Log in

View Full Version : new aspr 1.31 un-dumpable?

0rp
July 14th, 2004, 18:38
readme content:

1. New EntryPoint Protection
This improved option now uses advanced technique for changing the
part of application and placing it to the envelope's code. Original
code content is changing throw emulation and polymorphic replacement.
Since this version EntryPoint protection uses a Virtual Machine, which
makes the removal or recovering of original code practically impossible.

<---- P-CODE ?



2. Emulate Standard system functions. One more good option against manual
unpacking - ASProtect just removes some common functions from protected
application and executes them in the envelope code.
You can change this oprtion via the Option Tab ("Emulate Standard
system functions" option).

3. New ASProtect polymorphic markers (for EXE files only !)
By using this marks you could protect any code inside your application.
In order to use new marks, you need to insert one mark instance at any
place of the code inside function you would like to protect.


and a simple function

before protecting:
Code:


00401F44   $  68 981F4000   push    test.00401F98

00401F49   .  64:A1 0000000>mov     eax, dword ptr fs:[0]

00401F4F   .  50            push    eax

00401F50   .  8B4424 10     mov     eax, dword ptr ss:[esp+10]

00401F54   .  896C24 10     mov     dword ptr ss:[esp+10], ebp

00401F58   .  8D6C24 10     lea     ebp, dword ptr ss:[esp+10]

00401F5C   .  2BE0          sub     esp, eax

00401F5E   .  53            push    ebx

00401F5F   .  56            push    esi

00401F60   .  57            push    edi

00401F61   .  8B45 F8       mov     eax, dword ptr ss:[ebp-8]

00401F64   .  8965 E8       mov     dword ptr ss:[ebp-18], esp

00401F67   .  50            push    eax

00401F68   .  8B45 FC       mov     eax, dword ptr ss:[ebp-4]

00401F6B   .  C745 FC FFFFF>mov     dword ptr ss:[ebp-4], -1

00401F72   .  8945 F8       mov     dword ptr ss:[ebp-8], eax

00401F75   .  8D45 F0       lea     eax, dword ptr ss:[ebp-10]

00401F78   .  64:A3 0000000>mov     dword ptr fs:[0], eax

00401F7E   .  C3            retn



and after protection:
Code:
 

00401F44   $- E9 A13D4F00   jmp     008F5CEA

CRAP

00401F7E      4D            db      4D


jumptarget:
Code:
 

008F5CEA    68 64BC735E     push    5E73BC64

008F5CEF    66:9C           pushfw

008F5CF1    57              push    edi

008F5CF2    8D7C4B 78       lea     edi, dword ptr ds:[ebx+ecx*2+78]

008F5CF6    8D7C37 88       lea     edi, dword ptr ds:[edi+esi-78]

008F5CFA    2BFE            sub     edi, esi

008F5CFC    EB 01           jmp     short 008F5CFF

008F5CFE    F3:             prefix rep:                  ; Superfluous prefix

008F5CFF    8D7C51 2B       lea     edi, dword ptr ds:[ecx+edx*2+2B]

008F5D03    8D7C0F D5       lea     edi, dword ptr ds:[edi+ecx-2B]

008F5D07    2BF9            sub     edi, ecx

008F5D09    F3:             prefix rep:                  ; Superfluous prefix

008F5D0A    EB 02           jmp     short 008F5D0E

008F5D0C    CD 20           int     20

008F5D0E    13FE            adc     edi, esi

008F5D10    8D7C0C 3B       lea     edi, dword ptr ss:[esp+ecx+3B]

008F5D14    2BF9            sub     edi, ecx

008F5D16    8D7C37 C5       lea     edi, dword ptr ds:[edi+esi-3B]

008F5D1A    2BFE            sub     edi, esi

008F5D1C    8D7F 06         lea     edi, dword ptr ds:[edi+6]

008F5D1F    68 BED4ACD1     push    D1ACD4BE




is this still dumpable?
JMI
July 14th, 2004, 19:33
Perhaps if you followed the instructions in the FAQ, found in the BIG RED LETTERS you might already have the answer to your own question. Searching with "astrotect 1.31" (without the quote marks) would find you a thread on this forum with a link to a thread on the exetools forum, where something using this version of ASPR, and its unpacking is discussed.

