Great piece of Software, Great Protection
dipeshrestha
April 28th, 2003, 23:32
Hi everybody,
Yes, I just downloaded a small program that reveals network and dial-up passwords on the Windows platform, from
rixler(dot)com. It's shareware, packed, can detect breakpoints and checks the program's checksum. When I put a bpx on some point it shows a message box saying PROTECTION ERROR: 1.
I have tried my best to find the OEP of that program but cannot, and I think it is protected and coded by a
NOT LAZY programmer...

Need a small hint for manual unpacking of that program.
dipeshrestha
Still Newbie

Iwarez
April 29th, 2003, 00:49
It's just an asprotected program. Search the board for asprotect and you'll find more on finding the OEP.
Manko
April 29th, 2003, 06:49
Hi!
Seems they are using an older version of Aspr...
Wonder if they got a discount?
/Manko
bedrock
April 29th, 2003, 07:59
I didn't want to start a new thread just for a similar question, but I have been looking at an FTP client from hxxp://www.smartftp.com. Now it looks like it's packed, but I can't identify what with, using the usual tools such as PEiD and pe-scan.
It also has a .sig file (not sure what generates this and can't find any info on it), and whenever the prog is modified, or even viewed in a PE section editor, the next time I try and run it it just quits saying 'self signature check failed'.
I've managed to bpx on GetLocalTime and find where it pops up its nag, but without being able to get past this signature check I'm not sure what I can actually achieve.
The version I am working with is 1.0 build 974.39 from the forums/announcements/daily build section.
GetLocalTime is called at 40B1C9 and the call to the nag is at 40B1C2. (The nag is only displayed sometimes, randomly between 8am and 5pm Monday to Friday.)
I would just like some idea of what protection scheme is being used and ideas on how to start unpacking and find the OEP.
Thanks
--
bedrock
Zilot
April 29th, 2003, 08:57
Manko !
Have you tried to get rid of <evaluation copy>?
Seems they put money on that; Alx stayed without salary in this case. Maybe they used a cracked version of Aspr.
bedrock
April 29th, 2003, 11:07
OK, I thought I would take a look at the password target also. I found the OEP and unpacked it, but I still haven't got past <evaluation copy> yet.
Manko
April 29th, 2003, 11:41
Hi, Soldat!
Nahh... I'm too lazy... when I get the urge I'll look at Chameleon clock again... still haven't cracked that old thing...
/Manko
Zilot
April 29th, 2003, 11:59
to bedrock
Quote:
I would just like some idea of what protection scheme is being used and ideas on how to start unpacking and find the OEP
OK, quick tutorial about unpacking:
OEP----------> 4D39AE
IATstart-----> 14BFF8 (IAT RVA), about that
IATLength -> put 1000 hex and then cut the invalid thunks
After that there is a check at 4A86F3; put a jmp instead of the jz.
After that everything works.
to Manko
You lazy bum !!!!
JMI
April 29th, 2003, 14:21
bedrock :
Congratulations. You have adopted the correct attitude for becoming a reverse engineer. Learning how, not being given the answer is the only way to go.
[Edit: seems bedrock deleted his post while I was writing mine. He had said he wanted to learn how to find the OEP, not have someone give it to him. That is the proper attitude for learning.]
Assuming you are using SoftICE, I extract an excerpt from asterix, posted over at the exetools board, which may help with that search. The thread is here: http://www.exetools.com/forum/showthread.php?s=&threadid=2108
The discussion is about inline patching a DLL, but, generally, unpacking is unpacking. Here are his comments:
[Quote]
You cannot find the OEP?
Try something like this.
- Remember the value of ESP at the EP of the DLL.
- Then put "bpx GetProcAddress"
or "bpx (GetProcAddress+3)" (on especially spiteful protectors)
and press "F5".
- When it stops, do "bc *".
- Then put "bpr esp-4 esp+4" (if you are in Win98) or
bpm esp-4
bpm esp-3
bpm esp-2
bpm esp-1 (if you are in Win2k/XP).
[End Quote]
Check out that thread.
Regards.
bedrock
April 29th, 2003, 14:41
Thanks for the encouragement JMI.
I was re-reading my post and, being only a newbie, I didn't want to appear arrogant after Soldat had given me the solution to my problem. That's why I deleted my post, but after your kind encouragement I will continue with my efforts.
--
bedrock
JMI
April 29th, 2003, 14:52
bedrock:
You were completely correct. No one is truly helped by being given the answer, at least not if they are not taught how to find it themselves. It is the teaching of how to find the answer which leads to the skills which help one become better at anything having to do with learning. The "correct answer" to the specific issue is only useful as a way to check whether one has learned how to solve the problem on one's own. You will then know if you are getting to that same place or conclusion by applying the proper method.
Stick with learning how. It's very much more important. It's something Soldat learned before he could give you the specific locations.
Regards.
dipeshrestha
April 30th, 2003, 05:03
Hi again,
I have been studying some tuts about ASProtected apps; they actually are quite application oriented, i.e. they simply say go to address XXXXXX and then look for a certain pattern, especially
CALL 00******
POP EDI
POP ESI
POP EBX
POP ECX
POP ECX
POP EBP
RET 0004
This doesn't mean they will be equally true for all applications. I want to know how I can learn about unpacking ASProtected apps so that I can do it with any other app.
dipeshrestha
Still Newbie

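The tutorials dipeshrestha describes are doing a masked byte search: the epilogue above assembles to E8 ?? ?? ?? ?? 5F 5E 5B 59 59 5D C2 04 00, with the four wildcard bytes being the CALL displacement. The script below is an added example, not code from the thread or from any of the tools mentioned in it. It searches a memory dump for that sequence and decodes the CALL target; the dump bytes, the load address (0x401000) and the displacement are constructed for the example. It has to run on a dump rather than the file on disk, because a protector's stub is only present in cleartext once it has run, and the pattern itself is specific to the ASProtect versions those tutorials cover, which is exactly why it does not generalise to other protectors.

```python
import struct

# ASProtect-era OEP-jump epilogue quoted in the thread:
#   CALL rel32 ; POP EDI ; POP ESI ; POP EBX ; POP ECX ; POP ECX ; POP EBP ; RET 4
# "??" wildcards the four displacement bytes of the CALL.
ASPR_EPILOGUE = "E8 ?? ?? ?? ?? 5F 5E 5B 59 59 5D C2 04 00"


def parse_pattern(text):
    """Turn 'E8 ?? 5F' into a list of ints, with None for a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def find_pattern(data, text):
    """Return every offset in data where the masked pattern matches."""
    pat = parse_pattern(text)
    n = len(pat)
    hits = []
    for off in range(len(data) - n + 1):
        for i, b in enumerate(pat):
            if b is not None and data[off + i] != b:
                break
        else:
            hits.append(off)
    return hits


def call_target(data, off, base):
    """Decode the CALL rel32 at data[off], assuming data is loaded at VA base."""
    if data[off] != 0xE8:
        raise ValueError("not an E8 CALL at offset %#x" % off)
    rel = struct.unpack_from("<i", data, off + 1)[0]   # signed 32-bit displacement
    return base + off + 5 + rel                        # next-instruction VA + rel


def locate_epilogue(dump, base):
    """Find the epilogue in a dump; return (VA of the CALL, VA it calls) or None.

    Exactly one hit is required: several matches means the pattern is not
    specific enough for this target and a human has to look.
    """
    hits = find_pattern(dump, ASPR_EPILOGUE)
    if len(hits) != 1:
        return None
    off = hits[0]
    return base + off, call_target(dump, off, base)


# Constructed dump for the example: NOPs, the epilogue calling 0x100 bytes
# forward, then INT3 padding. The load address is an assumption.
DUMP_BASE = 0x401000
SAMPLE_DUMP = (
    b"\x90" * 0x10
    + b"\xE8" + struct.pack("<i", 0x100)             # CALL +0x100 at 0x401010
    + b"\x5F\x5E\x5B\x59\x59\x5D\xC2\x04\x00"
    + b"\xCC" * 0x10
)

if __name__ == "__main__":
    hit = locate_epilogue(SAMPLE_DUMP, DUMP_BASE)
    if hit:
        print("epilogue CALL at %#x, target %#x" % hit)
```

Run it against a dump taken just before the stub transfers control and you get the address the stub calls into; what is at that address still has to be inspected by hand, which is the part the tutorials skip.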
Iwarez
April 30th, 2003, 07:43
@Bedrock:
The SmartFTP program is indeed funnily protected. The loader doesn't look like any other I've seen. However, the protection it uses is lame. After you break on the OEP (which you can find by breaking on GetVersion and looking a few bytes up) you can dump it with LordPE to get a dump. If you then change the OEP in the header, the program should run. After that, fixing the signature message box should be easy. (PS: you might want to patch the IsDebuggerPresent call the protector uses.)
@Anyone:
Does anyone know which protector this is?
bedrock
April 30th, 2003, 08:17
@ Iwarez,
I have found that the protector used is Exe32Pak V1.40 (the latest eval version available from the hxxp://www.steelbytes.com website is 1.38, which is a couple of years old).
If you take a look at the target with a PE editor, just at the end of the .rsrc section you will find a string saying protected with exe32pak (c) 2003, or something similar.
I have disabled the signature check fine, and I found the OEP using the post mentioned by JMI, placing breakpoints around ESP (thanks for the link).
My unpacked exe is working fine now, but I have continued further and am trying to create an inline patch, as the unpacked file is over 2.5MB. It seems to me that the place in the code where it jumps to the OEP is part of what is decrypted by the protector, so I can't hijack that jump and jump into my own code.
Iwarez
April 30th, 2003, 12:29
What's in a filesize?
If you really care about the filesize then use UPX or something alike to compress it back.
bedrock
April 30th, 2003, 13:21
Actually I tried that already, but UPX failed with a 'not compressible exception'. But like you say, the file size doesn't really matter.

Iwarez
April 30th, 2003, 16:47
Most of the time the executable gets so screwed up by the protectors, and after that by us, the unprotectors, that a great honest exe packer like UPX can't make anything of it. You wonder how the heck Windows is able to run the file.

Kilby
May 2nd, 2003, 04:35
I have found when recompressing ASProtected files (a couple of years ago) that the section names can cause both UPX and tElock to refuse to repack an app.
Kilby...
evaluator
May 5th, 2003, 01:38
IF UPX FAILED to pack it, then...
then there are other packers around! OK?
Try AsPuck, it is freeware for reversers.
