
View Full Version : ASProtect 2.0x problem


nick_name
December 31st, 2005, 05:43
(*) PEiD says: ASProtect 2.0x Registered -> Alexey Solodovnikov
(*) I found the OEP at:

47DA1C PUSH 60
47DA1E PUSH The_Lost.004B2880
47DA23 CALL The_Lost.0047FE30
47DA28 MOV EDI,94
47DA2D MOV EAX,EDI
47DA2F CALL The_Lost.0047CC30
47DA34 MOV DWORD PTR SS:[EBP-18],ESP
47DA37 MOV ESI,ESP
47DA39 MOV DWORD PTR DS:[ESI],EDI
47DA3B PUSH ESI
47DA3C CALL DWORD PTR DS:[4A5098] | kernel32.GetVersionExA

(*) Now I dump the file
(*) try to fix with ImpRec
(*) 1 invalid import at: rva:000A0EC ptr:00F6D68
(*) after a short tracing, it's found as GetProcAddress

(*) Now after FixDump the app won't run!!
(*) the dumped_.exe would try to jmp somewhere at 1140000

which is outside the memory of the exe ...
Now could anyone suggest what to do next??

THANK YOU

shERis
January 9th, 2006, 15:46
Hi nick_name!
You found a new version of a s p r !
PEiD says something wrong.
This version now leaves most API calls original, but some of them are redirected to an allocated memory block of a s p r and handled there. GetProcAddress is handled in an unusual way.
But the worst thing is that the new version removes some pieces of large code of the app (from the beginning = OEP, or somewhere in it) and executes it in a very strange, modified way. It is very, very hard to follow.
A s p r o t e c t cannot be unpacked now.

TresPasser
January 10th, 2006, 11:42
Hi nick_name,
There are three cases which might cause what you described:
1. (easiest) The jump to the high memory location is another API emulation function which you did not fix (ASProtect steals some code from APIs and places it in high-memory functions).
2. The jump is part of the stolen code of the program - you will probably have to dump (or redirect) the entire section and add it to your dump.
3. (worst) The jump goes to the jump emulation system - in some ASProtect versions, the protector converts some of the jumps in the original program to calls to its jump emulation system. This code executes the correct jump on the fly, and therefore your dump cannot run before fixing this problem.

Hope this helps a little,
TresPasser
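All three cases above start from the same symptom: a dump that references an address no section of the image maps. The following is an added example (not code from the thread) that checks that, parsing IMAGE_SECTION_HEADER records from a constructed section table; the image base 0x400000 and the section layout are assumptions, while the OEP (0x47DA1C), the IAT slot (0x4A5098) and the 1140000 target are the values quoted in the thread.

```python
import struct

# Constructed sample, not a real binary: a section table shaped like the
# poster's dump. Image base 0x400000 is an assumption.
IMAGE_BASE = 0x400000
SAMPLE_SECTIONS = [
    # (name, RVA, VirtualSize)
    (b".text", 0x1000, 0x9F000),    # code, holds the OEP 0x47DA1C
    (b".rdata", 0xA0000, 0x10000),  # imports, holds the IAT slot 0x4A5098
    (b".data", 0xB0000, 0x20000),
]

# IMAGE_SECTION_HEADER layout (40 bytes): Name[8], VirtualSize,
# VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")

def pack_section_table(sections):
    """Serialize (name, rva, vsize) tuples into raw IMAGE_SECTION_HEADER records."""
    return b"".join(
        SECTION_HDR.pack(name.ljust(8, b"\0"), vsize, rva, 0, 0, 0, 0, 0, 0, 0)
        for name, rva, vsize in sections
    )

def parse_section_table(blob, count):
    """Parse `count` section headers from `blob` into (name, rva, vsize)."""
    out = []
    for i in range(count):
        fields = SECTION_HDR.unpack_from(blob, i * SECTION_HDR.size)
        out.append((fields[0].rstrip(b"\0").decode(), fields[2], fields[1]))
    return out

def locate(va, image_base, sections):
    """Name of the section mapping `va`, or None if it lies outside the image."""
    for name, rva, vsize in sections:
        start = image_base + rva
        if start <= va < start + vsize:
            return name
    return None

def triage_targets(targets, image_base=IMAGE_BASE, sections=SAMPLE_SECTIONS):
    """Map each branch/reference target to its section, flagging out-of-image ones."""
    parsed = parse_section_table(pack_section_table(sections), len(sections))
    return {va: (locate(va, image_base, parsed) or "OUTSIDE IMAGE") for va in targets}

if __name__ == "__main__":
    for va, where in triage_targets([0x47DA1C, 0x4A5098, 0x1140000]).items():
        print(f"{va:08X} -> {where}")
```

Any target reported as OUTSIDE IMAGE is a candidate for one of the three cases above and needs the protector's allocated block examined rather than the dump alone.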

SKiLLa
January 20th, 2006, 13:36
PS: It's probably not a real new version of ASPr, but likely just a 'fully armored' ASPr-packed .exe. Just as with Arma, there are multiple protection options (depending on the version/build of ASPr; there are some private/custom versions), but most programmers don't use these extra options (which require some extra effort integrating them into the original app).