That's why we have a Search button and why one should follow the rules to use it BEFORE asking a question.

Regards,
Solomon
July 14th, 2004, 21:18
Is there anything new? So-called "Virtual Machine" were used by some commercial protectors before.
hobgoblin
July 15th, 2004, 04:15
I agree on what JMI says about searching. But the question raised is interesting. I'm familiar with the solution outlined by britedream, and the thread about this on exetools. But the question is: have anyone (else) managed to sucessfully unpack this version? I haven't seen anybody posting a solution to this yet....

regards,
hobgoblin
crUsAdEr
July 15th, 2004, 08:18
lol... well aspr nanomite is still in its infantile stage... not as convoluted as arma yet... an unpacker is slightly trickier to code since the poly engine used is pretty decent so i guess that is why sydx hasnt rls an unpacker yet!
Shoob
July 15th, 2004, 15:51
You mean ASProtect v.1.31 build 06.14 ? thats was no problem for me ... let me know if a newer version is avaiable.
JMI
July 15th, 2004, 16:45
There are a few places where they claim to have a copy of Asprotect v2.0 Build 06.23 Alpha. And I have seen discussion of that version listed in Russian and Vietnamese. Searching is usually how such things are found.

Regards,
dELTA
July 15th, 2004, 17:00
Quote:
You mean ASProtect v.1.31 build 06.14 ? thats was no problem for me ... let me know if a newer version is avaiable.

The virtual machine feature is only optional, so your target might not have had it activated, even though it used that Asprotect version. Actually, the VM feature in this new Asprotect version is quite buggy, so it is even likely that it wasn't activated in that target.

And yes, I can confirm the existence of Asprotect 2.0 alpha.
0rp
July 15th, 2004, 17:23
try to dump this

notepad, aspr 1.31.5.18
hobgoblin
July 16th, 2004, 04:07
Hi JMI,
Maybe I'm misunderstanding you when you wrote:"There are a few places where they claim to have a copy of Asprotect v2.0 Build 06.23 Alpha".
If you mean that they have successfully unpacked v2.0, that's quite possible. It's packed with Aspack, and is easily unpacked in 3 minutes.
I'm wondering why nobody seems to have posted a solution to how to unpack a program protected with v1.31 (or v2.0)( as for instance the latest version of WhereIsIt). And of course another way of doing it than britedream described for us. If there is another way.

regards,
hobgoblin
JMI
July 16th, 2004, 07:26
The reference to "where" is a place you visit that claims to have a copy of that version for download. One place which claims to have a tut on version 2 is cracklatinos.

Regards,
hobgoblin
July 16th, 2004, 08:36
Hi JMI,
Yeah, I figured that out. I actually downloaded v2.0 from there a while ago. I was merely talking about a tut on how to unpack v2.0 protected programs.

regards,
hobgoblin
JMI
July 16th, 2004, 12:36
There is, indeed, one on the cracklatinos site. hint = 249.

Regards,
hobgoblin
July 16th, 2004, 13:02
Hi again,
Thanks for the info, JMI, appreciate it.
But I can't find it. I have traced through all the pages at the site, but can't find anything related to 249.
Are you refering to another site than "crackslatinos.hispadominio.net" ?

regards,
JMI
July 16th, 2004, 13:12
Yes I am referring to that site. Maybe you should recall that Ricardo's tuts were numbered when he was discussing ARMA and, then, perhaps look in the "/miembros/teorias" section for the number I suggested. I could just post the full path, but that would be cheating, wouldnt it????

Regards,
hobgoblin
July 16th, 2004, 13:34
Hi JMI,
Due to some sudden blindness I didn't see it the first time.
When I revisited the site I found it without problems. Thank you for helping out, JMI. Appreciate your helpfulnes.

hobgoblin
JMI
July 16th, 2004, 13:43
I'm sorry, could you please post that in braille. MY eyesight is also failing.
It is easier to spot when one knows what one is looking for.

Happy reading. I used the SYSTRAN plug-in translator, which did not do as good a job as it usually does on Russian on this one. Don't know why, but alot of it remained more "cryptic" than the usual machine translation. Guess I need to do further 'training" of the dictionary.

Regards,