ASPR CALL EAX Loop


LaBBa
March 22nd, 2003, 20:28
Hi all...
I know this was talked about before, but I didn't find anything to help me...

I have tried to unpack a prog called:
System Cleaner v4.88 build 106

I found the stolen bytes and replaced them and restored the IAT,
but the prog still crashes...

So I traced it and found this (copy from OllyDbg):

00404AF4 PUSH EBP
00404AF5 PUSH _SYSTEMC.00404B22
00404AFA PUSH DWORD PTR FS:[EDX]
00404AFD MOV DWORD PTR FS:[EDX],ESP
00404B00 CMP ESI,EBX
00404B02 JLE SHORT _SYSTEMC.00404B18
00404B04 MOV EAX,DWORD PTR DS:[EDI+EBX*8]
00404B07 INC EBX
00404B08 MOV DWORD PTR DS:[587640],EBX
00404B0E TEST EAX,EAX
00404B10 JE SHORT _SYSTEMC.00404B14
00404B12 CALL EAX
00404B14 CMP ESI,EBX
00404B16 JG SHORT _SYSTEMC.00404B04

I have found out that in the packed file the register values are
different from the unpacked file, so the 8th time the loop runs it jumps to an invalid place...

I have unpacked it using PE-Editor and I can't find why the values are different...

Well, it seems like all the values are bigger than the packed values in the registers by 1000h...

Weird...
btw.. ASPR Stripper XP can unpack it well... I just wonder why
the manual unpacking didn't work as well???

I used Win98 to unpack... and OllyDbg 1.09b as a debugger...

squidge
March 23rd, 2003, 03:57
Sounds like you didn't get all the stolen bytes...

LaBBa
March 23rd, 2003, 05:22
In ASPR Stripper XP 1.25 it says:
"Found 0bh stolen bytes"

I also found 0Bh stolen bytes...

55,8b --- 2
ec,83,c4,f0 --- 4
b8,8c,bd,57,00 --- 5
-----------------------------------
total == 11 == 0Bh

kyrios
March 25th, 2003, 15:33
Fix the dumped file:

******************** Program Entry Point ********
:0057C4AC 55 push ebp
:0057C4AD 8BEC mov ebp, esp
:0057C4AF 83C4F0 add esp, FFFFFFF0
:0057C4B2 B88CBD5700 mov eax, 0057BD8C
:0057C4B7 E8A4AFE8FF call 00407460
:0057C4BC FF15B45B5800 call dword ptr [00585BB4]

In the dumped file (using the stripper), it calls 0057BD20.
In ASPRed mode, it calls 0057B980.
Now your dumped file will work OK.

Make it yours:

:00541E0F 0F94C0 >>>> B00090
:0056121A 762C >>>> 7600
:0056A6AD 0F94C2 >>>> B20090
:0056A6C9 0F94C2 >>>> B20090
:0056AA2C 0F85 >>>> 90E9
:0056F532 75 >>>> EB
:0056F6B4 75 >>>> EB


kyrios
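As an added example (not code from the thread or from any of the posters), here is a small Python helper that reproduces the entry-point arithmetic in kyrios's listing above: it decodes the rel32 of the E8 call at 0057C4B7 back to 00407460, re-encodes it, and assembles the 0Bh stolen bytes plus the two calls into the byte string that belongs at the OEP of the dumped file. The addresses and bytes are the ones quoted in this thread; the function names and the check against the stripper's "0bh" count are my own assumptions.

```python
import struct

# Values copied from the listings in this thread (System Cleaner dump).
OEP = 0x0057C4AC                       # program entry point in the dumped file
STOLEN_BYTES = bytes.fromhex("558BEC83C4F0B88CBD5700")  # push ebp / mov ebp,esp / add esp,-10h / mov eax,57BD8Ch
STRIPPER_STOLEN_COUNT = 0x0B           # "Found 0bh stolen bytes" reported by ASPR Stripper XP
FIRST_CALL_TARGET = 0x00407460         # E8 call target right after the stolen bytes
IAT_SLOT = 0x00585BB4                  # FF15 indirect call through this IAT slot


def call_target(call_addr, rel32_bytes):
    """Decode the rel32 operand of a 5-byte E8 CALL located at call_addr.

    x86 relative calls are computed from the address of the *next* instruction,
    so target = call_addr + 5 + signed displacement (wrapped to 32 bits).
    """
    disp = struct.unpack("<i", rel32_bytes)[0]
    return (call_addr + 5 + disp) & 0xFFFFFFFF


def encode_call(call_addr, target):
    """Encode an E8 rel32 CALL at call_addr that lands on target."""
    disp = (target - (call_addr + 5)) & 0xFFFFFFFF
    return b"\xE8" + struct.pack("<I", disp)


def stolen_count_matches(stolen, expected_count):
    """Cross-check the manually collected stolen bytes against the tool's count."""
    return len(stolen) == expected_count


def build_entry_stub(oep, stolen, first_target, iat_slot):
    """Assemble the bytes to write back at the OEP of the dump:

    stolen bytes, then the E8 call (rel32 recomputed for its real position),
    then the FF15 indirect call through the IAT slot.
    """
    stub = bytearray(stolen)
    stub += encode_call(oep + len(stub), first_target)   # E8 at oep + 0x0B
    stub += b"\xFF\x15" + struct.pack("<I", iat_slot)    # call dword ptr [iat_slot]
    return bytes(stub)


if __name__ == "__main__":
    # Decoding the bytes from the listing gives back the call target shown by the disassembler.
    print(hex(call_target(0x0057C4B7, bytes.fromhex("A4AFE8FF"))))   # 0x407460
    print(build_entry_stub(OEP, STOLEN_BYTES, FIRST_CALL_TARGET, IAT_SLOT).hex().upper())
```

The point of recomputing the rel32 instead of copying it is that an E8 call only stays correct if it is written at exactly the address it was encoded for; if the stolen-byte count is wrong the call slides and its displacement no longer points at 00407460, which is one way a dump that "looks right" still crashes.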

Iwarez
March 25th, 2003, 16:03
Let him do the patching himself. The question was how to fix the dump manually and not how to patch it. Also the stripper is completely unnecessary as manual dumping also works. (Believe me I tested it).

LaBBa
March 27th, 2003, 16:58
Tnx anyway, I found out what was wrong:

I fixed the APIs wrong! (I'm lame)

but all works fine...