Three questions...
Risotto
May 23rd, 2002, 22:22
1.ReGet:
I've found OEP by 'bpx GetModuleHandleA if(*(esp+4)==0)' and every time Sice breaks, i check what esp contains; when it's 0x008FCE3B, i press F12 twice and here it is:
018F:004CF550 55 PUSH EBP ;here is OEP
018F:004CF551 8BEC MOV EBP,ESP
018F:004CF553 6AFF PUSH FF
018F:004CF555 6820614F00 PUSH 004F6120
018F:004CF55A 6854E94C00 PUSH 004CE954
018F:004CF55F 64A100000000 MOV EAX,FS:[00000000]
018F:004CF565 50 PUSH EAX
018F:004CF566 64892500000000 MOV FS:[00000000],ESP
018F:004CF56D 83EC58 SUB ESP,58
018F:004CF570 53 PUSH EBX
018F:004CF571 56 PUSH ESI
018F:004CF572 57 PUSH EDI
018F:004CF573 8965E8 MOV [EBP-18],ESP
018F:004CF576 FF1588124F00 CALL [004F1288] ;we came back from this routine
018F:004CF57C 33D2 XOR EDX,EDX
018F:004CF57E 8AD4 MOV DL,AH
018F:004CF580 891538FB5100 MOV [0051FB38],EDX
018F:004CF586 8BC8 MOV ECX,EAX
Okie, now i've got OEP. Then rebuilding IAT: some APIs have to be emulated:
-GetCommandLineA
-GetVersion
-LockResource
-GetCurrentProcessId
-FreeResource
-GetModuleHandleA
-GetCurrentProcess
-SetWindowLongA
-FindResourceA
-GetDlgItemTextA
So, i've done it. But anyway ReGet crashes. Let's have a look: i decided to trace just from the beginning and to see what can cause that crash:
018F:004CF5D1 E84B4F0000 CALL 004D4521
018F:004CF5D6 FF15A0114F00 CALL [KERNEL32!GetCommandLineA]
018F:004CF5DC A3A4395200 MOV [005239A4],EAX
018F:004CF5E1 E8094E0000 CALL 004D43EF
018F:004CF5E6 A36CFB5100 MOV [0051FB6C],EAX
018F:004CF5EB E8B24B0000 CALL 004D41A2
018F:004CF5F0 E8F44A0000 CALL 004D40E9
018F:004CF5F5 E8D1EDFFFF CALL 004CE3CB ;here is our crash resides - F8
.............
018F:004CE3CB A1F86C5100 MOV EAX,[00516CF8]
018F:004CE3D0 85C0 TEST EAX,EAX
018F:004CE3D2 7402 JZ 004CE3D6
018F:004CE3D4 FFD0 CALL EAX
018F:004CE3D6 6810BC4F00 PUSH 004FBC10
018F:004CE3DB 68FCBB4F00 PUSH 004FBBFC
018F:004CE3E0 E8EC000000 CALL 004CE4D1
018F:004CE3E5 68F8BB4F00 PUSH 004FBBF8
018F:004CE3EA 6800A04F00 PUSH 004FA000
018F:004CE3EF E8DD000000 CALL 004CE4D1 ;let's look into this call
018F:004CE3F4 83C410 ADD ESP,10
018F:004CE3F7 C3 RET
.............
018F:004CE4D1 56 PUSH ESI
018F:004CE4D2 8B742408 MOV ESI,[ESP+08]
018F:004CE4D6 3B74240C CMP ESI,[ESP+0C]
018F:004CE4DA 730D JAE 004CE4E9
018F:004CE4DC 8B06 MOV EAX,[ESI]
018F:004CE4DE 85C0 TEST EAX,EAX
018F:004CE4E0 7402 JZ 004CE4E4
018F:004CE4E2 FFD0 CALL EAX
018F:004CE4E4 83C604 ADD ESI,04
018F:004CE4E7 EBED JMP 004CE4D6 ;here is a loop
018F:004CE4E9 5E POP ESI
018F:004CE4EA C3 RET
Here we'll spin a little in the loop and with this we'll find what really causes the error. Tracing a while in this loop i've found the following:
push 004xxxxx
call [004xxxyy] ;in the address 004xxxyy resides 009xyxyx!!!
Thus our dump won't work! Such a call won't work correctly, or, to be more precise, it won't work at all. That's why let's see what APIs are called and redirect them:
calls (in reverse order):
0x004F168C 98 57 91 00 -> BF F4 56 BF - RegisterClipboardFormatA
0x004F1588 8C 57 91 00 -> F0 14 F4 BF - RegisterWindowMessageA
0x004F1624 68 56 91 00 -> B5 56 F4 BF - wsprintfA
Once we've done this, our dump will be loaded into memory without errors, but actually it does nothing. I can just kill the process thru the process viewer in PEditor. While finding OEP, i came across three addresses that should be emulated too (??):
seg000:00479787 ; ---------------------------------------------------------------------------
seg000:00479787 mov eax, [esp+4]
seg000:0047978B mov ds:dword_0_51CB08, eax
seg000:00479790 retn
seg000:00479791 ; ---------------------------------------------------------------------------
seg000:00479791 mov eax, [esp+4]
seg000:00479795 mov ds:dword_0_51CB0C, eax
seg000:0047979A retn
seg000:0047979B ; ---------------------------------------------------------------------------
seg000:0047979B mov eax, [esp+4]
seg000:0047979F mov ds:dword_0_51CB10, eax
seg000:004797A4 retn
seg000:004797A5
Strange, but these addresses aren't used at all! Or maybe i'm mistaken! Okie. Let's keep on looking: in dword_0_51CB08 - 8FCD58h. It's a function, but what func?:
018F:008FCD58 833D6046900000 CMP DWORD PTR [00904660],00
018F:008FCD5F 750D JNZ 008FCD6E
018F:008FCD61 A170459000 MOV EAX,[00904570]
018F:008FCD66 8B1574459000 MOV EDX,[00904574]
018F:008FCD6C EB0B JMP 008FCD79
018F:008FCD6E A160469000 MOV EAX,[00904660]
018F:008FCD73 8B1564469000 MOV EDX,[00904664]
018F:008FCD79 52 PUSH EDX
018F:008FCD7A 50 PUSH EAX
018F:008FCD7B E8D4FDFFFF CALL 008FCB54
018F:008FCD80 C3 RET
In dword_0_51CB0C - 8FCD84h:
018F:008FCD84 833D6046900000 CMP DWORD PTR [00904660],00
018F:008FCD8B 750D JNZ 008FCD9A
018F:008FCD8D A170459000 MOV EAX,[00904570]
018F:008FCD92 8B1574459000 MOV EDX,[00904574]
018F:008FCD98 EB0B JMP 008FCDA5
018F:008FCD9A A160469000 MOV EAX,[00904660]
018F:008FCD9F 8B1564469000 MOV EDX,[00904664]
018F:008FCDA5 E81EFEFFFF CALL 008FCBC8
018F:008FCDAA C3 RET
And in dword_0_51CB10 - 8FCDACh:
to be cont...
Risotto
May 23rd, 2002, 22:24
018F:008FCDAC 55 PUSH EBP
018F:008FCDAD 8BEC MOV EBP,ESP
018F:008FCDAF 53 PUSH EBX
018F:008FCDB0 56 PUSH ESI
018F:008FCDB1 8B5D0C MOV EBX,[EBP+0C]
018F:008FCDB4 8B7508 MOV ESI,[EBP+08]
018F:008FCDB7 8BC3 MOV EAX,EBX
018F:008FCDB9 E8D657FFFF CALL 008F2594
018F:008FCDBE A360469000 MOV [00904660],EAX
018F:008FCDC3 8B1560469000 MOV EDX,[00904660]
018F:008FCDC9 8BC6 MOV EAX,ESI
018F:008FCDCB 8BCB MOV ECX,EBX
018F:008FCDCD E8B258FFFF CALL 008F2684
018F:008FCDD2 891D64469000 MOV [00904664],EBX
018F:008FCDD8 53 PUSH EBX
018F:008FCDD9 8BCE MOV ECX,ESI
018F:008FCDDB 8B155C469000 MOV EDX,[0090465C]
018F:008FCDE1 A158469000 MOV EAX,[00904658]
018F:008FCDE6 E811FBFFFF CALL 008FC8FC
018F:008FCDEB 833D8445900000 CMP DWORD PTR [00904584],00
018F:008FCDF2 7505 JNZ 008FCDF9
018F:008FCDF4 E85FFFFFFF CALL 008FCD58
018F:008FCDF9 5E POP ESI
018F:008FCDFA 5B POP EBX
018F:008FCDFB 5D POP EBP
018F:008FCDFC C20800 RET 0008
Frankly i don't know what to do with them. Does someone know? And thru xrefs i've found the following:
seg000:004797DB sub_0_4797DB proc near ; CODE XREF: sub_0_404A32+F8p
seg000:004797DB cmp ds:dword_0_51CB14, 0
seg000:004797E2 jnz short locret_0_4797F9
seg000:004797E4 mov eax, ds:dword_0_51CB08
seg000:004797E9 test eax, eax
seg000:004797EB jz short loc_0_4797FA
seg000:004797ED call eax
seg000:004797EF mov ds:dword_0_51CB14, 1
...............
seg000:004797A5 push ebp
seg000:004797A6 mov ebp, esp
seg000:004797A8 push ecx
seg000:004797A9 mov eax, ds:dword_0_51CB10
seg000:004797AE mov [ebp+var_4], 8Ch
seg000:004797B5 test eax, eax
seg000:004797B7 jz short loc_0_4797C3
seg000:004797B9 lea ecx, [ebp+var_4]
seg000:004797BC push 4
seg000:004797BE push ecx
seg000:004797BF call eax
seg000:004797C1 leave
seg000:004797C2 retn
That's all i managed to find. Can someone help me to unpack it? Or just say what is wrong?
2. One more question about CRC check in AsProtect: i've tried to find it thru CreateFile, but i failed because of SEH used in AsPr. I've read crUsAdEr's tutorial where he suggested to trigger it by 'r eip=eip+2':
018F:00B9ED44 01E9 ADD ECX,EBP
018F:00B9ED46 648920 MOV FS:[EAX],ESP
018F:00B9ED49 3100 XOR [EAX],EAX ;once we're here do 'r eip=eip+2'
018F:00B9ED4B EB01 JMP 00B9ED4E
018F:00B9ED4D 68648F0500 PUSH 00058F64
But, unfortunately, i've found myself somewhere very-very far. What's wrong?
3.Armadillo:
crUsAdEr advised to set a bpx on SetProcessWorkingSetSize. That's a good idea. Okie, i've done it and found OEP, but setting bpx on WriteProcessMemory was pointless - Sice didn't break and i couldn't find the decrypting routine (in Sice). I tried to look into 'call edi', but it's the place where the program begins (->jmp OEP) and thus there is no decrypting routine. I decided to dump the process and to search the deadlisting. I found an appropriate code:
.text1:0041B8AE ; ---------------------------------------------------------------------------
.text1:0041B8AE
.text1:0041B8AE loc_0_41B8AE: ; CODE XREF: sub_0_41B77D+17j
.text1:0041B8AE push 0
.text1:0041B8B0 mov ecx, [ebp+arg_0]
.text1:0041B8B3 push ecx
.text1:0041B8B4 call loc_0_41B967
.text1:0041B8B9 add esp, 8
.text1:0041B8BC and eax, 0FFh
.text1:0041B8C1 test eax, eax
.text1:0041B8C3 jnz short loc_0_41B8CC
.text1:0041B8C5 xor al, al
.text1:0041B8C7 jmp loc_0_41B963
Here it is. But it's not used while the program is loading. What's the prob? Should it be executed or not? And why doesn't the breakpoint on WriteProcessMemory work? And who knows how to rip a prog from Armadillo, or to take off the f*cking protection?
PS: the proggie was protected with Armadillo 2.53
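An added example, not code from the thread: the loop at 004CE4D1 walks a table of function pointers from [esp+8] up to [esp+0C] and calls every non-zero entry, and Risotto's trace shows one such call landing in the 0x009xxxxx region that the dump does not contain. The script below emulates that walk over a dumped image and classifies each pointer instead of calling it, so dangling entries (in an init table or in an IAT slot range) are listed before the dump is run; the image base, SizeOfImage, system-DLL range and table contents are constructed for the demo, with the 0x0091578C / 0xBFF414F0 values taken from Risotto's list of redirected calls.

```python
import struct

IMAGE_BASE = 0x00400000   # assumed image base of the dumped exe (constructed for the demo)
IMAGE_SIZE = 0x00124000   # assumed SizeOfImage; covers the 0x0051xxxx/0x0052xxxx data seen above

# Ranges a pointer may legitimately land in besides the image itself.
# Constructed: one range standing in for the Win9x system DLLs at BFxxxxxx seen in the thread.
KNOWN_MODULES = {"win9x-system-dlls": (0xBF000000, 0x01000000)}


def walk_pointer_table(image, image_base, start_va, end_va):
    """Emulate the loop at 004CE4D1:
        esi = start; while esi < end: p = [esi]; if p != 0: call p; esi += 4
    but yield (slot_va, target) for every non-zero entry instead of calling it."""
    esi = start_va
    while esi < end_va:                       # CMP ESI,[ESP+0C] / JAE exit
        off = esi - image_base
        if off < 0 or off + 4 > len(image):
            raise ValueError(f"slot {esi:#010x} lies outside the dump")
        target, = struct.unpack_from("<I", image, off)
        if target:                            # TEST EAX,EAX / JZ skip
            yield esi, target
        esi += 4                              # ADD ESI,04


def classify_target(target, image_base, image_size, modules=KNOWN_MODULES):
    """'image' if the pointer is inside the dump, a module name if inside a known
    module range, otherwise 'unresolved' (e.g. AsProtect's 0x009xxxxx area)."""
    if image_base <= target < image_base + image_size:
        return "image"
    for name, (base, size) in modules.items():
        if base <= target < base + size:
            return name
    return "unresolved"


def find_dangling_pointers(image, image_base, image_size, start_va, end_va,
                           modules=KNOWN_MODULES):
    """Return [(slot_va, target)] for entries the dump cannot satisfy."""
    return [(slot, tgt)
            for slot, tgt in walk_pointer_table(image, image_base, start_va, end_va)
            if classify_target(tgt, image_base, image_size, modules) == "unresolved"]


def build_demo_image():
    """Constructed dump: zero-filled, with a five-entry table at 004FBBFC..004FBC10
    (the first call's arguments in Risotto's listing) and two IAT slots at 0x004F1588
    holding the redirected and the resolved value from his table."""
    image = bytearray(IMAGE_SIZE)
    entries = [0x004CF550, 0, 0x0091578C, 0xBFF414F0, 0x004D4521]
    struct.pack_into("<5I", image, 0x004FBBFC - IMAGE_BASE, *entries)
    struct.pack_into("<I", image, 0x004F1588 - IMAGE_BASE, 0x0091578C)  # still redirected
    struct.pack_into("<I", image, 0x004F158C - IMAGE_BASE, 0xBFF414F0)  # points into the system DLL
    return bytes(image)


def demo():
    image = build_demo_image()
    bad = find_dangling_pointers(image, IMAGE_BASE, IMAGE_SIZE, 0x004FBBFC, 0x004FBC10)
    bad += find_dangling_pointers(image, IMAGE_BASE, IMAGE_SIZE, 0x004F1588, 0x004F1590)
    for slot, tgt in bad:
        print(f"slot {slot:#010x} -> {tgt:#010x}: not in the dump or in a known module")
    return bad


if __name__ == "__main__":
    demo()
```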
crUsAdEr
May 23rd, 2002, 23:05
hi Risotto,
To know what the routine does, the best way is to dump the AsP.dll and disassemble it... i cant recall on top of my head rite now...
My guess about the loop is that ReGet is initialised before that and hence your dump crashes, try to dump it right after or before IAT mangling...
By the way, the sice command is " r eip eip+2" without the equal sign i think...
About armadillo, you dont even need to dump, just disassemble the protected exe directly, you will find the routine above... it should work, my method has only been tested on 2.52 and below... i know they made some changes in 2.53, my dumper fails on it... but no time to look into it at the moment... Have you tried to change the push 1 to become push 0???
The copymem routine will have to be called to decrypt the code section for the target to run, but if your debugger is detected then it will just quit silently... also if the program is not protected by copy mem then of course the routine is not called.. i am just guessing though... are you playing with notepad or what??
That is all for now,
regards,
crUsAdEr
P.S : on second thought, do look at a thread about reget started by Solomon recently.. i think the 2 routines you posted are the decrypting routines that are used to decrypt certain areas of the code section...
Lbolt99
May 24th, 2002, 14:44
What ver of reget are you looking at? v2.1a is not too difficult but as you progress thru the various betas of 3.0, it gets progressively difficult as they keep adding various protections and using more features of Aspr.
Lots of ppl here have reversed various betas of 3.0 who may help, not sure about 2.1a but there's a ready made crack for 2.1a if you look... I initially got stuck at what looks like where you are but reversed the crack to see what they did, you can learn a lot from another's crack if you can find it.
Risotto
May 25th, 2002, 04:14
Hi!
to crUsAdEr:
Firstly, can you make more precise what SEH is for in AsPr? I mean whether it's a constant feature or it is implemented when a debugger is detected? And what is the main aim of these SEH tricks? "To_show_me_that_i_am_on_the_wrong_way"? While looking for the CRC check i couldn't overcome these tricks. Can you help me by pointing out what i should do to defeat SEH tricks in AsPr? Here is a code snippet:
018F:00B9ED44 01E9 ADD ECX,EBP
018F:00B9ED46 648920 MOV FS:[EAX],ESP
018F:00B9ED49 3100 XOR [EAX],EAX ;once we're here do 'r eip=eip+2'
018F:00B9ED4B EB01 JMP 00B9ED4E
018F:00B9ED4D 68648F0500 PUSH 00058F64
Are my comments right? It's like in your essay, but nothing happens and i get into kernel debris. And one more question: as far as i know SmartCheck can be used not only for VB applications and that's why i decided to use it, to find where the CRC check is, but either i have configured it in the wrong way (???) or whatever, but i cannot intercept APIs right from the beginning! Actually, i've marked the check box "Start event reporting when starting this prog", but i cannot see the needed APIs like ReadFile, CreateFileA, etc, etc.
To Lbolt99:
No, it's not 2.*, it's 3.0.118 (the last version, as far as i found). Reversing 2.* ver. is very easy, but as far as 3.0 is concerned, i wasn't able to do it. I even cannot unpack it correctly!
BTW, crUsAdEr, i've already tried to put a break point on the changed byte (i need to change Size of Image) and Sice didn't break! Why?
And what do you mean by IAT mangling? When AsPr creates redirected APIs? Or what else? And what can be accomplished by preventing (as you've said, NOPing) this mangling?
PS: Sorry for so many questions, i just try to clarify some things.
Thanks
crUsAdEr
May 25th, 2002, 12:38
Howdy,
What seh is for??? ask Alexey :>>... well seh is used to clear your bpm as well as make tracing harder.
Like i said in the earlier post, there is no equal sign in the command if I am not wrong, or else someone please correct me. The syntax is "r eip eip+2".. do read your sice manual or at least some tutorial on sice. Basically the idea is that we increase eip by 2 so that the faulty instruction is not executed and hence seh is not triggered.
Again, i think my essay did cover CRC of AsProtect, you can look at the dll again to get the idea... for unpacking this is not very important, if you really want to patch it, debugging some inline patched AsProtected proggy you will know where AIPH patches the CRC checks... Like Lbolt99 has said, reversing some inline patched proggy at Desperate site by Flawless will help as well... I have not used SmartCheck for that purpose yet so I am sorry i wouldnt know...
Yep, API mangling is API redirection... well, if you trace the API mangling routine above, just follow the loop around it a few times, you will see that the API address is first obtained, then passed through the redirection routine as i partially explained in my essay... hence you will need to NOP the redirecting routine, NOP at the right place and you will only need to NOP a few bytes... If you choose to do it this way, rebuild IAT without the help of tools like revirgin, then DO read some old unpacking tutorial, those written before the likes of Revirgin and Imprec were born... check out R!sc's site as well as some old unpacking tutorial on krobar site.. also if i remember correctly, there are a few tutorials on Tsehp site about defeating VBox by patching the IAT redirection routine... this is a real neat method once you get used to it...
Enjoy,
crUsAdEr
Risotto
May 26th, 2002, 22:36
G'day, crUsAdEr!
Just one question more: can you post links to what you've mentioned above? Especially R!sc's, 'cause i'd like to read his tuts. And one thing more: i'm interested not in a crack but in defeating, so i'd like to know the way the protection goes...
Thanks for help.
crUsAdEr
May 27th, 2002, 14:50
Hi Risotto,
Remember, always try to search around... check out the off topic or tools of trade forum, i cant remember exactly, i did post the link somewhere a while ago... i dont know where i got Jeremy Gordon's text from, just try it with google... your best friend...
The best way to know how the protection works is devote like a few hours to dump the dll from AsProtect, once you have the dll disassembled in IDA... everything is there for you to see....
Regards,
crUsAdEr
Risotto
May 27th, 2002, 22:27
Hey!
In your tut you wrote how to obtain aspr.dll, but can you give me some details: how to find the Vaddress of the above mentioned DLL in order to dump it? Because i've spent 2 hours tracing those loops about which you wrote and it's really amazing.
PS: CRC Check in AsProtected is defeated. Actually, it wasn't the first time i dealt with CRC Check - i was stopped by SEH, but now everything is clear.
PPS: BTW, i know that search engines are very useful. I should have been more precise when asking you about links: i'd have liked you to give me R!sc's one, but not Jeremy Gordon's SEH article - i found it in 2 min.
!yeH
crUsAdEr
May 28th, 2002, 02:02
Hey hey,
To dump the dll, you have to get to the OS loader part, which is when AsProtect just jumps into high memory, decrypts the dll, dump it before relocation... the offset will be different for diff versions of AsProtect, also diff OS will give diff offset...
bpx on VirtualFree, break once or twice, till you reach end of the decrypting loop in AsProtect data section, and start jumping to some high memory area....
trace there, you will see how OS loaders actually loads a dll :>>> pretty cool...
try typing r!sc in Off topic or search for last thread started by cluesurf, you will find the site address, i am too lazy to find it now...
If you need help with the dll, i will post more details, but u can also look at my dll... most of the stuff is the same anyway....
Good luck :>>
crUsAdEr
Here's a BIG hint. The post title in Off Topics is "Risc Site." Good clue and by cluesurf. Pun intended. Try that search button.
Regards.
Solomon
May 28th, 2002, 03:01
I have successfully unpacked and cracked ReGet 3.0 Final build 121. ImpREC v1.42+ can't correctly fix the dumped files (the fixed exe will crash just as what you got. sorry I don't mean to blame ImpREC or MackT, actually it's a great tool), ReVirgin does well.
Are u sure the following 3 APIs are emulated? I don't think so. And you may have missed one emulated API, DialogBoxParamA (emulated with FindResource + LoadResource + DialogBoxIndirectParamA).
-SetWindowLongA
-FindResourceA
-GetDlgItemTextA
there is already a release "/0524/Reget.Deluxe.v3.0.121.WinAll.Cracked-EAT"(no, it's not made by me. I'm not a member of any group). I have checked how EAT cracked it. They just cleared several obvious size checks and repacked it to the same size as the original exe.
Please also refer to the following threads:
http://www.woodmann.net/forum/showthread.php?s=&threadid=2977
http://www.woodmann.net/forum/showthread.php?s=&threadid=2855
SpeKKeL
May 28th, 2002, 10:12
Yep,
Nice target, it was some time ago i played with aspr. so took latest build 121.
Api's were easy and rebuilt with R.V (hm, must i install w2k or xp now that r.v stops supporting w98 ??)
The most fun was reversing the prog.
Saw there was some counter which triggered the size/integrity (do i spell correct ?) check. Simply passed this and no need to re-pack now.
The quitting part had a little trouble (seems quitting on some aspr progs causes errors) but easily solved.
And registering.......just 1 bit.
Our thanks to:
Encryption mechanism:
A....y S................v
SpeKK

foxthree
May 28th, 2002, 17:18
Yo!
Just out of curiosity and b'cos SpeK mentioned the Encryption Mechanism in ASPR....
Has anyone successfully reversed the ASPR KeyGen/Encryption mechanism? The KeyGen is 100% RSA. I'm sure of it. I did some study long back and it is again one of those 20% done projects on my shelf.
And it seems to be implemented pretty well too. No default parameters for 'e' etc...
The other part is enabling the software to decrypt encrypted code and dump it to patch the proggie for good. Examples of this kind incl. Elcomsoft's products. Some code section is encrypted with a key and only upon getting the correct key would it decrypt. I know Crusader did some work on AZPR stuff, but I'm unable to locate this in this maze of knowledge
Pointers?
Signed,
-- FoxThree
Lbolt99
May 28th, 2002, 17:21
I found his azpr discussion in the thread in crypto "tutorial: finding encryption code in a target".
Quote:
Originally posted by foxthree
I know Crusader did some work on AZPR stuff, but I'm unable to locate this in this maze of knowledge
Pointers?
Signed,
-- FoxThree
Stone()
May 28th, 2002, 18:35
Well I had no problems fixing Reget Build 121 with either Imprec or RV. No crashing or whatsoever. I use however W2K & XP.
I prefer RV as it re-writes a better Import table, but Imprec resolves better.
The size checks (1st Eat rls) were just too obvious, as they worked in previous rls's of Reget.
More important was the random counter which was only triggered when some CRC checks were not ok. If the flag then was 0 or 1 (don't remember) Reget overwrote on some downloads the first bytes of the zip file with the famous readme.txt file.
Important lessons, never trust your old cracks, authors are not sleeping and might have added some new surprises.
In fact the fix from Eat has resolved the above and repacking to the same size is not an issue anymore.
In any case more interesting would be to patch the RSA routine and then write a Keygen for it.
Risotto
May 28th, 2002, 22:30
I've found at least 4 loops and that place which you were talking about with APIs (AsProtect searches some APIs in kernel), but speaking frankly i didn't grasp the idea of how it's done. Can you explain it a little (5)? And where is the aspr.dll copied to high memory as you wrote in your tut?
************** 1
.data:0067B088 add esi, 7C2h ; esi = 0x0067B836
.data:0067B08E push esi
.data:0067B08F mov ah, dl
.data:0067B091 pop ebx ; ebx = esi
.data:0067B092 push 1B5h
.data:0067B097 pop ecx ; ecx = 0x01B5
.data:0067B098
.data:0067B098 loop_1: ; CODE XREF: .data:0067B154j
.data:0067B098 push dword ptr [esi] ; [esi] = 0x4CB532AB
.data:0067B09A mov ax, 7F8Bh ; eax = 0x00677F8B
.data:0067B09E pop edx ; edx = [esi]
.data:0067B09F jns decrypting_routine_1
.data:0067B0A5 ja decrypting_routine_1
.data:0067B0AB jl $+6
.data:0067B0B1
.data:0067B0B1 decrypting_routine_1: ; CODE XREF: .data:0067B09Fj
.data:0067B0B1 ; .data:0067B0A5j
.data:0067B0B1 add edx, 429CCF51h
.data:0067B0B7 mov di, 50Ah
.data:0067B0BB xor edx, 0D9523B6h
.data:0067B0C1 or bl, 2Dh
.data:0067B0C4 sub edx, 0E25D8B7h
.data:0067B0CA push 60A1D5B0h
.data:0067B0CF call adjusting_next_addr_1
.data:0067B0D4 fsubr st(5), st
.data:0067B0D6 mov edx, 8661C86Bh
.data:0067B0DB inc edi
.data:0067B0DC jz short loc_0_67B07B
.data:0067B0DE adc ah, bl
.data:0067B0E0 loopne loc_0_67B07B
.data:0067B0E2 pop esi
.data:0067B0E3 aas
.data:0067B0E4 or al, 55h
.data:0067B0E6 push 5Bh
.data:0067B0E8
.data:0067B0E8 adjusting_next_addr_1: ; CODE XREF: .data:0067B0CFp
.data:0067B0E8 mov di, 0D9A4h
.data:0067B0EC pop eax
.data:0067B0ED pop edi ; edi = 0x60A1D5B0
.data:0067B0EE mov [esi], edx ; [esi] = edx
.data:0067B0F0 xor bh, 27h
.data:0067B0F3 sub esi, 4FCB997Dh
.data:0067B0F9 mov bx, cx
.data:0067B0FC add esi, 4FCB9979h
.data:0067B102 mov ax, 7B35h
.data:0067B106 dec ecx
.data:0067B107 jnz go_on_1
.data:0067B10D jp the_end_1
.data:0067B113 add ebx, 74E8910Fh
.data:0067B119
.data:0067B119 the_end_1: ; CODE XREF: .data:0067B10Dj
.data:0067B119 jmp exit_loop_1
.data:0067B119 ; ---------------------------------------------------------------------------
[skipped]
.data:0067B12F ; ---------------------------------------------------------------------------
.data:0067B12F
.data:0067B12F go_on_1: ; CODE XREF: .data:0067B107j
.data:0067B12F ; .data:0067B14Fj
.data:0067B12F call near ptr loc_0_67B140+1
.data:0067B134 xchg eax, ecx
.data:0067B135 div bh
.data:0067B137 db 64h
.data:0067B137 int 82h ; reserved for BASIC
.data:0067B13A xchg eax, ebx
.data:0067B13B ror cl, 1
.data:0067B13D into
.data:0067B13E out dx, eax
.data:0067B13F cld
.data:0067B140
.data:0067B140 loc_0_67B140: ; CODE XREF: .data:0067B12Fp
.data:0067B140 test ecx, ebp
.data:0067B142 or eax, 1000000h
.data:0067B147 cmpsb
.data:0067B148 out 94h, eax
.data:0067B14A
.data:0067B14A loc_0_67B14A: ; CODE XREF: .data:0067B1B4j
.data:0067B14A cmp eax, 39008332h
.data:0067B14F jle short near ptr go_on_1+1
.data:0067B151 sub al, 0F5h
.data:0067B153 pop edi
.data:0067B154 jmp loop_1
************** 2
.data:0067B189 push eax
.data:0067B18A add esi, 66062BAAh
.data:0067B190 pop edi
.data:0067B191 mov ecx, 187h ; ecx = 0x0187
.data:0067B196 or dl, 4Dh
.data:0067B199
.data:0067B199 loop_2: ; CODE XREF: .data:0067B215j
.data:0067B199 mov eax, [ebx] ; get what should be decrypted
.data:0067B19B xor eax, 7579A9CBh ; some manipulations
.data:0067B1A1 push ecx
.data:0067B1A2 push ebx
.data:0067B1A3 mov dl, ah
.data:0067B1A5 pop edi
.data:0067B1A6 pop edx
.data:0067B1A7 sub eax, 748B55A8h ; some manipulations
.data:0067B1AD call continue_2
.data:0067B1B2 jnz short near ptr loc_0_67B1BA+4
.data:0067B1B4 jnp short near ptr loc_0_67B14A+4
.data:0067B1B6 icebp
.data:0067B1B7 setalc
.data:0067B1B8 push edi
.data:0067B1B9 inc esp
.data:0067B1BA
.data:0067B1BA loc_0_67B1BA: ; CODE XREF: .data:0067B1B2j
.data:0067B1BA sub eax, 29B0F362h
.data:0067B1BF scasb
.data:0067B1C0 dec edi
.data:0067B1C1 fsubr st(5), st
.data:0067B1C3
.data:0067B1C3 continue_2: ; CODE XREF: .data:0067B1ADp
.data:0067B1C3 mov edx, 2A04D486h
.data:0067B1C8 pop edx
.data:0067B1C9 add eax, 7B5CD8C1h ; some manipulations
.data:0067B1CF push eax ; save it
.data:0067B1D0 push esi
.data:0067B1D1 jmp loc_0_67B1E6
.data:0067B1D1 ; ---------------------------------------------------------------------------
[skipped]
.data:0067B1E6 ; ---------------------------------------------------------------------------
.data:0067B1E6
.data:0067B1E6 loc_0_67B1E6: ; CODE XREF: .data:0067B1D1j
.data:0067B1E6 pop edx
.data:0067B1E7 pop dword ptr [ebx] ; restore it
.data:0067B1E9 movzx esi, di
.data:0067B1EC
.data:0067B1EC adjusting_next_addr_2:
.data:0067B1EC sub ebx, 2B8ECB40h
.data:0067B1F2 movsx edi, si
.data:0067B1F5 add ebx, 2B8ECB3Ch
.data:0067B1FB push 3D2C258h
.data:0067B200 jmp loc_0_67B211
.data:0067B200 ; ---------------------------------------------------------------------------
[skipped]
.data:0067B211 ; ---------------------------------------------------------------------------
.data:0067B211
.data:0067B211 loc_0_67B211: ; CODE XREF: .data:0067B200j
.data:0067B211 pop esi
.data:0067B212 sub ecx, 1
.data:0067B215 jnz loop_2
.data:0067B21B
.data:0067B21B the_end_2:
Risotto
May 28th, 2002, 22:32
************** 3
.data:0067B262 go_on_3: ; CODE XREF: .data:0067B2D9j
.data:0067B262 mov ebx, [ecx] ; get what should be decrypted
.data:0067B264 jnz decrypting_routine_3
.data:0067B26A jns decrypting_routine_3
.data:0067B270 mov di, 0E3FCh
.data:0067B274
.data:0067B274 decrypting_routine_3: ; CODE XREF: .data:0067B264j
.data:0067B274 ; .data:0067B26Aj
.data:0067B274 xor ebx, 53B8B161h ; some manipulations
.data:0067B27A xor ebx, 3DB54486h ; some manipulations
.data:0067B280 push 61CA80A6h
.data:0067B285
.data:0067B285 loc_0_67B285: ; CODE XREF: .data:0067B25Bj
.data:0067B285 jnz loc_0_67B28E
.data:0067B28B movzx esi, dx
.data:0067B28E
.data:0067B28E loc_0_67B28E: ; CODE XREF: .data:0067B285j
.data:0067B28E pop edx ; edx = 0x61CA80A6
.data:0067B28F xor ebx, 6B33147h ; some manipulations
.data:0067B295 mov dx, cx
.data:0067B298 mov [ecx], ebx ; save it back
.data:0067B29A adc di, 7E73h
.data:0067B29F sub ecx, 4 ; adjusting_next_addr_3
.data:0067B2A2 mov edx, ebx
.data:0067B2A4 sub eax, 1
.data:0067B2A7 jnz loop_3
.data:0067B2AD jmp the_end_3
.data:0067B2AD ; ---------------------------------------------------------------------------
[skipped]
.data:0067B2BD ; ---------------------------------------------------------------------------
.data:0067B2BD
.data:0067B2BD the_end_3: ; CODE XREF: .data:0067B2ADj
.data:0067B2BD jmp loc_0_67B2E5
.data:0067B2BD ; ---------------------------------------------------------------------------
[skipped]
.data:0067B2D1 ; ---------------------------------------------------------------------------
.data:0067B2D1
.data:0067B2D1 loop_3: ; CODE XREF: .data:0067B2A7j
.data:0067B2D1 push 9D118A8h
.data:0067B2D6 mov esi, edi
.data:0067B2D8 pop edx
.data:0067B2D9 jmp go_on_3
************** 4
.data:0067B317 loop_4: ; CODE XREF: .data:0067B365j
.data:0067B317 mov ecx, [ebx] ; get what should be decrypted
.data:0067B319 xor ecx, 474240AFh ; some manipulations
.data:0067B31F adc si, 0ADE4h
.data:0067B324 xor ecx, 7D450CBCh ; some manipulations
.data:0067B32A mov edi, 4B1EC450h
.data:0067B32F add ecx, 75AFE445h ; some manipulations
.data:0067B335 mov edx, 10B3D57Ch
.data:0067B33A push ecx ; save it
.data:0067B33B jmp go_on_4
.data:0067B33B ; ---------------------------------------------------------------------------
[skipped]
.data:0067B34D ; ---------------------------------------------------------------------------
.data:0067B34D
.data:0067B34D go_on_4: ; CODE XREF: .data:0067B33Bj
.data:0067B34D pop dword ptr [ebx] ; restore it
.data:0067B34F and esi, 402EE44h
.data:0067B355 sub ebx, 3 ; adjusting_next_addr_4_1
.data:0067B358 movsx edx, si
.data:0067B35B dec ebx ; adjusting_next_addr_4_2
.data:0067B35C sub esi, 47946F86h
.data:0067B362 sub eax, 1
.data:0067B365 jnz loop_4
************** 5
.data:0067B533 finding_APIs: ; CODE XREF: .data:0067B547j
.data:0067B533 mov esi, [ebx]
.data:0067B535 mov [ebp+1ECh], esi
.data:0067B53B call search
.data:0067B540 stosd
.data:0067B541 add ebx, 4
.data:0067B544 cmp dword ptr [ebx], 0
.data:0067B547 jnz short finding_APIs
.data:0067B549 popa
.data:0067B54A retn
.data:0067B54B ; ---------------------------------------------------------------------------
.data:0067B54B
.data:0067B54B search: ; CODE XREF: .data:0067B53Bp
.data:0067B54B pusha
.data:0067B54C mov ebx, [ebp+17Dh]
.data:0067B552 mov ecx, [ebx+20h]
.data:0067B555 add ecx, edx
.data:0067B557
.data:0067B557 loc_0_67B557: ; CODE XREF: .data:0067B56Cj
.data:0067B557 mov esi, [ecx]
.data:0067B559 add esi, edx
.data:0067B55B call loc_0_67B58F
.data:0067B560 mov edi, 49CD75CEh
.data:0067B565 cmp eax, edi
.data:0067B567 jz short loc_0_67B56E
.data:0067B569 add ecx, 4
.data:0067B56C jmp short loc_0_67B557
crUsAdEr
May 29th, 2002, 12:51
Hi there,
You got to do better with IDA :>... i mean if you wanna post some code here, got to remove all the junk code so that at least it looks clearer than this...
I think you are still at the beginning of AsPr heh :>... these look like a few loops decrypting the code in the last section of the AsProtected program still, basically, it looks like this
mov eax, counter
call $5
pop edx
add edx, size
Decrypt_loop
mov ecx, [edx]
xor ecx, some_crap
add ecx, more_crap
sub ecx, arghh_crap
mov [edx], ecx
sub edx, 4
dec eax; decrease counter
jnz Decrypt_loop
The rest are just garbage code inserted in between to confuse you... this loop will be repeated about 4/5 times.
I cant remember where exactly it searches for API addresses in kernel32.dll.. but basically, it starts from the beginning of the file, checks for the "MZ" signature, then gets the offset of the PE header, then gets the offset of the Export Table, parses the Export ASCII list of kernel32 till the Import wanted is found... not at home rite now to help you check out the stuff....
You have got to tell IDA not to show too much rubbish, if it's garbage, dont disassemble it... so it looks clearer...
Good luck
crUsAdEr
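An added example, not crUsAdEr's or Risotto's code: it emulates the loop template above (a chain of xor/add/sub on each dword, walking downward four bytes at a time) with the three constants from Risotto's loop_4 (xor 474240AFh, xor 7D450CBCh, add 75AFE445h), and derives the inverse chain so the emulation can be checked against a constructed section. The section address, the start address in ebx and the counter in eax are assumptions, since the posted listing does not show where loop_4 sets them.

```python
import struct

MASK32 = 0xFFFFFFFF

# Arithmetic steps of loop_4 from Risotto's listing, junk instructions stripped:
#   mov ecx,[ebx] ; xor ecx,474240AFh ; xor ecx,7D450CBCh ; add ecx,75AFE445h ; pop [ebx]
LOOP4_STEPS = [("xor", 0x474240AF), ("xor", 0x7D450CBC), ("add", 0x75AFE445)]


def apply_steps(value, steps):
    """Apply a chain of 32-bit xor/add/sub operations to one dword (the loop body)."""
    for op, const in steps:
        if op == "xor":
            value ^= const
        elif op == "add":
            value = (value + const) & MASK32
        elif op == "sub":
            value = (value - const) & MASK32
        else:
            raise ValueError(f"unknown op {op!r}")
    return value & MASK32


def invert_steps(steps):
    """Inverse chain: reverse the order, swap add/sub, keep xor (xor is its own inverse)."""
    swap = {"xor": "xor", "add": "sub", "sub": "add"}
    return [(swap[op], const) for op, const in reversed(steps)]


def run_loop(section, section_va, start_va, count, steps):
    """Emulate: ebx = start_va, eax = count; repeat count times:
        [ebx] = steps([ebx]); ebx -= 4 (sub ebx,3 / dec ebx); eax -= 1; jnz loop
    Returns a new bytes object; the input section is left untouched."""
    buf = bytearray(section)
    ebx = start_va
    for _ in range(count):
        off = ebx - section_va
        if off < 0 or off + 4 > len(buf):
            raise ValueError(f"loop would touch {ebx:#010x}, outside the dumped section")
        dword, = struct.unpack_from("<I", buf, off)
        struct.pack_into("<I", buf, off, apply_steps(dword, steps))
        ebx -= 4
    return bytes(buf)


def touched_range(start_va, count):
    """Lowest and highest VA the loop rewrites: it starts at start_va and walks down."""
    return start_va - 4 * (count - 1), start_va + 3


def demo():
    # Constructed plaintext at an assumed section VA; loop_4's real ebx/eax are not in the listing.
    section_va = 0x00401000
    plain = b"".join(struct.pack("<I", v)
                     for v in (0x8B55FF6A, 0x0000FFEC, 0x12345678, 0xDEADBEEF))
    start_va = section_va + len(plain) - 4   # ebx points at the last dword
    count = len(plain) // 4                   # eax counts the dwords
    # Build ciphertext with the inverse chain, then decrypt it with the chain from the listing.
    cipher = run_loop(plain, section_va, start_va, count, invert_steps(LOOP4_STEPS))
    recovered = run_loop(cipher, section_va, start_va, count, LOOP4_STEPS)
    lo, hi = touched_range(start_va, count)
    print(f"loop rewrites {lo:#010x}..{hi:#010x}; round trip ok: {recovered == plain}")
    return plain, cipher, recovered


if __name__ == "__main__":
    demo()
```

To apply it to a real dump, pass the section bytes and VA from the dumped file and read ebx and eax off the instructions that precede loop_4 in the debugger.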
Risotto
May 29th, 2002, 22:12
Hi, Crusader!
One more ques: how did you find or calculated the size of dll?
Thx
crUsAdEr
May 29th, 2002, 22:36
Hi,
You can check VirtualAlloc size :>>... or just use winhex to see.. sice work as well... just scroll down till you see the ???.. that should be the end of the dll...
Keep up the good work :>.. if you still need, i can post the dll loading code here...
Regards,
crUsAdEr
Risotto
May 30th, 2002, 22:17
Hello, Crusader!
Heh, i did it before i'd read your post and i did it by searching ???. In any case, thanks for help. I've dumped that dll, but one question more: why did you decide that it's a DLL? As a DLL is a mass of functions, EXPORTED functions, it should contain smth in the export table while this dumped file doesn't have exports. What the hell? Or what is this dll for then?
I've got a prob with unpacking ReGetDx. No, actually i've done everything all right, but when i run it, it goes into an infinite loop and no nag screen or whatever is seen. I've already read some threads on this board, but i found nothing appropriate. What can it be?
PS: don't mock me, i just try to understand and that's it, and thanks for help once more
Good luck, R!50770
crUsAdEr
May 30th, 2002, 22:40
Hi :>
Nice job dumping the dll.. well after i dump it and rebuild the PE header with imports, IDA says LIBRARY START or something like that at OEP... so i reckon it is a dll :>>.. but it's not that important i guess....
Yeah, trace the dll once and for all, you'll have a full understanding of how AsProtect works... pretty much the same as other packers and you will learn how to bypass IAT mangling etc... very nice to reverse cos the code is fairly clean... and tidy, only obfuscation compared to some other packers which have lots of compiler generated junk code...
Have fun
crUsAdEr
P.S : i dont laugh at ppl :>, only smile and grinz as you see (at least i hope i dont :> ... and it's nothing to make a mistake and get laughed off, you learn from your mistakes .. so no worry, being a newbie is nothing to be ashamed about... stopping learning is something to be... okie enuff philosophical crap.. back to integration