View Full Version : New Aspr
Zilot
February 28th, 2003, 02:47
Hi to all, 
after some time there are some new Aspr juggles. This is a challenge especially for ImpRec plug-in makers, because it seems that the older plugins don't work, or that the newest one works wrongly, putting GetProcAddress everywhere it can. Of course this is the result under Win2K and should be checked under Win98. 
 
the proggie is 
hxxp://www.dvd2one.com/
and for plug-in makers the help with IAT is here 
Soldat   

squidge
February 28th, 2003, 03:44
Already patched this prog a week or so ago when the new version was released (1.01 I believe it was). 
Unpacked it using nothing but OllyDbg, dumped with LordPE, and got the IAT sorted using Revirgin 
Works fine and once unpacked it's incredibly easy to patch. There's a few checks to see if the caller was ASProtect (checking the registers immediately on startup, and calling a small routine in ASProtect's code), but once you have them sorted (Basically a 5 min job - just copy the registers from the original code and examine the exception frame of the unpacked prog to find where to patch the call to ASProtect), it's quite simple. 
This was under WindowsXP.
Zilot
February 28th, 2003, 03:59
Quote:
Originally posted by squidge  
 
Works fine and once unpacked it's incredibly easy to patch. There's a few checks to see if the caller was ASProtect (checking the registers immediately on startup, and calling a small routine in ASProtect's code), but once you have them sorted (Basically a 5 min job - just copy the registers from the original code and examine the exception frame of the unpacked prog to find where to patch the call to ASProtect), it's quite simple.  | 
  
Just like this, easy, but I haven't seen anyone complain about redirected APIs; or did the plug-ins just work on other platforms? Because my cleaner works only under Win2K. And about patching, there was a place with mov edx,00000001 and some ptr checking; I think address 40bb8c is the variable location. All that was needed was to change it to mov edx,00000000, and to change the location in the exe at 40bb8c to 0 because there was 1, and after that the nag screen with waiting disappeared, and the trial sign also. And it seemed that everything else worked fine after that. 
mov edx,00000001 was after OEP, and before the call for nag screen drawing, and the check of the mentioned location was in the call for nag screen drawing, not far from the beginning
Soldat
squidge
February 28th, 2003, 04:29
Right, I didn't do it the same as yourself. There was a call to the whole nag-screen/registration routine which I removed completely, and then changed the test/jump afterwards to an unconditional jump. Finally, there was a call into ASProtect that basically did nothing but MOV EAX, ECX, so the call got removed and replaced with that instruction.
End result was a working program that was fully registered. I can't remember modifying and seeing any code for mov edx,00000001. Are you talking about the OEP for this instruction or the first dip into the code ? (ASProtect seems to call the packed program twice).
Zilot
February 28th, 2003, 05:50
Ok, to be more clear, I dumped screens and marked mov edx,00000001 and the comparison with the critical mem location. 
I don't have a DVD so I don't know whether everything is OK.
Soldat
squidge
February 28th, 2003, 06:52
Quick question: Is this on 1.0.1 or 1.0.2 ?
neviens
February 28th, 2003, 07:45
I unpacked and jumped over the _splash function without
problems too. Also there was a simple half hour limit
with a messagebox.
Just wondering, how is it possible to squeeze the mpeg2
coder into 80kB !?
@soldat
Seems you lost a push ebx @ OEP, and I don't think
that realigning the code with nop @ end of stolen bytes
is the best approach.
@ squidge
Where is the call to asprotect? In the 1.0.2 version I unpacked,
it is absent - the program runs without calls to external code.
 Neviens.
squidge
February 28th, 2003, 07:52
It seems that the ASProtect call in 1.0.1 has been removed in 1.0.2. In 1.0.1 it was present in the main message handling routine. 
As for how I modified it, see attach.
Zilot
February 28th, 2003, 09:47
I played with 1.0.2
Quote:
Originally posted by neviens  
 Seems, you lost a push ebx @ OEP, and I don't thing, 
that realigning a code with nop @ end of stolen bytes 
is a best aproach. | 
  
No, I didn't lose push ebx, it was there, but because of how the code lies it seems like I lost it. And about nop you are right. I didn't count the number of stolen bytes well (I found one more) and when I reached the end I realized that, but was too lazy to do the writing again, so instead of 00 (what was there) I put 90h.
Quote:
Originally posted by squidge  
 It seems that the ASProtect call in 1.0.1 has been removed in 1.0.2. In 1.0.1 it was present in the main message handling routine. | 
  
Probably, but I'm wondering whether it is up to the random thinking of ASProtect, will it become so clever in the future as to deduce the best way to protect the target, or was it the idea of the program maker to cross the competition.  
 
Soldat
squidge
February 28th, 2003, 12:35
Quote:
Originally posted by neviens  
 
Just wandering, how is it possible to squeeze the mpeg2 
coder in 80kB !? 
 | 
  
Because there is none. There's a demuxer and remuxer, but there's no decompression / recompression. It just misses things out of the already compressed mpeg2 stream in such a way as you will not notice it.
nikolatesla20
February 28th, 2003, 13:09
Hm that's funny, and they advertise it as being able to "recompress" the stream down. Or at least it seems that's what most people think it does.
Anyway, thanx for the help, I got it now too, and I do have a dvd burner 
-nt20
squidge
February 28th, 2003, 13:33
To be honest I can't see how you could possibly recompress MPEG2 in as short a time as 15 minutes (which is what it takes on my machine). So all I can say is that it removes part of the video instead.
I think we need to do a full reverse engineer on it, and see exactly how it does work.
nikolatesla20
February 28th, 2003, 14:57
Well, according to this guide, you aren't really ripping the whole disc anyway - they are only selecting the main movie. And they say up to 90 minutes. Maybe it's just a bunch of hype?
hxxp://www.afterdawn.com/articles/archive/dvd-9_to_dvd-r_with_dvd2one.cfm
-nt20
squidge
February 28th, 2003, 16:37
Could be.
However, they now have competition. Whilst searching the net, I found a program called DVD95COPY that claims to take an entire DVD, including menus and extras, and convert that into a 4.7gb disk just like DVD2ONE, but says it will do it "in about 1 hour". Whilst this is greater than dvd2one's 15 minutes, it does do the entire disk and is written in Microsoft Visual C++ (source: peid0.8) rather than "pure asm" (source:dvd2one cdfreaks forum). 
However, whilst trying to analyse this and see how it worked differently to dvd2one (to see if the algorithm was similar or not) I came across a problem - It's packed with ASProtect and I can't find the stolen bytes 

 Can find OEP, dump it and fix the import table, but I can't find those essential bytes... sigh.
Anyone help ?
Manko
February 28th, 2003, 20:05
This was fun! 
I like quick fixes... 
Did you notice that repz stosb?
What does it do? 

...and also higher, is a jump to the very area it affects... 
alexey is maybe thinking we've had it too easy... ? 
This is just a quick fix to stop us from using c3909090909090909090909090909090909090909090909090909090 and to "hide" the stolen bytes...
/Manko
squidge
March 1st, 2003, 05:29
aha, Thanks Manko.
S3ri@l CoDe9x
March 2nd, 2003, 17:11
 
 Anybody know some ways to find the OEP? I tried with ASpr 1.3x
Thank you :P
 
Manko
March 3rd, 2003, 07:31
Hi, S3ri@l CoDe9x!
Are you asking me how to find OEP on this one?
If not, give me link to proggy and I can take a look.
What I wrote in my reply earlier will only make sense for someone who has found OEP but wonders where the stolen bytes dissappeared. ;P
/Manko
maxximumm
March 3rd, 2003, 08:16
Hi Manko,
There is a new version of aspro.
This proggy 
h**p://www.dvd95copy.com/ 
is one example.
I have found the OEP but... where are the stolen bytes???
I hope you would write a tut on how to find them.
Thanks a lot
Maximum
squidge
March 3rd, 2003, 08:27
Quote:
Originally posted by maxximumm  
Hi Manko, 
There is a new version of aspro. 
This proggy  
h**p://www.dvd95copy.com/  
is one example. 
I've have found OEP but...where is the stolen byte??? 
I hope you would write a tut on how to find them. 
 
Thank's a lot 
 
Maximum  | 
  
Look further up in this thread, and then look at dvd95copy...
Manko says "Did you notice that repz stosb?", and that's a massively big hint to find the stolen bytes.
maxximumm
March 3rd, 2003, 08:54
Hi squidge,
I have read the post and I took a look at repz stosb but I don't understand how to use it 
Thanks a lot
Maximum
Zilot
March 3rd, 2003, 09:01
Hm, I thought I found a new ASpr but it seems in the meantime there is a newer one. 
This one has the old API redirection trick, but the OEP is more difficult to find, especially the stolen bytes.
What Manko said is the trap. There is a part of the code like the following
013C3B70  ADD       EAX,B34F5E0B                                           
013C3B75  POP       ESP                                                    
013C3B76  JMP        013C3B8E                                 (JUMP)  
013C3B78  PUSHAD                                                           
013C3B79  PUSHFD                                                           
013C3B7A  CLD                                                              
013C3B7B  MOV     EDI,00000000                                           
013C3B80  MOV     ECX,00000000                                           
013C3B85  REPZ STOSB (overwrites stolen bytes)
 
013C3B87  POPFD                                                            
013C3B88  POPAD                                                            
013C3B89  JMP       013C3B8E(this will be changed to jmp 41c82E)
 ==> 013C3B8E  ADD       EAX,EBX                                                
013C3B90  MOV     EBX,00000026                                
013C3B95  OR        EBX,EBX                                                
013C3B97  JNZ       013C3B9B                                               
013C3B99  PUSH      EAX                                                    
013C3B9A  RET 
now after it comes the next part 
013C3BE1  PUSH      EBP        (this should be the OEP and the start of the stolen bytes)
013C3BE2  MOV       EBP,ESP
013C3BE4  PUSH      FF                                                     
013C3BE6  PUSH      0043C6A8                                               
013C3BEB  PUSH      00421514                                               
013C3BF0  MOV       EAX,FS:[00000000]                                      
013C3BF6  PUSH      EAX                                                    
013C3BF7  MOV       FS:[00000000],ESP                                      
013C3BFE  SUB        ESP,58                                                 
013C3C01  PUSH      EBX                                                    
013C3C02  PUSH      ESI                                                    
013C3C03  PUSH      EDI                                                    
013C3C04  MOV       [EBP-18],ESP                                           
013C3C07  PUSH      013C3B78 
013C3C0C  RET       (this returns to the previous part of the code,
                     which overwrites this part)
and finally the next (that is part of the first, but was dumped in a different pass, so the addresses are different):
013C474B  MOV       EDI,013C475E                                  
013C4750  MOV       ECX,00000153                            
013C4755  REPZ STOSB (refills the part with the stolen bytes with junk)
013C4757  POPFD                                                          
013C4758  POPAD                                                           
013C4759  JMP       0041C82E    
How to find this part: as usual, search for the set of instructions
REPZ STOSB, POPFD, POPAD, 61 (part of jmp)                   
Soldat   
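
Added example, not code from the thread or from any of the posters: a small Python scanner that does by hand what Zilot and squidge describe above. It searches a captured memory image for the wiper stub by its opcode bytes (F3 AA 9D 61 E9 for REP STOSB; POPFD; POPAD; JMP rel32, and 60 9C FC for PUSHAD; PUSHFD; CLD), decodes the MOV EDI / MOV ECX immediates to get the region that REP STOSB overwrites, resolves the JMP target, slices the stolen prologue out of an image captured before the wipe, and writes it back into a dump so that it ends exactly at the jump target. The stub VA 013C3B78, prologue VA 013C3BE1, jump target 0041C82E and the prologue bytes are taken from the listing above; the region base 013C3B00, the dump base 0041C800, the 0x26-byte wipe length and the image contents are constructed assumptions so the script runs offline.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

# Signatures from the thread, as opcode bytes (x86-32).
STUB_HEAD = b"\x60\x9c\xfc"            # PUSHAD ; PUSHFD ; CLD   (squidge's 60 9C FC)
STUB_TAIL = b"\xf3\xaa\x9d\x61\xe9"    # REP STOSB ; POPFD ; POPAD ; JMP rel32
STUB_LEN = 3 + 5 + 5 + 2 + 1 + 1 + 5   # head, MOV EDI imm32, MOV ECX imm32, tail, rel32

@dataclass(frozen=True)
class WiperStub:
    stub_va: int      # VA of the PUSHAD
    wipe_dst: int     # EDI: first byte overwritten by REP STOSB
    wipe_len: int     # ECX: number of bytes overwritten
    jmp_target: int   # where the stub transfers control afterwards

def find_wiper_stubs(image: bytes, base_va: int) -> list[WiperStub]:
    """Return every well-formed wiper stub in `image`, which is loaded at `base_va`."""
    found = []
    off = image.find(STUB_HEAD)
    while off != -1:
        cand = image[off:off + STUB_LEN]
        if (len(cand) == STUB_LEN and cand[3] == 0xBF        # MOV EDI, imm32
                and cand[8] == 0xB9                          # MOV ECX, imm32
                and cand[13:18] == STUB_TAIL):
            edi, = struct.unpack_from("<I", cand, 4)
            ecx, = struct.unpack_from("<I", cand, 9)
            rel, = struct.unpack_from("<i", cand, 18)
            # rel32 is relative to the end of the JMP, i.e. stub start + STUB_LEN
            target = (base_va + off + STUB_LEN + rel) & 0xFFFFFFFF
            found.append(WiperStub(base_va + off, edi, ecx, target))
        off = image.find(STUB_HEAD, off + 1)
    return found

def recover_stolen_bytes(image: bytes, base_va: int, stub: WiperStub) -> bytes:
    """Slice out the region the stub is about to wipe; only meaningful when the
    image was captured before REP STOSB ran (break on the PUSHAD, 60 9C FC)."""
    lo = stub.wipe_dst - base_va
    if lo < 0 or lo + stub.wipe_len > len(image):
        raise ValueError("wipe region lies outside the captured image")
    return image[lo:lo + stub.wipe_len]

def place_stolen_bytes(dump: bytearray, dump_base: int, jmp_target: int, stolen: bytes) -> int:
    """Write `stolen` so it ends exactly at `jmp_target`; return the new OEP.
    Refuses to overwrite anything but 00/90 filler, so a miscounted block (the
    missing push ebx discussed above) fails loudly instead of clobbering code."""
    oep = jmp_target - len(stolen)
    lo = oep - dump_base
    if lo < 0 or jmp_target - dump_base > len(dump):
        raise ValueError("stolen block does not fit below the jump target")
    if any(b not in (0x00, 0x90) for b in dump[lo:lo + len(stolen)]):
        raise ValueError("area below jump target is not empty: stolen byte count is wrong")
    dump[lo:lo + len(stolen)] = stolen
    return oep

# --- constructed sample data; VAs and prologue bytes come from Zilot's listing ---
ASPR_BASE = 0x013C3B00       # assumed base of the captured ASProtect region
STUB_VA = 0x013C3B78         # PUSHAD in the listing
STOLEN_VA = 0x013C3BE1       # PUSH EBP ... in the listing
JMP_TARGET = 0x0041C82E      # where the stub jumps afterwards
DUMP_BASE = 0x0041C800       # assumed base of the captured piece of the dump
STOLEN = bytes.fromhex(      # PUSH EBP; MOV EBP,ESP; PUSH -1; PUSH 43C6A8; PUSH 421514;
    "55 8B EC 6A FF 68 A8 C6 43 00 68 14 15 42 00"   # MOV EAX,FS:[0]; PUSH EAX;
    "64 A1 00 00 00 00 50 64 89 25 00 00 00 00"      # MOV FS:[0],ESP; SUB ESP,58;
    "83 EC 58 53 56 57 89 65 E8")                    # PUSH EBX/ESI/EDI; MOV [EBP-18],ESP

def build_aspr_image() -> bytes:
    """Constructed ASProtect region as it looks before the wipe: stub + prologue."""
    img = bytearray(0x140)
    rel = (JMP_TARGET - (STUB_VA + STUB_LEN)) & 0xFFFFFFFF
    stub = (STUB_HEAD + b"\xbf" + struct.pack("<I", STOLEN_VA)
            + b"\xb9" + struct.pack("<I", len(STOLEN))
            + STUB_TAIL + struct.pack("<I", rel))
    img[STUB_VA - ASPR_BASE:STUB_VA - ASPR_BASE + STUB_LEN] = stub
    img[STOLEN_VA - ASPR_BASE:STOLEN_VA - ASPR_BASE + len(STOLEN)] = STOLEN
    return bytes(img)

def build_dump() -> bytearray:
    """Constructed dump: bytes below JMP_TARGET were never in the file (zero);
    JMP_TARGET holds the first surviving instruction (a placeholder CALL)."""
    d = bytearray(0x40)
    d[JMP_TARGET - DUMP_BASE:JMP_TARGET - DUMP_BASE + 5] = b"\xe8\x00\x00\x00\x00"
    return d

def demo() -> tuple[WiperStub, bytes, int]:
    aspr = build_aspr_image()
    stubs = find_wiper_stubs(aspr, ASPR_BASE)
    if len(stubs) != 1:
        raise RuntimeError(f"expected one wiper stub, found {len(stubs)}")
    stolen = recover_stolen_bytes(aspr, ASPR_BASE, stubs[0])
    dump = build_dump()
    oep = place_stolen_bytes(dump, DUMP_BASE, stubs[0].jmp_target, stolen)
    return stubs[0], stolen, oep

if __name__ == "__main__":
    s, stolen, oep = demo()
    print(f"stub {s.stub_va:08X}: wipes {s.wipe_len:#x} bytes at {s.wipe_dst:08X}, "
          f"then JMP {s.jmp_target:08X}")
    print("recovered prologue:", stolen.hex(" "))
    print(f"new OEP after restoring stolen bytes: {oep:08X}")
```

On a real target the image passed to find_wiper_stubs is whatever you dump from the debugger after breaking on the PUSHAD; since the MOV EDI / MOV ECX immediates are patched in by ASProtect at run time, the first-pass listing above shows them as zero, which this scanner still matches. The 00/90 check in place_stolen_bytes is there because a dump taken at the jump target has nothing but filler below it; if the recovered block does not fit into that filler, the count is off, as neviens pointed out.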

Manko
March 3rd, 2003, 09:37
Hi, Soldat! (Buddy!)
You are too generous! 
They should learn how to find these things by themselves...
I guess maybe they need to learn what they should ask for also. 
It is very lazy of them to ask for what signature they should now use to find oep, when they could instead ask, "how do I go about finding the place that jumps to oep, in order to learn myself how the new version jumps to OEP" or "How do I find OEP when I don't have a signature to search for" or "I have found "the place" but where is the stolen bytes" or something...
Now all of you interested, rephrase your questions! 
/Manko
Manko
March 3rd, 2003, 09:44
Hi, maxximumm!
You need to look at an opcode reference document and learn what repz stosb does. Also if you read the whole text again I have even answered what it does... 
/Manko
Quote:
Originally posted by maxximumm  
Hi squidge, 
I have read the post and i take a look at repz stosb but I don't understand how to use it   
 
Thank's a lot 
 
Maximum  | 
maxximumm
March 3rd, 2003, 09:49
Hi Soldat,
the problem is not the entry point but a concept question.
If I break at OEP at
0041c82E
and look at the address where I found the repz stosb, the stolen bytes are already replaced with junk.
So my problem is to break at repz stosb before it is executed!!!???!!!
Thanks a lot for your help.
Maximum
Manko, thank's a lot for your reply 

squidge
March 3rd, 2003, 09:52
Is there any "documentation" on the first versions of ASProtect (ie, ASProtect 1.0) that I can look at? I understand how current versions of ASProtect work, and how to unpack them, but are now more interested in the history of it. Anyone still have ASProtect 1.0 or a program protected with it ?
Manko
March 3rd, 2003, 10:07
Hi, again Maxximumm!
I think maybe you have given us too little information...
If I say "use a breakpoint" it will be correct with the info you have given, and I will have insulted you at the same time... ! 
But I guess you are frustrated that "the place" moves around with every execution. 
You need to stop it from doing so. +splaj and others have shown how. Search the board, and if you can't find it anyway, you can PM me for the answer... 
/Manko
Quote:
Originally posted by maxximumm  
Hi Soldat, 
the problem is not the entry point but a concept question. 
If i break at OEP  in  
0041c82E 
 
and i look at address where i found the repz stosb the stolen bytes are just replaced with junks. 
So my problem is to break at repz stosb before it is execute!!!???!!! 
 
Thank's a lot for your help. 
 
Maximum 
 
Manko, thank's a lot for your reply    | 
Hopcode
March 4th, 2003, 10:29
hello,
i didn't play much with Asprotect for some time now,
but i have a question.
What is the "stolen bytes" feature? (definition)
Is it just the bytes at the entry point? asprotect rips them and puts them in its address space or something? then it erases them.
is this correct?
I don't have the time to check, but i wanted to be sure this is the definition of the feature.
it's not a how-to-crack-it request, it doesn't seem hard when you know what you do and asm (maxxx ;p )
just wondered about this name.
regards,
hopcode
nikolatesla20
March 4th, 2003, 14:14
Yes, that is what it is
-nt20
crUsAdEr
March 4th, 2003, 15:29
Manko you are such a teaser 

... 
Havent touched aspr for ages but was inspired by this long thread to download this prog... OEP is ripped, executed and wiped before handing over, but my old trusted method of breaking on the stack still works :/...
Hope this might ease someone's pain in finding OEP ripped code
Break'nEnter with LordPE
replace original byte in sice
F8 about 5 times till you see first pushad
F8 over it
bpm esp-4 w if (*eip&FFFF)==EC8B
F5
voilà... that is it... SoftICE should break at the usual
push ebp
mov ebp, esp
.....
Forgot, superBPM must be running of course...
Enjoy and have fun! i am back to php coding...
crUsAdEr
squidge
March 4th, 2003, 15:37
Nice trick crUsAdEr 
Not only will that give you the OEP, but because OEP is called by JMP, you should land in aspack'd code just before the OEP, so can find the stolen bytes too (although will require a restart, but hey, no methods perfect).
As for Manko, he may be a teaser, but his hint allowed me to find the stolen bytes quite easily, which is exactly what we need. If we are all spoon fed code, none of us would know what to do for the next version of aspr...
crUsAdEr
March 4th, 2003, 15:58
lol, squidge...
i was just joking abt Manko :>... i understand ur view of course 

...
not quite sure what you mean by
Quote:
| Not only will that give you the OEP, but because OEP is called by JMP, you should land in aspack'd code just before the OEP, so can find the stolen bytes too (although will require a restart, but hey, no methods perfect). | 
 
i think the bpm will break at the first instruction of the target program, it doesn't matter whether these instructions are ripped or not...
cheers,
crUsAdEr
Manko
March 4th, 2003, 16:11
Hi, crUsAdEr!
I couldn't agree with you more... ;P
Your great trick hit me like a brick to the forehead and now I wonder why I didn't think of it myself... It's so obvious! But then all great inventions are like that... Ehrg... Maybe not all...
Anyway. Thanks for popping by and showing me again why I admire you... 
/Manko
crUsAdEr
March 4th, 2003, 16:19
gosh... this reminds me of the old days... when a post about aspr received an almost instant response... 

...
Manko, please take that back... I am nothing to be admired... just a learner trying to give back something i gained from this board... hang around and help those who come later Manko 

...
cheers,
crUsAdEr
squidge
March 4th, 2003, 16:43
Quote:
Originally posted by crUsAdEr  
not quite sure wat u mean by 
 
 
i think the bpm will break at first instruction of the target program, doesnt matter these instructyion are rippied or not... 
 
cheers, 
crUsAdEr  | 
  
Ooops, my mistake. I interpreted your method wrongly - I assumed ESP breakpoint would be reached when the asprotect code popped it's final data off the stack to restore it to normal, as the OEP is called by a JMP so would not affect the stack itself? 
Trust me to jump in without testing it out first.
Soldat: Wouldn't 60 9C FC be a better signature to search for? (pushad, pushfd, cld). It only seems to occur once in the memory on this particular target, and gives you the address just before the stolen byte mangling routine. Perfect place to stick a breakpoint 

Zilot
March 6th, 2003, 07:02
Crusader 
Can you explain why he saves the registers with
 pushad at the beginning, when he never uses that afterwards, I mean never reads that memory context. Even after the program ends. 
 
Quote:
|  Wouldn't 60 9C FC be a better signature to search for? (pushad, pushfd, cld). It only seems to occur once in the memory on this particular target, and gives you the address just before the stolen byte mangling routine. Perfect place to stick a breakpoint  | 
  
It was just a quick method even without checking if there is another occurence.
Manko little devil, can not all be so obvious.
Soldat
LaptoniC
March 12th, 2003, 14:04
Hi,
I am trying to understand the new asprotect. In order to learn new tricks I tried to unpack dvd2one102.exe. I guess that the OEP is 408680 (wrong?). I have fixed the IAT and the program runs, but it says expired. I patched some locations but it didn't work. I haven't fixed any stolen bytes. Are there any in this program? I see the code below at 408680
Code:
seg000:00408680 start           proc near
seg000:00408680                 push    ebx
seg000:00408681                 push    ecx
seg000:00408682                 push    edx
seg000:00408683                 push    0               ; lpModuleName
seg000:00408685                 call    cs:GetModuleHandleA
seg000:0040868C                 push    offset aIcon    ; lpIconName
seg000:00408691                 push    eax             ; hInstance
seg000:00408692                 mov     ebx, eax
seg000:00408694                 call    cs:LoadIconA
seg000:0040869B                 mov     edx, eax
seg000:0040869D                 mov     eax, ebx
seg000:0040869F                 call    sub_402070
seg000:004086A4                 mov     edx, 0
seg000:004086A9                 mov     eax, ebx
seg000:004086AB                 mov     ds:dword_515D50, edx ;registered ??
seg000:004086B1                 call    sub_408520
seg000:004086B6                 call    sub_4021A8
seg000:004086BB                 pop     edx
seg000:004086BC                 pop     ecx
seg000:004086BD                 pop     ebx
seg000:004086BE                 retn
seg000:004086BE start           endp
nikolatesla20
March 12th, 2003, 17:44
Your oep is wrong... 
Also, there are no stolen bytes in this version that I could find, anyway. 
Go to the other "aspr hacking (not in ring 0)" thread and I have the source code for a OEP finder / dumper. It works great.
-nt20
squidge
March 12th, 2003, 18:17
Small hint for doing dvd2one - look for calls/jumps, not "IsRegistered" flags - saves a hell of a lot of tracing through message loops and the like... Naturally, I'm not going to say which call/jump, but you can find it if you search the board 

LaptoniC
March 12th, 2003, 19:36
In this thread I saw two OEPs, one is 4048BC and the other is 4048df. When I dump I now get 4048df as OEP; the IAT is the same as in this thread but it doesn't run. I can see it in the task list but it doesn't work. So which one is the correct OEP? I also tried to patch 00404915 call    sub_408520
 and the jump below, but it didn't work either.
nikolatesla20
March 12th, 2003, 20:02
4048df is what Im using, but who knows still could be wrong. Program seems to run fine, although I haven't really used it yet.
-nt20
LaptoniC
March 12th, 2003, 20:21
Ok Ok now I got it OEP is 000048BC.There are indeed stolen bytes here.
Soldat:You are missing one push ebx in your patch to fix stolen bytes.
Thanks for your help.
squidge
March 13th, 2003, 03:08
There are stolen bytes in some versions of dvd2one, but instead of finding them, I just modified the code to setup the registers and it works fine 

 This was using OEP 4048df