wbe
July 16th, 2002, 21:42
Latest aspr tricks

Looking for an asprotected app to see what was new with it after some time. I found a fresh one from AHAsoft. Knowing they were a dedicated customer of aspr, I downloaded it immediately.

Well, as +SplAj posted a few days ago (GetSystemTime-randomizer thread), aspr has a "hopping POPAD" this time, LOL. This reminded me of the frequency hopping trick used on military radios to restrain channel tapping. Then I checked what was new with the RegQueryValueExA trick. This time, it writes the date used/# of times used values (binary) under HKCU\Software\Asprotect\Data. Deleting them does not fool aspr. If it can't see them there it checks hundreds of (maybe a thousand) CLSID values. Lol, this is absolutely better than killing Regmon alone. The two inline patchers also fail on this version of aspr. Good work, Alexey's raising his standards.

Anyway, I thought this may draw some attention. And, yes, it works fine.

wbe

+SplAj
July 17th, 2002, 07:28
Yes wbe

Alexey has changed the rulez for regmon/filemon monitoring. ASPR now has a much better 'registration/trial validation' scheme.

HKCU\Software\Asprotect\Data

appears to be a red herring.

The scheme needs closer attention ...... for those that don't unpack in 30 days

Spl/\j

Kayaker
July 17th, 2002, 07:49
I like the new talking avatar Spl/\j, but isn't that a lot of hair for an OBC?



ONBC

+SplAj
July 17th, 2002, 08:19
Hi Kayaker

did you 'negative' my new wig..... is it blonde or black

BTW did you d/l the latest ASPR freebie from Aaron ....... if you unpack it you can see a new option to add 'Delphi form protection' to aspr projects....maybe that's what 'puzzled' has found out ????

and it's a bit late in the morning for U ... go to bed

Spl/\j

foxthree
July 17th, 2002, 09:38
Hiya +SplAj:

How're ya? The Delphi Form Protection is a tool rumored to be released along with the 1.2 beta itself. It is supposed to remove a lot of stuff from Delphi form resources making it difficult to reverse with DeDe. I believe, LBolt (who was struggling with Quick-to-Do or something like that) also found it in the wild ...

Nice work on the rebased OEiP stuff, +SplAj guru. The HKCU\Software\ASProtect\Data stuff was somewhat old I guess. I found it much earlier in some ASProtected apps like AATools, I think. But didn't attach much significance to that ... 'coz still deleting one key gives back your 30 days... lol

Rumor also has it that future ASPro* version might change its reg. key format from a base64 encoded one to fixed set of hex digits. YMMV

Signed,
-- FoxThree

nikolatesla20
July 17th, 2002, 14:05
They say that most people arrive at their decisions while taking a number #2 on the toilet....

ALexey must be doing a lot of thinking nowadays lol

-nt20

Athlon
July 17th, 2002, 14:23
What is the new aspr packed with the one from Aaron?

+SplAj
July 17th, 2002, 16:03
an 'unknown' aspack......

a) manually unpack it...

or

b) just change the 2 bytes at aspack code start to match some that aspackdie expected and it unpacks ok, but without filling in oeip + it detail in peheader. That is easy to find if you do a)


Spl/\j

snaker
July 17th, 2002, 17:52
The ASProtect.exe is plain simple ASPack 2.12, just OEP is shifted 1 byte backwards to fool detectors and unpackers maybe.

New ASPR even seems same as the 1.2x Betas, just that varied OEP jump thingy.

Athlon
July 18th, 2002, 04:26
Ok I have no idea what you mean by shifted 1 byte and I don't know how to manually unpack (newbie) but I ain't even gonna ask, I've seen how you responded to the others that asked similar

snaker
July 18th, 2002, 06:47
Athlon, Uhm, buddy, me replied? I just posted 4 messages here, don't even remember them and I surely don't remember anyone asking me to help them unpack anything here

Anyways about the ASProtect executable itself,

004D3001 > 90 NOP
004D3002 60 PUSHAD
004D3003 E8 03000000 CALL ASPROTEC.004D300B
004D3008 -E9 EB045D45 JMP 45AA34F8
004D300D 55 PUSH EBP
004D300E C3 RETN
004D300F E8 01000000 CALL ASPROTEC.004D3015
004D3014 EB 5D JMP SHORT ASPROTEC.004D3073
004D3016 BB ECFFFFFF MOV EBX,-14
004D301B 03DD ADD EBX,EBP

This is the disassembly from the current EntryPoint. By shifted 1 byte I meant, that if you look at previous ASPack versions you'll see that the EntryPoint byte is generally 60h -> PUSHAD and the byte before the EntryPoint is 90h -> NOP

So basically all Alexey has done is probably to trick the detection engines, pushed the EntryPoint 1 byte back.

Maybe some internal things have changed. My CASPR couldn't unpack it even if I *corrected* this EntryPoint thingy.

But unpacking it remains just as easy as unpacking previous ASPacks ( 2.12 is closest to this ASPack )

Simply put a BPX at 004D33B0 and run it. When your debugger breaks you should ( will ) see something like this

004D33B0 61 POPAD
004D33B1 75 08 JNZ SHORT ASPROTEC.004D33BB
004D33B3 B8 01000000 MOV EAX,1
004D33B8 C2 0C00 RETN 0C
004D33BB 68 D0DF4800 PUSH ASPROTEC.0048DFD0
004D33C0 C3 RETN

The OEP is thus 0048DFD0 so you can dump it and rebuild your imports using ImpREC or REVirgin or whatever you use

If all this is too bad a reply for you, you can use a simple little ASPack script for ProcDump I did sometime back, it should unpack some ASPacked files you have.

[ASPack 2.12]
L1=OBJR
L2=LOOK 61,75,08
L3=BP
L4=WALK
L5=WALK
L6=EIP
L7=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000

Read a document on how to add scripts to ProcDump if you don't know it already and enjoy. It works on the exact same principle I discussed above

This script works on most ASPacks since 2.000 or even a bit before I think. It won't work on the ASPack 2.11x series as they use poly.

Anyways, Enjoy and I *hope* this helps you

Greeting to FoxThree [ I await a mail ] and to +SplaJ
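The one-byte entry-point shift snaker describes above is a packer-identification problem for anyone writing or tuning a detector: a signature matched strictly at AddressOfEntryPoint misses a stub whose first byte is the NOP instead of the PUSHAD. The example below is added here and is not code from the thread or from any tool named in it. It parses the PE header far enough to map the entry point to a file offset, then matches the ASPack 2.12 stub bytes from snaker's listing either exactly at the entry point or within a small window around it. The signature constant is taken from that listing only (real packer databases use longer, wildcarded patterns), and the PE image used for the demonstration is constructed in-block so the script runs offline.

```python
import struct

# Stub bytes from snaker's listing above, starting at the PUSHAD (60h).
# Constructed constant for this example only; real detectors use longer patterns.
ASPACK_212_SIG = bytes.fromhex("60E803000000E9EB045D4555C3E801000000EB5DBBECFFFFFF03DD")


def parse_pe(img):
    """Return (AddressOfEntryPoint, [(name, vsize, va, rawsize, rawptr), ...]) of a PE32 image."""
    if img[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", img, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", img, e_lfanew + 20)[0]    # SizeOfOptionalHeader
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    ep_rva = struct.unpack_from("<I", img, opt + 16)[0]           # AddressOfEntryPoint
    sections, off = [], opt + opt_size        # section table starts right after the optional header
    for _ in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", img, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rawsize, rawptr))
        off += 40                             # IMAGE_SECTION_HEADER is 40 bytes
    return ep_rva, sections


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset through the section table; None if it falls in no section."""
    for _name, vsize, va, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    return None


def match_aspack(img, ep_off, window=0):
    """Offset of the stub signature relative to the entry point within +/-window, or None.

    window=0 is the strict 'signature at EP' rule that a one-byte shift defeats;
    a small window (even 1) is enough to catch the shifted stub from the thread.
    """
    for delta in range(-window, window + 1):
        start = ep_off + delta
        if start >= 0 and img[start:start + len(ASPACK_212_SIG)] == ASPACK_212_SIG:
            return delta
    return None


def classify(img, window=0):
    """Convenience wrapper: parse, locate EP in the file, and match (None = not identified)."""
    ep_rva, sections = parse_pe(img)
    ep_off = rva_to_offset(ep_rva, sections)
    if ep_off is None:
        return None
    return match_aspack(img, ep_off, window)


def build_demo_pe(section_bytes, ep_in_section):
    """Constructed, header-only PE32 image (parseable, not loadable) used for the demonstration."""
    sect_va, raw_ptr, opt_size = 0x1000, 0x200, 0xE0
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, sect_va + ep_in_section)       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                      # ImageBase
    sect = struct.pack("<8sIIIIIIHHI", b".aspack", len(section_bytes), sect_va,
                       len(section_bytes), raw_ptr, 0, 0, 0, 0, 0x60000020)
    img = bytearray(dos + coff + opt + sect)
    img += b"\0" * (raw_ptr - len(img))
    img += section_bytes
    return bytes(img)


if __name__ == "__main__":
    stub = bytes.fromhex("90") + ASPACK_212_SIG          # NOP, then the stub, as in the listing
    classic = build_demo_pe(stub, 1)                     # EP on the PUSHAD (older ASPack builds)
    shifted = build_demo_pe(stub, 0)                     # EP on the NOP (the build in this thread)
    print("classic, strict :", classify(classic))        # 0
    print("shifted, strict :", classify(shifted))        # None
    print("shifted, window4:", classify(shifted, 4))     # 1
```

The strict rule identifies the older layout and misses the shifted one; widening the match by a few bytes recovers it at delta 1 without loosening the signature itself.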

Athlon
July 18th, 2002, 07:25
Thanks A LOT Man this will be the first thing I unpacked and I'm sure it will be fun and learning and what I meant wasn't directed towards you. I just seen people ask about similar things and people here tore them a new head. I thank you, as generous as you are I will tell you how it goes

+SplAj
July 18th, 2002, 07:33
naaa, we just rip new ass holes.....it gets to the point quicker

Athlon
July 18th, 2002, 11:21
Maybe I'm doing something wrong snaker but it won't break at all

BTW I'm on 2k

+SplAj
July 18th, 2002, 14:24
Athlon

Just change the 90 90 60 at aspack section to 90 60 90 and run aspackdie1.3x

change entrypoint to 8DFD0 and ImportTable to 9E000 with LordPE and you're done.

Now run 'dede' on it and find ZILCH cos Alexey removed TPF0 from forms and also the RCdata 'packageinfo' voided.


His tricks are very effective as Kayaker discussed with puzzled.

Spl/\j

Athlon
July 18th, 2002, 15:11
Thanks +SplAj it worked was hoping to learn a lil about unpacking but thanks anyway

+SplAj
July 18th, 2002, 15:40
Athlon....

well in this thread we were discussing wtf Alexey added in aspr1.23beta and RC1 for us.

Well now we know a few...

1) OEiP Hopper ..... (I like that description)
2) New Trial check scheme
3) Delphi exe 'dede' fuxor (kisses to 'puzzled' for jerking our chain)
4) ?????

BUT, Athlon

If you want to unpack starting Win2K without beloved Icedump/W98 weaning... then that's a little tough

have you patched out NTice.sys etc ? have you NTicedump to protect BPM ? Have you studied Win32 PE header structure ?
hmmmm.......

Send me a large box of chocolates to unpack and I'll teach you to manually exe unpack

Spl/\j

Athlon
July 18th, 2002, 16:28
I started cracking on 2k cuz since there ain't gonna be no more of the 9x line figured I might as well get used to it that way and yea I patched ntice.sys I'm studying the PE-Format Now. As for the chocolates what's your addy Thanks Hope I'm not a bother

P.S Alexey didn't add no destructive code did he? My computer is acting really really weird since I unpacked that ?

puzzled
July 18th, 2002, 16:42
heeeeeeeeeee
it was alexey after all
oh my oh my

Lbolt99
July 18th, 2002, 18:52
Quote:
Originally posted by foxthree
Hiya +SplAj:

How're ya? The Delphi Form Protection is a tool rumored to be released along with the 1.2 beta itself. It is supposed to remove a lot of stuff from Delphi form resources making it difficult to reverse with DeDe. I believe, LBolt (who was struggling with Quick-to-Do or something like that) also found it in the wild ...
-- FoxThree


Hi, how's it going, yeah I did run into a really strange situation with Quick-to-Do pro. I'm not sure it was the form protection tool provided with ASprotect, though, not sure. I'll have to check it against the "fixes" posted in this thread to see if it all adds up. The main problem was the procedure code for the about box, it was just garbage. But that was no big deal. The big problem was the task scheduler wouldn't accept more than 12 tasks.

bpx on createwindow before trying to put in a 13th, ret a few times and there was a comparison code a little bit above. Worth a look at this prog if you ever get bored. There are encrypted strings too, none of the "good" stuff was found with DeDe or Win32Dasm. In fact those didn't help at all with this prog

Also fox3, you might want to take a look at some of Sapphire's games with regard to OEPfinder. I found that OEPfinder stops responding when trying to run on a program that changes the screen res at startup (goes to 640x480), specifically BattleJeep game was a problem. I'm not sure if anyone else has duplicated the problem but I figured I'd mention it cause it might have something to do with the Screen resolution change. Anyway /tracex found it, but Oepfinder is a little more convenient

Other than that, OEPFinder has worked great, saved much time over /tracex.

Take care

antman
July 22nd, 2002, 03:26
Quote:
Originally posted by wbe
Latest aspr tricks

Looking for an asprotected app to see what was new with it after some time. I found a fresh one from AHAsoft. Knowing they were a dedicated customer of aspr, I downloaded it immediately.

Looking for new aspr? Don't forget codecharge studio (www.codecharge.com can register with fake email for the download).

Uses Asprotect 1.23a (no reg key at HKCU) and only the dlls are encrypted (ccproject.dll has the check near 1b:100115da after unpacking) . Looks like they thought that the decryption of the main exe was slow...

_Servil_
July 24th, 2002, 22:01
I would say DeDe, the latest bld, with implemented dumper disassembles .aspr-ed apps quite well, regardless if forms/packageinfo ripped or not...