hi guys,

how do i find the antiloader protection scheme
inside a ASPR protected file ?

i want to write a loader for a packed exe, but ASPR has anti loader protection..

i use ollydbg

how do i approach ?

grtz, JohnDoe1

there are others ways to do it.. and easier
find OEP and look for GetModuleHandleA and see where does the app write the instance to. for ex.

push 0
call GetModuleHandleA
mov [0045A3C1], eax

now that u know where it saves the instance you can write a loader.
make and infinite loop which checks if there is some value in that memory and if there is that means aspr has passed control to the original code and you can patch. You can compare like this:

cmp dword ptr [0045A3C1], 0
jnz patch

or like this:

cmp dword ptr [0045A3C1], 00400000
jz patch

of course there are many variants of this. You can stick with other apis not just GetModuleHandleA.

Hope that helps..

hmmmm

finding OEP = easy...

but then ;-)

i like your approach btw... never thought of that

mmmmm

this is what i found :-)
the first JMP to kernel32.GetModuleHandleA after the OEP

----------------------------------------------

00A01CD8 6A 00 PUSH 0
00A01CDA E8 D934FFFF CALL 009F51B8 ; JMP to kernel32.GetModuleHandleA
00A01CDF FF35 147EA000 PUSH DWORD PTR DS:[A07E14]
' olly says : DS:[00A07E14] = 0A28015
00A01CE5 58 POP EAX

00A01CE6 8B05 247EA000 MOV EAX,DWORD PTR DS:[A07E24]
' olly says : DS:[00A07E24] = 00151EE0, (ASCII ""program path\program name""

----------------------------
i know that the address 00a01cd8 is still ASPR code

this code was called by the main program at :

--------------------------------
0040FCBE > FF15 F0604100 CALL DWORD PTR DS:[4160F0]
'olly says : DS:[004160F0] = 00A01CD8 ( see above routine )

0040FCC4 . A3 38034200 MOV DWORD PTR DS:[420338],EAX
'olly says : DS:[00420338] = 00151EE0

0040FCC9 . E8 BB290000 CALL AnyDVD.00412689
0040FCCE . A3 A4C24100 MOV DWORD PTR DS:[41C2A4],EAX
'olly says : DS:[0041C2A4] = 009B0768

0040FCD3 . E8 0F290000 CALL AnyDVD.004125E7
0040FCD8 . 85C0 TEST EAX,EAX
--------------------------------

i feel i'm close, but what is my next step ?

Grtz, JohnDoe1

i tried to create a loader ( asm, with msms32 )

still the protection seems active..

because it cannot find the instance.



i'm lost..

how can i now proceed i need help

maybe someone with another asm loader file
that bypasses the aspr loader protection
(including the original aspr file, so i can try to work this out ?? )

thanx for a reply

here is my .cpp source of a loader which works on aspred progs... maybe it will help you

it is nice to see some people solved it ;-)

but i need to know the how to..

could you guide me through it ?

i really want to learn how to approach aspr..

or give me the ent.exe ( i think it is Target Name Removed)
that this loader works on ??

johndoe1:

Save discussion of the target name for Private Messages. Code has been posted in this thread!!!

Regards,

This is weird...

As i am able to make a loader for the app as the .cpp file was for ( ENT.exe )
which was protected with ASPR 1.23 RC4

i am not able to make a loader for my app

as it seems ASPR 1.23 RC4 has different builds....
the aspr version i try to approach seems to have a "load new instance feature"

because the memory i patched ( and succeeded ) didn't have a effect on the
exe file

if i patch the same address in olly ( after finding the OEP off course )

this patch works......

any help is very welcome

try bpm on the address you patch.. see what else is trying to write on it?

it shall be my bad coding ...

is there anyone who has a MASM example

on how to do what rejker said ??

because i get the handle written if the program already is visible...

i see a dialogscreen, and then i get the msgbox ( i created it for debug checking ) that says that the handle is written...



so patching won't have any effect then...



