View Full Version : Unpacking AsPack Problem Help need


MiKoRiZa
January 4th, 2006, 08:40
I tried to reverse an excellent tool, but I had a lot of PROBLEMS.

First I tried to unpack it. It was packed with AsPack 2.12 and PeCompact. I succeeded in unpacking it, but when I run it, the application exits after it shows the logo screen. I couldn't figure out why this happens. I tried to trace the code with OllyDbg and SoftIce, but when I reached the code section which calls GetCurrentThread (and something like NtZwProcessTread; after these instructions I have also seen INT 3), Olly crashes and SoftIce exits.

After these steps I tried another way. I ran SoftIce and set bpx GetWindowTextA, and after some hours of tracing I found the registration key for the specified name. I entered the information and the application was registered. But now another problem appeared. I run the application but after some time it just exits. It also exits if I try new process to api monitor. I don't know what to do, please help me, anyone.

P.S.
In the trial period this last thing (app exits after some time) didn't happen.
For detailed information please mail me (mikoriza@gmail.com).

Sorry for my English

LLXX
January 5th, 2006, 02:01
Does it always exit after the same duration?

Set breakpoints on the usual time-related API functions and see what happens.

MiKoRiZa
January 6th, 2006, 22:53
No, I think the exit is not caused by a time-related API. I tried some time bpx but nothing happened.
In the meantime I tried to unpack it. There are some calls which mess up my debugger; I can only break using SoftIce (OllyDbg always crashes), but I have problems with SEH (I think). I found some code sections which are empty. Those sections are probably stolen bytes, but I don't know how to restore them. The problem is that SoftIce always crashes when I attempt to trace some calls.
Help, anybody. I don't know if I am allowed to write the name of the application I am trying to reverse!?

SiGiNT
January 6th, 2006, 23:12
Well,

I registered the pro version with a serial from an old keygen, and it says Registration OK! in the about screen and it does the same - either you fished out a blacklisted serial, and I also used one, (actually would be blacklisted algorithm), or there is simply a problem with the prog. As for being packed with PE-Compact, I've never dealt with a version as old as reported by PEiD, and RDG but it certainly doesn't look like PE-Compact - you have to remember - debuggers are written by people with reversing in their veins so I think you and I are probably the victims of a little humor - I really didn't see much advantage to using this tool - why are you impressed with it?

SiGiNT

BTW - the peripheral progs run fine - (they don't require registration) - I did notice while it was running and said it was regged I still couldn't open a log.

MiKoRiZa
January 7th, 2006, 19:03
Thanks for the response.
I have one app written in .NET and I need a serial for it. I used Lord's Reflector to see all the functions and classes used in that app. The app is actually a game, uses a 3D interface and has a lot of functions. I can't find the one which generates the serial from the entered key. The Auto Debug .Net is the only tool I found to help me, but I have to register it to use some locked abilities.

P.S.
The keygens which I found on the net can't register my newly downloaded version of Auto Debug .Net. The key I found is composed of two parts. The first part (first half of the key) is generated from the name entered. I don't know what the use of the second one is, but it can be any key and the app is registered.

SiGiNT
January 7th, 2006, 19:24
Use IDA to decompile the .net program, at least for me reversing .net stuff is obvious, and I've successfully nullified the reg. serial check on a couple, allowing you to enter any serial, it's a simple matter of changing brtrue.s.loc_xxxxxx to brfalse.s.loc_xxxxxx in the right place(s), at least that's what I've found - make sure you have the patch code enabled - so you can see the hex code involved easily, I find hexview a pain, and change the bytes in a hex editor. A word of caution - sometimes IDA will give you different snippets of code with identical hex addresses - as always this will take some cut and try and a good amount of intuition but I think you'll find it.

SiGiNT

MiKoRiZa
January 8th, 2006, 20:01
How can I run a .NET program in IDA? I loaded my app and I can see MSIL, but how can I trace code or see which function is called when I press OK on the activation form?

MiKoRiZa
January 8th, 2006, 20:06
Quote:
[Originally Posted by LLXX]Does it always exit after the same duration?

Set breakpoints on the usual time-related API functions and see what happens.



You were right, it uses some sort of time function: GetFileTime; FileTimeToSystemTime; SetTimer and KillTimer.

I measured the time needed for the app to exit. I found that the run time of my app before it exits is 25 sec. I think that my app uses SetTimer and KillTimer. The problem is setting bpx in SoftIce, because explorer uses the same API and SoftIce breaks non-stop.

