" in Win9x (not tested in WinME). Probably this is where KERNEL32 calls the SEH handler of ring 3 applications.
Set a *conditional* breakpoint there, then you can watch how the exception handlers of ASPR are called. Right after the *last* SEH structure of ASPR, there is a "JMP [EBP-14]" or "PUSH [EBP-14]; RET". When you are at this JMP, you can set a BPM/BPR on "JMP EAX" to stop at OEP.
I always use this method to find the OEP of ASPRed progs in Win9x (but I formatted Win9x a long time ago). Please refer to my previous post on IRETD/NtContinue in Win2K. Good luck.

Code:

015F:BFF768A0 MOV EDX,BFF768FA
015F:BFF768A5 PUSH EBP
015F:BFF768A6 MOV EBP,ESP
015F:BFF768A8 PUSH DWORD PTR [EBP+0C]
015F:BFF768AB PUSH EDX
015F:BFF768AC PUSH DWORD PTR FS:[00000000]
015F:BFF768B3 MOV FS:[00000000],ESP
015F:BFF768BA PUSH DWORD PTR [EBP+14]
015F:BFF768BD PUSH DWORD PTR [EBP+10]
015F:BFF768C0 PUSH DWORD PTR [EBP+0C]
015F:BFF768C3 PUSH DWORD PTR [EBP+08]
015F:BFF768C6 CALL [EBP+18] <----------KERNEL calls the exception handler of your applications
015F:BFF768C9 ADD ESP,10
015F:BFF768CC POP DWORD PTR FS:[00000000]
015F:BFF768D3 LEAVE
015F:BFF768D4 RET



Code:

001B:00B005CC XOR [EAX],EAX <--------- the last SEH of ASPR
001B:00B005CE POP DWORD PTR FS:[00000000]
001B:00B005D5 POP EAX
001B:00B005D6 CMP DWORD PTR [00B049DC],00
001B:00B005DD JZ 00B005F3
001B:00B005DF PUSH 0C
001B:00B005E1 MOV ECX,00B049DC
001B:00B005E6 LEA EAX,[EBP-08]
001B:00B005E9 MOV EDX,00000004
001B:00B005EE CALL 00AFC8FC
001B:00B005F3 PUSH DWORD PTR [EBP-04]
001B:00B005F6 PUSH DWORD PTR [EBP-08]
001B:00B005F9 MOV EAX,[EBP-0C]
001B:00B005FC CMP DWORD PTR [EAX],00
001B:00B005FF JZ 00B00603
001B:00B00601 PUSH DWORD PTR [EAX]
001B:00B00603 PUSH DWORD PTR [EBP-10]
001B:00B00606 PUSH DWORD PTR [EBP-14] <------signature of the last SEH structure
001B:00B00609 RET

Sempai
April 11th, 2002, 16:45
hello solomon..

many thanx for your effort in helping me out. but i'm afraid i must be a little bit of a disappointment to you. i simply cannot get myself to find that CALL [EBP+18] you mentioned. Shame on me, i know.. :-)

so once again i would like to cry out for help, if it's not too much trouble. thanx!

Solomon
April 12th, 2002, 03:26
I don't think it's a shame coz everyone starts from newbie.

Here is how I find the *LAST* SEH of ASPR:
1. find ANY of the SEH structures in ASPR. In most cases, it contains a "XOR [EAX], EAX" instruction.
2. press F8 to step over "XOR [EAX], EAX" where EAX is 0. In Win2K, this will lead you into KiUserExceptionDispatcher(), but in Win9x, you will land in the ASPR exception handlers. Just trace till the exception handler returns, then you will see the "call [ebp+18]". This is the case in Win98. I don't know what it looks like in Win98SE/WinME.
3. put a BPX on "call [ebp+18]", e.g. "BPX XXXXXXXX if *(ebp+18)< 1000000" and keep pressing F5.
Each time this breakpoint is hit, type "u *(ebp+18)" to see whether it's the last SEH structure.
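As an added example (not part of this thread, and not any tool's own code), the filter behind Solomon's conditional breakpoint, *(ebp+18) < 1000000 (SoftICE reads numbers as hex, so 0x01000000), expressed as a small Python script that walks a chain of EXCEPTION_REGISTRATION records in a constructed 32-bit memory image. Each record is a prev pointer followed by a handler pointer, and the chain ends where prev is FFFFFFFF. The image, the stack base and the second and third handler addresses are constructed; only 00B005CC is taken from the listing above.

```python
import struct

APP_LIMIT = 0x01000000        # Solomon's filter: handler addresses below this are the app's
END_OF_CHAIN = 0xFFFFFFFF     # terminator in the prev field of the last registration record
STACK_BASE = 0x0063FE00       # constructed: where the fake stack image is mapped


def build_image():
    """Constructed memory image holding three chained SEH registration records."""
    img = bytearray(0x30)
    records = {
        # offset: (prev record, handler)
        0x00: (STACK_BASE + 0x10, 0x00B005CC),   # head of chain: ASPR handler from the listing
        0x10: (STACK_BASE + 0x20, 0x00B00100),   # constructed second protector handler
        0x20: (END_OF_CHAIN,      0xBFF8A000),   # constructed system-range handler, ends chain
    }
    for off, (prev, handler) in records.items():
        struct.pack_into("<II", img, off, prev, handler)
    return img


def read_u32(img, base, addr):
    """Little-endian dword read at a virtual address inside the image."""
    off = addr - base
    if off < 0 or off + 4 > len(img):
        raise ValueError(f"read outside image: {addr:#010x}")
    return struct.unpack_from("<I", img, off)[0]


def walk_seh_chain(img, base, head, max_records=64):
    """Follow prev pointers from FS:[0] (head) until the FFFFFFFF terminator.

    Returns a list of (record_addr, prev, handler). A loop or an over-long
    chain raises instead of spinning, since a corrupted chain is a real case.
    """
    chain, seen, addr = [], set(), head
    while addr != END_OF_CHAIN:
        if addr in seen or len(chain) >= max_records:
            raise ValueError("SEH chain loops or is longer than expected")
        seen.add(addr)
        prev = read_u32(img, base, addr)
        handler = read_u32(img, base, addr + 4)
        chain.append((addr, prev, handler))
        addr = prev
    return chain


def is_app_handler(handler, limit=APP_LIMIT):
    """The breakpoint condition: true when the handler lives in the application range."""
    return handler < limit


def app_handlers(chain):
    """Handlers that would survive the 'if *(ebp+18) < 1000000' filter."""
    return [handler for (_, _, handler) in chain if is_app_handler(handler)]


if __name__ == "__main__":
    image = build_image()
    for rec, prev, handler in walk_seh_chain(image, STACK_BASE, STACK_BASE):
        tag = "app" if is_app_handler(handler) else "system"
        print(f"record {rec:#010x} prev {prev:#010x} handler {handler:#010x} [{tag}]")
```

The walk stops at the record whose prev field is FFFFFFFF, and the classification is exactly the one the breakpoint applies each time kernel32 reaches the CALL [EBP+18]: handlers in the low (application) range are worth unassembling with "u *(ebp+18)", handlers up in the system range are skipped by pressing F5.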

Sempai
April 12th, 2002, 19:07
hi solomon...

many thanx for your help once again.

All went fine and i was able to reach the JMP [EBP-14]. But from there i don't seem to be able to find the popad, jmp eax anymore!

most likely i'm doing something not quite right, but perhaps you could shine your light over it once more...?! thanx in advance.

nikolatesla20
April 13th, 2002, 03:13
What I have found is that Win98 is kinda "stupid" with SoftICE.

For example, if you just CNTRL+D into SI, and then switch address contexts to see the memory of a program you want to spy on (use the "addr" command), try telling SI to unassemble an address and it won't. In Win98 it will say "invalid address". You have to type the SELECTOR in the address to make it work right.

For example:

Instead of u 00456432

I have to put:

u 0167:00456432

Note that I only need to do this when I get into the program's space with the context switch command. But I noticed you also seem to need it when trying to set BPM's sometimes in Win98.

In Win98 you have to "force" SI to the right address space in this way. In Win2K you don't, everything works correct.

So run your packed app, and then CNTRL+D into SI, switch into its address space ("addr <process name>"), and do the search for the popad, jmp eax.

s 30 L FFFFFFFF 61 FF E0

When the address pops up, put in your break range but don't forget the address selector.

bpr 0167:<address of popad> 0167:<address of popad +3> R IF eip==<address of popad>

Now, the 0167 is arbitrary. It might be different for you, just do a bpx GetVersion, and when you land in your app, write down the selector of where the code is. That is the selector you want to use later for this BPR.

This should work then. I just did this last night to break into commview 3.3. I use Windows 98 at home.

Just as a side note, yes Win98 is 32 bits and so memory is flat, but for some reason SI doesn't see it correctly like I said, you have to make sure it sets the bpm's correctly by using the selector if you have to, to force it. Win2K doesn't have this weirdo operation - for example I can unassemble even if I just switch contexts in Win2K.

-nt20

Solomon
April 13th, 2002, 06:28
There are ONLY several decrypt loops (many more in the latest ver of ASPR) between "JMP [EBP-14]" and "POPAD/JMP EAX". So I often manually bypass these loops by setting a breakpoint at the end of each loop and pressing F5. Sure we can also search for the address of "61 FF E0" first (assume it's xxxxxxxx), then type "g xxxxxxxx" at JMP [EBP-14].
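As an added example (not from this thread and not SoftICE's or WinHex's own code), the memory search and the breakpoint commands from nikolatesla20's and Solomon's posts expressed as a Python script: it scans a constructed in-memory image for the 61 FF E0 (popad; jmp eax) byte sequence, reports every hit rather than only the first, and builds the matching SoftICE "s", "bpr" and "g" command lines for a given selector. The image, its base address 00400000, the hit offsets and the selector value 0167 are constructed; the command syntax is the one used in the posts above.

```python
TAIL_JUMP = bytes.fromhex("61FFE0")   # popad ; jmp eax


def build_image():
    """Constructed 64 KiB image: NOP filler with two copies of the pattern
    and one near-miss (FF E0 alone) so the scan has something to reject."""
    img = bytearray(b"\x90" * 0x10000)
    img[0x1F3C:0x1F3F] = TAIL_JUMP          # constructed candidate 1
    img[0xA010:0xA013] = TAIL_JUMP          # constructed candidate 2
    img[0x0500:0x0502] = b"\xFF\xE0"        # jmp eax without a preceding popad
    return img


def find_pattern(image, pattern, base=0):
    """Every virtual address at which pattern occurs in image (overlaps allowed)."""
    hits, start = [], 0
    while True:
        idx = image.find(pattern, start)
        if idx < 0:
            return hits
        hits.append(base + idx)
        start = idx + 1


def softice_search_cmd(start, length, pattern):
    """SoftICE search: s <start> L <length> <bytes>."""
    return f"s {start:X} L {length:X} " + " ".join(f"{b:02X}" for b in pattern)


def softice_bpr_cmd(selector, addr, length=3):
    """Range breakpoint with the selector spelled out, firing only when EIP is the popad."""
    return (f"bpr {selector:04X}:{addr:08X} {selector:04X}:{addr + length:08X} "
            f"R IF eip=={addr:08X}")


def softice_go_cmd(addr):
    """Solomon's alternative: run until the popad address from JMP [EBP-14]."""
    return f"g {addr:08X}"


def candidate_commands(image, base, selector):
    """For each hit, the bpr and g command a user would type; several hits mean
    the address still has to be confirmed (e.g. by unassembling it) before use."""
    return [(hit, softice_bpr_cmd(selector, hit), softice_go_cmd(hit))
            for hit in find_pattern(image, TAIL_JUMP, base)]


if __name__ == "__main__":
    img = build_image()
    print(softice_search_cmd(0x30, 0xFFFFFFFF, TAIL_JUMP))
    for hit, bpr, go in candidate_commands(img, 0x00400000, 0x0167):
        print(f"{hit:#010x}: {bpr} | {go}")
```

Because the scan is byte-based, a 61 FF E0 sequence can also appear inside data or inside a different instruction boundary, which is why the script returns all hits and leaves the confirmation step (unassemble at the address) to the user, as the posts above do with WinHex.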

Sempai
April 14th, 2002, 14:40
thanx nikolatesla20: i tried your trick, but was not successful with it. i suspect something not to be quite ok with the location of the popad, even if i verified it with winhex.
thanx anyway, i'll keep trying.

Solomon: thanx once again, but the problem is that when i am at the jmp [ebp-14], the popad cannot be found anymore. searching for 61,ff,e0 gives not the desired result. seems strange to me, or am i mistaken..?

thanx anyway, to all that is out there giving me a hand in this problem.

Solomon
April 14th, 2002, 15:14
Sorry, I have not expressed it clearly. I mean using WinHEX or any other tool to search 61,FF,E0 in the process memory first.

Quote:
Originally posted by Sempai
the problem is that when i am at the jmp [ebp-14], the popad cannot be found anymore. searching for 61,ff,e0 gives not the desired result. seems strange to me, or am i mistaken..?