grtz,Johndoe1

i dont see any VirtualProtectEx api calls in that .cpp loader code.
if you are using winxp u should call it to unprotect the place u want to patch in memory if am not mistaken

different builds ..... yes

different reaction against loaderz .... no

all aspro defeated by loaderz .

how did you defeat the protection ?

can you give me some examples ? on how you approached?
what you did to defeat aspro ?

uzed pelg 0.3 Predator's .

that don't defeat aspr loader generation

how did you bypass it using pelg ???

description please

u r right

coz it defeat :

aramadillo
upx
aspack
anticrack
pe-protector
code-crypt
wwpack32
neolite
petite
ACProtect
PELock
tElock
SVK Protector
EXE Stealth

too

?????

i don't get you

aspro uzed 2 protect softwarez aginst crackerz . right ?

pleg uzed 2 protect crackerz aginst aspro . that,s it .

dump the proggy + check code + pleg = aspro vanish .

thats not whqat i want to do

i like to be able to write a loader and leave the original exe untouchd

if i would dump it, i could also patch it on disk

the idea of a loader is to leave the original untouched.. isn't it ?

i support u , make smart loaderz aginst smart packerz .



i agree but let pleg take care of that just load targetz RVA .



nop , the idea of loaderz is to leave the original think,s untouched

by offline sniperz online patcherz which called loaderz .

mmmm I know it is possible to write loaders so the original file can stay untouched.

i have one here... it does defeat the anti loader protection, and leaves the original untouched..

i'd like to get smarter and write such loaders, as dumping isn't that difficult
once you know the stolen bytes part...

u r smart enough 2 write smart loaderz

4 sure u r smarter than me coz i don,t

even know what stolen bytez meanz,

but i know 1 thing 4 sure that unpack

just 2 crack iz a waste of time , but

unpacking 2 know how packerz work

so u could write new loader generator

that iz more smart more advance wont

be a waste of time , the magic of pleg

iz the ability of defeating all packerz

by a tiny softy kiss.thanx 2 Predator .

For christ sakes drop the 1337 sp33k seven...

Hello:

I have converted NONE1899's cpp loader code example to asm. I am having the same problem as JohnDoe1; if I patch the program (ASPR 1.23 RC4) with Olly, my changes work fine, no nag box. My loader however does not error out but the program acts as if no patches were applied? If it was a CRC error problem I would expect an error message or program closure. I have tried different values in the sleep function. Why does the patch not effect the program? WriteProcess returns success. Is ASPR changing the bytes back to original? wtf? ASloader by GlObAl & [NtSC] seems to handle changing the bytes, but I would like to make my own loader.

SS

.elseif eax==WM_COMMAND
.if wParam == 1001
invoke CreateProcess, addr FileName, NULL, NULL, NULL,FALSE,NORMAL_PRIORITY_CLASS,NULL, NULL, addr sd, addr pi
lop1:
;read 2 bytes at patch_address1
invoke ReadProcessMemory,pi.hProcess, patch_address1, addr dataread, 2, NULL
;check to see if the 2 bytes are our program code yet
mov al,dataread
cmp al,074h
jne lop1
mov al,dataread+1
cmp al,030h
jne lop1

;sleep till asprotect do memchk
invoke Sleep,150 ;10 or less gives protection error 15
;write a byte (075h) at patch_address1
invoke WriteProcessMemory, pi.hProcess, patch_address1, addr patch1, 1, NULL

.if eax != TRUE ;Shazbot!
invoke MessageBox,0,addr ErrorMsg,addr AppName,MB_OK
.endif

lop2:
invoke ReadProcessMemory,pi.hProcess, patch_address2, addr dataread, 2, NULL
mov al,dataread
cmp al,075h
jne lop2
mov al,dataread+1
cmp al,012h
jne lop2

invoke WriteProcessMemory, pi.hProcess, patch_address2, addr patch2, 1, NULL

.if eax != TRUE
invoke MessageBox,0,addr ErrorMsg,addr AppName,MB_OK
.endif

;all done
invoke MessageBox,0,addr DoneMsg,addr AppName,MB_OK

do you mean that you got the loader working for the app none1899 made a cpp loader for ?

because i did that as well, no problem for me and it also works fine..

seems this program has no loader protection....

but the other part.... i fail to write loaders for programs with loader protection...

how do we have to approach this ??

grtz, Johndoe1

John:

I tried the loader code on a different app packed with ASPR 1.23 RC4. Not sure how to proceed.

