Asprotect..


Hopcode
October 24th, 2002, 01:51
Hello!

I'm working on a target. It's called "Aston" and it's a shell for Windows, so you can have a better desk.
Anyway, I am messaging you guys because I would like to know how to determine which version of Asprotect my target is using.
Does Asprotect contain some values in it to determine the version, such as the stuff you can find in a SecuROM or SafeDisc executable?
I have been searching and found nothing, but I could have missed it.
While working on this target, I'm experiencing one problem.
There are several exe files, and 3 of them are protected by Asprotect. I managed to unpack 2 of them, and the third one is almost working, but still crashes. Dunno why. I'm doing the same as on the 2 other targets!

Could someone have a look and tell me how old it is?
I think it's 1.2 with API emulation, but I'm not sure.

h**p://www.astonshell.com/dl.php?aston.zip

Maybe it crashes because of checks or missing Asp addresses.
The exe I'm having problems with is "A-master.exe".
The two other ones have been unpacked without any problem!

Is:

push api
mov eax, some_addi
call eax

a trick of Asprotect? Or did I fuck something up?
(except API emulation I mean..)
I unpacked a good amount of Asprotect targets already, and never found this yet. You guys probably did, but I don't spend my time on Asprotect; there are so many versions out there!

Please, don't flame and don't tell me to search the forum because I had a look already. I'm looking forward to constructive answers, and no "you are a newbie in unpacking" crap.

For now, i wish you guys a good day.

Best Regards,

HopCode

Woodmann
October 24th, 2002, 02:41
Let me get this right,

You managed to unpack 2 Asprotected targets but you can't unpack the third one????

Quote:
Please, don't flame and don't tell me to search the forum because I had a look already. I'm looking forward to constructive answers, and no "you are a newbie in unpacking" crap.


How can you unpack your target without knowing what it is protected with? Did you guess? Did they unpack themselves?

Have you ever used a file analyzer? Do you know how to read a PE header? They make tools to do that also.

Look, don't come in here and talk that crap about how you already searched.

SEARCH AGAIN........

You obviously did a shit job the first time.


No Sig. I'm pissed off

+SplAj
October 24th, 2002, 07:25
Hopcode

Maybe I know what your problem with ASPR is. It is quite a nice trick.

I won't spell it out in B&W......

However, to help, I suggest you unpack and rebuild 'LongFileTail' as a project. You should get to a messagebox with 'Check #4 error'........

When you show me the snippet of code that makes this error I'll explain the trick.... if it's not too obvious by then.


later

Hopcode
October 24th, 2002, 12:01
>You managed to unpack 2 Asprotected targets but you can't unpack the third one????

Exactly, the last one uses some other tricks, probably some checks to see if Asprotect is still there. I UNPACKED it, but it's not working fully..

>How can you unpack your target without knowing what it is protected with? Did you guess? Did they unpack themselves?

Jesus Christ.. I KNOW it's Asprotect, I was wondering WHICH version it was. There are dozens of **different** versions of 1.2 because Alexey didn't make a version change, but its internals changed.

>Have you ever used a file analyzer? Do you know how to read a PE header? They make tools to do that also.

Listen well, instead of bashing me like a complete RETARD, what about understanding the POINT of my post.

I already unpacked SecuROM, SafeDisc 2, Asprotect and other protectors, yet one of the 3 files uses something I never came across. I wondered if I could have some HELP and not some LAME bashing, ok?

>You obviously did a shit job the first time.
You obviously are retarded :-)


>No Sig. I'm pissed off
So am I :-)

The administrator of this nice place is as smart as a 12 year old kid.

HopCode

zombieys
October 24th, 2002, 12:36
en...
Unpacking Aston is hard work.

I can help you,
but I only did Aston 1.62, not 1.70.

See here:
a-master
01A7:00422080 POP EBX
01A7:00422081 POP EAX
01A7:00422082 MOV EAX,[EAX+02]
01A7:00422085 MOV EAX,[EAX]
01A7:00422087 JMP EBX
01A7:00422089 POP DWORD [EAX] //see it, it will do wrong
01A7:00422080 POP EBX
01A7:00422081 POP EAX
01A7:00422082 MOV EAX,[EAX+02]
01A7:00422085 MOV EAX,[EAX]
01A7:00422087 JMP EBX
01A7:00422089 POP DWORD [EAX]
01A7:0042208B JMP EBX
01A7:0042208D ADD [EAX+EDX*4],EAX
01A7:00422090 DB FF
01A7:00422091 DB FF


01A7:00422014 POP EBX
01A7:00422015 POP EAX
01A7:00422016 MOV EAX,[EAX+02]
01A7:00422019 MOV EAX,[EAX]
01A7:0042201B JMP EBX
01A7:0042201D POP DWORD [EAX] //see here, it will do wrong too
01A7:0042201F JMP EBX
01A7:00422021 BOUND ECX,[EBX+408DFFC0]
01A7:00422027 ADD [EBX],AL
01A7:00422029 ADD [EAX],AL
01A7:0042202B ADD [EDX+EBX*4],CL

Disassemble a-master and search for "call eax";
you will find more.

