
AsProtect - new version?


norby
November 20th, 2002, 23:50
Hi!

I found one proggie with probably a new version of AsProtect. It has a new redirection system for all kernel32.dll and comctl32.dll APIs (except those emulated). First it does some heavy SMC (about 20 jumps) and then it executes the first few instructions of the redirected function in its own address space...

for example:

0177:00A0068C PUSH EDI
0177:00A0068D PUSH 00000127
0177:00A00692 SUB EDX,EDX
0177:00A00694 PUSH BFFA191F
0177:00A00699 PUSH DWORD PTR FS:[EDX]
0177:00A0069C MOV FS:[EDX],ESP
0177:00A0069F JMP BFF77AF2

and then it jumps into kernel32 and skips the first few instructions:


KERNEL32!CreateFileA
0177:BFF77ADF PUSH EDI
0177:BFF77AE0 PUSH 00000127
0177:BFF77AE5 SUB EDX,EDX
0177:BFF77AE7 PUSH BFFA191F
0177:BFF77AEC PUSH DWORD PTR FS:[EDX]
0177:BFF77AEF MOV FS:[EDX],ESP
0177:BFF77AF2 MOV EDI,[ESP+14] <--jumps here
0177:BFF77AF6 SUB EAX,EAX
0177:BFF77AF8 LEA ECX,[EAX-01]
...

It prevents bpx, and I also tried to trace it with Revirgin 1.30 and ImpRec, but both failed; I had to trace all APIs manually.

The only function where ImpRec's tracer succeeded was GlobalUnlock, where it jumped to the beginning of the function and didn't skip any instructions in the kernel32 code.

proggie: xxx.imagedupeless.com
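What the post describes is a "stolen prologue" redirection: the stub executes the first 13h bytes of CreateFileA itself and then JMPs to CreateFileA+13h, so any tracer that expects to land on an export start fails. The walker below is an added example (not norby's code, and not either plug-in from this thread) of the resolution step such a stub forces on a tracer: decode the trailing JMP rel32, pick the export whose start is nearest at or below the landing address, and accept the match only if the landing offset equals the stub's prefix length and the prefix bytes are byte-for-byte the real function's own. It starts from the final stub as it looks after the self-modifying code has run, since the twenty-odd SMC jumps are not emulated here. CreateFileA's address and bytes are re-encoded from the listing above (SUB EDX,EDX is assumed to be 2B D2); the other two export addresses and prologues, the stub VA range, the IAT address and the thunk values are constructed for the example. It also flags the junk values AsProtect scatters between thunks, which crUsAdEr later identifies as the source of ImpREC's error 204.

```python
# Added example: resolve AsProtect-style "stolen prologue" import stubs.
# A stub runs the first N bytes of the real API and JMPs into it at +N, so
# we decode the trailing JMP rel32, pick the export just at/below the landing
# address, and accept it only if the landing offset equals the prefix length
# and the prefix bytes equal the real function's bytes.
import struct

STUB_MAX = 64                           # assumed max stub length (prologue + JMP)
STUB_RANGE = (0x00A00000, 0x00A10000)   # assumed VA range holding the stubs

# Constructed export table; only CreateFileA's VA is the one in the listing.
EXPORTS = {"CreateFileA": 0xBFF77ADF, "GlobalUnlock": 0xBFF7A120, "CloseHandle": 0xBFF7B3C0}

# CreateFileA re-encoded from the listing: PUSH EDI; PUSH 127h; SUB EDX,EDX;
# PUSH BFFA191Fh; PUSH FS:[EDX]; MOV FS:[EDX],ESP (19 bytes = stolen prologue),
# then MOV EDI,[ESP+14h]; SUB EAX,EAX; LEA ECX,[EAX-1] where the stub lands.
CREATEFILEA = bytes.fromhex("57 6827010000 2bd2 681f19fabf 64ff32 648922 8b7c2414 2bc0 8d48ff")
GLOBALUNLOCK = bytes.fromhex("8b442404 5356")      # constructed prologue
CLOSEHANDLE = bytes.fromhex("8bff558bec 83ec10")   # constructed prologue


class Image:
    """Sparse little-endian memory image made of (base, bytes) segments."""
    def __init__(self):
        self.segments = []
    def write(self, va, data):
        self.segments.append((va, bytes(data)))
    def read(self, va, n):
        for base, data in self.segments:        # truncates at the segment end
            if base <= va < base + len(data):
                return data[va - base:va - base + n]
        return None

def make_stub(stub_va, stolen, target):
    """Stolen prologue bytes followed by JMP rel32 to target."""
    rel = (target - (stub_va + len(stolen) + 5)) & 0xFFFFFFFF
    return stolen + b"\xE9" + struct.pack("<I", rel)

def resolve_stub(stub_va, image, exports):
    """(api_name, stolen_len) for a stub, or None if no split can be verified.
    With no disassembler we try every 'prefix | E9 rel32' split and validate it."""
    blob = image.read(stub_va, STUB_MAX) or b""
    for n in range(len(blob) - 4):
        if blob[n] != 0xE9:
            continue
        rel = struct.unpack_from("<i", blob, n + 1)[0]
        target = (stub_va + n + 5 + rel) & 0xFFFFFFFF
        below = [(va, name) for name, va in exports.items() if va <= target]
        if not below:
            continue
        base, name = max(below)                 # nearest export start at/below target
        if target - base != n:                  # landing offset must equal prefix length
            continue
        if image.read(base, n) != blob[:n]:     # prefix must be the API's own bytes
            continue
        return name, n
    return None

def resolve_iat(iat_va, thunks, image, exports, stub_range=STUB_RANGE):
    """Label each IAT slot; values outside the stub range are the junk the packer
    sprinkles between thunks (what ImpREC reports as error 204, invalid pointer)."""
    lo, hi = stub_range
    out = []
    for i, val in enumerate(thunks):
        if not lo <= val < hi:
            out.append((iat_va + 4 * i, val, "invalid pointer"))
            continue
        r = resolve_stub(val, image, exports)
        out.append((iat_va + 4 * i, val, "kernel32!%s+%#x" % r if r else "unresolved"))
    return out

def build_sample():
    """Constructed memory: three real APIs, three stubs, one junk and one dead thunk."""
    img = Image()
    for name, data in (("CreateFileA", CREATEFILEA), ("GlobalUnlock", GLOBALUNLOCK), ("CloseHandle", CLOSEHANDLE)):
        img.write(EXPORTS[name], data)
    # The stub from the listing: 13h stolen bytes at 00A0068C, then JMP BFF77AF2.
    img.write(0x00A0068C, make_stub(0x00A0068C, CREATEFILEA[:0x13], EXPORTS["CreateFileA"] + 0x13))
    # GlobalUnlock-style stub: nothing stolen, jumps straight to the export start.
    img.write(0x00A00700, make_stub(0x00A00700, b"", EXPORTS["GlobalUnlock"]))
    img.write(0x00A00780, make_stub(0x00A00780, CLOSEHANDLE[:5], EXPORTS["CloseHandle"] + 5))
    thunks = [0x00A0068C, 0x12345678, 0x00A00700, 0x00A00780, 0x00A00900]
    return img, 0x00401000, thunks

def run_sample():
    img, iat_va, thunks = build_sample()
    return resolve_iat(iat_va, thunks, img, EXPORTS)

if __name__ == "__main__":
    for slot, val, label in run_sample():
        print("%08X  %08X  %s" % (slot, val, label))
```

The byte comparison is what makes this safe against the poly-engine: the decryption keys and the stub address change every run, but the stolen bytes still have to equal the real prologue or the redirected call would not behave like the API, so a landing address that is "export + prefix length" with matching bytes is a verified resolution rather than a nearest-export guess. Slot values outside the stub range are reported rather than traced, which is the filtering step a plug-in needs before it can pass the IAT range on.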

crUsAdEr
November 21st, 2002, 06:05
Hi Norby,

Yep... THAT is IT, the new version of AsProtect ...

This kills Imprec and Revirgin for sure. I am impressed that you got Imprec to trace one kernel API, I couldn't get any... AsProtect is really going in the VBox direction with its IAT redirection scheme... plus poly-engine generated code to calculate the jump to the redirected API, "rebased" each run... so each run you will get a different decryption routine address and a whole set of different decryption keys...

I just came up with this idea of ripping the decryption routine out of AsProtect and hence coded this plug-in... please help me test it so hopefully I can improve it and make it more generic... I have only tested it with this app and on my Win2k box...

Norby: I am impressed you traced everything manually.. you are lucky it is only 17h kernel imports.

Anyone else seen other apps protected with new Aspr ?

thanx
crUsAdEr

norby
November 22nd, 2002, 04:14
Hi crUsAdEr,

thanks for the plugin, good work :-)

It works in W98 without problems (with this program)..

I downloaded some other Asprotected programs today, but all were protected with older versions...

BTW: I even found one AsProtected program that didn't work packed, only unpacked... (Secret Explorer, xxx.lastbit.com)

hobgoblin
November 22nd, 2002, 05:21
Hi crusader,
Is this plugin supposed to work with Imprec or RV? Or both?
I can't get it to work on my box (XP).

regards,
hobgoblin

esther
November 22nd, 2002, 05:31
Most probably for Imprec. RV doesn't have a plugin feature...

crUsAdEr
November 22nd, 2002, 11:28
hobgoblin,

Can you be more specific? Like what went wrong? Plug-in does not load, not recognised? Or fails to trace? If so, what error code does it give in the log window? Like 201, 202 or 220 etc...

cheers
crUsAdEr

hobgoblin
November 22nd, 2002, 15:23
Hi crusader,
It loads, it traces, but all it returns is error code 204.
BTW, it was a typo in my last post. I'm cracking this one on WinME, not XP.

regards,
hobgoblin

_Servil_
November 22nd, 2002, 19:07
hi !

crUsAdEr, you were too fast! ;-)

Since I had no idea how to rip the key from .aspr (is the API calculated each time the same way?), since the emu seems to be modified each time I tried to follow the code, maybe this will work too?


Tried for imagedupes and Win98 only, however.

crUsAdEr
November 22nd, 2002, 23:20
Wow, is it a tracer? Some comments would be good (wonder why few people put comments in their code)... I have only coded a tracer with the debug API.. so it is a good exercise to look at this code... pretty long though :/...

Any reason why this is Win98 only???

Hobgoblin: error 204 = Invalid pointer, which you will probably see a lot because aspr inserted lots of junk values in between the First Thunks, so of course the plug-in will report error 204.. you must check for the valid pointers pointing to a redirected API routine... take note that the First Thunks are quite spread out, pretty far apart, so make sure you get your IAT range right...

cheers
crUsAdEr

hobgoblin
November 23rd, 2002, 12:49
Hi crusader,
I figured it out. I'm just a little bit impatient sometimes. ...
I unpacked it successfully, and it runs smoothly...
But when I tried your plugin, I got error 205. After cutting away all the invalid thunks, I used a plugin tracer named aspr13.dll, and all imports except 4 got resolved. These I traced manually. Was it you who wrote the tracer plugin too?

regards,
hobgoblin

crUsAdEr
November 23rd, 2002, 14:53
Hi Hobgoblin,

Nah.. the plug-in tracer is written by Servil.. all credit goes to him...

Funny, cos my plugin doesn't have error code 205??? At least not the one posted above... are you using the same one as above :>??

hobgoblin
November 23rd, 2002, 17:29
Hi Crusader,
I might have used another one.
I'll check it out later on. It seems like I mixed yours with another one (older).

regards,
hobgoblin

JMI
November 23rd, 2002, 19:03
hobgoblin:

Perhaps yours is the second version of +Spl/\j's from October which appeared in the thread "RV tracer seems not work on... "

Regards.

_Servil_
November 24th, 2002, 08:15
Quote:
Originally posted by hobgoblin
...and all imports except 4 go resolved. These I traced manually.


Hi hobgoblin, about the unresolved ones, those are my bugs, sorry about that, anyhow I'm glad to hear it works..

Zilot
November 25th, 2002, 13:01
Crusader!!

Your plug-in works fine with me, on Win2K; all Kernel.dll APIs were resolved with your plug-in (nothing needed to be resolved manually),

but as Hobgoblin said, with Servil's several APIs in Kernel.dll stayed unresolved, and I don't know what is with Comctl32.dll
because I didn't try it afterwards.

For those who might not be able to find the IAT, here it is

Regards Soldat