Hard to unpack ?!


grasii
April 13th, 2002, 16:12
Hi there
Here is the problem:
Program: Advanced MP3 Catalog Pro 2.0 *ww.wizetech.com
Packed: unknown ->there are several sections with no names.
CRC check.
Breaks just under TRW. Tried to unpack but reached 12B0C0C. From there the next ret jumps me into the kernel. Traced on until I reached BFF88059 CALL BFF76702, traced until here: 03EE INT 30. From here the program launches and I am unable to trace any more.
Thanks to anyone that can help with some hints.

foxthree
April 13th, 2002, 19:16
Hi there:

It is protected by ASProtect, my friend. Wow, Alexey must be making lots of money. Mind sharing some with us, Alexey? Search the board, Grasii, and you'll see how the author of this software wasted a good $99.

Signed,
-- FoxThree

PS: btw, folks, my new "tool" found the OEP for this proggie within seconds... Await its release *SHORTLY*

nikolatesla20
April 13th, 2002, 20:21
heh heh foxthree , sounds interesting !

But I already found the OEP, it's at 0055BDA8. Sure are a lot of Delphi apps floating around out there... seems Delphi and ASProtect go together well.

First DIP:
0055B5F4

Second DIP:
004FB310

Still workin on it, be done soon methinks...

-nt20

crUsAdEr
April 13th, 2002, 20:40
Hi folks,

just a reminder for the enthusiasts :>... let's try to refrain from posting too often on ASProtect if there is nothing new, as Kayaker has said... Tesla, if you read the archive you will realise that fox3 and I are guilty of last month's flood of posts on ASProtect that wiped out other interesting topics on RE...

just some thoughts,
binh

P.S.: Tesla, I tried to PM you but you have not activated your PM... well, I am learning about writing loaders, would you mind sharing your BPFTP loader source with me? Thanks...

foxthree
April 13th, 2002, 21:41
Hi there:

he he, what can I say? "Guilty as charged"

However, on a more serious note, yes Tesla, I think binh has a point and so did Kayaker. If we started posting OEPs and rebuilt RV.txt's, it might become easier for somebody to just blindly follow a thread and have an unpacked app.

On a lighter note, you're now an ASPR master ...

Signed,
-- FoxThree

nikolatesla20
April 13th, 2002, 22:42
OK, I agree that, yep, we spend too much time on ASProtect.

Just to let you know, I now have it unpacked and running.

Just a little side trick for you all: if you've ever unpacked a Delphi app before, you can probably get away with filling in the blanks in the unresolved import table by just looking at another one that you've done before. Delphi uses pretty much the same imports all the time, and in the same order. That's how I did this one: I used RV and then just looked at another project's imports to fill in the missing functions, and it works... But I'm sure you guys have thought of that already.

Yes, I am not going to post my resolved here this time either. You have to do some work, you know, to get better! But I will let you in on a little secret: I followed the same style pattern as Spl/\j helped me with for BPFTP server. (You need to create a new entry point and have it call one of the first DIPs before going to the OEP.) I thought I would use that technique on this proggie and it seemed to work.

Take a look at my other post for more clues:

h**p://www.woodmann.net/forum/showthread.php?s=&threadid=2964

Have Fun!

-nt20
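
The "new entry point that calls a DIP and then jumps to the OEP" pattern nikolatesla20 describes above, as an added worked example (this is not his code, his loader, or anything attached to the thread). The OEP 0055BDA8 and first DIP 0055B5F4 are the values he posted; the image base 00400000, the stub address 0055C000 and the assumption that the DIP can simply be `call`ed with no arguments are mine, and a real target may need the section table consulted to find a code cave and its file offset for the stub bytes, which this example does not do: it only assembles the stub and rewrites AddressOfEntryPoint in a constructed, header-only PE32 image.

```python
import struct

# Values posted in the thread (nikolatesla20): OEP and first DIP of the target.
OEP_VA = 0x0055BDA8
FIRST_DIP_VA = 0x0055B5F4
# Assumed, not from the thread: Delphi's usual image base and a free VA for the stub.
IMAGE_BASE = 0x00400000
STUB_VA = 0x0055C000


def rel32(next_insn_va, target_va):
    """x86 rel32 displacement: target minus the address of the following instruction."""
    disp = target_va - next_insn_va
    if not -0x80000000 <= disp <= 0x7FFFFFFF:
        raise ValueError("target out of rel32 range")
    return struct.pack("<i", disp)


def build_entry_stub(stub_va, dip_va, oep_va):
    """10-byte stub: E8 rel32 (call DIP) followed by E9 rel32 (jmp OEP).

    Assumption: the DIP is a plain routine that returns normally when called with no arguments.
    """
    call = b"\xE8" + rel32(stub_va + 5, dip_va)   # call is 5 bytes, so next insn is stub_va + 5
    jmp = b"\xE9" + rel32(stub_va + 10, oep_va)   # jmp follows at stub_va + 5, next insn at + 10
    return call + jmp


def decode_stub(stub_va, stub):
    """Decode the two instructions back to absolute targets (self-check for the displacement math)."""
    if stub[0] != 0xE8 or stub[5] != 0xE9:
        raise ValueError("unexpected opcodes in stub")
    call_target = (stub_va + 5 + struct.unpack("<i", stub[1:5])[0]) & 0xFFFFFFFF
    jmp_target = (stub_va + 10 + struct.unpack("<i", stub[6:10])[0]) & 0xFFFFFFFF
    return call_target, jmp_target


def _optional_header_offset(pe):
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20            # skip Signature and IMAGE_FILE_HEADER (20 bytes)
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    return opt


def entry_point_of(pe):
    """Read IMAGE_OPTIONAL_HEADER32.AddressOfEntryPoint (offset 16 into the optional header)."""
    return struct.unpack_from("<I", pe, _optional_header_offset(pe) + 16)[0]


def patch_entry_point(pe, new_entry_rva):
    """Return a copy of the image with AddressOfEntryPoint pointed at the new stub."""
    out = bytearray(pe)
    struct.pack_into("<I", out, _optional_header_offset(pe) + 16, new_entry_rva)
    return bytes(out)


def minimal_pe32_headers(entry_rva):
    """Constructed, header-only PE32 image (no sections): just enough for the patcher to work on."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    # Machine=i386, 0 sections, no symbols, SizeOfOptionalHeader=0xE0, Characteristics=EXE|32BIT
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x10F)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                      # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)                 # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, IMAGE_BASE)                # ImageBase
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


def redirect_entry(pe, stub_va=STUB_VA, dip_va=FIRST_DIP_VA, oep_va=OEP_VA, image_base=IMAGE_BASE):
    """Build the stub and repoint the header at it; returns (stub_bytes, patched_image)."""
    stub = build_entry_stub(stub_va, dip_va, oep_va)
    return stub, patch_entry_point(pe, stub_va - image_base)


if __name__ == "__main__":
    image = minimal_pe32_headers(OEP_VA - IMAGE_BASE)
    stub, patched = redirect_entry(image)
    print("stub bytes:", stub.hex())
    print("old EP RVA: %08X  new EP RVA: %08X" % (entry_point_of(image), entry_point_of(patched)))
    print("stub decodes to call %08X, jmp %08X" % decode_stub(STUB_VA, stub))
```

Run it as a script and it prints the assembled bytes and the before/after entry point RVA; the decode step is there because getting the rel32 origin wrong (measuring from the opcode instead of the next instruction) is the usual mistake when hand-building this kind of stub.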

+SplAj
April 14th, 2002, 08:48
Ok,

Kayaker made a very good point about disclosing 'lame' infos about specific targets...i.e. we are making easy cracks for the lamers.

However there are always newbies arriving here and need to get up to speed with aspr unpacking. Foxy, Bin81, and now Niko are a few of the current eager ones I helped because you showed a lot of enthusiasm and posted some details that proved you were truly interested in reversing not just cracking a particular target.

So, maybe we can agree some 'rules of engagement' as from today ?

1) whenever a 'new-person' asks about unpacking aspr or any packer we refer them to the excellent MB 'search' engine here.
There is a lot of info available.

2) If they show NO workings we ignore them ?

3) If they 'integrate' well by showing some points and approach they made and just need some 'fine tuning' we help as much we can.

However,
We refrain from attaching files that would help to make an easy crack. We do NOT attach rebuilt IATs any more. Only refer to specific APIs that may be under dispute. We only get to the stage of 'removing' the packer, no extra crack detail, but we can discuss the method, like BPX FindFirstFileA for a file-size check, for example.

BTW I deleted my 'attachment' to BP FTP Server thread by Niko.

Spl/\j

nikolatesla20
April 15th, 2002, 02:08
Well I killed the nag screen no prob.

The other limitations are you can't print a report or save/export. One of the options in the program is that you can export a CSV file (comma separated file) to use in Excel and stuff, but if you are unregistered you can't do it. How many times will I need that anyway? Probably not much..

Now you can see the problem with this: the code to save the exported data is encrypted unless you are registered. At least that is what it looks like to me when I look at it in SI and in WinDASM. Right in the "Finish" event handler, the code checks for a valid string in the save box, and then it simply jumps over a bunch of mishmash ugly instructions. This is typical of encrypted ASProtected code. ASProtect inserts a jump before the encrypted fragment so it won't run.

Oh well, I guess I will need to get better at crypto before I think I can undo this. Of course there is another solution: get a handle to the data buffer myself and save it out, by tacking my own assembler routine onto the program. Not super hard, just gotta make sure you can get to the buffer (which you can, it's just finding it, and its structure, that could take a while).

Just thought I'd leave an update on progress.
Basically I think I might be finished with this target for now, I get bored easily
-nt20
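
A triage heuristic for the pattern nikolatesla20 describes above (a jump inserted in front of a fragment that stays encrypted when unregistered), as an added example that is my own and not ASProtect's mechanism or anything from the thread: walk a code blob for forward `jmp short` / `jmp rel32`, and flag the skipped bytes when their normalised Shannon entropy is high, since genuine x86 code has far lower byte entropy than ciphertext. The sample bytes, the base address 00401000 and the threshold are constructed assumptions. It is a byte-by-byte scan, not a disassembly, so an EB or E9 inside an operand can produce a false positive; treat hits as places to look at in the debugger, not as proof.

```python
import math

# Assumed base VA for the constructed sample below (not a value from the thread).
SAMPLE_BASE_VA = 0x00401000


def shannon_entropy(data):
    """Bits of entropy per byte over the given bytes."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def normalized_entropy(data):
    """Entropy divided by the maximum possible for a buffer of this length (0.0 .. 1.0)."""
    denom = math.log2(min(256, len(data))) if len(data) > 1 else 1.0
    return shannon_entropy(data) / denom


def find_skipped_fragments(code, base_va, min_len=16, threshold=0.85):
    """Return [(jump_va, fragment_va, fragment_len, norm_entropy)] for forward jumps over
    fragments of at least min_len bytes whose normalised entropy reaches the threshold."""
    hits = []
    i = 0
    while i < len(code):
        op = code[i]
        if op == 0xEB and i + 2 <= len(code):            # jmp short rel8
            disp = code[i + 1]
            if disp >= 0x80:
                disp -= 0x100
            start = i + 2
        elif op == 0xE9 and i + 5 <= len(code):          # jmp rel32
            disp = int.from_bytes(code[i + 1:i + 5], "little", signed=True)
            start = i + 5
        else:
            i += 1
            continue
        end = start + disp
        if disp >= min_len and end <= len(code):         # forward jump, target inside the blob
            frag = code[start:end]
            norm = normalized_entropy(frag)
            if norm >= threshold:
                hits.append((base_va + i, base_va + start, len(frag), round(norm, 3)))
        i += 1
    return hits


# Constructed sample: a Delphi-style prologue, some filler, then "jmp short +0x20" over 32 bytes
# that stand in for an encrypted fragment (32 distinct byte values, so maximal entropy), then ret.
CLEAN_CODE = (bytes.fromhex("558bec83c4f8")        # push ebp; mov ebp,esp; add esp,-8
              + bytes.fromhex("33c0") * 6          # xor eax,eax x6
              + bytes.fromhex("59595dc3"))         # pop ecx; pop ecx; pop ebp; ret
ENCRYPTED_LOOKING = bytes(range(0x20, 0x40))
SAMPLE_CODE = CLEAN_CODE + b"\xEB\x20" + ENCRYPTED_LOOKING + bytes.fromhex("5dc3")


if __name__ == "__main__":
    for jump_va, frag_va, length, ent in find_skipped_fragments(SAMPLE_CODE, SAMPLE_BASE_VA):
        print("jmp at %08X skips %d bytes at %08X (normalised entropy %.2f)"
              % (jump_va, length, frag_va, ent))
```

A jump over 16 NOPs or over ordinary code scores near zero and is not reported, which is the point of the entropy test: plain compiled code that merely happens to be jumped over should not light up.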

Solomon
April 15th, 2002, 02:33
I totally agree with +SplAj

grasii
April 15th, 2002, 23:23
Thanks to everybody.
The problem wasn't how to crack that prog but the packer. I've already cracked it and used a loader to make it work.
To nikolatesla20: there is another limitation: no more than 3 albums in a catalog. Cracked it too.
Thanks again. I'll study the asprotect and make it cry

+SplAj
April 16th, 2002, 07:15
Grasii

If you thought that I meant beginner==lamer then I am sorry for that. You may be a newb, but please just show some willingness to learn and the info/education will be delivered.

Welcome

Spl/\j