SiGiNT
January 8th, 2006, 20:22
MiKoRiZa,

I forget sometimes that people aren't always comfortable using a dead listing, I did all my work using dead listings up until about a year and a half ago, and got quite used to it - usually (in 4 out of 5 .net apps I've dealt with), the routines are clearly labeled and much like in the good old days it boils down to a single decision, or maybe 2 - having said that last night after posting my recommendation, I ran into a .net app. that obviously was written by somebody who really knew what the hell he was doing, the big give away is the main executable is very small, (usually they're huge!), this puppy assembles and compiles components on the fly, making it almost impossible to apply my usual techniques - now for a second recommendation - you can download the .net SDK directly from M$ for free including a debugger - just search around some, its a big download but like I said it's free.

SiGiNT

LLXX
January 9th, 2006, 02:13
Quote:
[Originally Posted by MiKoRiZa]How can I run a .NET program in IDA? I loaded my app and I can see MSIL, but how can I trace code or see which function is called when I press OK on the activation form?
Which version of IDA are you using? The older ones don't have a built-in debugger.

MiKoRiZa
January 9th, 2006, 15:50
To LLXX
I have IDA 4.5.177. I don't know if it is professional.

SiGiNT
January 9th, 2006, 17:03
LLXX,

I don't think any version of IDA allows the debugger to run when working with .net stuff.

SiGiNT

LLXX
January 9th, 2006, 22:24
Quote:
[Originally Posted by MiKoRiZa]You were right, it uses some sort of time function: GetFileTime; FileTimeToSystemTime; SetTimer and KillTimer.

I measured the time needed for the app to exit. I found that the run time of my app before it exits is 25 sec. I think that my app uses SetTimer and KillTimer. The problem is setting bpx in SoftIce, because explorer uses the same API and SoftIce breaks non-stop.
Here's a method you can use to break only in the program's context:

Find a reference to the API. It will normally be a call [xxxxxxxx] or jmp [xxxxxxxx]. That xxxxxxxx is the importslot - set a read breakpoint on that, and every time it calls the API via that importslot, it will break.

There may be multiple importslots for the same API in some larger programs, so use e.g. LordPE to check for any duplicates.

Kayaker
January 10th, 2006, 00:15
Quote:
[Originally Posted by MiKoRiZa]The problem is setting bpx in SoftIce, because explorer uses the same API and SoftIce breaks non-stop.

You could also try setting a conditional breakpoint in SoftIce on the process or thread Id, i.e.
bpx SetTimer if PID==xxx

MiKoRiZa
February 3rd, 2006, 13:05
Quote:
[Originally Posted by Kayaker]You could also try setting a conditional breakpoint in SoftIce on the process or thread Id, i.e.
bpx SetTimer if PID==xxx


I tried everything but nothing. SoftIce didn't break at bpx SetTimer if PID== xxxx. I found some old versions of the program on the net with a crack. All of these old versions have the same exit problem after some time. I think that there is no help for me. Thanks anyway.

LLXX
February 4th, 2006, 02:46
Quote:
I measured the time needed for the app to exit. I found that the run time of my app before it exits is 25 sec. I think that my app uses SetTimer and KillTimer. The problem is setting bpx in SoftIce, because explorer uses the same API and SoftIce breaks non-stop.

25s = 2500ms which is 9C4 in Hex.

Look for the constant 9c4 in your disassembly.

SiGiNT
February 8th, 2006, 15:12
Well I got curious and found a quick way to fish a serial from any of the products - and they all exhibit the same behavior - I think to get to the bottom of this I'll have to manually unpack it - using AspackDie the prog starts to run but exits before the main screen - probably IAT problem.

SiGiNT

Oh and 25 secs = 25000 milliseconds 61A8h

LLXX
February 8th, 2006, 16:06
Quote:
[Originally Posted by sigint33]Oh and 25 secs = 25000 milliseconds 61A8h
'Tis so... my metric knowledge is rather flaky at times

SiGiNT
February 8th, 2006, 17:27
But sadly that doesn't show up in the disassembly - the problem with setting BP's on time related API's is this prog has a built in timer that it uses for some function or another, the last access before exiting is to HHCTRL.OCX, my other theory blew up in my face - I thought maybe it just won't run on WinXP SP2 - nope, not on WIN2K either.

SiGiNT