homersux
June 22nd, 2005, 15:03
I've been reading tuts and done my homework on ASProtect. I am a little confused about the way SEH works in Olly (btw, the target is ASProtect v1.23 RC1 reported by voyerpe, or ASProtect 1.2x - 1.3x [Registered] -> Alexey Solodovnikov by PEiD 0.93). Please send me a PM if you are interested in examining the target. I have tried various ways but so far I can't figure this thing out. I've even tried unpackers and none of them works on this seemingly easy target. One more note: this application is developed by a hacker and possibly the 1.23 RC1 SDK was used in this particular release.
009FE1F0 893B MOV DWORD PTR DS:[EBX],EDI <-- exception
009FE1F2 56 PUSH ESI
009FE1F3 F7D7 NOT EDI
009FE1F5 DF57 64 FIST WORD PTR DS:[EDI+64]
009FE1F8 51 PUSH ECX
009FE1F9 FB STI
0012FF28 0012FF80 Pointer to next SEH record
0012FF2C 009FE0C8 SE handler
0012FF30 00A8E798
009FE0C8 51 PUSH ECX
009FE0C9 81F1 0AAF16E5 XOR ECX,E516AF0A
009FE0CF 334C24 08 XOR ECX,DWORD PTR SS:[ESP+8]
009FE0D3 334C24 28 XOR ECX,DWORD PTR SS:[ESP+28]
009FE0D7 8D4C24 41 LEA ECX,DWORD PTR SS:[ESP+41]
This is one example of how I track the SEH; here is the last access violation:
009FFAA5 C700 EFCA5C85 MOV DWORD PTR DS:[EAX],855CCAEF
009FFAAB 67:64:8F06 0000 POP DWORD PTR FS:[0]
009FFAB1 83C4 04 ADD ESP,4
009FFAB4 83E8 AF SUB EAX,-51
009FFAB7 83C8 4B OR EAX,4B
009FFABA 58 POP EAX
0012FF34 0012FF80 Pointer to next SEH record
0012FF38 009FFA6E SE handler
0012FF3C E850D8BF
009FFA6E 56 PUSH ESI
009FFA6F F2: PREFIX REPNE: ; Superfluous prefix
009FFA70 EB 01 JMP SHORT 009FFA73
009FFA72 F0:037424 38 LOCK ADD ESI,DWORD PTR SS:[ESP+38] ; LOCK prefix is not allowed
009FFA77 C1DE 83 RCR ESI,83 ; Shift constant out of range 1..31
009FFA7A 8B7424 10 MOV ESI,DWORD PTR SS:[ESP+10]
009FFA7E 8D76 52 LEA ESI,DWORD PTR DS:[ESI+52]
009FFA81 8346 66 06 ADD DWORD PTR DS:[ESI+66],6
009FFA85 8D7475 6F LEA ESI,DWORD PTR SS:[EBP+ESI*2+6F]
009FFA89 83EE 6F SUB ESI,6F
009FFA8C 5E POP ESI
009FFA8D 83C8 FF OR EAX,FFFFFFFF
009FFA90 40 INC EAX
009FFA91 C3 RETN
At this exception, I put a breakpoint on 009FFA6E. Instead of Shift+F9, I use Shift+F7 to single-step into the ntdll exception unwind sub:
7C90EAF0 8B1C24 MOV EBX,DWORD PTR SS:[ESP]
7C90EAF3 51 PUSH ECX
7C90EAF4 53 PUSH EBX
7C90EAF5 E8 C78C0200 CALL ntdll.7C9377C1
7C90EAFA 0AC0 OR AL,AL
7C90EAFC 74 0C JE SHORT ntdll.7C90EB0A
7C90EAFE 5B POP EBX
7C90EAFF 59 POP ECX
7C90EB00 6A 00 PUSH 0
7C90EB02 51 PUSH ECX
7C90EB03 E8 11EBFFFF CALL ntdll.ZwContinue
At the last instruction, I use F7 to follow into ZwContinue, and after some more F7 I get to
7C90EB8B > 8BD4 MOV EDX,ESP
7C90EB8D 0F34 SYSENTER
7C90EB8F 90 NOP
7C90EB90 90 NOP
7C90EB91 90 NOP
7C90EB92 90 NOP
7C90EB93 90 NOP
7C90EB94 > C3 RETN
Notice the SYSENTER? Well, at this point, when I F7 on SYSENTER, the protected program simply starts running and leaves Olly in the dust. I am wondering what I did wrong here. Maybe it's the 2nd chain in the SEH? But why is the SEH handler not invoked? Really confused here.
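Added example, not part of the original post: a portable C model of the x86 SEH dispatch the post is stepping through, so the chain walk and the resume step can be run outside OllyDbg. Read from the listing, the handler at 009FFA6E takes the CONTEXT pointer argument (MOV ESI,[ESP+10] after its own PUSH ESI), adds 6 to the dword at CONTEXT+0xB8 (LEA ESI,[ESI+52] then ADD [ESI+66],6), which is CONTEXT.Eip on x86, and returns EAX = 0, i.e. ExceptionContinueExecution; 6 is the length of the faulting MOV DWORD PTR DS:[EAX],855CCAEF, so when ntdll hands that context to ZwContinue the thread resumes at 009FFAAB, the POP DWORD PTR FS:[0] that unlinks the frame. The code below reimplements that behaviour in plain C. The dispatcher, the frame layout and both handlers are simplified models written for this example, not ntdll's or the packer's code; the addresses and the exception code are taken from the listing, and the two-frame chain order is an assumption made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Disposition a handler returns in EAX (values as in Windows' EXCEPTION_DISPOSITION). */
typedef enum {
    ExceptionContinueExecution = 0,   /* context fixed up: resume it via ZwContinue */
    ExceptionContinueSearch    = 1    /* not this frame's fault: try the next record */
} Disposition;

#define STATUS_ACCESS_VIOLATION 0xC0000005u

/* Only the CONTEXT fields this model needs (Eip sits at offset 0xB8 in the real struct). */
typedef struct { uint32_t eip; uint32_t eax; } Context;
typedef struct { uint32_t code; uint32_t address; } ExceptionRecord;

/* One SEH frame exactly as it sits on the stack: [pointer to next][handler], head at FS:[0]. */
typedef struct Registration {
    struct Registration *next;
    Disposition (*handler)(ExceptionRecord *rec, struct Registration *frame, Context *ctx);
} Registration;

static Registration *fs0;           /* stands in for FS:[0] */
static int handlers_called;

/* Model of RtlDispatchException: walk the chain innermost-first and stop at the first
   handler that claims the fault. The real dispatcher then calls ZwContinue(ctx). */
static int dispatch(ExceptionRecord *rec, Context *ctx) {
    for (Registration *r = fs0; r != NULL; r = r->next) {
        handlers_called++;
        if (r->handler(rec, r, ctx) == ExceptionContinueExecution)
            return 1;
    }
    return 0;   /* nobody handled it: unhandled-exception path, not modelled here */
}

/* A frame that does not own the fault (illustrative, assumed). */
static Disposition pass_through(ExceptionRecord *rec, Registration *frame, Context *ctx) {
    (void)rec; (void)frame; (void)ctx;
    return ExceptionContinueSearch;
}

/* Reimplementation of what the listed handler does: add 6 (length of the faulting
   MOV DWORD PTR [EAX],imm32) to CONTEXT.Eip and return 0 = ExceptionContinueExecution. */
#define FAULTING_INSN_LEN 6
static Disposition skip_faulting_insn(ExceptionRecord *rec, Registration *frame, Context *ctx) {
    (void)frame;
    if (rec->code != STATUS_ACCESS_VIOLATION)
        return ExceptionContinueSearch;
    ctx->eip = rec->address + FAULTING_INSN_LEN;
    return ExceptionContinueExecution;
}

/* Build a two-frame chain (inner frame pushed on top of the outer one, as
   PUSH handler / PUSH FS:[0] / MOV FS:[0],ESP would), raise `code` at fault_eip,
   dispatch, then unlink the inner frame like POP DWORD PTR FS:[0].
   Returns the EIP the thread would resume at, or 0 if no handler claimed it. */
uint32_t simulate_fault(uint32_t code, uint32_t fault_eip) {
    Registration outer = { NULL, skip_faulting_insn };
    Registration inner = { &outer, pass_through };
    fs0 = &inner;
    handlers_called = 0;

    ExceptionRecord rec = { code, fault_eip };
    Context ctx = { fault_eip, 0 };
    int handled = dispatch(&rec, &ctx);

    fs0 = fs0->next;   /* POP DWORD PTR FS:[0] */
    return handled ? ctx.eip : 0;
}

int last_handler_count(void) { return handlers_called; }

int main(void) {
    /* Constructed input: the faulting address from the posted listing. */
    uint32_t resume = simulate_fault(STATUS_ACCESS_VIOLATION, 0x009FFAA5u);
    printf("resume at %08X after %d handler(s)\n", (unsigned)resume, last_handler_count());
    return 0;
}
```

On a real thread the same three arguments (exception record, establisher frame, context) arrive at [ESP+4], [ESP+8] and [ESP+C] of the handler, and the disposition goes back in EAX, which is why the listed handler ends with OR EAX,FFFFFFFF / INC EAX / RETN to return 0.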