Good luck...

Hopcode
October 24th, 2002, 13:04
Hello

Thanks, I will have a look at it ;-)
See you soon.

HopCode

Hopcode
October 24th, 2002, 13:05
Quote:
Originally posted by zombieys
en...
Unpacking Aston is hard work.

I can help you,
but I only did Aston 1.62, not 1.70.

See here:
a-master
01A7:00422080 POP EBX
01A7:00422081 POP EAX
01A7:00422082 MOV EAX,[EAX+02]
01A7:00422085 MOV EAX,[EAX]
01A7:00422087 JMP EBX
01A7:00422089 POP DWORD [EAX] //see it, it will do wrong
01A7:00422080 POP EBX
01A7:00422081 POP EAX
01A7:00422082 MOV EAX,[EAX+02]
01A7:00422085 MOV EAX,[EAX]
01A7:00422087 JMP EBX
01A7:00422089 POP DWORD [EAX]
01A7:0042208B JMP EBX
01A7:0042208D ADD [EAX+EDX*4],EAX
01A7:00422090 DB FF
01A7:00422091 DB FF


01A7:00422014 POP EBX
01A7:00422015 POP EAX
01A7:00422016 MOV EAX,[EAX+02]
01A7:00422019 MOV EAX,[EAX]
01A7:0042201B JMP EBX
01A7:0042201D POP DWORD [EAX] //see here, it will do wrong too
01A7:0042201F JMP EBX
01A7:00422021 BOUND ECX,[EBX+408DFFC0]
01A7:00422027 ADD [EBX],AL
01A7:00422029 ADD [EAX],AL
01A7:0042202B ADD [EDX+EBX*4],CL

Disassemble a-master and search for "call eax";
you will find more.

Good luck...


Thx for this.
I already figured out what was crashing, but I wasn't sure if it was really a trick or something I did wrong!

I will dig in more, and try what +SplAj told me.

Thx!

Regards,

HopCode

BruceLee
October 24th, 2002, 18:54
It's an interesting target.

Please attach your IAT resolving!
Hmmm, I think my resolved APIs are wrong!

evaluator
October 24th, 2002, 19:18
>>The administrator of this nice place is as smart as a 12 year old kid.

If so, the BEST CHOICE for you must be:
GO AWAY.

Woodmann
October 24th, 2002, 22:09
Quote:
Please, don't flame and don't tell me to search the forum because I had a look already. I'm looking forward to constructive answers, and no "you are a newbie in unpacking" crap.


See this ^^^^^^^^^^^^^^^^^^^^^^^^^^^

If you want to come in here and be so bold then you get what you deserve.
Don't post things like this, it is arrogant. It says to me that you are too big to do any research, just gimme my answer.


You have cracked Asprotect. Congratulations.

And your point was..... tell me the trick????

Please don't irritate the 12 year old, I might have a tantrum.

Hopcode
October 24th, 2002, 22:17
>See this ^^^^^^^^^^^^^^^^^^^^^^^^^^^
So what?
When I read this board, I see too damn often guys bashing others, telling them to search when they already did... it's kind of irritating already..

>If you want to come in here and be so bold then you get what you deserve.
>Don't post things like this, it is arrogant. It says to me that you are too big to do any research, just gimme my answer.

It was not arrogant at all.
Most of the arrogant guys on this forum are the moderators.. but oh well.. I was just saying that I did the search and that I didn't want a bashing reply like OFTEN happens to others..

>You have cracked Asprotect. Congratulations.
That's not the point. I wanted to share something with you guys; I think that's what this board is all about.

>And your point was..... tell me the trick????
Not really. My point was:

1- Does Asprotect contain something to identify which build was used to protect a target, such as the things that you can find in SecuROM or SafeDisc 2..

2- I'm experiencing some problems on a target. I managed to unpack 2 files out of 3. The third one is different; it seems to use a nice trick, probably some checks to see whether the Asprotect shell is there or not. Have you ever seen this? Did I do something wrong? Could we talk about it?

Now do you see a "gimme the trick, I don't wanna work myself at all"?

>Please don't irritate the 12 year old, I might have a tantrum.

Next time, don't bash like an idiot without understanding what's going on then.. +SplAj was nice and answered me politely, so did I..

Hopcode
October 24th, 2002, 22:21
Quote:
Originally posted by BruceLee
It's an interesting target.