SS

ehm.. we need to bypass the loader protection..
either the memory is protected, or the aspr detects thast memeory is changed, and it reloads itself again.....

John:

I dont think ASPR is protecting memory because WriteProcessMemory does not error out. It may be reloading original code if ASPR detects ProcessMemory has changed. I tried to unpack ASload by GlObAl & [NtSC] to see what it does but it is packed with something that is beyond my skill level to unpack. Perhaps some of the more experienced +reversers can help us with this. How do we fake out ASPR anti-loader code? You ASPR loader creators, how do you do it? Please help. John, message me if you get any leads.

SS

Oops,Delta reminded me of this Thread.

Well,Asload for Example is based on RIng3 Thread Modification.
CreateThread,Read/Write ProcessMemory,VirtualProtect etc.

Generally Global investigated a few neat Offsets (Bytes) to Hook.
Thus we catch some save Points and disable unwanted Stuff.

Iam sure if you look closer to some Asprotect Threads you will find some Offsets (Bytes) you can use for ScanStrings.

Hello [NtSC]:

I did a search of the archives for "Asprotect Offset bytes" and "Scanstrings" and didn't find anything useful. I realize you may not want to give away your loader code, but could you perhaps explain in a bit more detail the steps to take. For example, do I use the debug api to single step the program until a certain eip? What scanstring's do you search for? Should I be paying more attention to CreateThread,Read/Write ProcessMemory,VirtualProtect etc in the target app (going to try this). A little pushad in the right direction would be helpful.

Tks,
SS

Should I be paying more attention to CreateThread,Read/Write ProcessMemory,VirtualProtect etc in the target app (going to try this).
^^^Thats the right Way to go.. Atleast its the Way Asload does it.

Thus,there is no Register Check over Debug Apis or whatever.. That could be a bit slow at all. It is enough to insert some "EBFEīs" and check EIP for that.

Since Asload was some Cooperation Thingy between Global and me, i cant say anything about the Offsets (ScanStrings) without Globalīs Permission.

Days back i was bored and Global got me for the Coding Part of Asload,thus
the major research on Asprotect was done by him.

I will try to contact him and look if he is in the mood to offer some more Infos,but i cant promise Stuff now. I hope you understand that

please global and ntsc, tutor us

we really like to know how to approacht ASPR
and future versions of aspr..

what exactly does asload do ??

creates loaders for aspr proggies ?
i'd like to take a look at it.

johndoe... i don't have any problem with aspr loader watsoever... and there isnt much anti loader in aspr anyway...

I fail to see u display any efforts? can u show us some codes of your loader... some effort to find out where your loader fail?

I dont think Gl0bal wish to reveal those bytes, simply cos it is too easy for Alexey to change them and make it harder for hook those bytes... u dont need them for your loader anyway...

ehm...

well i tried to approach on diff levels...

1st thing is sleep, and then change bytes...

2nd thing is wait for the handle to be written by the main program.
and then try to patch the bytes.. ( still the nags occur.. )

i'm programming in asm

readprocessmemory
compare memory with bytes to be read

if match .. then patch...

something like this..

invoke ReadProcessMemory,procinfo.hProcess,location1,addr readbuffer,1,0
cmp eax,0
je _Read process_memory
invoke lstrcmp,addr readbuffer,addr checkbytes1
cmp eax,0
jnz _wrong_version (or loop to wait..)
invoke WriteProcessMemory,procinfo.hProcess,location2,addr patchbytes1,2,0
cmp eax,0
jnz _WP_ERROR



i also tried to unprotect memory like this

invoke VirtualProtectEx, procinfo.hProcess, location2, 2, PAGE_EXECUTE_READWRITE, addr lOldProtect
cmp eax,0
jnz _UPM_ERROR

also no effect....

