AsProtect but it's not about unpacking it :>
crUsAdEr
May 2nd, 2002, 11:28
Hi folks,
I wanted to ask about this... since AsProtect uses so many SEH in his dll... and he uses various tricks to prevent single stepping... I was thinking of writing a loader that debugs the AsProtected program... since SEH is handled first by the debugger (hope I understand this right), our loader will be called when the SEH is invoked and can wreak havoc from there... handle the SEH, and thus have access to the AsProtect prog and hence wait for the right moment, do an inline patch or dump the program where appropriate?
I'm still researching the debugging API but just wondering about this possibility... is there any problem that I have not thought of?
Thanx,
crUsAdEr
foxthree
May 2nd, 2002, 15:14
Hi crUsAdEr:
/me thinks it is not so easy

I attempted to do something like this with no success.
What you're saying is called a "tracer", and one that runs in user land is hence a ring 3 tracer. There are, I think, many levels of understanding that one must reach before succeeding in this. Especially relating to SEH.
Let's say your handler gets control when ASPR causes an exception. So, what do you do? You must try to locate the original ASPR EH for this exception and pass this to it so that ASPR still thinks it is not traced. Also, all EHs will get called with the TF flag cleared. So, you need to re-enable this in your EH (this can be quite simple as you get the CONTEXT structure passed to your EH). However, what about anti-trace tricks like INT3?
Disclaimer: I AM NOT AN EXPERT HERE AND WHAT I SAID ABOVE MAY BE BULLSHIT!!! So ignore and correct me if I'm wrong... rather than flaming me
Essentially, all ring-3 tracers must patch the Windows SEH so that it can get control and do the "right" thing in case of an application generated exception.
However the problem that I faced is that:
(1) None of the experienced people like +Tsehp and others answered to what exactly is the "right" thing and how to go about this! Probably they're just very busy.
Tracer "Gurus", please help us as I think there are several others who are itching on getting this right!
Thanks,
Signed,
-- FoxThree
PS: Just search for the word "tracer" on this messageboard and travel back in time to see the various people's posts and ideas on this and how tough this can be
Tips/pointers to "old" ring3 tracer code will be of immense help

crUsAdEr
May 2nd, 2002, 15:22
Hey fox3,
The thing about this idea is that it is not a single stepping tracer... it is a debugger... our loader will just let the target AsProtect run, and is only called when a debug_exception occurs (like the way Armadillo does it)... hence we'll handle AsProtect's SEH ourselves...
As for triggering AsProtect's SEH handler, I doubt we need to do this, because as you have known... the original SEH only clears the debug registers and nothing else... so we can just happily skip them altogether and correct EIP, that is all...
Things like INT3 are probably slightly harder to handle, but I didn't seem to find any in AsProtect.dll yet... I think Alexey plays a fair game and doesn't detect SoftICE... which is real nice of him :>... no reboot ever occurs when playing with AsProtect....
Regards,
crUsAdEr
PS: wait till I get some time... then I will try... most likely won't work but ah well :>... worth a try
foxthree
May 2nd, 2002, 15:27
Hi crUsAdEr:
Sounds nice but...
Quote: "hence wait for the right moment, do an inline patch or dump the program where appropriate?"
...then how are you going to freeze the proggie at the "right moment" (say the OEiP) without single stepping? Because from what I understand you're going to rely on exceptions to get event notifications.
Am I right?
Signed,
-- FoxThree
crUsAdEr
May 2nd, 2002, 15:34
Yeah, when a debug_exception occurs, the debuggee would freeze, right?
There we can access its memory and patch all we want? That is how Armadillo does it exactly... it debugs the program, then when the debuggee reaches an encrypted code section, an SEH occurs and the Armadillo debugger decrypts the next area of the code section and encrypts back the old code section that has already been executed!!
Hee... I wasn't intending to freeze AsProtect at "popad, jmp eax"... I was intending to wait till AsProtect fully decrypts the prog and then dump it from there...
OEP can be found with other tools :>>... nah, I mean SoftICE and Super BPM :>... not something that can't work on win2k yet... lol
cheers,
evaluator
May 2nd, 2002, 19:15
Hello!
>> I was intending to wait till AsProtect fully decrypts the prog and then dump it from there...
For this you need to hook VirtualFree and make a dump each time.
For memory patching, we must define the point when ASPR finishes the CRC check of the CODE section.
Nothing is impossible, let's do something more cruel with ASPR! Let's make REPACK-STUDIO

Want YOU!?
WE WILL, WE WILL...
SilberFuchs
May 2nd, 2002, 20:53
It's still possible to make a classic inline patch for AsProtect. (more simple than a loader?? boh)
ciao
SilberFuchs
Pyrae
May 3rd, 2002, 01:00
Yes, inliners are always possible and I prefer to do them instead of using loaders, but it's getting pretty time-consuming though (just did one on the latest DivX.dll, 5.0.1 GAIN).
Another point is that almost any inliner might suffer from being executed in different environments, so I think clean unpacking is still the way to go...
Just my thoughts, Pyrae
crUsAdEr
May 3rd, 2002, 03:43
ARgh,
Can someone help me please....
I spent the whole night trying to figure this damn thing out to no avail... this loader works fine for win2k... but the instruction
CreateProcess doesn't seem to work, win 98 refuses to create a new process for me... everything runs smooth on win2k...
http://galileo.spaceports.com/~sydx/files/test.zip
(I can't seem to upload :<)
This loader I have tested on win2k; it should be able to dump the exe decrypted with most of the IAT intact, except a few "special" APIs which prolly need manual fixing... need to build a new Import Directory and that is it... I just want to make it work on win 98 first...
Help will be greatly appreciated... UnAsProtect doesn't seem to be that hard...
crUsAdEr
May 3rd, 2002, 09:48
SilberFuchs, may I ask how you inline patch it?
Seems like OEP is no longer hardcoded anymore, that would mean repacking AsProtected target program?
LaptoniC
May 3rd, 2002, 10:04
invoke UnmapViewOfFile, pMapping
invoke CloseHandle, hMapping   ; here it is: release the file-mapping object too
invoke CloseHandle, hFile
You should close the handle of the mapping object. It didn't give an error box this time, but after 10 sec on my P3 600 it gave nothing; they were still in my task list.
Also maybe you should add the DEBUG_ONLY_THIS_PROCESS flag so you won't deal with other processes' exception events etc.
SilberFuchs
May 3rd, 2002, 16:45
"Seems like OEP is no longer hardcoded anymore, that would mean repacking AsProtected target program?"
No, it's a classic inline patch.
Change some bytes in the file, and later in memory... and find where and why AsProtect crashes. This is the point where you must begin. The encrypted things at the beginning you can re-calculate.
Find where the CRCs are made and try to get around them.
ciao
SilberFuchs
evaluator
May 3rd, 2002, 18:06
Binh18!
I tested your "test.exe" a little.
CreateProcessA can work if I jump over
CreateFileA, CreateFileMappingA...
e.g. I patched in HIEW:
;from 40105B jump 401114
and CreateProcessA works very well

Seems the problem is because CloseHandle does not close??
So the patched "test.exe" starts the process, then WIN386.SWP became 330 MB.
I waited 2 min and killed the process.
[maybe my patch is too lamE? or I must wait 20 min? :-0]
Then I also ran test.exe on XP. Much funny! Exactly after start,
your prog said to me:
"Dumping is completed successfully! Enjoy!"
Wow! I looked at Dump.EXE... 0 bytes

evaluator
May 3rd, 2002, 19:36
Wow!
Congratz!
I managed your BUG
So you need to insert before 00401109
another CloseHandle for CreateFileMappingA
e.g. before
invoke CloseHandle, hFile
you need:
invoke CloseHandle, hMapping
Now it works on XP!
Q: does it only dump the file? (without imports etc...)
On W98se happens, what previously I wrote.
crUsAdEr
May 3rd, 2002, 23:41
Thanx Laptonic and eval, :>
No wonder none of my dumpers ever worked on win98; micro$oft should learn to program better to accommodate bad programmers like me :>>... funny they all work fine on my win2k box....
Here is a more stable version with more error checking, tested on win2k and win98...
It dumps the file no problem and fixes the section headers; the IAT can be almost fully rebuilt on old versions of AsProtect, not the latest one... It doesn't support the older version of AsProtect found in DigiSecret... that is the only one I have tested and it can't dump... because the code changed a bit... but I have no plan of supporting it anyway...
Hope this works better... thanx a lot folks..
crUsAdEr
Looks like my Opera is having a prob with the board, can't upload anything... just download from the link I posted above... it is updated
evaluator
May 4th, 2002, 00:09
Eh!
Only now I read LaptoniC's response

He already guessed the bug. Sorrrry!
OK, I redownloaded your prog.
Now it dumps also on W98se;
Sections are fixed.
OEP & IT do not exist.
XP & W98se same result.
Tested ASPACK current ver.
Can you tell me, what program exactly you tested?
crUsAdEr
May 4th, 2002, 00:35
Hi eval,
Yeah... as I stated... for new versions of AsProtect like Icon Catcher, AATools, Commview 3.3 etc... the IAT is not rebuilt...
That is because the first thunk is now deleted altogether and hence rebuilding it would need to create a new section at the end of the exe... too much work to bother...
For older versions of AsProtect, like current RegetDx, Reg Organizer, Advanced Archives Password Recovery, Advanced PDF Password Recovery, it can rebuild the IAT except those emulated APIs... I don't plan to support them because that would make it a readily available dumper that any lamer can use, which is not the purpose of this exercise...
You have the source code, I have done half of it :>, since you said we should do this project together, you should do the other half :>... fix up the rest, eval :>>>
Also tell me, do those progs I tested work on your machine?
cheers,
crUsAdEr
GlObAl
May 5th, 2002, 18:59
Hello to everyone,
I post here for the first time, and first of all I think this is a good working board, so I will thank the admins.
And yes, it is possible to inline patch the newest ASPR, and it is based nearly every time on the same thing...
For example you can look at LaptoniC's group site; most of the FlawLeSS patches are ASPR.
Some days ago I talked with BlackCode and he told me that there was a tool on anti*rack.de with the name KanXue Studio (unpacking ASProtect protected executables).
After downloading I was surprised; it works really great. Maybe it's interesting for others too.
PS: Silberfuchs, I already thought you had gone missing

foxthree
May 5th, 2002, 19:28
Yes this was one of the questions that I'm currently researching on: How does the "loader.exe" from KanXue studio find the OEiP of ASPR apps absolutely (not the sigs but the OEiP). It doesn't look to me like a tracer as it works pretty fast.
I tried to disassemble the Loader.exe but it says Linker v 7.0 (.NET compiler) and has only one .text section???
Any tips?
Signed,
-- FoxThree
LaptoniC
May 5th, 2002, 20:04
It uses the VirtualProtectEx API, which is the same API used by OllyDbg to put BPM.
Lbolt99
May 7th, 2002, 20:06
Hi,
Sorry if this seems like a newbie question... I'm a bit late coming into the RCE scene and ASPR 1.3 was already out.
Anyway, I'm a little confused on how you all are referring to older and newer versions of ASPR.
From what crUsAdEr says, I'm getting the impression that as of right now, for the absolute latest version (v1.4x? 1.5?) of ASPR, the only thing feasible right now is the inline patch (which is awesome, checked it out on Tag & Rename beta... worked great). Am I right by saying the ASPR author has taken things a step further and made it impossible to RV because the 1st thunk is "deleted"? i.e. now more difficult than ever to rebuild the IT?
I understand 1.3 had the Getwhatwewant API cluster (all the emulated APIs done in one spot). The "supposed" v1.4 has the little trick:
call getversion
push [blah]
pop eax
to trick you into thinking it is calling GetVersion when it's really something else...
Is there a 1.4x or 1.5 now that goes beyond this?
The most recent ASProtected program I've dealt with is HelpJotter. It has 11 unresolved entries, many of them with the above emulation trick, a couple of redirects, etc...
Thanks
+SplAj
May 8th, 2002, 07:44
Hi Lbolt99
You are mistaken that RV cannot resolve aspr now. The only extra problem for unpacking lately is getting the target to stop at OEiP. Alexey put a LOT of decrypt code and heavy looping around the final POPAD, JMP EAX instruction to make it boring.
The trick you mention with
call getversion
push [blah]
pop eax
is correct. In my experience the 11 unresolved APIs are usually:
GetProcAddress
GetModuleHandleA
GetCommandLineA
GetModuleHandleA
LockResource
GetVersion
GetProcAddress
GetModuleHandleA
GetCurrentProcessId
GetCurrentProcess
FreeResource
I unpacked a few targets over the last evenings, all MAY 2002 compiled exes, so they should be using the latest aspr release.
Alexey is playing a very good game with NOT releasing any shareware aspr anymore. It stops specific unpackers for specific versions. He changes subtle things all the time. Now he even taunts us by saying on his web site:
'07.04.2002 New ASprotect beta (for registered users only)'
LOL
Spl/\j
crUsAdEr
May 8th, 2002, 08:53
Yo Spl/\j,
How have you been?? Still recuperating from the car accident?? Or is your wife banning you from RCE board now :>>>
Hi Lbolt99, sorry I confused you... I was talking about the newest AsProtect stripping the "virgin" first thunk from the protected target now, so my dumper can't find where to put the import ASCII anymore... and creating a new section requires more work to do... that is why the dumper can not rebuild imports on the newest AsP proggies... That only concerns my dumper... ReVirgin uses the tracer to trace the redirected imports and hence will always work!!!!
regards,
crUsAdEr
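One check an analyst can run on a dumped file for the "virgin first thunk" question above, as an added example that is not crUsAdEr's dumper or any code from the thread: it builds a constructed PE32 image with struct and reports which import descriptors have a zeroed OriginalFirstThunk (the name table a rebuilder would walk).

```python
import struct

# Constructed minimal PE32 file (not from the thread): one .idata section at RVA
# 0x1000 holding one IMAGE_IMPORT_DESCRIPTOR per entry in first_thunks.
def build_sample_pe(first_thunks):
    sec_rva, sec_off, sec_size = 0x1000, 0x200, 0x200
    descs = b"".join(struct.pack("<IIIII", oft, 0, 0, sec_rva + 0x100, sec_rva + 0x80)
                     for oft in first_thunks) + bytes(20)           # zero terminator
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # 1 section, PE32 opt hdr
    dirs = [(0, 0)] * 16
    dirs[1] = (sec_rva, len(descs))                                 # IMAGE_DIRECTORY_ENTRY_IMPORT
    opt = struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sec = struct.pack("<8sIIIIIIHHI", b".idata", sec_size, sec_rva, sec_size, sec_off,
                      0, 0, 0, 0, 0xC0000040)
    hdr = dos + b"PE\0\0" + coff + opt + sec
    return hdr.ljust(sec_off, b"\0") + descs.ljust(sec_size, b"\0")

def rva_to_offset(sections, rva):
    for vsize, va, rawsize, raw in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError("RVA %#x is not backed by any section" % rva)

def import_descriptors(data):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array of a PE32/PE32+ file on disk."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    imp_rva = struct.unpack_from("<I", data, opt + (96 if magic == 0x10B else 112) + 8)[0]
    if imp_rva == 0:
        return []                                                   # no import directory
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    out, off = [], rva_to_offset(sections, imp_rva)
    while True:
        oft, _, _, name, ft = struct.unpack_from("<IIIII", data, off)
        if oft == 0 and name == 0 and ft == 0:
            break
        out.append({"original_first_thunk": oft, "name_rva": name, "first_thunk": ft})
        off += 20
    return out

def stripped_first_thunks(data):
    """Descriptors whose OriginalFirstThunk is zero: no 'virgin' name table
    survives for that DLL, so an import rebuilder has nothing to walk there."""
    return [d for d in import_descriptors(data) if d["original_first_thunk"] == 0]
```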
foxthree
May 8th, 2002, 09:28
Yo Crusader:
Did you check out Tesla's First Thunk Rebuilder (has an ASPR-like user interface too)? A perfect remedy for your dumper! Maybe Tesla would share his source code with you...
Greetings +Splaj "guru":
Howz it going? Long time no post

Your advice to me is proving to be immensely helpful. Thanks for the same! Did you happen to have a go at SEPP (Virus)?
Signed,
-- FoxThree