Quick ASPRed Q


kyrios
May 2nd, 2003, 12:35
Hi,

Recently I tried to unpack this target ().
But somehow ASPRStripper doesn't work, so I tried it manually.
What I found:
Stolen bytes: 7 bytes (55 8B EC 83 C4 F4 53)
OEP: 5495D4
RVA: 16112C
Size: 750

Unresolved APIs
00161160 = GetModuleHandleA
0016116C = GetCommandLineA
00161658 = LockResource
0016169C = GetVersion
001616C4 = GetProcAddress
001616D4 = GetModuleHandleA
001616FC = GetCurrentProcessId
00161700 = GetCurrentProcess
00161704 = GetModuleHandleA

Fixing the "no menu/right click on tray" trick.

:00519D9E B8C8F15400 mov eax, 0054F1C8
:00519DA3 FFD0 call eax <<<< NOP
:00519DA5 6A01 push 00000001

* Possible StringData Ref from Data Obj ->"ShowTipOfDay"
|
:00519DA7 B938A25100 mov ecx, 0051A238

* Possible StringData Ref from Data Obj ->"Global Options"
|
:00519DAC BA50A25100 mov edx, 0051A250


Another error caused by a CALL EAX, but I don't know the effect.

:00518593 6808544000 push 00405408
:00518598 B8C8F15400 mov eax, 0054F1C8
:0051859D FFD0 call eax <<< NOP
:0051859F A108FA5500 mov eax, dword ptr [0055FA08]
:005185A4 85C0 test eax, eax
:005185A6 0F8CF0030000 jl 0051899C
:005185AC 40 inc eax

Now my dumped file runs fine.

Now patching the nag screen:
:00519FE2 8B80D8010000 mov eax, dword ptr [eax+000001D8]
:00519FE8 E89BDCF8FF call 004A7C88 <<<< Step into this CALL
:00519FED 50 push eax

* Possible StringData Ref from Data Obj ->"Global Options"
|
:00519FEE BA50A25100 mov edx, 0051A250

* Possible StringData Ref from Data Obj ->"ShowTipOfDay"
|
:00519FF3 B938A25100 mov ecx, 0051A238

====================================
* Referenced by a CALL at Addresses:
|:005052FF , :0050ED00 , :00519FE8
|
:004A7C88 55 push ebp
:004A7C89 8BEC mov ebp, esp
:004A7C8B 83C4C8 add esp, FFFFFFC8
:004A7C8E 53 push ebx

--------------------SNIP---------------------------

:004A7FC0 8A5361 mov dl, byte ptr [ebx+61]
:004A7FC3 8B45F8 mov eax, dword ptr [ebp-08]
:004A7FC6 8B80D0010000 mov eax, dword ptr [eax+000001D0]
:004A7FCC E80B27F7FF call 0041A6DC
:004A7FD1 807B6100 cmp byte ptr [ebx+61], 00
:004A7FD5 750C jne 004A7FE3

At 004A7FC0, just making dl=1 will enable (ungray) the checkbox "Show tip at startup....".
But if I do that, the shutdown process of pstrip.exe is not perfect,
because if it were perfect, pstrip would write these lines to the ini file before it quits:

ShowTipOfDay=1
Threshold=20
IconManagement=0
RecallColor=0
HKmodifier=0
HardwareID=

But if we patch to enable the checkbox, those lines above are not added to the ini file. Moreover,
it will delete the whole [Global Options] section (of the ini file).
So every time we run the patched version, it will always scan for the VGA card.

Someone please tell me how to fix this problem.



TIA,
kyrios

Manko
May 2nd, 2003, 14:17
Hi!

I actually did this target (though a newer version) some days ago (again).
The only reason was for testing my asprotect debugger app...

Anyway, I solved the problem differently...
Since I don't have exactly the same version I'm going to have to guess that the Call EAX goes to the usual trick for testing if APIs are writeable, i.e. if they are emulated in aspr-space... These tricks sometimes also do important calls/jmps, so it would be a bad idea just nopping them out. Try instead to understand the code inside them, and patch THAT to suit your needs...

