Asprotect 1.2X challenge
raider
October 27th, 2002, 21:33
Hey guys,
I've come face to face with this program, from the same company as asprotect: ***.entechtaiwan.com file PStrip, v3.29 build 342
PEiD reports -> asprotect 1.2x.
Loader reports -> 1st unpacker call at 00511184
-> OEP = 00539928
ImportREC -> enter OEP = 00139928
click IAT auto
get imports
-> 329 unresolved
show invalid
trace level 1
-> 156 unresolved
But other tries with ImportREC gave me other unresolved numbers...!! Could it be because I'm using Win98SE??
So far I couldn't do anything good on unpacking it.
Could you enlighten this newbie on how to successfully unpack this program?
RaiDer
Hopcode
October 28th, 2002, 18:33
Hello,
I unpacked your target without problems.
Which version of ImpRec are you using?
I used the Auto Trace features, then there were some unresolved entries. I found some of them using the Emul plugin and I replaced some manually.
Some are emulated and need to be replaced manually.
At least, I did so. :-)
Regards,
HopCode
raider
October 28th, 2002, 20:14
Using ImpRec v1.13 under win98se, could this be the problem?
Do you recall, how much unresolved did you get at first?
And how many to be replaced manually?
Thanks

RaiDer
Hopcode
October 28th, 2002, 23:22
Hello,
I'm using Win98 SE too.
My version of ImpRec is more recent than yours.
You should try Revirgin maybe. I can't share my version of ImpRec.
There were something like 5 APIs to manually resolve, I think.
Don't forget, you also need the plugin.
Later,
HopCode
Quote:
Originally posted by raider
Using ImpRec v1.13 under win98se, could this be the problem?
Do you recall, how much unresolved did you get at first?
And how many to be replaced manually?
Thanks
RaiDer
raider
October 29th, 2002, 20:23
I'll give it a try with Revirgin, to see what comes up.
Thanks

RaiDer
foxthree
October 29th, 2002, 20:25
HopCode:
What do you mean by "my version of ImpREC"??? The last time I checked, ImpREC was written by MacKT, so unless HopCode == MackT, sorry, man, you're outta luck. First, unless you've reversed ImpREC and added some cool functionality, it is not "YOURS". PERIOD.
And Raider, you *MUST* try Revirgin.
Signed,
-- FoxThree
Hopcode
October 29th, 2002, 20:57
Hello
Just to clarify things.
> What do you mean by "my version of ImpREC"??? The last time I checked, ImpREC was written by MacKT, so unless HopCode == MackT, sorry, man you're outta luck. First, unless you've
> reversed ImpREC and add some cool functionality, it is not "YOURS". PERIOD.
haha

you are quite funny :-)
I meant that the version I have is not the version available on protools, for instance. Many guys have it, but I think I'm not allowed to share it. That's all.

Calm down my friend, no need to post such things

I didn't reverse ImpREC, just wrote a couple of plugins for it.
Cheers!
HopCode.
raider
October 30th, 2002, 19:45
Finally managed to get something...
Replaced manually:
0014F160 GetModuleHandleA
0014F69C GetVersion
0014F6C4 GetProcAddress
0014F6D4 GetModuleHandleA
0014F6FC GetCurrentProcessId
0014F700 GetCurrentProcess
0014F704 FreeResource
Still to find:
0014F16C ??
0014F658 ??
Am I in the right direction...
Thanks,

RaiDer
+SplAj
October 31st, 2002, 09:06
raider and other ppl....
It is really unbelievable that those lame-ass API calls are still giving soooo much trouble. The public tools and plugins are now out-of-date. You will be defeated by your own trust in them. Get back to manual mode or maybe make a private plugin. That's fun.
Now, 'they' have been documented approx a zillion times on this MB already. Evil Eval even got so bored that he posted the list AGAIN only a few weeks ago (ok he forgot VB ThunkMain, but who cares for VB).
Find that list, print-it-out, file it in your 'Crack File' in section ASProtect.
raider, a quick review of your list does NOT include :-
GetCommandLineA
LockResource
Where are they...........

TheSearcher
October 31st, 2002, 09:37
> i meant that the version i have is not the version available on protools for instance.
It's a private tool now and always. MackT only shares with friends or groups, I guess.

raider
October 31st, 2002, 12:42
Thanks +SplAj
Found the Evil Eval post "For newbiez-ASsPROT-unpacker help".
Update to my list:
0014F16C GetCommandLineA
but
0014F658 (Seems false...?)
Do all the emulated APIs have to be present?
Thanks,

RaiDer
+SplAj
October 31st, 2002, 15:17
raider
______________________
0014F658 (Seems false...?)
______________________
false as in teeth .......?
or false as in a RET004 at the end of call == LockResource
______________________________________
Does all the emulated APIS have to be present?
______________________________________
It is best to fill the jigsaw with some API, don't leave a job unfinished.

raider
October 31st, 2002, 19:11
______________________________________
false as in teeth .......?
or false as in a RET004 at the end of call == LockResource
______________________________________
the 2nd one (sorry for my incorrect language)
By the way, 'ollydbg' doesn't find any reference to that address.
Isn't this odd? Could it be that it isn't ever used?
Thanks,

RaiDer
raider
November 2nd, 2002, 01:31
Well guys, there's more to it...

There are several anti-dump protections.
I think only a guru will be able to put it to work,
and most likely it will be a tutorial.
After all, this prog is from the same guys as ASProtect.
RaiDer
neviens
November 2nd, 2002, 13:27
It's not worth a tutorial, because nothing interesting is
here. Standard ASProtect unpacking, check for ASProtect
presence in program code @0053F1DD and nagscreen.
I can suggest you bpx ntdll!KiUserExceptionDispatcher
breakpoint with following F10, F10, dd ebx+c, for finding
wrapper presence check code in situations like this.
Still not a guru,
Neviens.
Hopcode
November 2nd, 2002, 14:19
Hi
raider:
I didn't see any anti dump at all.
Everything went fine
>it's not a tutorial worth, because nothing interesting is
I agree. Every tutorial around covers the same aspects of ASProtect, and it's every damn time the same.
>here. Standart Asprotect unpacking , check of asprotect
>presence in program code @0053F1DD and nagscreen.
What nagscreen is that?
I unpacked it and didn't look more since it worked just fine.
It maybe has some checks to see whether it's registered or not, but I could care less.

I just wanted to see if this target had something interesting in it, and it did not, I'm afraid.
Where are you stuck raider?
Can you tell us what you call by "anti dump"?
Maybe you badly fixed the file and it crashes like hell, but it's not a check ;-)
Regards,
HopCode
raider
November 3rd, 2002, 05:35
______________________________________
Where are you stuck raider?
Can you tell us what you call by "anti dump"?
Maybe you badly fixed the file and it crashes like hell,
but its not a check ;-)
______________________________________
Well here's what I've done:
54F160 GetModuleHandleA-----[fixed on Revirgin]
54F16C GetCommandLineA------[fixed on Revirgin]
14F658 LockResource----------[Patch JMP code with RETN 4 + NOP's]
54F69C GetVersion-------------[fixed on Revirgin]
54F6C4 GetProcAddress--------[fixed on Revirgin]
54F6D4 GetModuleHandleA-----[fixed on Revirgin]
54F6FC GetCurrentProcessId---[Patch JMP code with RETN + NOP's]
54F700 GetCurrentProcess-----[Patch JMP code with RETN + NOP's]
54F704 FreeResource----------[Patch JMP code with RETN 4 + NOP's]
The result:
The dump crashes randomly before start (but often at 40349C)
Thanks,
RaiDer
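The bookkeeping raider is doing by hand above (RVA to VA for each slot, which slots are still "??", and +SplAj's "your list does NOT include" cross-check), together with the OEP-to-RVA step at the top of the thread, as an added example in C. This is not code from the thread, nor from ImpREC or Revirgin. It assumes an image base of 0x400000 (implied by RVA 0014F160 being quoted as VA 54F160 and OEP 00539928 being entered as 00139928), a constructed "index rva ptr hint dll name" line layout modelled on the IT line foxthree quotes later in the thread, and the set of emulated API names as the thread reports them; the sample dump lines and their pointer values (other than the quoted ExitProcess line) are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Image base assumed from the thread: RVA 0014F160 is quoted as VA 54F160,
 * and the OEP 00539928 is entered into ImportREC as RVA 00139928. */
#define IMAGE_BASE 0x00400000u

typedef struct {
    unsigned index;     /* position in the rebuilt table */
    unsigned rva;       /* RVA of the IAT slot */
    unsigned ptr;       /* value found in the slot (0 = not resolved) */
    unsigned hint;
    char dll[32];
    char name[64];      /* "??" = still unresolved */
} it_entry;

/* APIs the thread reports ASProtect 1.2x emulates/redirects and that had to
 * be fixed by hand (raider's lists plus +SplAj's two additions). */
static const char *const aspr_emulated[] = {
    "GetModuleHandleA", "GetVersion", "GetProcAddress", "GetCurrentProcessId",
    "GetCurrentProcess", "FreeResource", "GetCommandLineA", "LockResource",
};
#define N_EMULATED (sizeof aspr_emulated / sizeof aspr_emulated[0])

unsigned rva_to_va(unsigned rva) { return IMAGE_BASE + rva; }
unsigned va_to_rva(unsigned va)  { return va - IMAGE_BASE; }

/* Parse one line in the constructed "index rva ptr hint dll name" layout.
 * Returns 1 on success, 0 if the line does not have all six fields. */
int parse_it_line(const char *line, it_entry *e)
{
    memset(e, 0, sizeof *e);
    return sscanf(line, "%u %x %x %x %31s %63s",
                  &e->index, &e->rva, &e->ptr, &e->hint, e->dll, e->name) == 6;
}

int is_aspr_emulated(const char *name)
{
    for (size_t i = 0; i < N_EMULATED; i++)
        if (strcmp(aspr_emulated[i], name) == 0) return 1;
    return 0;
}

/* Count slots still marked "??"; if verbose, print each with its VA so it can
 * be looked up in the debugger (raider's "0014F16C ??" lines). */
int count_unresolved(const char *const *lines, int n, int verbose)
{
    int unresolved = 0;
    for (int i = 0; i < n; i++) {
        it_entry e;
        if (!parse_it_line(lines[i], &e)) continue;
        if (strcmp(e.name, "??") == 0) {
            unresolved++;
            if (verbose)
                printf("unresolved: RVA %08X (VA %08X)\n", e.rva, rva_to_va(e.rva));
        }
    }
    return unresolved;
}

/* +SplAj's review, automated: which of the known emulated APIs appear nowhere
 * among the resolved names? Missing names go to `out` (up to max); the return
 * value is how many are missing. */
int missing_emulated(const char *const *lines, int n, const char **out, int max)
{
    int present[N_EMULATED] = {0};
    for (int i = 0; i < n; i++) {
        it_entry e;
        if (!parse_it_line(lines[i], &e)) continue;
        for (size_t k = 0; k < N_EMULATED; k++)
            if (strcmp(aspr_emulated[k], e.name) == 0) present[k] = 1;
    }
    int missing = 0;
    for (size_t k = 0; k < N_EMULATED; k++)
        if (!present[k]) {
            if (missing < max) out[missing] = aspr_emulated[k];
            missing++;
        }
    return missing;
}

/* Constructed sample dump: the ExitProcess line is the one foxthree quotes;
 * the other pointer values are made up for this example. */
static const char *const sample_dump[] = {
    "1 0014F160 BFF00001 0000 KERNEL32.dll GetModuleHandleA",
    "2 0014F16C 00000000 0000 ? ??",
    "3 0014F658 00000000 0000 ? ??",
    "4 0014F69C BFF00002 0000 KERNEL32.dll GetVersion",
    "378 0014F72C BFF8D4F8 00F8 KERNEL32.dll ExitProcess",
};
#define N_SAMPLE (sizeof sample_dump / sizeof sample_dump[0])

int main(void)
{
    const char *gaps[N_EMULATED];
    printf("OEP %08X -> ImportREC RVA %08X\n", 0x539928u, va_to_rva(0x539928u));
    int u = count_unresolved(sample_dump, N_SAMPLE, 1);
    int m = missing_emulated(sample_dump, N_SAMPLE, gaps, N_EMULATED);
    printf("%d unresolved slot(s); %d emulated API(s) not yet in the table:\n", u, m);
    for (int i = 0; i < m; i++) printf("  %s\n", gaps[i]);
    return 0;
}
```

The point of the second pass is the one +SplAj makes: the emulated set for this protector version is known, so every name from it that is absent from the resolved entries is a candidate for one of the remaining "??" slots, and the VA printed for each slot is where to look in the debugger.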
Manko
November 3rd, 2002, 10:04
I'm just a newbie, and this was my third aspr unpacking...
...but I believe you shouldn't patch it like that...
It won't return anything... So of course it will crash, sooner or later... !?
I usually "save resolved" (in Revirgin) to a textfile and then edit in the .dll names and the names of the calls, then "load resolved" and do a resolve again... The names are the only important thing, as someone more experienced said here...
There IS of course a check for aspr in this prog.
seg001:0053F1D4 5B pop ebx
seg001:0053F1D5 58 pop eax
seg001:0053F1D6 8B 40 02 mov eax, [eax+2]
seg001:0053F1D9 8B 00 mov eax, [eax]
seg001:0053F1DB FF 30 push dword ptr [eax] -> Here will be pushed a dword from "Exitprocess"
seg001:0053F1DD 8F 00 pop dword ptr [eax] -> Here it will write it back and crash if aspr is not redirecting.
seg001:0053F1DF FF E3 jmp ebx
If you can't see this code, it's because these bytes are "inc"d when not used.
If you didn't see the nag and didn't do anything about this code, you've probably been sloppy and not checked if PStrip was OK.
You'll probably find you can't get the right-click menu from the tray-bar icon of PStrip...
But patching the nag, i.e. tooltips with a 4-second countdown, is not hard...
/Manko
foxthree
November 3rd, 2002, 10:33
Hey guys:
What crash are you talking about? This one is an older version of ASsPR with the standard dump+rebuild+paste sequence. No crash on the rebuilt app, certainly. Of course the nag is there (5 second countdown of Tip of the day) but that can be patched like Manko said ... but definitely no crash!!! And I can indeed get the right-click TrackPopupMenu.. with Options, App Profiles ... blah, blah...
Raider:
If you're interested, I could ul the IT.bin and the rebuilt binary in some place. PM me...
Signed,
-- FoxThree
PS: Raider, Your rebuilt IT seems to be correct

and always use RV, as the public version of ImpREC can't evade some ASsPR redirection tricks.
Rebuilt binary: 2009420 bytes on Win98 SE
Manko
November 3rd, 2002, 10:44
Strange, maybe it's different if not w2k? Nah...
It most definitely crashes for me...
Because of the code I showed, and for the reason as commented.
It's not because of aspr, just the check...
When I patch the code I mentioned it works right.
Would really like to see what we might be doing wrong, if anything...
/Manko
evaluator
November 3rd, 2002, 17:37
I had unpacked PSTRIP 3.26 Build 328 on w98se, so can confirm for Manko:
yes, there is such a redirection_present_checking scheme.
Hopcode
November 3rd, 2002, 18:03
Hi,
I forgot about that nag.
I'm on vacation, so I cannot check.
It's the tip of the day nag IIRC..
As foxthree said (and as I said earlier), there is no crash once unpacked. Just a nag screen to be patched. I can access the menu without problem either.
Regards,
HopCode
foxthree
November 3rd, 2002, 18:07
Hey Eval:
The version I unpacked is the latest, dled from the Entech site. Ver 3.29 Build 342. Win98 SE. No crash on Win98 SE.
But what Manko said is right: the code snippet looks like this:
5B pop ebx (ebx = 50xxxx)
58 pop eax (eax = 4053ac)
8B 40 02 mov eax, [eax+2] (Now, eax = 54F72C)
Now look at rebuilt IT table to see @ 54F72C =>
378 0014F72C BFF8D4F8 00F8 KERNEL32.dll ExitProcess
8B 00 mov eax, [eax] (Addr of ExitProcess API BFF8D4F8)
FF 30 push dword ptr [eax] (First 4 bytes of ExitProcess)
8F 00 pop dword ptr [eax] (Here it writes back to KERNEL32.dll ExitProcess 4 bytes successfully!!!! NO CRASH. CAN U EXPLAIN?)
FF E3 jmp ebx (Normal execution)
To test it I put 4 zeros in the place after the push, and the pop restored the original bytes back. Like I said, W98.
Signed,
-- FoxThree
Manko
November 3rd, 2002, 18:11
Is this simply a question of what version we're talking about?
I worked with PowerStrip 3.29 build 432 on w2ksp3.
What about you?
/Manko
Manko
November 3rd, 2002, 18:13
Didn't see your post there foxthree.
Could it be that w98 allows writing in kernel space?
/Manko
Hopcode
November 3rd, 2002, 18:17
As I said, I'm not home.
I worked on the version available for download when raider posted on the board, so I guess it's the same version he mentions.

I'm using Win98 SE.
HopCode
Quote:
Originally posted by Manko
Is this simply a question of what version we're talking about?
I worked with PowerStrip 3.29 build 432 on w2ksp3.
What about you?
/Manko
foxthree
November 3rd, 2002, 18:38
Manko:
Okay. You were right. Even under Win98 an exception occurs. The reason why I didn't get it was 'coz of IceDump. For some funny reason, IceDump changes page protection on Kernel32.dll. So, if you load IceDump and load PStrip, voila, Kernel32!ExitProcess is writable. Else it's only readable, so exception.
Hop: Try without IceDump and you'll see what Manko says: no right click.
Evil Eval is right again.
Signed,
-- FoxThree
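Why the identical-value write-back that Manko and foxthree traced above behaves as an environment check, and why IceDump hid it, as an added example in C. This is not code from the thread nor from ASProtect, IceDump or any other tool mentioned; it is a Linux analogue, where an anonymous page stands in for a kernel32 code page, mprotect stands in for the page-protection change foxthree describes, and a SIGSEGV handler stands in for the exception the protector's handler would catch. The mmap/mprotect/sigaction setup and the filler bytes are assumptions of this example.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_jmp;

static void on_segv(int sig)
{
    (void)sig;
    siglongjmp(fault_jmp, 1);   /* unwind to the probe; the faulting store is not retried */
}

/* The probe from the thread, in C: read a dword and store the same value back
 * (push dword ptr [eax] / pop dword ptr [eax]). The contents never change, so
 * the only thing the store can reveal is whether the page is writable.
 * Returns 1 if the store faulted, 0 if it went through. */
int writeback_probe(volatile unsigned *target)
{
    struct sigaction sa, old;
    volatile int faulted;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_jmp, 1) == 0) {
        unsigned v = *target;   /* push dword ptr [eax] */
        *target = v;            /* pop dword ptr [eax]  */
        faulted = 0;
    } else {
        faulted = 1;            /* reached only via the SIGSEGV handler */
    }
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

/* Map one page as a stand-in for a system DLL's code page, protect it as
 * requested (read-only = normal system, writable = what IceDump left behind),
 * and run the probe on it. Returns 1 (faulted), 0 (write went through),
 * or -1 if the mapping could not be set up. */
int probe_page(int writable)
{
    size_t ps = (size_t)sysconf(_SC_PAGESIZE);
    unsigned *page = mmap(NULL, ps, PROT_READ | PROT_WRITE,
                          MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    page[0] = 0x8B55FF8Bu;      /* constructed filler "code" bytes */
    if (!writable && mprotect(page, ps, PROT_READ) != 0) {
        munmap(page, ps);
        return -1;
    }
    int r = writeback_probe(page);
    munmap(page, ps);
    return r;
}

int main(void)
{
    printf("read-only page : %s\n",
           probe_page(0) ? "store faulted (the check would crash)" : "store succeeded");
    printf("writable page  : %s\n",
           probe_page(1) ? "store faulted" : "store succeeded (the check passes silently)");
    return 0;
}
```

Because the value written equals the value read, the probe leaves no trace in the data either way; the fault is the whole signal. That is why it only shows up as a crash in the rebuilt binary when the protector's exception handler is no longer there, and why an analysis environment that has made system code writable (deliberately, or accidentally as with IceDump here) both masks the check and, as evaluator points out next, widens what any program running in that environment can do.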
raider
November 4th, 2002, 00:34
Please check your pm Foxthree
RaiDer
evaluator
November 4th, 2002, 11:10
When I unpacked PSTRIP, I also found this TERRIBLE mistake in ICEDUMP, but didn't write about it,
because in the world there are many BAD boys, who can write BAD programs and damage REVERSERS' HDD-MBR,
just by checking if system DLLs are writable...
Now you can imagine how all REVERSERS were (or ARE) at risk because of the ICEDUMP team's mistake.
crUsAdEr
November 4th, 2002, 12:21
Now now, eval... you are going overboard... The license agreement surely stated that you use it at your own risk... IceDump is a great tool on win98... like everyone else says... Don't blame the tool writers or the tools... If you think they are not good, don't use them, code your own!!!
Show the writers some respect, everyone makes mistakes... no program is bug free...
evaluator
November 4th, 2002, 12:49
Where I blame?
I just WARN!
jsteed
November 4th, 2002, 14:51
If you want an example of malicious programming check out RegDrill. It is written in p-code. If not patched correctly it will delete your vmm32.vxd.

raider
November 5th, 2002, 12:20
Here's another curiosity:
If you run the DUMPED, without the patch suggested by Manko, there's no right-click on the tray bar icon (ok, we've already covered this).
But, debug this DUMPED in OllyDbg.

Right-click is operational.
But hey, now there's a new protection:
right-click->display profiles->configure->advanced timing options (dimmed)
Will this baby have an end...
Well, like I've said at the beginning, the fact this prog is released by the same guys as ASProtect isn't a coincidence!!

DariuZ
October 22nd, 2003, 18:15
Quote:
[Originally Posted by +SplAj]raider and other ppl....
It is really unbelievable that those lame-ass api calls are still giving soooo much problem. The public tools and plugins are now out-of-date. You will be defeated by your own trust in them. Get back to manual mode or maybe make a private plugin. Thats fun
Now, 'they' have been documented approx a zillion times on this MB already. Evil Eval even got so bored that he posted the list AGAIN only a few weeks ago (ok he forgot VB ThunkMain, but who cares for VB).
Find that list, print-it-out, file it in your 'Crack File' in section ASProtect.
raider, a quick review of your list does NOT include :-
GetCommandLineA
LockResource
Where are they...........
This post is old as hell, but just wanted to know where I can get my hands on that list. thx
//DariuZ
Manko
October 23rd, 2003, 03:49
Hi!
If you read the whole thread instead of replying, you'd sort of have the whole list.

(Maybe one API missing, but with a minor amount of intelligent searching you'd find that one too...)
/Manko
Quote:
[Originally Posted by DariuZ]This post is old as hell, but just wanted to know where i can get my hands on that list. thx'
//DariuZ