
new aspr 1.31 un-dumpable?


0rp
July 14th, 2004, 18:38
readme content:

1. New EntryPoint Protection
This improved option now uses an advanced technique for moving part of
the application into the envelope's code. The original code content is
changed through emulation and polymorphic replacement.
Since this version, EntryPoint protection uses a Virtual Machine, which
makes the removal or recovery of the original code practically impossible.

<---- P-CODE ?



2. Emulate Standard system functions. One more good option against manual
unpacking - ASProtect simply removes some common functions from the protected
application and executes them in the envelope code.
You can change this option via the Options tab ("Emulate Standard
system functions" option).

3. New ASProtect polymorphic markers (for EXE files only!)
By using these marks you can protect any code inside your application.
In order to use the new marks, you need to insert one mark instance at any
place in the code inside the function you would like to protect.


and a simple function

before protecting:
Code:

00401F44 $ 68 981F4000 push test.00401F98
00401F49 . 64:A1 0000000>mov eax, dword ptr fs:[0]
00401F4F . 50 push eax
00401F50 . 8B4424 10 mov eax, dword ptr ss:[esp+10]
00401F54 . 896C24 10 mov dword ptr ss:[esp+10], ebp
00401F58 . 8D6C24 10 lea ebp, dword ptr ss:[esp+10]
00401F5C . 2BE0 sub esp, eax
00401F5E . 53 push ebx
00401F5F . 56 push esi
00401F60 . 57 push edi
00401F61 . 8B45 F8 mov eax, dword ptr ss:[ebp-8]
00401F64 . 8965 E8 mov dword ptr ss:[ebp-18], esp
00401F67 . 50 push eax
00401F68 . 8B45 FC mov eax, dword ptr ss:[ebp-4]
00401F6B . C745 FC FFFFF>mov dword ptr ss:[ebp-4], -1
00401F72 . 8945 F8 mov dword ptr ss:[ebp-8], eax
00401F75 . 8D45 F0 lea eax, dword ptr ss:[ebp-10]
00401F78 . 64:A3 0000000>mov dword ptr fs:[0], eax
00401F7E . C3 retn



and after protection:
Code:

00401F44 $- E9 A13D4F00 jmp 008F5CEA
CRAP
00401F7E 4D db 4D


jumptarget:
Code:

008F5CEA 68 64BC735E push 5E73BC64
008F5CEF 66:9C pushfw
008F5CF1 57 push edi
008F5CF2 8D7C4B 78 lea edi, dword ptr ds:[ebx+ecx*2+78]
008F5CF6 8D7C37 88 lea edi, dword ptr ds:[edi+esi-78]
008F5CFA 2BFE sub edi, esi
008F5CFC EB 01 jmp short 008F5CFF
008F5CFE F3: prefix rep: ; Superfluous prefix
008F5CFF 8D7C51 2B lea edi, dword ptr ds:[ecx+edx*2+2B]
008F5D03 8D7C0F D5 lea edi, dword ptr ds:[edi+ecx-2B]
008F5D07 2BF9 sub edi, ecx
008F5D09 F3: prefix rep: ; Superfluous prefix
008F5D0A EB 02 jmp short 008F5D0E
008F5D0C CD 20 int 20
008F5D0E 13FE adc edi, esi
008F5D10 8D7C0C 3B lea edi, dword ptr ss:[esp+ecx+3B]
008F5D14 2BF9 sub edi, ecx
008F5D16 8D7C37 C5 lea edi, dword ptr ds:[edi+esi-3B]
008F5D1A 2BFE sub edi, esi
008F5D1C 8D7F 06 lea edi, dword ptr ds:[edi+6]
008F5D1F 68 BED4ACD1 push D1ACD4BE




is this still dumpable?
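
The two listings in this post, as an added example that is not code from the thread or from ASProtect: a small Python walker that recomputes the target of the near jmp left at 00401F44 and, for the envelope bytes starting at 008F5CEA, follows the `jmp short` instructions instead of sweeping linearly. The `F3` that OllyDbg labels a superfluous prefix and the `CD 20` it shows as `int 20` then fall out as bytes that never execute. The byte string is transcribed from the listing above; the decoder handles only the opcodes that occur there and raises on anything else, so a wrong guess cannot silently desynchronise the walk.

```python
# Added example (not from the thread): flow-following walk of the envelope
# stub shown above, plus the stolen-entry-point jmp arithmetic.

STUB_BASE = 0x008F5CEA          # address of the first listed envelope instruction
STUB = bytes.fromhex(           # transcribed from the OllyDbg listing in the post
    "68 64 BC 73 5E"            # push 5E73BC64
    "66 9C"                     # pushfw
    "57"                        # push edi
    "8D 7C 4B 78"               # lea edi,[ebx+ecx*2+78]
    "8D 7C 37 88"               # lea edi,[edi+esi-78]
    "2B FE"                     # sub edi,esi
    "EB 01"                     # jmp short +1 (over the F3)
    "F3"                        # never executed
    "8D 7C 51 2B"               # lea edi,[ecx+edx*2+2B]
    "8D 7C 0F D5"               # lea edi,[edi+ecx-2B]
    "2B F9"                     # sub edi,ecx
    "F3 EB 02"                  # rep-prefixed jmp short +2 (over the CD 20)
    "CD 20"                     # int 20, never executed
    "13 FE"                     # adc edi,esi
    "8D 7C 0C 3B"               # lea edi,[esp+ecx+3B]
    "2B F9"                     # sub edi,ecx
    "8D 7C 37 C5"               # lea edi,[edi+esi-3B]
    "2B FE"                     # sub edi,esi
    "8D 7F 06"                  # lea edi,[edi+6]
    "68 BE D4 AC D1"            # push D1ACD4BE
)

ENTRY_VA = 0x00401F44                           # entry of the test function
ENTRY_BYTES = bytes.fromhex("E9 A1 3D 4F 00")   # what is left there after protection


def modrm_len(b, i):
    """Size of a ModR/M operand (ModR/M, optional SIB, displacement), 32-bit mode."""
    mod, rm = b[i] >> 6, b[i] & 7
    n = 1
    if mod != 3 and rm == 4:            # SIB byte present
        n += 1
        if mod == 0 and (b[i + 1] & 7) == 5:
            n += 4                      # [index*scale+disp32], no base register
    if mod == 1:
        n += 1
    elif mod == 2 or (mod == 0 and rm == 5):
        n += 4
    return n


def decode(b, i):
    """Return (length, target_offset) for the instruction at offset i.

    target_offset is set only for unconditional jumps (EB rel8 / E9 rel32).
    Only the opcodes that occur in the listings are handled."""
    start = i
    while b[i] in (0x66, 0xF3):         # operand-size / rep prefixes
        i += 1
    op = b[i]
    if op == 0x68:                      # push imm32
        end = i + 5
    elif 0x50 <= op <= 0x5F or op == 0x9C:   # push/pop r32, pushf(w)
        end = i + 1
    elif op in (0x8D, 0x2B, 0x13):      # lea / sub / adc r32, r/m32
        end = i + 1 + modrm_len(b, i + 1)
    elif op == 0xCD:                    # int imm8
        end = i + 2
    elif op == 0xEB:                    # jmp short rel8
        end = i + 2
        return end - start, end + int.from_bytes(b[i + 1:i + 2], "little", signed=True)
    elif op == 0xE9:                    # jmp near rel32
        end = i + 5
        return end - start, end + int.from_bytes(b[i + 1:i + 5], "little", signed=True)
    else:
        raise ValueError("unsupported opcode %02X at offset %d" % (op, start))
    return end - start, None


def flow_starts(b):
    """Instruction start offsets reached by following the jmps from offset 0."""
    starts, off = [], 0
    while 0 <= off < len(b) and off not in starts:
        starts.append(off)
        length, target = decode(b, off)
        off = off + length if target is None else target
    return starts


def linear_starts(b):
    """Instruction start offsets a linear-sweep disassembler produces."""
    starts, off = [], 0
    while off < len(b):
        starts.append(off)
        off += decode(b, off)[0]
    return starts


def junk_offsets(b):
    """Bytes covered by no executed instruction: the padding behind each jmp short."""
    executed = set()
    for off in flow_starts(b):
        executed.update(range(off, off + decode(b, off)[0]))
    return sorted(set(range(len(b))) - executed)


def entry_jmp_target(va, b):
    """Absolute target of the near jmp the protector left at the entry point."""
    length, target = decode(b, 0)
    if target is None:
        raise ValueError("entry point does not start with a jmp")
    return va + target


if __name__ == "__main__":
    print("entry jmp ->", hex(entry_jmp_target(ENTRY_VA, ENTRY_BYTES)))
    print("junk bytes at", [hex(STUB_BASE + o) for o in junk_offsets(STUB)])
    print("linear sweep mis-starts at", sorted(set(linear_starts(STUB)) - set(flow_starts(STUB))))
```

Running it reports the jmp target 0x008F5CEA, the three dead bytes at 0x008F5CFE and 0x008F5D0C-0x008F5D0D, and the two offsets where a linear sweep starts an instruction on junk. That only recovers the envelope's control flow; the 0x3B bytes of prologue that were at 00401F44 in the unprotected listing are no longer in the image, so a dump taken at the OEP still has to have them reconstructed.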

JMI
July 14th, 2004, 19:33
Perhaps if you followed the instructions in the FAQ, found in the BIG RED LETTERS, you might already have the answer to your own question. Searching with "asprotect 1.31" (without the quote marks) would find you a thread on this forum with a link to a thread on the exetools forum, where something using this version of ASPR, and its unpacking, is discussed.

That's why we have a Search button and why one should follow the rules to use it BEFORE asking a question.

Regards,

Solomon
July 14th, 2004, 21:18
Is there anything new? So-called "Virtual Machines" were used by some commercial protectors before.

hobgoblin
July 15th, 2004, 04:15
I agree with what JMI says about searching. But the question raised is interesting. I'm familiar with the solution outlined by britedream, and the thread about this on exetools. But the question is: has anyone (else) managed to successfully unpack this version? I haven't seen anybody posting a solution to this yet....

regards,
hobgoblin

crUsAdEr
July 15th, 2004, 08:18
lol... well, aspr nanomite is still in its infantile stage... not as convoluted as arma yet... an unpacker is slightly trickier to code since the poly engine used is pretty decent, so I guess that is why sydx hasn't released an unpacker yet!

Shoob
July 15th, 2004, 15:51
You mean ASProtect v.1.31 build 06.14? That was no problem for me... let me know if a newer version is available.

JMI
July 15th, 2004, 16:45
There are a few places where they claim to have a copy of Asprotect v2.0 Build 06.23 Alpha. And I have seen discussion of that version listed in Russian and Vietnamese. Searching is usually how such things are found.

Regards,

dELTA
July 15th, 2004, 17:00
Quote:
You mean ASProtect v.1.31 build 06.14? That was no problem for me... let me know if a newer version is available.

The virtual machine feature is only optional, so your target might not have had it activated, even though it used that Asprotect version. Actually, the VM feature in this new Asprotect version is quite buggy, so it is even likely that it wasn't activated in that target.

And yes, I can confirm the existence of Asprotect 2.0 alpha.

0rp
July 15th, 2004, 17:23
try to dump this

notepad, aspr 1.31.5.18

hobgoblin
July 16th, 2004, 04:07
Hi JMI,
Maybe I'm misunderstanding you when you wrote:"There are a few places where they claim to have a copy of Asprotect v2.0 Build 06.23 Alpha".
If you mean that they have successfully unpacked v2.0, that's quite possible. It's packed with Aspack, and is easily unpacked in 3 minutes.
I'm wondering why nobody seems to have posted a solution to how to unpack a program protected with v1.31 (or v2.0) (as for instance the latest version of WhereIsIt). And of course another way of doing it than the one britedream described for us, if there is another way.

regards,
hobgoblin

JMI
July 16th, 2004, 07:26
The reference to "where" is a place you visit that claims to have a copy of that version for download. One place which claims to have a tut on version 2 is cracklatinos.

Regards,

hobgoblin
July 16th, 2004, 08:36
Hi JMI,
Yeah, I figured that out. I actually downloaded v2.0 from there a while ago. I was merely talking about a tut on how to unpack v2.0 protected programs.

regards,
hobgoblin

JMI
July 16th, 2004, 12:36
There is, indeed, one on the cracklatinos site. hint = 249.

Regards,

hobgoblin
July 16th, 2004, 13:02
Hi again,
Thanks for the info, JMI, appreciate it.
But I can't find it. I have traced through all the pages at the site, but can't find anything related to 249.
Are you refering to another site than "crackslatinos.hispadominio.net" ?

regards,

JMI
July 16th, 2004, 13:12
Yes, I am referring to that site. Maybe you should recall that Ricardo's tuts were numbered when he was discussing ARMA and, then, perhaps look in the "/miembros/teorias" section for the number I suggested. I could just post the full path, but that would be cheating, wouldn't it????

Regards,

hobgoblin
July 16th, 2004, 13:34
Hi JMI,
Due to some sudden blindness I didn't see it the first time.
When I revisited the site I found it without problems. Thank you for helping out, JMI. Appreciate your helpfulness.

hobgoblin

JMI
July 16th, 2004, 13:43
I'm sorry, could you please post that in braille. My eyesight is also failing.
It is easier to spot when one knows what one is looking for.

Happy reading. I used the SYSTRAN plug-in translator, which did not do as good a job as it usually does on Russian on this one. Don't know why, but a lot of it remained more "cryptic" than the usual machine translation. Guess I need to do further "training" of the dictionary.

Regards,