Second... Sometimes the dips contain important info/clues, stupidly put there by the authors of proggies. (Actually NOT so stupid, since most newbies hardly know or care about them...)
It is so in this case. The first dip contains an important clue you need to make the most of!

Hope this helps some!

/Manko

kyrios
May 3rd, 2003, 12:08
Hi Manko,
thanks for the hint. :-)

Here's the code:
:00519D9E B8C8F15400 mov eax, 0054F1C8
:00519DA3 FFD0 call eax <<<< NOP
:00519DA5 6A01 push 00000001

You said no nopping. So I went to 0054F1C8 to see what was going on there.
I saw this (static view in the disassembler, not the bytes that actually execute):
:0054F1C8 5C pop esp
:0054F1C9 59 pop ecx
:0054F1CA 8C4103 mov [ecx+03], es
:0054F1CD 8C01 mov [ecx], es
:0054F1CF 0031 add byte ptr [ecx], dh
:0054F1D1 90 nop
:0054F1D2 0100 add dword ptr [eax], eax
:0054F1D4 E48D in al, 8D

Strange code. OK, I put a bpx on :00519DA3 FFD0 CALL EAX to see what this call does.
Surprise, I saw this:

0054F1C8 5B      POP EBX                      ; return address into the caller
0054F1C9 58      POP EAX                      ; value pushed before the CALL EAX: address of the import thunk
0054F1CA 8B40 02 MOV EAX,DWORD PTR DS:[EAX+2] ; skip the FF 25 of "jmp dword ptr [slot]" -> address of the IAT slot
0054F1CD 8B00    MOV EAX,DWORD PTR DS:[EAX]   ; IAT slot -> address of the API itself
0054F1CF FF30    PUSH DWORD PTR DS:[EAX]      <<<< push dword from "Exitprocess" (first dword of the API code)
0054F1D1 8F00    POP DWORD PTR DS:[EAX]       ; write it straight back: faults if the API page is read-only
0054F1D3 FFE3    JMP EBX                      ; return to the caller

It looks like the code has changed. When used, the code is DEC.
NOPping 0054F1CD, the crash doesn't happen anymore. Is it OK nopping like this? (I nopped by changing 8C01 to 9191.)
Because I did that, but my problem is not solved yet (it still scans for the VGA card every time I run it).



TIA,
kyrios

Manko
May 3rd, 2003, 15:32
Hi!

Cool!

It's nice to see you could find and fix this trick in a way that'll let you understand it better. This way you'll be better at spotting other variants...

And yes, of course you may nop.

No, it's not finished, because you have yet to think about the clue I mentioned. Look in the first dip...

/Manko

kyrios
May 4th, 2003, 06:17
Hi manko,

Bad news, my keyboard is broken right now. I can't buy a new one till Monday. You must be wondering why I can post something now, right?
I never had an internet connection at home; I'm always accessing the internet at a cybercafe. Well, here, having an internet connection is much more expensive than having a cell phone. Even for a 2MB VSAT connection we have to pay 500 USD each month! I heard that in Europe, for a 2MB VSAT connection, you only have to pay 15 Euro each month. I wonder whether that is true or not.

Anyway, for the 1st dip you were talking about, is it some code where I land before reaching the OEP? You mean I must do something with the 1st dip and then later at the OEP dump it again? Sorry, I really have poor English. I just want to make sure I got your point.


TIA,
kyrios

Manko
May 4th, 2003, 13:22
Hi!

Dips are those instances where aspr calls into the original app, before OEP, to set up "days used" and any number of other interesting things.

Actually, the different dips get different info from aspr, but the authors of the protected proggie can also put in whatever other code they choose.

Like in this instance, they chose to do something in the first dip that gives their "unpacked-checking" away... if you examine it closely and get to understand it...

I hope you will do the work required now and beat this thing!

/Manko

kyrios
May 6th, 2003, 14:42
Hi manko,

I'm afraid I didn't understand what I should do with the code; I've tried to bypass the 1st dip but it doesn't work.
Would you like to tell me how? A few comments would also be appreciated.



