Unpacking ASProtect
================================================

Writer : LaBBa
Target : Chronograph v2.5
URL    : http://www.altrixsoft.com

Well, like any other tut, this tut is about unpacking a packer called ASPR, or as most people know it, ASProtect. More and more software companies use ASPR as their packer, so if you want to crack such a prog you won't be able to unless you unpack it (or inline-patch it)... I guess if you are reading this you want to unpack it. =D

Well, all you need is:

1) SoftIce
2) IceDump
3) a PE editor - I prefer yoda's (or something like ProcDump)
4) Hview or any hex editor
5) Imprec - Macktus/UCF

The steps of the unpacking:

1) finding the OEP - Original Entry Point
2) dumping
3) rebuilding and fixing the IAT (Import API Table)
4) fixing some features (not all ASPR-packed progs have that...)
5) cracking the prog
6) greetings

Part 1 : Finding the OEP
=========================

Well, every prog has an Entry Point, which means the place where the prog starts. When the prog is packed the Entry Point is changed, so we need to find the original point the prog starts from.

- Open your favourite PE editor and check the Size of Image of our file: it's 1D8000. Write it down and keep it; we will need it for the dumping part.
- Load your IceDump, load your SoftIce Symbol Loader and open the prog that we wish to unpack. Choose from the menu: Module -> Load. There will be a message box asking "....... Load executable .. ?" - just press yes. Now SoftIce will pop up (usually it pops at 401000).
- Now do: bpx GetProcAddress
- Then press F5 and it will break...
- Press F5 one more time and it will break again...
- Press F12, and now clear all breakpoints: bc *
- Now do: bpx GetVolumeInformationA
- Press F5 and wait till SoftIce pops.
- Now that SoftIce has popped, press F12 and then clear all breakpoints: bc *
- Now we will use an IceDump command. Write this in SoftIce:

    /tracex 400000 750000

  This command tells IceDump to trace the code step by step (like F8) until it reaches an address that is bigger than 400000 and smaller than 750000. This way we make sure we break back inside the prog's own code, where the OEP is.
- When you press enter, SoftIce will start tracing the prog. It will take some time, so please be patient.
- OK, SoftIce popped. What do we see?

    0040293C PUSH EBP
    0040293D MOV EBP,ESP
    0040293F PUSH ESI
    00402940 PUSH EDI
    00402941 MOV EAX,[EBP+08]
    00402944 MOV ESI,004F70BE
    00402949 MOV EDI,EAX
    0040294B XOR EAX,EAX
    0040294D OR ECX,-01
    00402950 REPNZ SCASB
    00402952 NOT ECX
    00402954 SUB EDI,ECX
    00402956 MOV EDX,ECX
    00402958 XCHG ESI,EDI
    0040295A SHR ECX,02
    0040295D MOV EAX,EDI
    0040295F REPZ MOVSD
    00402961 MOV ECX,EDX
    00402963 AND ECX,03
    00402966 REPZ MOVSB
    00402968 POP EDI
    00402969 POP ESI
    0040296A POP EBP
    0040296B RET 0004

This does nothing useful... it just moves a little data around and then returns to the packer routine. So trace this code with F10 till you return to the packer. Now again do:

    /tracex 400000 750000

and this time we see this when SoftIce pops:

    00409A9C PUSH EBP
    00409A9D MOV EBP,ESP
    00409A9F MOV EAX,[EBP+08]
    00409AA2 MOV EDX,[EBP+0C]
    00409AA5 MOV [004F9500],EAX
    00409AAA MOV [004F9504],EDX
    00409AB0 POP EBP
    00409AB1 RET 0008

Huh?! We're still not at the OEP... (ASPR calls some of the prog's own routines while it is loading.) OK then, we will trace again with F10 till we return, and again do:

    /tracex 400000 750000

Now it takes years... SoftIce doesn't pop... relax, take a drink or 2... it should take about 3-4 more minutes (yeah..). La la la... OK!!!
SoftIce popped and now what we see is this:

    016F:00401578 JMP 0040158A
    016F:0040157A BOUND DI,[EDX]
    016F:0040157D INC EBX
    016F:0040157E SUB EBP,[EBX]
    016F:00401580 DEC EAX
    016F:00401581 DEC EDI
    016F:00401582 DEC EDI
    016F:00401583 DEC EBX
    016F:00401584 NOP
    016F:00401585 JMP 008EA622
    ==>  0040158A MOV EAX,[004E908B]
    016F:0040158F SHL EAX,02
    016F:00401592 MOV [004E908F],EAX
    016F:00401597 PUSH EDX
    016F:00401598 PUSH 00
    016F:0040159A CALL 004E8106
    016F:0040159F MOV EDX,EAX
    016F:004015A1 CALL 004C93B8
    016F:004015A6 POP EDX
    016F:004015A7 CALL 004C931C
    016F:004015AC CALL 004C93F8
    016F:004015B1 PUSH 00
    016F:004015B3 CALL 004CA9E0
    016F:004015B8 POP ECX
    016F:004015B9 PUSH 004E9034
    016F:004015BE PUSH 00
    016F:004015C0 CALL 004E8106
    016F:004015C5 MOV [004E9093],EAX
    016F:004015CA PUSH 00
    016F:004015CC JMP 004D0654
    016F:004015D1 JMP 004CAA2C

Is 00401578 our OEP?? Is it??? NO!!! It's a trick!! Well, in the old versions of ASPR this trick doesn't appear, and at this point you usually really are at the OEP... but in the new versions you will get this trick. So where is the OEP?? Look down - do you see the 2 JMPs one after the other???

    016F:004015CC JMP 004D0654
    016F:004015D1 JMP 004CAA2C

004D0654 <= the real OEP!!! Yes, all you need to do is trace with F10 till you get to JMP 004D0654, do one more F10 to make the jump, and you will see:

    016F:004D0654 PUSH EBP
    016F:004D0655 MOV EBP,ESP
    016F:004D0657 ADD ESP,-0C
    016F:004D065A PUSH EBX
    016F:004D065B PUSH ESI
    016F:004D065C PUSH EDI
    016F:004D065D MOV ESI,[EBP+08]
    016F:004D0660 MOV EAX,[ESI+10]
    016F:004D0663 AND EAX,01
    016F:004D0666 MOV [004F444C],EAX
    016F:004D066B CALL 004CD278
    016F:004D0670 MOV EDX,[ESI+20]
    016F:004D0673 PUSH EDX
    016F:004D0674 MOV ECX,[ESI+1C]
    016F:004D0677 PUSH ECX
    016F:004D0678 CALL 004CD5DC
    016F:004D067D ADD ESP,08
    016F:004D0680 MOV EAX,[ESI+28]
    016F:004D0683 PUSH EAX
    016F:004D0684 CALL 004CB1F4

It's a Delphi prog (how can I tell?? only an experienced cracker that has debugged many progs can answer that...). Yes, it's the real OEP!!
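A side note on where the numbers we have been using come from. The Size of Image we wrote down, the Image Base and the /tracex range are nothing more than fields of the PE header, and the same two values are what the dump in the next part takes. Below is an added Python example (it is not part of the original tut, and it is not code from IceDump, Imprec or yoda's PE editor) that reads those fields from a constructed PE32 header built with this tut's values (ImageBase 400000, SizeOfImage 1D8000, entry RVA D0654) and uses them for the two checks we rely on: whether an address lies inside the image (the tracex stop condition, which also explains why tracex stopped at 0040293C and 00409A9C even though they are not the OEP), and which section and raw file offset an image address maps to. The CODE/DATA section layout is invented for the sample.

```python
"""Read the PE header fields a PE editor shows (ImageBase, SizeOfImage, entry
point, section table) and use them for the address checks an unpacker relies on.
Added, self-contained example: the sample PE bytes are constructed inline from
the values quoted in the tut (ImageBase 400000h, SizeOfImage 1D8000h, OEP RVA
D0654h); the section layout is invented."""
import struct


def build_sample_pe():
    """Construct a minimal PE32 header blob: DOS stub, COFF header, optional
    header and two section headers. Only the header fields are populated."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack(
        "<HHIIIHH",
        0x014C,    # Machine: i386
        2,         # NumberOfSections
        0, 0, 0,   # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
        0xE0,      # SizeOfOptionalHeader (PE32)
        0x0102)    # Characteristics: executable image, 32-bit
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # Magic: PE32
    struct.pack_into("<I", opt, 16, 0xD0654)     # AddressOfEntryPoint (OEP RVA from the tut)
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)      # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)       # FileAlignment
    struct.pack_into("<I", opt, 56, 0x1D8000)    # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x400)       # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes

    def section(name, va, vsize, raw_ptr, raw_size):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, relocs/linenumbers (unused), Characteristics
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr,
                           0, 0, 0, 0, 0x60000020)

    secs = (section(b"CODE", 0x1000, 0xEC000, 0x400, 0xEC000) +
            section(b"DATA", 0xED000, 0xEB000, 0xEC400, 0xEB000))
    return bytes(dos + coff + opt + secs)


def parse_pe(data):
    """Return ImageBase, SizeOfImage, entry RVA and the section table of a PE32."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    hdr = {
        "entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
        "image_base": struct.unpack_from("<I", data, opt + 28)[0],
        "size_of_image": struct.unpack_from("<I", data, opt + 56)[0],
        "sections": [],
    }
    pos = opt + opt_size
    for _ in range(n_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, pos)
        hdr["sections"].append({"name": name.rstrip(b"\0").decode(), "va": va,
                                "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size})
        pos += 40
    return hdr


def entry_point(hdr):
    """Virtual address of the entry point (ImageBase + AddressOfEntryPoint)."""
    return hdr["image_base"] + hdr["entry_rva"]


def dump_range(hdr):
    """The (start, length) pair a full memory dump of the image needs."""
    return hdr["image_base"], hdr["size_of_image"]


def in_image(addr, hdr):
    """The /tracex stop condition: is addr inside [ImageBase, ImageBase+SizeOfImage)?
    Note it is true for any code of the image, not only the OEP, which is why the
    trace in the tut stopped at helper routines first."""
    return hdr["image_base"] <= addr < hdr["image_base"] + hdr["size_of_image"]


def va_to_file_offset(addr, hdr):
    """Map an image address to (section name, raw file offset), or None if the
    address is outside every section (e.g. inside the packer's own memory)."""
    rva = addr - hdr["image_base"]
    for s in hdr["sections"]:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s["name"], s["raw_ptr"] + (rva - s["va"])
    return None


if __name__ == "__main__":
    h = parse_pe(build_sample_pe())
    print("ImageBase %X  SizeOfImage %X  EP %X" % (h["image_base"], h["size_of_image"], entry_point(h)))
    for a in (0x40293C, 0x4D0654, 0x8EA622):
        print("%08X in image: %s  -> %s" % (a, in_image(a, h), va_to_file_offset(a, h)))
```

In a "Dump Full" taken the way this tut does it, the raw layout usually equals the virtual one, so the file offset of an address is just its RVA; the section walk above handles the general case where raw and virtual offsets differ.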
Don't trace any more. When you are at 4D0654 just stop and write it down...

Part 2 : Dumping the new file
==============================

When you are at 4D0654 you need to write this to dump:

    /dump 400000 1D8000 c:\tmp\Dumped.exe

That line means...

    /dump             -> make a dump
    400000            -> the Image Base of the file (you can see it in a PE editor)
    1D8000            -> the Size of Image that we wrote down before the tracing
    c:\tmp\Dumped.exe -> the path where we want to save the file, and the file name

Now... sometimes this method doesn't work (I dunno why): the dump is not complete. So I prefer to do it like this. When you are at 4D0654 write:

    a eip

then write:

    jmp eip

and press enter again to exit the assembler. What we just did is put the prog in a loop at its start. Open ProcDump or the PE editor (preferred), choose our process in the list, right click on the process and choose Dump Full... Now save the file, and then kill the process because it's stuck in a loop. With a hex editor fix the code at the OEP back to 55, 8B (the first bytes of PUSH EBP / MOV EBP,ESP), because we dumped it with a jump-to-self written over them. Now we have an unpacked file!!

Part 3 : Rebuilding the IAT
=============================

What does that mean? If you try to run the file now it will crash. Why is that??? Because the API functions were in another place when the file was packed, so now that we have unpacked it, the file still goes to the same places and doesn't find them. More than that: the file we have is a decrypted file, so all the API references we have are broken!

Now... until almost a year ago this part was really hard!! It had to be done half by a prog and half manually... but now, thanks to Macktus who built Imprec, we can do it really easily. Well, there is another prog that can also do it, called Revirgin by +Tsehp, but I like Imprec because it's faster...

Usually you would just need to put our OEP in Imprec's OEP text box and press IAT AutoSearch. Well, run Chronograph normally and you will see the nag screen...
Now open Imprec. In the top line you will need to choose our process. When it has finished loading the DLLs, put the info in the text boxes at the bottom left - the OEP: D0654. Now press IAT AutoSearch. You will get a msgbox that tells you it didn't find a good OEP :/ Well, go to the Options and change Max recursion to, say, 10 (just make it bigger). Now press IAT AutoSearch again. OK, it did it! In the message box just press "ok".

Now press Get Imports. And all we get is one section??? What?! We're supposed to get a lot of sections... Oh OK, it's an ASPR trick. Just press Clear Imports. Look at the length: it's 224. Does that seem right?? It's too small. We will change it to 1000 (you can change it up to 3000, no need for more). Now press Get Imports and look how beautiful it is... so many invalid APIs... :p

Well, let's fix them. Press Show Invalid. Now right click on one of the invalid APIs and choose: Trace Level1 (Disasm). Now that's much better. Press Show Invalid again, right click on one of the APIs and this time choose: Plugin Tracer (ASProtect 1.2x Emul). Now that is a lot better. Press Show Invalid again and all we have left is just one invalid... it is usually the LockResource function =) So double click on the function and choose LockResource. Now press Show Invalid - THERE IS NONE!!! OK, now press Fix Dump and choose our Dumped.exe file. That's it!! It's all done, we have unpacked ASPR!!!!

Part 4 : Fixing some Features (not all ASPR-packed progs have that...)
============================================================

Now, usually this is the part where you should start cracking the prog - no more fixing... but no. This time the programmer of the prog (not of the packer) put some packer checks in the code, so if you try to run the prog without the packer, the prog will crash... NOT ALL PROGRAMMERS DO THAT!! Good for us... but in this case HE DID!!
Well, if you load the unpacked file with Symbol Loader you will see this:

    016F:004D0654 PUSH EBP
    016F:004D0655 MOV EBP,ESP
    016F:004D0657 ADD ESP,-0C
    016F:004D065A PUSH EBX
    016F:004D065B PUSH ESI
    016F:004D065C PUSH EDI
    016F:004D065D MOV ESI,[EBP+08]
    016F:004D0660 MOV EAX,[ESI+10]      <- here the prog will crash!

As you can see, ESI gets a value from [EBP+08] and is then used to load EAX. If you check the value, it is 0. That's weird!!! So we will need to compare it with the real (packed) file and see what happens there. Now you must be thinking: oh my god, again all the tracing and waiting... Well, no: if you have the OEP you don't need to do that again. Just load Symbol Loader, load the prog, and when SoftIce pops do:

    bpr 4D0653 4D0654 RW

    bpr    -> breakpoint on a range of addresses
    4D0653 -> OEP - 1
    4D0654 -> OEP
    RW     -> break when the process wants to read or write there

Then press F5 till you get to the OEP. When you get to the OEP clear all breakpoints: bc *

Now, tracing with F10, we can see that at

    016F:004D065D MOV ESI,[EBP+08]

ESI = 4E9034. Let's see what happens with EAX: EAX gets a value from ESI, and because of the wrong value in the unpacked file the prog crashes. Let's see what the real file does with the value:

    016F:004D0663 AND EAX,01
    016F:004D0666 MOV [004F444C],EAX

Well, if you do an AND 01 on EAX it's just to know if EAX is 0 or 1, so it doesn't really use that value... but if you look down you will see this:

    016F:004D0670 MOV EDX,[ESI+20]    -> uses ESI value
    016F:004D0673 PUSH EDX
    016F:004D0674 MOV ECX,[ESI+1C]    -> uses ESI value
    016F:004D0677 PUSH ECX
    016F:004D0678 CALL 004CD5DC
    016F:004D067D ADD ESP,08
    016F:004D0680 MOV EAX,[ESI+28]    -> uses ESI value
    016F:004D0683 PUSH EAX
    016F:004D0684 CALL 004CB1F4
    016F:004D0689 POP ECX
    016F:004D068A MOV EDX,[ESI+44]    -> uses ESI value
    016F:004D068D PUSH EDX
    .....
    .....

So as we can see, the value that ESI holds is the important one...
Well, we will change the unpacked file so that ESI will be 4E9034. Open our dumped file with Hview and press Enter till you are in ASM mode, then press F5 and write D065D (we are going to 4D065D) and press enter. Now press F3 to edit this:

    016F:004D065D MOV ESI,[EBP+08]
    016F:004D0660 MOV EAX,[ESI+10]

to this:

    mov esi, 4e9034
    nop

(the 5-byte MOV plus a 1-byte NOP exactly cover the two 3-byte instructions). The new prog will look like this:

    MOV ESI,4E9034
    NOP
    AND EAX,01
    MOV [004F444C],EAX

Now press F9 to save and that's all. Now run the prog and... yes!!! It's alive!!! It's alive!!! It's alive!!! It's alive!!! Yes, the prog does run...

Well, there is one more fix to be done. If you press Get in Chronograph you will get 2 message boxes:

1) that there isn't a TCP/IP connection -> because we are not online
2) an error that tells us that GetSynchroniz was not called from the right place

Well, that part is easy: just nop the second message box and that's all. ** - (Tip - the message box is at: 46E27A)

Part 5 : Cracking the Prog
=============================

Well, I'm not going to help you with that part... this is an unpacking tut, not a cracking tut... and the cracking part is really easy, so please... do it yourself...

Part 6 : Greetings
=======================

I would like to thank all of my friends on iNFECTED and my friends at Unpacking Gods and Cracking4NewBies. Special thanks to: Macktus - ^DAEMON^ - SAC - The fraviaMB - Parabyte - NchantA - Eternal Bliss - R2-C2, and to all of the ones that helped me learn the ways of ASPR and unpacking...