that bugs me

i need to know how to approacht ASPR... bypassing the protection scheme...

please help....

grtz, Johndoe1

I assume you are using the Debug API?
Are you hooking the API IsDebuggerPresent?
Are you patching the Debug context?

ehm don't know exactly what you mean..

i don't hook that's for sure..

i'm waiting for a handle to be written in memory
then i start patching the memory..


but... i need to learn different approaches...

could we take an aspr'ed program
and try to do this in the forum ??

grtz, JohnDoe1

its often a good idea to suspend the process (via suspendthread) when using readprocessmemory/writeprocessmemory, doing your stuff, and then resuming
and why sleep and then change the bytes, launch the process supended, do your initial patches, then resume....

If you dont suspend the Thread before Read/Write ProcessMemory you will probably not get the Results you want. Its a must i guess :P
Well,GetThreadContext works out fine too.
But basically,its all doable over Ring3 at all.

Thanks for the hints and tips. I am going to recode my loader and try to incorperate the suggestions you all have offered. Will keep you posted.

John: let me know if you make any headway please. I have attached the ASloader program for you to look at.

SS

Ok Johndoe... you know aspr has lots of seh right? my loaders normally load aspr process as a debuggee... each time seh occurs, it will hand control to our loader... then you can check whether your byte is there already or not, if so patch it or else go on let aspr do its job...

the sleep and wait approach doesnt work really well... i tried it once long time ago i think... using debugging APIs provide a stable solution... u dont have hold your breath and hope that u catch the byte in time to patch

the best loader maker i ever seen for aspr. or any packer is FuckFmn v0.3 .. the problem is that dosen't work on some w2k machines , and dosen't work for winXP

but this bastard is able to patch any aspr. without using any trick (Win9x Full Working) ...it mades 6 kb loaders for any exe

Source Pack Including Loader maker : hxxp://www.smola.pac.pl/main/smola01.zip

Loader Maker v0.1 + Sample Scripts:

hxxp://www.smola.pac.pl/main/fuckfmn01.rar

Author says : a new technology loader working under ring0 for w9x/w2k.

maybe with some minor modifications can be modified to be winall working

i'll wish some day this can be done

Url: hxxp://www.smola.pac.pl/win32asm.htm

Main Site: hxxp://www.smola.pac.pl

tried the asloader, et voila

but your approach... on SEH
can you explain a bit more on how you do that ??

an asm example of some kind.. would be nice

mmmm I am defiantely getting of the idea of looping in memory
i like your idea on seh ( that's how i manually do it in Olly )

but no i have to learn on how to intercept the SEH part

any help ??

grtz, JohnDoe1

SS, i will....

well that that code doesn't work under some win2k and not under XP

is because of the vxd i guess

damn that asloader is gooooooood

hey is asloader also good for the trial protection inside ASPR ?

i still have to defeat that one

for now i'm stuck to asloader...
but i need to know how to defeat the trial protection inside
ASPR

any help ??

anyone know how to defeat the trial protection within ASPR ???

I'm quite sure they won't know it any more just because you post the exact same question in two consecutive posts anyway.

And yes, there is quite much info about the Asprotect trial protection if you search this board, as usual.

me was double posting due to an err on my interent explorer i guess
i didn't see my last post...

i can't find any good info on aspr trial protection...

i know it can be defeated, because there is a routine in stripper that does it..
but.. can't find info here

can you help me out on how to find it, i searched for the string yuo suggested ( already did that earlier, with other words.. )

maybe i'm just dumb ??

>i can't find any good info on aspr trial protection...

trial protection what is it?

inside an asprotected file ( with time trial enabled )

the protection ( aspr part )
looks if the trial is expired or not..

if expired the aspr routine breaks in and running the program is prohibited

i need to know how this time trial protection works...

anyone knows how it works ??