1st dip
:0051E3C4 PUSH EBP
:0051E3C5 MOV EBP,ESP
:0051E3C7 MOV BYTE PTR [0054F1C4],00   ; clear a global flag
:0051E3CE MOV EAX,[EBP+08]             ; first argument passed in by aspr
:0051E3D1 MOV [0054F194],EAX           ; saved into a global
:0051E3D6 POP EBP
:0051E3D7 RET 0004                     ; stdcall, one argument

2nd dip
:0051E3DC PUSH EBP
:0051E3DD MOV EBP,ESP
:0051E3DF MOV EAX,[EBP+08]             ; first argument
:0051E3E2 MOV [0054F198],EAX
:0051E3E7 MOV EAX,[EBP+0C]             ; second argument
:0051E3EA MOV [0054F19C],EAX
:0051E3EF POP EBP
:0051E3F0 RET 0008                     ; stdcall, two arguments


TIA,
kyrios

Manko
May 7th, 2003, 15:59
Hi, Kyrios!

I can't give you too much!

It's not a matter of skipping or not...

You have to understand what the first dip does. Also see what happens later when the proggy is running... You need to do some honest RCE. (Though it's really much too simple to be called RCE...) (But it is like many things: really simple WHEN you know them...)

/Manko

nikolatesla20
May 7th, 2003, 23:05
kyrios,

It's also very useful to download a protection and read its help files as to how it can be used. This can give you very important clues as to what might be going on.

Try to think like a "hacker", or a "cracker", or anyone for that matter that wants to figure out something. Get as much data as you can first, and then brainstorm. Getting a protection and reading up on how to actually use it are key steps in defeating it.

-nt20

kyrios
May 8th, 2003, 10:42
Hi Manko,
I really want to understand the code, but it looks like IDA doesn't let me see the code, because at most offsets I just see db bla.. bla.. bla.. Where is the code I'm supposed to see?
Meanwhile I left pstrip for a while and did my previous homework about int3 fixing. Wow... big surprise (for me), now I can dump the whole tables.
Because you know... lots of people still don't understand how to catch those tables. But in some (maybe latest?) target, it doesn't allow me any active debugger even though I already use icedump (read access error, bla..bla..bla...). So I tried to use WinHex, but I can't see where table 4 lies. I can see tables 1, 2 and 3.


bbl,
kyrios

Manko
May 8th, 2003, 11:51
Hi!

Actually, you should really focus on the part where I said:

"Also see what happens later when proggy is running..."

You can't do that with IDA, can you? :P

/Manko

dELTA
May 8th, 2003, 18:04
Yes you can, in IDA 4.5.


dELTA

Manko
May 9th, 2003, 11:38
HI!

Hehe... I was waiting for that.

Yup, if you are a paying, registered user...
which I took for granted he was not...

(Oops! Maybe I am wrong again!)

To Kyrios:

Actually, I guess you should be able to see that code without too much trouble.

Position the marker at the address of the dip.

Press 'c', as in 'c'ode, to make it into code...

Repeat for the next dip...

So why wasn't it made into code automatically?
I don't know exactly, but it might be because aspr has it surrounded by signatures or something... at least it is not executed by the dumped proggy, so that might also be it...

/Manko

Manko
May 14th, 2003, 03:41
Hi, Kyrios!

Actually I found out a while back, one or two days after I last posted in this thread, that I was wrong. No matter how much you look at that first dip, you can't solve the problem YOU found.

I should have tried it myself, and maybe I would have found that it didn't really work... Hrm... (You had that part of the dip patched in your own way, which also worked.)

Anyway, I got to work on it and soon tracked it down to something to do with the nag...

I won't say more now...

(But NOW I have it patched and running perfectly!)

/Manko

kyrios
May 14th, 2003, 11:11
Manko, you are such a liar!
The 1st dip you were talking about will only fix:
1. Can't detect proper CPU clock & RAM clock
2. Advanced Timing Option
3. etc.

