Exceptions after unpack of Winace 2.11


semsen
November 24th, 2002, 02:21
I am reasonably new at the cracking stuff, and have only just started learning about unpacking, procdumping, etc.

Recently, I have tried to crack Winace 2.11. It is protected by a (apparently modified to make the procdump unpackers fall over) version of ASPack.

Using SoftIce, I managed to trace to the point when code was uncompressed, and found the entrypoint as well. I dumped (using procdump) the memory contents just before it jumped out of the unpacker code, modified the entry point (and the jmp eip), and then proceeded to actually cracking the 30-day limit (which was a piece of cake).

All this is brilliant, I'm happy, as the prog works fine (unpacked prog with no limit), or so I thought!

Strangely, after a few times of running the program, the executable stops working fine, throwing an (unrecoverable) exception every time it loads.

I have been completely unsuccessful at figuring out why this is. Spending hours tracing through code, it looks like it is trying to jump to a memory location that isn't winace's, but I'm really not sure!

I know I am just a newbie compared to all the people out there, and I must be doing something wrong, but don't know what that is. Has anyone experienced this type of problem? Can anyone help?

And, yes, I DO know there are millions of s/n's out there that will register the prog without trouble, but I'm actually doing this for fun!

Woodmann
November 24th, 2002, 02:56
Howdy,

Quote:
And, yes, I DO know there are millions of s/n's out there that will register the prog without trouble, but I'm actually doing this for fun!


Serials are not the reason why this place is here. We are here for the very reasons why you have chosen not to go and find a serial.

You desire to know how a protection works and that is exactly what you will find here.

As far as your problem, I have never heard of an .exe that works a few times then stops. It could be trying to jump to a memory space looking for info. There seem to be many versions of this modified aspack.

You should search the forums for more information, then post again some more stuff that you have learned from your target.

Read everything you can find, winace is not the easiest thing to start out with.

Peace, Woodmann

r4g3
November 25th, 2002, 10:33
Maybe u've first run a packed exe thru symbolloader/siloader.
Uhm, I dunno how/why it is so, but in this case u have the program context 'saved' (any bytes patched appear unchanged on a second run). The problem could be that u did smth wrong when unpacking & after reboot, when no packer shit code was left in RAM, the app crashed.....

I can get the (in)famous RTFM answer to this, but why is it so? Because siloader set some pages to not be discarded after app exit? (This is the only thing I could think of.)

Aimless
November 25th, 2002, 13:04
Hi,

You have encountered a program in the category:

"If-hacker-broken-show-nothing-wrong-for-2-days-then-act-funny"

In short, the validation routine has got double checks. You will have to find those out. A good idea is to:

1. Download Ollydbg

2. Install Windows (again). Break the protection scheme using the normal ice/procdump/etc tools. When you are sure it runs properly (or so you think), trace the application through Ollydbg.

3. After a few days, when the error comes up, trace the same through Ollydbg again.

4. Compare the original with the first. Note that Ollydbg ALSO traces ALL modified registers. You can now find out where the validation routine is getting validated itself.

Have Phun.

semsen
November 26th, 2002, 01:21
Well, thanks for the replies.

I can tell you it's a great and refreshing pleasure to have found a place where there are other people like me who are not just shouting out asking for serials and cracks but actually have an interest in protection schemes.

As a little exercise, I actually managed to crack the software by adding extra patching code in the loader, keeping the executable packed. But I only felt a minor satisfaction from this, as this didn't explain what went wrong when trying to unpack the original version.

So, back to the topic, yes, indeed, I think it's the SoftIce loader that leaves stuff behind, as I re-unpacked winace without using the loader, and rebooted afterwards just to be sure, and sure enough, my dump ain't working! Big exception error, page fault.

So, bad news: I ain't figured it out yet,
good news 1: it's probably me not doing the dumping process right, or overlooking some crucial aspect of unpacking.
good news 2: It might not be a make-cracker-happy-for-a-couple-of-days-then-screw-up program after all...

Although I DO realise it's up to me to do the bookwork and practicing, further help and tips would be much appreciated.

Sorry if I'm irritating the f*** out of you for posting long messages and acting like an annoying newbie, but, hopefully, I will calm down soon...!

norby
November 27th, 2002, 16:12
Hi!

you should probably rebuild the import table;

The same thing you wrote (first time running fine, after reboot crashing) happened to me twice in the past days with 2 aspacked programs...

Use ImpRec, click on IAT Auto Search, then Fix Dump and it should work OK (for me it did with aspack, but didn't try Winace yet)..

Norby
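One way to check a dump for the condition norby's ImpRec steps repair, added here as an example and not part of the thread or any poster's tooling: a walk over the dumped image's import directory that flags IAT slots holding loader-resolved absolute addresses instead of RVAs into the image. The sample image is constructed for the checker (4 KiB, file offset == RVA, as a full ProcDump dump is laid out) and is not taken from WinAce or ASPack.

```python
import struct

def check_iat(image: bytes) -> list:
    """Walk the import directory of a 32-bit PE laid out as in memory
    (file offset == RVA) and return IAT slots that hold neither an RVA
    inside the image nor an ordinal: absolute addresses the Windows loader
    wrote for one process instance, which a packer stub that also zeroed
    OriginalFirstThunk leaves the loader no way to re-resolve next run."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                                      # IMAGE_OPTIONAL_HEADER32
    size_of_image = struct.unpack_from("<I", image, opt + 56)[0]
    imp_rva = struct.unpack_from("<I", image, opt + 104)[0]  # DataDirectory[1].VirtualAddress
    bad, desc = [], imp_rva
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", image, desc)
        if name_rva == 0 and ft == 0:                        # all-zero terminator
            break
        dll = image[name_rva:image.index(b"\0", name_rva)].decode("ascii")
        slot = ft
        while (val := struct.unpack_from("<I", image, slot)[0]) != 0:
            if not (val & 0x80000000) and val >= size_of_image:
                bad.append((dll, slot, val))                 # loader-resolved VA, not an RVA
            slot += 4
        desc += 20                                           # sizeof(IMAGE_IMPORT_DESCRIPTOR)
    return bad

def build_sample_dump() -> bytes:
    """Constructed 4 KiB image for the checker (not a loadable executable): one
    KERNEL32 descriptor with OriginalFirstThunk = 0 and an IAT mixing two
    constructed loader-resolved addresses, an ordinal and one healthy RVA."""
    img = bytearray(0x1000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<I", img, opt + 28, 0x00400000)        # ImageBase
    struct.pack_into("<I", img, opt + 56, 0x1000)            # SizeOfImage
    struct.pack_into("<II", img, opt + 104, 0x200, 40)       # import directory RVA, size
    struct.pack_into("<5I", img, 0x200, 0, 0, 0, 0x240, 0x260)  # OFT=0, ..., Name, FirstThunk
    img[0x240:0x24D] = b"KERNEL32.dll\0"
    struct.pack_into("<5I", img, 0x260, 0x77E5A7A0, 0x77E5B160, 0x80000010, 0x280, 0)
    img[0x282:0x28D] = b"GetVersion\0"                       # hint/name entry behind the 0x280 slot
    return bytes(img)

if __name__ == "__main__":
    for dll, slot, val in check_iat(build_sample_dump()):
        print(f"{dll}: IAT slot RVA {slot:#x} holds {val:#010x}, import table needs rebuilding")
```

An empty result means every slot is still an RVA or ordinal the loader can resolve; any hit is a slot that only worked while the DLL sat at that address.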