LaBBa
October 1st, 2003, 16:17
Hi all !!
I talked to CyberHeg about this and he told me this:
<CyberHeg> LaBBa: it's nothing new
<CyberHeg> aspr was the first one to do it
<CyberHeg> armadillo and the others copied it from asprotect
<LaBBa> really ?
<LaBBa> didn't know that ..
<CyberHeg> yes it has worked since like v1.1
<CyberHeg> or so
<CyberHeg> for more than a few years
<CyberHeg> it's not too common to use
<LaBBa> i unpacked many versions and that is the first time i ever saw ASPR do that ..
<CyberHeg> mostly because there are a ton of problems when you use it
But I never saw a post about it, so I post it here now..
I got this app: <url deleted>
from Billy to check this Registered ASPR use ..
Well, I found this info:
Real OEP : 443ec4
Stolen bytes = 38 bytes
The stolen bytes were found by setting a trace until this command shows:
REP STOS BYTE PTR ES:[EDI]
00A36354 55 PUSH EBP -> 1
00A36355 8BEC MOV EBP,ESP -> 2
00A36357 6A FF PUSH -1 -> 2
00A36359 68 30284700 PUSH 472830 -> 5
00A3635E 68 E4234400 PUSH 4423E4 -> 5
00A36363 64:A1 00000000 MOV EAX,DWORD PTR FS:[0] -> 6
00A3636E 50 PUSH EAX -> 1
00A3636F 64:8925 00000000 MOV DWORD PTR FS:[0],ESP -> 7
00A36376 83EC 58 SUB ESP,58 -> 3
00A3637E 53 PUSH EBX -> 1
00A36384 56 PUSH ESI -> 1
00A3638A 57 PUSH EDI -> 1
00A3638B 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP -> 3
sum of: 38 bytes
Well, I fixed the IAT real easy with ImpRec (MackT/UCF),
and when I tried to run it, it crashed ..
hehe ..
Well, I traced until I found that ASPR is getting to this part of code:
How it looks before the 2 calls of ASPR (after Ctrl+A):
0040DF1C . FF15 08FF4700 CALL DWORD PTR DS:[47FF08] -> call ASPR Code
0040DF22 . FF15 00FF4700 CALL DWORD PTR DS:[47FF00] -> call ASPR Code
0040DF28 . E9 27000000 JMP RepairVi.0040DF54
0040DF2D D5 DB D5
0040DF2E 24 DB 24 ; CHAR '$'
0040DF2F 2D DB 2D ; CHAR '-'
0040DF30 81 DB 81
0040DF31 F4 DB F4
0040DF32 2C DB 2C ; CHAR ','
0040DF33 54 DB 54 ; CHAR 'T'
0040DF34 3D DB 3D ; CHAR '='
0040DF35 46 DB 46 ; CHAR 'F'
0040DF36 3D DB 3D ; CHAR '='
0040DF37 . A9 743938EC TEST EAX,EC383974
0040DF3C . 9B WAIT
0040DF3D . 872A XCHG DWORD PTR DS:[EDX],EBP
0040DF3F . C2 44D6 RETN 0D644
0040DF42 . 92 XCHG EAX,EDX
0040DF43 . 08DF OR BH,BL
0040DF45 . A9 1EF9B175 TEST EAX,75B1F91E
0040DF4A . 45 INC EBP
0040DF4B . D9CA FXCH ST(2)
0040DF4D . 05 44530606 ADD EAX,6065344
0040DF52 . 5E POP ESI
0040DF53 . F1 INT1
0040DF54 > FF15 04FF4700 CALL DWORD PTR DS:[47FF04]
0040DF5A . 8D86 F43A0000 LEA EAX,DWORD PTR DS:[ESI+3AF4]
0040DF60 . 50 PUSH EAX
0040DF61 . FF15 5C834600 CALL DWORD PTR DS:[46835C]
0040DF67 . 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
0040DF6B . 8BC6 MOV EAX,ESI
0040DF6D . 5F POP EDI
0040DF6E . 5E POP ESI
0040DF6F . 5B POP EBX
0040DF70 . 64:890D 000000>MOV DWORD PTR FS:[0],ECX
0040DF77 . 83C4 10 ADD ESP,10
0040DF7A . C2 0400 RETN 4
Well, I just pressed F8 (Trace Over) on the two calls and I got this weird thing ...
How it looks after the 2 calls of ASPR (after pressing Ctrl+A):
0040DF1C |. FF15 08FF4700 CALL DWORD PTR DS:[47FF08]
0040DF22 |. FF15 00FF4700 CALL DWORD PTR DS:[47FF00] ->> This was a Decrypt Code call !!
0040DF28 |. E9 01000000 JMP RepairVi.0040DF2E ->> NOT THE SAME JMP !! and more new bytes..
0040DF2D | ED DB ED
0040DF2E |> 391D 4CDA4700 CMP DWORD PTR DS:[47DA4C],EBX
0040DF34 |. 7F 05 JG SHORT RepairVi.0040DF3B
0040DF36 |. E8 05EDFFFF CALL RepairVi.0040CC40
0040DF3B |> E8 70ECFFFF CALL RepairVi.0040CBB0 ->> it uses this call !!
0040DF40 |. 85C0 TEST EAX,EAX
0040DF42 |. 77 0A JA SHORT RepairVi.0040DF4E
0040DF44 |. C786 E0380000 >MOV DWORD PTR DS:[ESI+38E0],19720203
0040DF4E |> EB 04 JMP SHORT RepairVi.0040DF54
0040DF50 | EA DB EA
0040DF51 | 54 DB 54 ; CHAR 'T'
0040DF52 | F9 DB F9
0040DF53 | 78 DB 78 ; CHAR 'x'
0040DF54 |> FF15 04FF4700 CALL DWORD PTR DS:[47FF04] ->> Another ASPR Encrypt Call!!
0040DF5A |. 8D86 F43A0000 LEA EAX,DWORD PTR DS:[ESI+3AF4]
0040DF60 |. 50 PUSH EAX
0040DF61 |. FF15 5C834600 CALL DWORD PTR DS:[46835C] ->> InitializeCriticalSection API
0040DF67 |. 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
0040DF6B |. 8BC6 MOV EAX,ESI
0040DF6D |. 5F POP EDI
0040DF6E |. 5E POP ESI
0040DF6F |. 5B POP EBX
0040DF70 |. 64:890D 000000>MOV DWORD PTR FS:[0],ECX
0040DF77 |. 83C4 10 ADD ESP,10
0040DF7A \. C2 0400 RETN 4
After the 0040DF54 ASPR call, the code that was changed returns to being the same !!
I haven't completed the fixing and understanding of what ASPR does ... but I thought that I would show you all
this first so we could all start working on it ..
Best Regards, LaBBa.
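An added example (my own code, not LaBBa's and not anything from ASProtect or OllyDbg) that works on OllyDbg listings pasted in the form above: it reassembles the traced stolen bytes and checks that they really total 38, and it compares a before/after dump to report which addresses ASPR rewrote in place. The tokenizer is a heuristic for this pasted format (flow-arrow column, `64:` prefix groups, `XX DB XX` data lines); the embedded listings are copied from the post, the before/after pair as a three-line excerpt.

```python
import re
HEX_GROUP = re.compile(r"^(?:[0-9A-F]{2}:)?(?:[0-9A-F]{2})+$")  # e.g. '64:A1', '00000000'
MARKERS = set(".|>\\")  # OllyDbg flow-arrow column tokens such as '.', '|.', '|>', '\.'

def parse_listing(text):
    """Map address -> encoded bytes for every 'ADDR [arrow] hex.. MNEMONIC ..' line."""
    out = {}
    for line in text.strip().splitlines():
        addr, *toks = line.split()
        toks = [t for t in toks if not set(t) <= MARKERS]  # drop the flow-arrow column
        groups = []
        for i, t in enumerate(toks):
            data_db = t == "DB" and toks[i + 1:i + 2] == groups  # 'XX DB XX': DB is a mnemonic
            if data_db or not HEX_GROUP.match(t):  # first non-hex token is the mnemonic
                break
            groups.append(t)
        out[int(addr, 16)] = bytes.fromhex("".join(groups).replace(":", ""))
    return out

def stolen_bytes(listing):
    """Reassemble the traced stolen instructions contiguously, in address order."""
    return b"".join(v for _, v in sorted(parse_listing(listing).items()))

def changed_range(before, after):
    """(lowest, highest) address whose bytes differ between two listings, or None."""
    b, a = parse_listing(before), parse_listing(after)
    diff = [x for x in set(b) | set(a) if b.get(x) != a.get(x)]
    return (min(diff), max(diff)) if diff else None

# Stolen-byte trace copied from the post; ASPR interleaves junk, hence the address gaps.
STOLEN = """00A36354 55 PUSH EBP
00A36355 8BEC MOV EBP,ESP
00A36357 6A FF PUSH -1
00A36359 68 30284700 PUSH 472830
00A3635E 68 E4234400 PUSH 4423E4
00A36363 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00A3636E 50 PUSH EAX
00A3636F 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
00A36376 83EC 58 SUB ESP,58
00A3637E 53 PUSH EBX
00A36384 56 PUSH ESI
00A3638A 57 PUSH EDI
00A3638B 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP"""
# Three-line excerpts of the post's before/after dumps around the rewritten JMP.
BEFORE = """0040DF28 . E9 27000000 JMP RepairVi.0040DF54
0040DF2D D5 DB D5
0040DF54 > FF15 04FF4700 CALL DWORD PTR DS:[47FF04]"""
AFTER = """0040DF28 |. E9 01000000 JMP RepairVi.0040DF2E
0040DF2D | ED DB ED
0040DF54 |> FF15 04FF4700 CALL DWORD PTR DS:[47FF04]"""
```

Fed the two complete dumps from the post instead of the excerpt, changed_range returns (0x40DF28, 0x40DF53): the 44 bytes that the two ASPR calls decrypt in place and that the 0040DF54 call turns back into the original junk.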