If I fix it, those problems go away.
Written from the 1st dip:

:0051E3C4 PUSH EBP
:0051E3C5 MOV EBP,ESP
:0051E3C7 MOV BYTE PTR [0054F1C4],00   ; the flag to keep at 00
:0051E3CE MOV EAX,[EBP+08]
:0051E3D1 MOV [0054F194],EAX
:0051E3D6 POP EBP
:0051E3D7 RET 0004

Make sure [0054F1C4] always returns 00 while the program is running, no matter what.

And my problem I've already solved.
It's all about [0054F1A0]. The offset is wrong. The correct one should just point to a RET.
A way to find [0054F1A0] is just to look at the 2nd dip.

2nd dip
:0051E3DC PUSH EBP
:0051E3DD MOV EBP,ESP
:0051E3DF MOV EAX,[EBP+08]
:0051E3E2 MOV [0054F198],EAX
:0051E3E7 MOV EAX,[EBP+0C]
:0051E3EA MOV [0054F19C],EAX <<< add 4 bytes = [0054F1A0]
:0051E3EF POP EBP
:0051E3F0 RET 0008

I must say thank you, Manko. Without your "false" clue I couldn't have fixed this target. But if you had just told me the correct one, hey... where's the fun? Thanks again


later,
kyrios

Manko
May 14th, 2003, 14:09
Hi, Kyrios!

Hehe... Sometimes I just get confused, and often I'm either too lazy or too rash...

Besides, some confusion could also be blamed on us doing different versions... That is, my confusion...

Glad you got something out of it!
That was always what I hoped for.

BTW, how did you find and fix the problem with "Global"-something-or-other? I fiddled around with things, being too lazy to document anything, getting lost... when I said to myself, "hey, this is Delphi and someone left the info on the procs of that nag in the exe." I played with this a bit but got bored and did something else...

I dumped the proggy when the nag was shown and again when it was destroyed... *snigger*

I would probably have found it anyway if I weren't so undisciplined... hrm...

But actually, I quite liked the method I used... It was amazingly effective with this target.
Can't wait to try it again some other time...

/Manko

kyrios
May 15th, 2003, 12:18
The way I found it:
From the 1st dip [0054F1C4], a few bytes after it you will see the "no right click" trick (if you already fixed it, you'll meet 9191). And a few lines up, you will see [A] and [B] from the 2nd dip.
Ripped from the 2nd dip:
:0051E3DC PUSH EBP
:0051E3DD MOV EBP,ESP
:0051E3DF MOV EAX,[EBP+08]
:0051E3E2 MOV [A],EAX
:0051E3E7 MOV EAX,[EBP+0C]
:0051E3EA MOV [B],EAX
:0051E3EF POP EBP
:0051E3F0 RET 0008

I wondered whether the centre of the trick lies here.
If you take a closer look, [A-4] and [B+4] look like offsets to me.
So I put a bpmb on [A-4], [A], [B] and [B+4]. Then when I close the target, surprise... it breaks on [B+4]. Well, this must be the trick, I said to myself. The offset could be wrong, because I've found the same trick (many times) on other ASPRed targets which won't load at the beginning (like CALL dword ptr [eax+50]).
My next experiment was patching the nag to fool the program into thinking I'm a registered user. And well, the target reacted differently. When I close it, I break on a different offset, but still on [B+4].

The code is similar to this:
cmp bla.. bla..
jnz yyyyyyyy
mov [B+4], 00xxxxxxxxx

Could this 00xxxxxx be the correct offset for [B+4]? So I changed it, and you know what? It works....
This 00xxxxxx is only a RET. You could even seek any RET you find and point [B+4] to it.

I also found that the way I patched the nag (I described it before) still shows the nag even though the "show startup......" is not grayed anymore. The correct way is to go to the parent CALL, then a few lines up you can insert your code into any space you find, inject your code, and then jump back. That's what I did, but I'm pretty sure there are plenty of ways to get to Rome.



later,
kyrios