Please attach your IAT resolving!
Hmmm, I think my resolved APIs are wrong!


Hello,

Sure, no problem.
Maybe it's not even good? Although I could unpack 2 of the 3 files..
I used ImpREC for this.

Regards,

HopCode

Woodmann
October 24th, 2002, 23:40
Splaj is doing you a great favor.


I have a response to your original questions,

Maybe
Maybe
No
Yes
No

Now tell me how that helps you? You asked the questions and I answered them.

Now, if no one here knew the answer to the "riddle" you ask,
what would you do?

Send it via PM, enough of this in here.

Woodmann

BruceLee
October 25th, 2002, 11:49
Aston
=====

A-master.exe
------------

ASProtect v1.2?

Startup Eip = 00401000
First dip: call 0040D968
Second dip: call 0040AF74
OEP = 00420F60

:::::::::: DUMPING ::::::::::

1. dip
------
PUSH EBP
MOV EBP,ESP
MOV EAX,[004226F4]
MOV EDX,[EBP+08]
MOV [EAX],EDX ; before this is executed, type: r edx 0
POP EBP
RET 0004

2.dip
-----
PUSH EBP
MOV EBP,ESP
MOV EAX,[EBP+08]
MOV [0042223C],EAX
POP EBP
RET 0004

OEP
---
PUSH EBP
MOV EBP,ESP
ADD ESP,-0C
MOV EAX,00420E78
CALL 00401110
CALL 0040AF84
CALL 0040100C
MOV EAX,EAX
ADD [EAX],AL
ADD [EAX],AL

:::::::::: GETTING IAT ::::::::::

My IAT is same as yours.

:::::::::: FIXING DUMPED FILE ::::::::::

1. error
--------
0042071B PUSH KERNEL32!GetLocalTime
00420720 MOV EAX,00422280
00420725 CALL EAX ; *** error ***
00420727 XOR EAX,EAX

Replace call eax with jmp 420727.
Offset 20725: FFD0 replace with EB00

2. error
--------
0041A53E CALL KERNEL32!GetProcAddress
0041A543 CALL EAX ; *** error ***
0041A545 MOV [EBP-08],EAX

For me eax = 0 (call 0 ???). In the original, eax returns 1E (30 days).
I replaced call eax with inc al,1e.
Offset 1a543: FFD0 replace with 041E

No more errors! Now it works fine and forever!

Bruce Lee

Hopcode
October 25th, 2002, 12:46
Hello Bruce Lee !

Thx for that information, but I patched those already, and the problem for me is:

It doesn't crash anymore since 2 days now; the application runs normally BUT it's not good! I patched it like you already (sort of).
When you run the protected target you see many "tabs" such as
Aston, Taskbar, Toolbars etc..

On my exe, I only have the Aston tab! That's why I posted in the first place!
I could get rid of the errors, but the file was somewhat fucked!
Maybe I did something wrong if it works fine for you..
I have the same OEP, and you have the same IAT as me. Weird.
Lemme have another look at it. I will let you know.

Are you sure that you have all the "tabs"?

Regards,

HopCode

BruceLee
October 25th, 2002, 12:53
Hello Hopcode!

Yes, I'm 100% sure! Just do what I wrote!

Bruce Lee

Hopcode
October 25th, 2002, 14:12
Ok, I tested and effectively, it does *work*.
In fact, depending on how you patch the first crash, you either get a complete user interface or a limited one. I just had to change the way I patched it, weird. Although I remember having it run with the normal interface and then crash later on.
Next time I will know that the way you patch it can sometimes trick you..

Anyhow, if you play with options in A-master, you will find it crashes sometimes. It looks like there are some other checks.
There are a couple of call eax left in the program. Maybe those are checks too!

I'm not looking for a crack anyway, I just wanted to understand why I had that weird interface. Thx for the info my friend.
Now I can delete this target.
You might want to spot every check tho.

Thx again!

Regards,

HopCode

BruceLee
October 25th, 2002, 14:44
Hey Hopcode, how did you dump Aston.exe?

Can you help me? I can't dump it so that it works!

Bruce Lee

Hopcode
October 25th, 2002, 15:22
Quote:
Originally posted by BruceLee
Hey Hopcode, how did you dump Aston.exe?

Can you help me? I can't dump it so that it works!

Bruce Lee


Hey,

What's the problem with this one?
There were no problems at all!

I used /tracex to find the OEP; there are 2 dips and then you are at the OEP. The OEP looks exactly like on a-master.exe.
Then I used /pedump img_base OEP_rva c:\aston\file.exe

Then I used ImpREC to rebuild the IAT, and that's all. It then works like a charm. Same with Thwizard.exe.
Do you have some problems rebuilding the IAT?

Have Fun,

HopCode