LaBBa
August 3rd, 2002, 22:11
hi all
Well, this prog I found didn't at first seem to be ASPR,
but then I knew that it was ASPR...
Examine32 v4.00
http://www.examine32.com/
the OEP seems to be AT : 401000
OK, then I dumped it and tried to rebuild it with ImpREC. I put OEP=1000, then Get Imports, and got only 1 invalid
section!
OK, we know that trick: the size is wrong, so I changed it to 3000,
cleared all and re-got imports =) Seems OK now...
But... when I try to do Trace Level 1 it FAILS!!!!
So I tried to use Revirgin and got the same!!!
What the hell is going on???
Hope to get an answer soon, thanks...
nikolatesla20
August 4th, 2002, 02:55
I am not trying to sound mean, but the next step is to use your BRAIN !!!
Are you familiar with the PE file format? You can't depend on a tool to do all the work for you. These are very advanced tools. You need to still know what they are really doing to use them effectively. No tool can replace clear thinking !
Most likely you simply ran into one of **Protect's tricks, such as getting GetVersion on its own and storing it in a memory variable. The program later gets it from this memory variable instead of calling ANY api. This will fool any tracer.
One way around problems is to use Windows 2000, and use the Revirgin emulator plug-ins. The **Protect plug-in does a good job of detecting (thru the use of opcodes) these "common" anti-trace features.
Finding an OEP is never really all that difficult, although it can be confusing for newbs (it was for me for a while). Most programs use a similar structure. You can use this to your advantage.
Here is a trick I like to use:
1. Run the app. Dump it from memory. Yes, you cannot use it yet, but go ahead and get a decrypted, unpacked dump.
2. Rebuild the import table as best you can. You may not know all the imports but try to get some of them.
3. Dead list it with WinDasm, look for common routines to see if they may be the OEP. For example, a call to GetVersion just below the stack frame setup (push ebp, mov ebp,esp), or if the app is MFC look for a __set_app_type call. This is done after the OEP. If the program appears to be written in Delphi you can simply use DeDe on it while the program is running to find the OEP. If it's VB, you can simply dump the running program and open it up in WinDasm and look for the only string reference "VB5!". Where you see this string reference being PUSHED is the OEP.
PLUS dumping like this and deadlisting will show you the jump table, a DIRECT LINK to the import table. All the jumps jump to an address in the IAT. So you can write down one of these "jmp dword ptr [xxxxxxxx]" addresses (the xxxxxxxx part) and this is where your IAT will be. Now go into SI and look at it!!!! See where it starts. Go back out and fire up Revirgin. DON'T EVEN BOTHER setting the OEP in Revirgin, it does not need it. Just set the IAT start and throw in a number for the end. Press "resolve". If you don't seem to get enough functions, just make the IAT end larger until you start to get blank resolves. You have the whole table now and can work from there.
Windows 2000 is the best OS I've found to use Revirgin. Also DO A SEARCH SEARCH SEARCH, this protection has been done to death, so do a search and READ! You will find there have been several posts even lately. READ THEM!!!
-nt20
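The jump-table trick from the post above, automated: scan an unpacked dump for "jmp dword ptr [addr]" thunks and use their targets to bound the IAT (start RVA and size, the two numbers Revirgin/ImpREC want). This is an added Python example, not code from the thread or from any of the tools named; the dump bytes, the image base 0x400000, the image size and the IAT address are constructed assumptions, and it also accepts "call dword ptr [addr]" thunks, which compilers emit just as often.

```python
import struct

# Constructed sample, not a real Examine32 dump: a few bytes of ordinary code,
# one "jmp dword ptr [0]" that points outside the image (must be ignored), and a
# jump table of "jmp dword ptr [addr]" thunks (FF 25 imm32) into an IAT.
IMAGE_BASE = 0x400000          # assumed image base of the dumped program
IMAGE_SIZE = 0x100000          # assumed size of the mapped image
IAT_VA = 0x4420F0              # constructed IAT location inside the image
JUMP_TABLE = b"".join(
    b"\xff\x25" + struct.pack("<I", IAT_VA + 4 * slot) for slot in (0, 1, 2, 5, 7)
)
NOISE = b"\x55\x8b\xec\xe8\x11\x22\x33\x44" + b"\xff\x25\x00\x00\x00\x00"
SAMPLE_DUMP = NOISE + JUMP_TABLE + b"\xc3"

# Opcodes that read a function pointer from memory: FF 25 = jmp [imm32], FF 15 = call [imm32]
THUNK_OPCODES = {0x25: "jmp", 0x15: "call"}

def find_thunk_targets(data, image_base=IMAGE_BASE, image_size=IMAGE_SIZE):
    """Decode every FF 25 / FF 15 imm32 and return the sorted set of targets that
    fall inside the image; targets outside it are noise, not IAT slots."""
    targets = set()
    i = 0
    while i + 6 <= len(data):
        if data[i] == 0xFF and data[i + 1] in THUNK_OPCODES:
            target = struct.unpack_from("<I", data, i + 2)[0]
            if image_base <= target < image_base + image_size:
                targets.add(target)
                i += 6          # skip over the whole instruction
                continue
        i += 1
    return sorted(targets)

def estimate_iat(targets, image_base=IMAGE_BASE):
    """Bound the IAT from the thunk targets: (start RVA, size in bytes, slot count).
    Unreferenced slots between the lowest and highest target are counted too,
    since the table is contiguous; if this looks too small, widen the end by hand."""
    if not targets:
        return None
    start, end = targets[0], targets[-1] + 4   # each slot holds a 4-byte pointer
    return start - image_base, end - start, (end - start) // 4

if __name__ == "__main__":
    found = find_thunk_targets(SAMPLE_DUMP)
    rva, size, slots = estimate_iat(found)
    print("IAT RVA %05X size %X (%d slots)" % (rva, size, slots))
```

The reported end is only a lower bound: thunks reference the slots the code uses, so as the post says, grow the end until resolves come back blank.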
h8er
August 4th, 2002, 13:05
The program is protected with ASPack and not with ASPR.
Dump the file; OEP is 1000.
Load Examine with Symbol Loader.
bpr 442000 442000+948 rw
0187:0045017D C1F902 SAR ECX,02
0187:00450180 F3A5 REPZ MOVSD <- you pop here
0187:00450182 8BC8 MOV ECX,EAX
0187:00450184 83E103 AND ECX,03
0187:00450187 F3A4 REPZ MOVSB
0187:00450189 5E POP ESI
0187:0045018A 6800800000 PUSH 00008000
0187:0045018F 6A00 PUSH 00
0187:00450191 FFB552010000 PUSH DWORD PTR [EBP+00000152]
0187:00450197 FF9551050000 CALL [EBP+00000551]
0187:0045019D 83C608 ADD ESI,08
0187:004501A0 833E00 CMP DWORD PTR [ESI],00
0187:004501A3 0F851EFFFFFF JNZ 004500C7
0187:004501A9 6800800000 PUSH 00008000
0187:004501AE 6A00 PUSH 00
0187:004501B0 FFB556010000 PUSH DWORD PTR [EBP+00000156]
0187:004501B6 FF9551050000 CALL [EBP+00000551]
0187:004501BC 8B9D31050000 MOV EBX,[EBP+00000531]
0187:004501C2 0BDB OR EBX,EBX
0187:004501C4 7408 JZ 004501CE
0187:004501C6 8B03 MOV EAX,[EBX]
0187:004501C8 878535050000 XCHG EAX,[EBP+00000535]
0187:004501CE 8B9522040000 MOV EDX,[EBP+00000422]
0187:004501D4 8B852D050000 MOV EAX,[EBP+0000052D]
0187:004501DA 2BD0 SUB EDX,EAX
0187:004501DC 7479 JZ 00450257
0187:004501DE 8BC2 MOV EAX,EDX
0187:004501E0 C1E810 SHR EAX,10
0187:004501E3 33DB XOR EBX,EBX
0187:004501E5 8BB539050000 MOV ESI,[EBP+00000539]
0187:004501EB 03B522040000 ADD ESI,[EBP+00000422]
0187:004501F1 833E00 CMP DWORD PTR [ESI],00
At 450182, d 442000: this is your IT, and down there's the complete IAT, so here dump 442000 948.
IT RVA 42000, size f0
IAT RVA 420f0, size 948
Fix the dump.
To bypass the CRC check:
bpx readfile
f5 x 11
f11
bd *
bpx 424aa7
0187:00424AA7 84DB TEST BL,BL
0187:00424AA9 750C JNZ 00424AB7 nop here
0187:00424AAB 807DFF00 CMP BYTE PTR [EBP-01],00
0187:00424AAF 7506 JNZ 00424AB7 nop here
0187:00424AB1 807DFE00 CMP BYTE PTR [EBP-02],00
0187:00424AB5 7440 JZ 00424AF7 jmp here
0187:00424AB7 BE288F4300 MOV ESI,00438F28
0187:00424ABC 8D7DE0 LEA EDI,[EBP-20]
0187:00424ABF B905000000 MOV ECX,00000005
0187:00424AC4 F3A5 REPZ MOVSD
0187:00424AC6 66A5 MOVSW
0187:00424AC8 8D85DCDEFFFF LEA EAX,[EBP+FFFFDEDC]
0187:00424ACE 50 PUSH EAX
0187:00424ACF 8D55E0 LEA EDX,[EBP-20]
0187:00424AD2 52 PUSH EDX
0187:00424AD3 8D8DD8DDFFFF LEA ECX,[EBP+FFFFDDD8]
0187:00424AD9 51 PUSH ECX
0187:00424ADA E8CB040100 CALL USER32!wsprintfA
0187:00424ADF 83C40C ADD ESP,0C
0187:00424AE2 6A30 PUSH 30
0187:00424AE4 683E8F4300 PUSH 00438F3E
0187:00424AE9 8D85D8DDFFFF LEA EAX,[EBP+FFFFDDD8]
0187:00424AEF 50 PUSH EAX
0187:00424AF0 6A00 PUSH 00
0187:00424AF2 E8C3030100 CALL USER32!MessageBoxA
0187:00424AF7 33D2 XOR EDX,EDX
0187:00424AF9 8AD3 MOV DL,BL
0187:00424AFB 33C9 XOR ECX,ECX
0187:00424AFD 8A4DFF MOV CL,[EBP-01]
0187:00424B00 03D1 ADD EDX,ECX
0187:00424B02 33C0 XOR EAX,EAX
0187:00424B04 8A45FE MOV AL,[EBP-02]
0187:00424B07 03D0 ADD EDX,EAX
0187:00424B09 85D2 TEST EDX,EDX
0187:00424B0B 0F95C0 SETNZ AL xor eax,eax here
0187:00424B0E 83E001 AND EAX,01
0187:00424B11 5F POP EDI
0187:00424B12 5E POP ESI
0187:00424B13 5B POP EBX
0187:00424B14 8BE5 MOV ESP,EBP
0187:00424B16 5D POP EBP
so
00424AA9 750C -> 9090
00424AAF 7506 -> 9090
00424AB5 7440 -> EB40
00424B0B 0F95C0 -> 33C090
Now the program runs normally.
Bye
Woodmann
August 4th, 2002, 20:32
Howdy,
I know people are trying to be helpful but...............
Stop doing the work for them. They will learn nothing.
Peace, Woodmann
h8er
August 4th, 2002, 22:17
Sorry Woodmann, next time I will be less helpful.