Aspr dump problem


dipeshrestha
May 19th, 2005, 00:30
Hi all,

Recently I downloaded aspr 1.33 special build. I protected notepad without advanced import elimination. With no problem, I found the OEP, then dumped and rebuilt the IAT... but my dumped app crashes... I traced where the problem was and found that the problem occurs at address 10006549. The code is as follows:

Original Notepad

01006532 74 0A JE SHORT NOTEPAD.0100653E
01006534 3C 20 CMP AL,20
01006536 77 06 JA SHORT NOTEPAD.0100653E
01006538 46 INC ESI
01006539 8975 8C MOV DWORD PTR SS:[EBP-74],ESI
0100653C EB F0 JMP SHORT NOTEPAD.0100652E
0100653E C745 D0 00000000 MOV DWORD PTR SS:[EBP-30],0
01006545 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
01006548 50 PUSH EAX ; /pStartupinfo
01006549 FF15 9C100001 CALL DWORD PTR DS:[<&KERNEL32.GetStartup>; \GetStartupInfoA

0100654F . F645 D0 01 TEST BYTE PTR SS:[EBP-30],1
01006553 . 74 0A JE SHORT NOTEPAD.0100655F
01006555 . 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
01006558 . 25 FFFF0000 AND EAX,0FFFF

Dumped Notepad
01006532 74 0A JE SHORT dumped.0100653E
01006534 3C 20 CMP AL,20
01006536 77 06 JA SHORT dumped.0100653E
01006538 46 INC ESI
01006539 8975 8C MOV DWORD PTR SS:[EBP-74],ESI
0100653C EB F0 JMP SHORT dumped.0100652E
0100653E C745 D0 00000000 MOV DWORD PTR SS:[EBP-30],0
01006545 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
01006548 50 PUSH EAX
01006549 E8 DB E8
0100654A B6 DB B6
0100654B 9A DB 9A
0100654C 0C DB 0C
0100654D 00 DB 00
0100654E B8 DB B8
0100654F F6 DB F6
01006550 45 DB 45 ; CHAR 'E'
01006551 D0 DB D0
01006552 01 DB 01
01006553 74 DB 74 ; CHAR 't'
01006554 0A DB 0A
01006555 8B DB 8B
01006556 45 DB 45 ; CHAR 'E'
01006557 D4 DB D4
01006558 25 DB 25 ; CHAR '%'
01006559 FF DB FF
0100655A FF DB FF
0100655B 00 DB 00
0100655C 00 DB 00
0100655D EB DB EB
0100655E 05 DB 05
0100655F B8 DB B8
01006560 0A DB 0A
01006561 00 DB 00
01006562 00 DB 00
01006563 00 DB 00
01006564 50 56 6A 00 ASCII "PVj",0
01006568 6A DB 6A ; CHAR 'j'
01006569 00 DB 00


Traced code of packed Notepad
01006532 74 0A JE SHORT Npaspr.0100653E
01006534 3C 20 CMP AL,20
01006536 77 06 JA SHORT Npaspr.0100653E
01006538 46 INC ESI
01006539 8975 8C MOV DWORD PTR SS:[EBP-74],ESI
0100653C EB F0 JMP SHORT Npaspr.0100652E
0100653E C745 D0 00000000 MOV DWORD PTR SS:[EBP-30],0
01006545 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
01006548 50 PUSH EAX
01006549 E8 B69A0C00 CALL 010D0004
0100654E B8 F645D001 MOV EAX,1D045F6
01006553 74 0A JE SHORT Npaspr.0100655F
01006555 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
01006558 25 FFFF0000 AND EAX,0FFFF
0100655D EB 05 JMP SHORT Npaspr.01006564


Now what I cannot understand is whether my IAT rebuilding is wrong or it is something else... Also, why can OllyDbg not analyze that part of the code at 1006549? Can someone help me with that... I have attached my packed notepad along with this....
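As an added example that is not part of the thread, the following Python decodes the bytes listed above at 01006549: the original FF15 indirect call through the IAT, and the E8 direct call that sits there in the dump, whose target lies outside the notepad image. The image bounds are assumptions (the thread shows only 0100xxxx addresses).

```python
# Added example (not from the thread). Decodes the call at 01006549 in the
# listings dipeshrestha posted and shows why the dump desynchronises there.
# Assumptions: the notepad image spans 01000000-01014000 (the end address is
# a constructed upper bound for this illustration).
IMAGE_BASE = 0x01000000
IMAGE_END = 0x01014000
SITE = 0x01006549  # address of the call in all three listings

# Byte sequences transcribed from the thread, starting at SITE.
ORIGINAL = bytes.fromhex("FF159C100001" "F645D001" "740A" "8B45D4" "25FFFF0000")
DUMPED = bytes.fromhex("E8B69A0C00" "B8" "F645D001" "740A" "8B45D4" "25FFFF0000" "EB05")


def decode_call(code, addr):
    """Decode FF15 disp32 (indirect via IAT) or E8 rel32 (direct) at code[0].
    Returns (kind, target, instruction length)."""
    if code[:2] == b"\xff\x15":
        return "indirect", int.from_bytes(code[2:6], "little"), 6
    if code[0] == 0xE8:
        rel = int.from_bytes(code[1:5], "little", signed=True)
        return "direct", (addr + 5 + rel) & 0xFFFFFFFF, 5
    raise ValueError("no call opcode at %08X" % addr)


def in_image(addr):
    return IMAGE_BASE <= addr < IMAGE_END


def explain(original, dumped, addr):
    """Compare the original IAT call with what the protector left in the dump."""
    okind, otarget, olen = decode_call(original, addr)
    dkind, dtarget, dlen = decode_call(dumped, addr)
    filler = olen - dlen  # a 6-byte FF15 replaced by a 5-byte E8 leaves 1 byte
    return {
        "original": (okind, otarget, in_image(otarget)),
        "dumped": (dkind, dtarget, in_image(dtarget)),
        "filler_bytes": dumped[dlen:dlen + filler],
        # The code after the call only lines up again if the filler byte is
        # skipped, i.e. execution must resume at addr + olen, not addr + dlen;
        # a linear disassembler resuming at addr + dlen reads B8 as MOV EAX,imm32.
        "tail_matches": dumped[olen:len(original)] == original[olen:],
    }


if __name__ == "__main__":
    for key, value in explain(ORIGINAL, DUMPED, SITE).items():
        print(key, value)
```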

KSA
May 19th, 2005, 06:30
This is called "Emulate standard system functions", one of the features of ASPR v2.0.
BTW, you can solve this problem if you search this board for "ASPR 2.0 Info". I wrote a script to solve this one, but it's not general, just to solve my case. I tested it with "ASProtect SKE 2.11 build 03.13" and it works.

KSA

naides
May 19th, 2005, 06:37
Hi Dipesh, Nice to see you again.

Some possibilities to explore:

01006549 and the area of code after it is completely different in the original code, in your dump, and in the app unpacked in memory (OK, I am stating the obvious).

Also notice the shocking regularity of the wrong code you found in your dumped notepad:

25 DB 25
FF DB FF

in general:
?? DB ??


Things to explore:

1-Perhaps you dumped before unpacking was truly finished?

2-That repetitive, weird code looks like a piece of IAT. Perhaps your IAT reconstructor (ImpREC?) screwed up and wrote the IAT right in the middle of the code? Look at that area of the code in the dump before and after you reconstruct the IAT.

3-Or Asp is stealing code around 01006549 from Notepad and repatching it on the fly in memory during execution??? Put hardware breakpoints around there and examine that area of the code right at the OEP and then later during code execution, and see if it changes...

naides
May 19th, 2005, 06:45
Quote:
[Originally Posted by KSA]
BTW, you can solve this problem if you search in this board for "ASPR 2.0 Info". I wrote a script to solve this one but it's not general just to solve my case.
KSA


Hi KSA. I searched for your posts and for ASPR 2.0 in this board and found nothing. Perhaps you posted it in a different board?
Could you please post a link to your post and your script. Thanks.

hosiminh
May 19th, 2005, 06:47
Check this out:

hxxp://www.exetools.com/forum/showthread.php?p=37354

2 Kagra aspr 2.xx tuts (without sample programs , just tuts):
hxxp://rapidshare.de/files/1854399/2_Kagra_tuts.rar.html

KSA
May 19th, 2005, 08:07
Hi,

Thanks hosiminh, it's in the exetools forum. But it is not my post. I will post my script when it becomes final.

KSA

dipeshrestha
May 19th, 2005, 23:10
Hi KSA, hosiminh and naides,

Thanks for your guidance. I am quite sure naides' 3rd point is the main cause of that...
<<<3-Or Asp is stealing code around 01006549 from Notepad and repatching on the fly in memory during execution ??? Put hardware breakpoints around there and examine that area of the code right at the OEP and then later during the code execution and see if it changes>>>

I have put a h/w breakpoint, and while I am at the OEP the code is just like what I have posted, and during execution also... there is no change... instead it jumps to other code at location 00BXXXXX... just like the code splicing of Armadillo... how can we put these pieces of code back together...

dipesh

I will check Kagra's tut and the exetools link... thanks all

dipeshrestha
May 29th, 2005, 03:25
I just managed to download 3 progs that are protected with the same old packer... and it is detected as Asprotect 1.2x [New Strain]... I have just broken on a memory breakpoint on access... and all programs have this type of code at the OEP...
00401000 > $ EB 10 JMP SHORT s.00401012
00401002 66 DB 66 ; CHAR 'f'
00401003 62 DB 62 ; CHAR 'b'
00401004 3A DB 3A ; CHAR ':'
00401005 43 DB 43 ; CHAR 'C'
00401006 2B DB 2B ; CHAR '+'
00401007 2B DB 2B ; CHAR '+'
00401008 48 DB 48 ; CHAR 'H'
00401009 4F DB 4F ; CHAR 'O'
0040100A 4F DB 4F ; CHAR 'O'
0040100B 4B DB 4B ; CHAR 'K'
0040100C 90 NOP
0040100D E9 DB E9
0040100E 9CA44A00 DD OFFSET ewps.___CPPdebugHook
00401012 > A1 8FA44A00 MOV EAX,DWORD PTR DS:[4AA48F]
00401017 . C1E0 02 SHL EAX,2
0040101A . A3 93A44A00 MOV DWORD PTR DS:[4AA493],EAX


I have seen many tuts showing that we will be having some sort of PUSH EBP, MOV EBP,ESP... code, but all of these progs have the same code... can it be? Or is it just fooling me...
Any suggestions...