
Some questions about ASProt dll


Lemon13
September 22nd, 2002, 10:34
Hi all, thanx in advance for reading my troubles...
I'm trying to reverse a firewall, Outpost Pro (deleted): has anyone experienced it yet? Well, I'm new at unpacking and so on, but I'm reading some texts about it.
The problem is that the program is protected by ASProtect, which encrypts the dll that loads the ui. At the moment of loading this library (opst_ui.dll) from the module engine.dll there's the validation check plus the time limit dialog.
I dumped it, but the thing I can't work out by myself is the OEP. There's a lot of self-modifying code (I think it is half ASProtect and half the dll itself, but I don't know...). Tracing it does not work: it crashes at some kernel code.
If anyone has some time, I will be very happy to have a 'tutor' for this program.
Thank you!!!

Lemon13
September 22nd, 2002, 10:52
it's build 18xx, if this could help.

DakienDX
September 22nd, 2002, 11:02
Hello Lemon13 !

How did you "dump" it without knowing the OEP?
You can only dump at the OEP or else your dump will probably not work since some data is already initialized.

Why don't you use the search function? ASProtect is the most discussed protector here and anything about it can be found just by searching.

So you want to "reverse" the program and you are searching for a "tutor".
I'm sure this could be interpreted differently, but I will leave it as it is now.

Lemon13
September 22nd, 2002, 18:18
Sorry if my questions could be a little stupid: I admit, I'm quite new to unpacking problems, but I could _not_ find the OEP by myself. However, you say that without knowing the OEP you can't dump because you will have initialized data: but I can't find the exact point where it jumps inside the real code of the user interface.
Believe me, I trace inside every call, and after many days of "work" I understood that it jumps inside the real code from a kernel routine: don't ask me how it does this, because when tracing with SoftICE there's a crash due to an invalid instruction inside the kernel call. My little request was to find someone who had already cracked Outpost, if he could give me help.
Tell me if the thread is too stupid, I will learn more and then come back.

nofurs
September 22nd, 2002, 18:23
Hi,
I think that DakienDX has mentioned searching the forum. There are lots of threads about this.

> My little request was to find out someone who had already cracked Outpost, if he could give me help.

You have come to the wrong forum. You should post some code and show what you have "done".

Paul333
September 23rd, 2002, 21:20
I think I know where Lemon's coming from; I suspect he's a bit like me. I've cracked a lot of "normal" programs and the majority of them was by trial and error. That's normal apps, BUT when it comes to unpacking apps packed with a protector like ASPROTECT I'm totally stumped. I'm lost. LOTS of peeps say in their tutorials "ok, find the OEP", then go on to telling you what it is; they don't explain how to find it, they just assume you should know, but it's hard for us newbies even with tutorials. Here's an example: I'm trying to unpack Sniffem, which is packed with asprotect 2.1 new strain. I know I need to find the OEP, so I used PIED v1.81, chose "find entry point" from its menu and it gives me 40b0co. I then use that number in REVIRGIN 1.3 and click resolve. I see lots of function names and guess it's working, helping me find the imports, but there's 1 missing, so I click RESOLVE again but still 1 missing. I'm stuck at this point because there's 1 still missing; I have to find it manually but I haven't a clue how to go about it. So please bear with us newbies. Sometimes it helps us if someone can talk us through our probs bit by bit so we get a greater understanding of how to go about unpacking these apps. It'd be great if one of you could sit down and write a really in-depth guide on how to unpack these apps bit by bit, leaving nothing out. It'd be appreciated.

paul333

evaluator
September 24th, 2002, 08:55
hey!

To do proper unpacking everyone must use a tool called a DEBUGGER.
REVIRGIN, ImpREC, "PIED" (PEiD!?) & others are additional helper tools to make your life easy!
(for example you are not forced to build the ImportTable manually)

So when you miss some api name in RV you will use the DEBUGGER & look at the problem with your own eyes.
So you will find the OEP manually & will be 100% sure it is right.

SO START LEARNING TO USE A DEBUGGER!

PS.
For RV leave the value 401000 in the OEP field.

Lemon13
September 26th, 2002, 08:19
hi all,
a lot of thanx to ... who suggested that I learn to use a debugger. I added my brain to it and finally arrived at the OEP. I searched for the pattern POPAD; JMP EAX and it was always located in a range of data and code, but only after the loading of the dll. The real problem was that this address (of POPAD; JMP EAX) changes every time the program is run. But it follows a pattern, and after some work I found it's located ~20 bytes before one of the two ascii strings 'MFC42.DLL' (second occurrence) or 'gger' (first) (which stands for debu_gger_ detected etc.), and in the byte where POPAD; JMP EAX will be decrypted there's a 0x69. After some time I found out the OEP, which is E7506D. Is this the standard ASProtect routine?
I used SuperBPM too!
Now I'm going to search for more info about IAT and RVA before posting any more; no more stupid questions. Thanks to all and sorry for my first post!

DakienDX
September 26th, 2002, 09:56
Hello Lemon13 !

Well, well, this is a much better attitude now.

The reason why the jump to the OEP is always at a different location is already known. ASProtect uses GetSystemTime to randomize this part of the protection.

If GetSystemTime "returns" the same value two times, the jump to OEP is also at the same address both times, so you can break on it.

BruceLee
September 26th, 2002, 21:08
thx for the tip about GetSystemTime. I found the OEP. It's no problem anymore, hehehe, until the next version

Bruce Lee

Lemon13
September 27th, 2002, 18:40
hi all,
I feel better now that you wrote me that I have not spent my time on useless work!
These days I've got little time to spend on my target, but I have a question: I made the dump (after entering an infinite loop on the OEP) with LordPE and I used the [partial] option; is that right?
And another question: does the dll itself have its own IAT? Is that right, or does it use the executable's IAT in some way? This is because tutorials are 99.9% about .exe files and not dlls, and now I'm a little confused about how to re-build a valid import table.
However I will work it out...
thank you!!! bye

DakienDX
September 27th, 2002, 22:11
Hello Lemon13 !

If you use the right values for a partial dump it'll work fine, but you should try a full dump first, so you don't need to care about the values you're using.

DLLs have an IAT too, just like EXEs. You can unpack a DLL nearly the same way as an EXE, but you'll have to take care of the relocations and the image base, because this is important in DLLs, unlike in EXE files where you can usually ignore it.
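As an added example that is not part of this thread (my own code, not any poster's and not the output of any tool named above), here is a small PE32 import-directory and base-relocation walker in Python, run against a constructed flat image rather than a real DLL. It illustrates the two points in DakienDX's last reply: a DLL's import descriptors and IAT have exactly the same layout as an EXE's, and the .reloc table is what must be applied when the address a DLL was actually loaded at differs from its preferred ImageBase. The image treats RVA == offset, as a section-aligned dump does. All offsets (0x100, 0x180, 0x1C0, 0x200, 0x210), the bases 0x10000000 / 0x00400000 and the import names are constructed sample values.

```python
import struct

# Relocation types from the PE/COFF specification (32-bit images).
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fixup
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address: add the base delta


def read_u32(image, rva):
    """Little-endian DWORD at the given RVA of a flat (RVA == offset) image."""
    return struct.unpack_from("<I", image, rva)[0]


def _cstr(buf, off):
    """NUL-terminated ASCII string at offset 'off'."""
    end = buf.index(b"\0", off)
    return buf[off:end].decode("ascii")


def parse_imports(image, import_dir_rva):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array of a flat PE32 image and return
    {dll_name: [(iat_slot_rva, api_name_or_ordinal), ...]}.  The same structure
    is used by EXEs and DLLs alike."""
    result = {}
    off = import_dir_rva
    while True:
        # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<5I", image, off)
        if name_rva == 0 and ft == 0:
            break                          # all-zero descriptor ends the array
        dll = _cstr(image, name_rva)
        thunks = oft or ft                 # no OFT: names are read from FirstThunk
        entries = []
        i = 0
        while True:
            t = read_u32(image, thunks + 4 * i)
            if t == 0:
                break
            slot = ft + 4 * i              # IAT slot the loader overwrites at load time
            if t & 0x80000000:             # import by ordinal
                entries.append((slot, "ordinal#%d" % (t & 0xFFFF)))
            else:                          # IMAGE_IMPORT_BY_NAME: WORD hint, then name
                entries.append((slot, _cstr(image, t + 2)))
            i += 1
        result[dll] = entries
        off += 20
    return result


def parse_reloc_blocks(reloc):
    """Flatten a .reloc directory into [(rva, type), ...].  Each block is
    IMAGE_BASE_RELOCATION {PageRVA, SizeOfBlock} followed by WORD entries with
    the type in the top 4 bits and the page offset in the low 12 bits."""
    out = []
    off = 0
    while off + 8 <= len(reloc):
        page_rva, block_size = struct.unpack_from("<II", reloc, off)
        if block_size < 8:
            break                          # malformed or terminating block
        n = (block_size - 8) // 2
        for e in struct.unpack_from("<%dH" % n, reloc, off + 8):
            out.append((page_rva + (e & 0xFFF), e >> 12))
        off += block_size
    return out


def rebase_image(image, reloc, old_base, new_base):
    """Patch every HIGHLOW fixup in a flat image so absolute pointers that
    assumed old_base now assume new_base.  Returns the number of fixups applied."""
    delta = (new_base - old_base) & 0xFFFFFFFF
    patched = 0
    for rva, rtype in parse_reloc_blocks(reloc):
        if rtype == IMAGE_REL_BASED_ABSOLUTE:
            continue                       # alignment padding, nothing to patch
        if rtype != IMAGE_REL_BASED_HIGHLOW:
            raise ValueError("unsupported relocation type %d" % rtype)
        struct.pack_into("<I", image, rva, (read_u32(image, rva) + delta) & 0xFFFFFFFF)
        patched += 1
    return patched


def build_sample_image():
    """Constructed sample, not a real binary: a 0x300-byte flat image with a
    preferred base of 0x10000000, one import descriptor and one .reloc block."""
    img = bytearray(0x300)
    # three absolute pointers into the image, valid only at base 0x10000000
    struct.pack_into("<3I", img, 0x40, 0x10000200, 0x10000100, 0x10000210)
    # import descriptor: OFT=0x180, stamp=0, fwd=0, Name=0x200, FT=0x1C0
    struct.pack_into("<5I", img, 0x100, 0x180, 0, 0, 0x200, 0x1C0)
    # name table and not-yet-bound IAT: one import by name, one by ordinal
    struct.pack_into("<3I", img, 0x180, 0x210, 0x80000001, 0)
    struct.pack_into("<3I", img, 0x1C0, 0x210, 0x80000001, 0)
    img[0x200:0x20D] = b"KERNEL32.dll\0"
    img[0x210:0x220] = b"\0\0GetSystemTime\0"      # hint WORD + name
    # one reloc block for page 0: three HIGHLOW entries plus one ABSOLUTE pad
    reloc = struct.pack("<IIHHHH", 0, 16, 0x3040, 0x3044, 0x3048, 0x0000)
    return img, reloc


if __name__ == "__main__":
    img, reloc = build_sample_image()
    for dll, slots in parse_imports(img, 0x100).items():
        print(dll, slots)
    print("fixups applied:", rebase_image(img, reloc, 0x10000000, 0x00400000))
```

In a dump taken from memory the FirstThunk slots no longer hold name RVAs but the addresses the loader wrote there, which is exactly why ReVirgin or ImpREC is needed to turn those addresses back into names and rebuild the descriptors; for a DLL, the relocation pass above (or letting the loader do it by keeping the .reloc section intact) is the extra step an EXE unpacker usually gets to skip.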