ASPR v1.23 RC1 Removed, program doesn't stay running...


Infin8Cyn
April 14th, 2004, 16:57
I'm really pretty new to debugging, and ASM, but I'm slowly trying to teach myself and lurking around here. I've been trying to use OllyDbg v1.09d to remove a version of ASProtect v1.23 RC1 [Overlay] from a piece of software. However, I'd also tried using ASPR Stripper v2.07f on the file. When I would use ASPR Stripper it would tell me that "it wasn't nice to play with other people's files". I assumed it had Anti-Debugger protection in it, so I began working with OllyDbg.
After a while of poking through with Olly, I could not make it trip on "IsDebuggerPresent," so I ran ASPR Stripper across it again. This time it worked; however, with ASProtect removed, the program now launches (its icon and program appear on the taskbar) then quickly disappears. I'm going to use the SysInternals tools to see if it's looking for a file or reg. key or something, but I'm lost as to what to check now. Any help would be greatly appreciated.

JMI
April 14th, 2004, 18:57
Infin8Cyn:

There is a tremendous amount of information already contained on this Forum about asprotect and there are at least 8 existing threads which reference aspr v 1.23. Have you searched for and reviewed any of them? There are also many, many more threads about removing aspr itself.

So far, you have only run asprstripper on the program twice. The first time it gave you a message which suggests it detected your effort to use asprstripper, but you assumed it detected Softice and switched to Olly instead of attempting to figure out what it was really doing. Then you tried Olly and it didn't immediately pop on "IsDebuggerPresent" and you abandoned Olly immediately and tried asprstripper again, and this time you "think" it worked, but now the program launches and then shuts itself down. So really, the only thing you have done is to use a ready made tool twice and it didn't work to your satisfaction and you now ask someone to explain "why" to you.

You really need to make a more serious effort, or at least explain that you have made a more serious effort, before you ask for help. Here's a serious suggestion. Just go to the "search" button at the top of the Forums and enter "LaBBa", without the quotes. You will get at least 23 threads, mostly about aspr, including Labba's "super tut." After you have read most of these, and tried some of their techniques, come back and ask another question, which explains what you have actually tried, besides asprstripper.

Regards,

Infin8Cyn
April 14th, 2004, 20:35
JMI,
I was merely posting the points in which something significant actually occurred. I've stepped through the program with Olly multiple times and have searched and extensively downloaded every thread I could find both here and through google.

I've run through the Tuts on both 1.x, 1.23, and the 1.3x versions and the 42-page Asprotected Notepad tut. I'm not good at this at all and never claimed to be. For all it matters, I'm an uber-noob. I've just been trying to work through this for several days now. And was curious if anyone else working on ASPR had run into such an issue before. I wasn't asking for solutions, just something to point me in a direction of some sort...

cRk
April 15th, 2004, 01:48
Please private message me the target. I'd like to see it.


Regards

JMI
April 15th, 2004, 03:05
Infin8Cyn:

The point is that no one could tell from your first post the information which you claim in your second post, or that you had done much at all to help yourself. If you had read the FAQ you would, perhaps, have explained yourself a little better. It is somewhat suspicious that your story has so many changes at this point.

There is nothing in your first post which stated: "I wasn't asking for solutions just something to point me in a direction of some sort..." In fact your final statement was "Any help would be greatly appreciated. "

Your first post states: "After a while of poking through with Olly, I could not make it trip on "IsDebuggerPresent," so I ran ASPR Stripper across it again." Now you say: "I stepped through the program with Olly multiple times." Which do you wish us to believe? Did you actually learn and/or observe nothing if you actually "stepped through the program with Olly multiple times"?

You say you've downloaded a bunch of tuts and I would presume you want us to believe you have read them, yet your posts say nothing about your having attempted to unpack ASPR yourself, only that you ran asprstripper a second time, and then the program showed up in the task bar and then closed itself down. You do not discuss having attempted to reconstruct the IAT or having done any of the other things which are explained in the tutorials you "downloaded," for example finding the OEP and/or stolen bytes.

So why don't you stop trying to blow smoke up our backsides because you are not very good at it. There is nothing wrong with being inexperienced, but it is not useful to try to be deceptive. Have you read and attempted to follow LaBBa's tut? If you had actually "just been trying to work through this for several days now" and had read several tuts, you would be more familiar with what to look for and/or what to do when attacking an ASPR protected target. You show NO sign of having such knowledge which is available in the threads I already directed you to review.

Do you want to start again? Or make more excuses?

Regards,

Infin8Cyn
April 15th, 2004, 10:42
JMI,
A favorite saying of mine goes something like this: "Don't explain yourself to people. Your friends don't need it, and your enemies won't believe you anyway."
Everything I told you was true. As I told you, I only posted the events in which something important occurred. I never claimed to know everything, and wouldn't make that statement.
Quote:
There is nothing in your first post which stated: "I wasn't asking for solutions just something to point me in a direction of some sort..." In fact your final statement was "Any help would be greatly appreciated. "

Yes. When you help a child on their homework do you just give them the solution? No, you point them in a direction and help them in finding a solution.
Quote:
Your first post states: "After a while of poking through with Olly, I could not make it trip on "IsDebuggerPresent, so I ran ASPR Stripper across it again." Now you say: "I stepped through the program with Olly multiple times." Which do you wish us to believe? Did you actually learn and/or observe nothing if you actually "stepped through the program with Olly multiple times"?

Once again, I reference the fact that I only posted where an event of some consequence occurred. Do you believe that in several days of tinkering I merely poked through it once and ran ASPR Stripper twice?
Quote:
You do not discuss having attempted to reconstruct the IAT or having done any of the other things which are explained in the tutorials you "downloaded," for example finding the OEP and/or stolen bytes.

Sure, I didn't unpack ASPR myself (hence I didn't need to reconstruct the IAT or replace stolen bytes). However, I took the first step, which was trying to find (and bypass) the anti-debugger scheme, then ran a program which did all those steps (OEP, repair the IAT, and then re-inserting the stolen bytes). I am now trying to debug the output of that program. Forgive me for not unpacking it by hand, but I don't quite understand why that necessitates me being reamed for not having done so.

And just for the record, the tuts I've found (and yes, read) are fine except for one aspect. For the most part they (the Tuts) almost always have the same target and are just changes to account for what's different between ASPR 1.2x and ASPR 1.3x and so on and so forth. (LaBBa's "Final Tut" is an exception to this rule thank god.)
So, I've already explained it all; you know what I'm curious about, so... if you don't want to believe me, feel free, that's your right. Otherwise, my question still stands: is this an issue anyone else has run into?

cRK, Consider yourself PM'd.

JMI
April 15th, 2004, 13:38
Infin8Cyn:

You obviously still don't get it, so I'll try one more time and if you change your story again and elevate obfuscation over truth again, your thread will simply disappear. It doesn't really matter what your favorite sayings are or what your habits of explanation are. We have certain procedures and requirements here which are set forth in the FAQ about how one is expected to ask a question and what information it is expected to contain.

This isn't about expecting you to know everything or chastising you for not knowing everything. It is about getting you to include in your post the relevant information about what you have done to try to help yourself, to get you to show some of that work, and have you describe where you are stuck. What you have done is present a continually moving target about "what you have done" and have "shown" none of your work.

You protest that "When you help a child on their homework do you just give them the solution? No, you point them in a direction and help them in finding a solution." Actually, what one should do is ask them what they have tried themselves and perhaps make suggestions of where they might look to find the answers themselves. The object is to make them THINK about the problem and, at least with most homework assignments, understand that the method of finding the answer is generally "in the book" the school gave them.

Back to credibility. You ask now: "Do you believe that in several days of tinkering I merely poked through it once and ran ASPR Stripper twice?" I suggest that you re-read your first post and ask yourself how one would come to a different conclusion.

You complain: "Sure, I didn't unpack ASPR myself (Hence I didn't need to reconstruct the IAT or replace stolen bytes.) However, I took the first step which was trying to find (and bypass) the anti-debugger scheme, then ran a program which did all those steps (OEP, Repair the IAT, and then re-inserting the stolen bytes.) I am now trying to debug the output of that program. Forgive me for not unpacking it by hand, but I don't quite understand why that necessitates me being reamed for not having done so." You weren't reamed for not doing those steps. You were informed that the tuts which were suggested would teach you how to do those things yourself.

Now you claim you have been "debugging the output" of the results of your second application of asprstripper and yet you seem to have no idea why it is crashing. Or at least you haven't bothered to attempt to explain where in the code this is happening. Whether or not this is true, it is, again, a completely different story than what you stated in either your first or second post.

Finally, you make the completely ridiculous statement that: "And just for the record, the tuts I've found (and yes, read) are fine except for one aspect. For the most part they (the Tuts) almost always have the same target and are just changes to account for what's different between ASPR 1.2x and ASPR 1.3x and so on and so forth. (LaBBa's "Final Tut" is an exception to this rule thank god.)." This statement, again, contradicts your previous statement that " I've run through the Tuts on both 1.x, 1.23, and the 1.3x versions and the 42page Asprotected Notepad tut."

Of course, not all the threads here, and certainly not all the tuts on the net are about the same target and you apparently have missed the point of those threads entirely, which is to study and attempt to learn how aspr, itself, works to hide the manner in which it is attempting to prevent your finding out how it protects itself.

You have apparently not grasped that your problem with asprstripper is that it apparently did not correctly rebuild the IAT or may have left an incorrect jump which now goes nowhere. This is not uncommon, even if one manually unpacks the file. If you had made any effort to attempt to dump the program and rebuild it yourself, or to follow the IAT or execution of the program with Olly, you probably could, and should have made that discovery. If the program is crashing, you should be able to detect WHERE that is happening with Olly. If you can't you need to spend more time actually learning how to use a debugger. Patience is one of the hardest things to learn.

Are you aware that there are plug-ins for Olly that hide it from aspr and bypass the IsDebuggerPresent detection? Or that there are plug-ins which find the last exception, and do you even know what that means? Do you know anything about SEH and do you really want to learn?

Have you read R@dier's tut titled "Manual Unpacking ASProtect 1.23 RC4 - 1.3.08.24" which is a detailed discussion, with pictures, of using Olly to remove aspr? It discusses finding and removing a remaining entry which goes nowhere and had to be removed to get the program to actually start.

The problem with "following" tuts is that, if you only follow, you are not really learning how to THINK about what the protector is doing to the program and to hide what it is doing. Examining many tuts should teach you how to THINK about what the protector does and, if you learn those lessons, you can attempt to apply them to the next iteration/version of either the target or the protector.

So the answer to your self-important question is that it is something people have run into before, whether or not they used asprstripper. Now how does that help you actually solve the problem?

Regards,

Infin8Cyn
April 16th, 2004, 13:00
JMI,
After sittin' on this for a day, here are my thoughts. I think a simple "Did you unpack it yourself? No? Then how do you know it was done right at all? We can't really help you if you just used an application to unpack it for you. Who knows if it unpacked correctly." but you came off as a hardass.
Everything I said was true. But I see what you're trying to point out. But, expect a "yay, I succeeded." post in the newb lounge in the future. Patience may be tough, but I'm also stubborn.

Quote:
Are you aware that there are plug-ins for Olly that hide it from aspr and bypass the IsDebuggerPresent detection?

Yes, and I've been using it in OllyDbg.
Quote:
Do you know anything about SEH and do you really want to learn?

No and Yes, respectively.

Quote:
Manual Unpacking ASProtect 1.23 RC4 - 1.3.08.24

No, you just pointed me to it, reason being: It's on Exetools.com. Registration is disabled, hence I can't login and learn from the information there... How would I go about getting into Exetools? or at least obtaining the info you referenced...

JMI
April 16th, 2004, 14:02
Infin8Cyn:

And why should anyone spend time trying to help someone who confesses he is too immature and/or stubborn to follow the rules and/or who simply can not recognize when he is actually being helped? You seem intent on attempting to prove just how macho you think you are and you only demonstrate how truly lacking in judgment you remain. We have no need to abide your attitude or preferences and you seem unwilling to conform to ours. This is not a school for anger management and you have done absolutely nothing to deserve any assistance here.

Regards,

Infin8Cyn
April 16th, 2004, 14:34
I think you took that wrong, I meant when I succeeded in unpacking it on my own. I'm stubborn in success, not in proving you wrong. God knows I'm not an ASM master or some Debugger god... My previous post was a "I see your point, I'll work on that, thanks." type post. Not a "I'm too stubborn to listen to you, here's the bird, Good Bye."

JMI
April 16th, 2004, 15:52
Infin8Cyn:

The technique you continue to use is called "damning by faint praise" and I have not been either impressed or annoyed by such techniques for more years than you have probably been alive. There was, of course, no contrition in your post #8, nor any indication of appreciation or commitment to work on your approach. Your preference remains to misrepresent what you have already stated and then insert what you hope is a demonstration of your "stick-it to um" attitude. Quite pathetic really.

You continue to protest that "everything I said was true" when no one said you lied. I only pointed out, correctly, how your own account of what you did continued to change with every telling, as did this one. For example, you finally identified that you were using the "IsDebuggerPresent" plug-in for Olly and yet you seemed not to understand why you "could not make it trip on "IsDebuggerPresent."" Had you mentioned that fact in the beginning, you might have been directed to study what that plug-in actually does. For example, this thread on the Olly Forum:
http://ollydbg.win32asmcommunity.net/?action=vthread&topic=523&forum=1&page=-1

If you have succeeded in unpacking your target you may rightly feel pride, but that may not be the end of your efforts. Often the authors of software have other tricks awaiting those who remove the "first" layer of protection.

You have also indicated that you intend to post a self-aggrandizing "yay, I succeeded" post in the newb lounge in the future. Can you not simply appreciate your own accomplishment? Is your ego so fragile, that you need the rest of us to bow in your direction for you to truly enjoy the fruits of your efforts?

Regards,

cRk
April 19th, 2004, 02:50
I was checking it and found out that maybe your problem is not really about ASPR... it's because this soft from that company always has some tricks/CRC checks. After unpacking ASPR out of it, this silent CRC check will be activated. As you might note, the crash that happens is using the API RaiseException for this... Rebuild the IAT using ImpREC. For the Limited version the OEP is: 0051A86C (0011A86C)

Now your work remains on finding out how this CRC check works. I give you a tip: also it could be skipping some good code that it needs to load, and no stolen bytes are present.
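The silent CRC check cRk describes is a tamper-detection technique: the program stores a checksum of its own code image at build time, recomputes it at run time, and fails (typically by raising a structured exception on Windows) if any byte has changed, which is exactly what happens once a packer layer has been stripped or a stub rebuilt. The C below is an added illustration of that mechanism, not code from this thread or from ASProtect; the seven-byte "section" is a constructed stand-in for a real .text section, and the function names and the application-defined exception code are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* CRC-32 (IEEE 802.3, reflected, polynomial 0xEDB88320), computed bitwise
   so no lookup table is needed. The check value for "123456789" is 0xCBF43926. */
uint32_t crc32_buf(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Constructed stand-in for a code section (x86: push ebp; mov ebp,esp;
   xor eax,eax; pop ebp; ret). A real protector checks the live image. */
static const uint8_t k_section_image[] = { 0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3 };

/* Returns 0 when the section still matches the checksum embedded at build
   time, 1 when any byte differs (a patched instruction, a rebuilt stub...). */
int integrity_check(const uint8_t *section, size_t n, uint32_t expected) {
    return crc32_buf(section, n) == expected ? 0 : 1;
}

/* What a protector does on mismatch. 0xE0000001 is a constructed
   application-defined code, not a value taken from the thread. */
void on_tamper_detected(void) {
#ifdef _WIN32
    RaiseException(0xE0000001u, 0, 0, NULL);
#else
    fputs("integrity check failed\n", stderr);
#endif
}

/* Reproduce the situation in the thread: an untouched copy passes, then a
   single byte is altered (as a patch or careless rebuild would do) and the
   check is run again. Returns 1 if the modified copy is detected, 0 otherwise. */
int detects_one_byte_patch(void) {
    uint8_t copy[sizeof k_section_image];
    memcpy(copy, k_section_image, sizeof copy);
    /* "Build time": the checksum the protector embeds alongside the image. */
    uint32_t expected = crc32_buf(k_section_image, sizeof k_section_image);
    if (integrity_check(copy, sizeof copy, expected) != 0)
        return 0;                 /* the pristine image must pass */
    copy[3] ^= 0x01;              /* flip one bit of "xor eax,eax" */
    return integrity_check(copy, sizeof copy, expected);
}

int main(void) {
    printf("CRC-32 of section image: 0x%08X\n",
           crc32_buf(k_section_image, sizeof k_section_image));
    if (detects_one_byte_patch())
        on_tamper_detected();     /* fires: the patched copy no longer matches */
    return 0;
}
```

The point for the debugging described in the thread is that the failure is not in the unpacker's output as such: the image is consistent, but it is no longer the image the checksum was computed over, so the program deliberately aborts. Recognising that pattern (a checksum loop over a code range followed by a conditional call into the exception path) is what separates "the program just disappears" from a located cause.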

Infin8Cyn
April 20th, 2004, 15:14
I noticed what you said about stolen bytes. However, I haven't had much time to work on it at the moment. Damn work taking up too much of my life. Thanks for the tip.