>inside an asprotected file ( with time trial enabled )

>the protection ( aspr part )
>looks if the trial is expired or not..

>if expired the aspr routine breaks in and running the program is prohibited

>i need to know how this time trial protection works...

You have come to the wrong place.Here they only analysis the program how asprotect works.

You won't get fully cracking anwsers here(ask for crack will be banned!)

The only way is you have to debug the program yourself...

dear Esther Bastard :

i don't want you guys to crack ...

i'm just asking if anyone ever defeated the aspr time trial protection scheme..

i am wondering what it does.

this because i monitored registry
and removing the entry in the aspr registry entries still doesn't make the program believe it has 100% of time trial left..

i could dump the victim, and then just crack it.

but i am curious how this protection scheme works

so making a loader and leaving the original exe untouched..

but your answer truly doesn't help much !!

it might help if u actually read n follow delta's advice...
all this questions have been discussed before... so it is up to you to find out :/

before i posted, i tried to find it on the forum...
but that hasn't helped me, thats why i tried to post it

i als asked delta how to look or use the forums search engine
to find entries on this matter

no answer yet..

if you have a answer please post it or pm me
( i'd like to know how to search this item on this forum )
is there a advanced search method ?

Hmm, let me put it this way... there is no instant answer, hence no instant search... searching does take a bit of patience, to sort out the info and see the relevant info...

You should not expect an instant answer exactly for your questions, but there are other info similar to it and you might need to investigate the problem yourself based on those info to answer your own queries...

I type "registry asprotect" into the search field on top, got this
http://www.woodmann.net/forum/showthread.php?t=4000&highlight=registry+asprotect
seem fairly useful for your purpose i think, but i might be wrong...

So what the heck are you using for search terms? Try the following without the quote marks in the search window: " aspr expired" and then try "asprotect expired." Also try "aspr time" and "asprotect time." Among the thread you will find is a long one titled: "Azpr's new check time algo," which would be a good place to start.

Searching on the net would find many tutorials related to that subject, but you apparently didn't bother really looking for anything. There are even programs available which reset the time limit for many versions of Asprotect which you could find with a little effort and which you could study to learn now it is done.

Two of your most important 'tools" are your eyes and your brain and you do not seem to be using either with any effort or much skill at all. You simply want someone else to GIVE you the answers, rather than spending time searching for the answers.

If the problem is that you do not know HOW to search then you should visit the Fravia's Searchlores site linked on the bottom of these Forums.

This is not the childrens school yard where someone will take you by the hand and teach you the ABC's. Here you are supposed to MAKE an effort and SHOW that effort and THEN ask for help. It's time you got with the program.

Regards,

thank you !!!

well i am sorta used on getting results on search engines

with "+" or "AND"

but i wasn't getting the right results that's why iasked for help

but thinking i am lazy and didn't try enough.. dont heav a brain
etc, well
yah that's your opinion..

thanks for that comment

Perhaps you should spend more time actually reading the responses you get instead of defending yourself while at the same time demonstrating what has already been said about your efforts. No one said you did not have a brain and I did not suggest you were lazy. What I did say was "you do not seem to be using either (your brain or eyes) with any effort or much skill at all."

Your reply was: "well i am sorta used on getting results on search engines with '+' or 'AND'." Really? How come if I impute "aspr expired" or "aspr AND expired" it get the same 8 threads apparently seven of which you did not find?

How come if I imput "aspr time trial" or "aspr AND time trial" I get the same thread ""Azpr's new check time algo," which I got with the other search terms I used and YOU TRIED and DIDN'T? What it means is that you either DID NOT TRY and/or you are lying about it now to cover your sorry efforts at searching. Not very impressive.

Regards,

He's just lazy to search the forum.What can I say! he is a lazy bastard

hey, esther!
try to search more qualified words before taping easier ones.

however, for me seems, member "johndoe1" is just trying to crack some target without any interest in reversing.
so will be good, if we will break him.

jmi or whoever is a moderator or admin here

please deactivate my account...

i know when i'm unwanted

have a nice one d00ds