jjujju
10-23-2009, 04:59 AM
Hello everyone! I read through numerous tutorials and guides, but I am still having trouble unpacking a file that is packed with ASProtect 2.XX
Before I move on to details, I'll explain what I am trying to unpack.
A programmer from China has hijacked a legitimate piece of software and is selling it on-line (I'm pretty sure that he's really intelligent). I won't mention the name of the software. But basically these were his instructions:
1. Rename "program.exe" to "program.ext"
2. Copy "program.exe" and "Activator.dll" from the "Patch" directory to the program directory
3. Run the software
4. After thirty days, there will be a pop up window with the hardware ID that you need to e-mail along with the payment. An unlock key will be given to you.
So, I got a hold of the patch and followed steps 1 through 3. Then, I changed the system clock to year 2099 and sure enough, there was a pop up window saying that I needed to make a payment. Then I changed back the time to 2009, but the pop up window still showed up. So I used "Process Monitor" to monitor registry queries and the program was accessing a registry directory called "ASProtect."
All the legal issues aside, I scanned the directory for any packer information, and Activator.dll was found to be packed with ASPACK 2.12. I used PEiD and PETools and both said that the file was packed with ASPACK 2.12. I found it interesting that the registry had a directory named ASProtect and PEiD/PETools both identified the file as ASPACK 2.12. I am not planning to sell this software or make profit off of it in any way. I'll be using it personally for evaluation purposes without going through the trial request from the official website. (I would like to use it for over 30 days.)
I'm having a very difficult time trying to find the OEP of this file. Could someone please advise? I'll explain what I've done.
1. Open OllyDbg with plugins OllyDump and Debug Hider. (Using lower file version of PSAPI.DLL that came with OllyDbg).
2. Open Activator.dll (Ollydbg asks to use LOADDLL.EXE, then I click on "Yes").
3. Ollydbg opens up module "ntdll".
4. I click on "F9"
5. It then stops at another line in module "ntdll" (On the status window of OllyDbg, it says 'Single step event at ntdll.77DB0194 - use Shift+...')
6. I click on "F9" again
7. A window pops up 'Entry Point Alert, Module 'Activato' has entry point outside the code...'
8. I click on "OK"
9. I get a warning about module 'Activato' containing compressed code, so I click on "Yes."
10. In module Activato, it stops at the entry point, which says PUSHAD.
11. I then start hiding the debugger using the plugin "IsDebugPresent - Hide"
12. I write down the register information for EAX, ECX, EDX, ..., EDI.
13. I step over by pressing "F8"
14. I right-click on EDI in the register window and select "Follow in Dump"
15. On the first Dword in the Dump Window, I right click and set a "Hardware breakpoint on Access"
16. I then click on "F9" to make it continue to run.
17. OllyDbg stops execution at [CPU - main thread, module ntdll]
18. I start stepping through to find the OEP, but it takes forever to get back to module 'Activato'
19. I'm stuck here, because I can't seem to find a valid entry point.
*20. Once an OEP is found (I found false points), I would use OllyDump to create a file.
*21. Using ImpREC, I would fix the dump using the OEP while running the software.
I've tried to set hardware breakpoints at different register access (ESI, EBP, and ESP). My thought is that when the registers that I previously wrote down show up on the Register window again, I could possibly assume that that's where the OEP would be. But I know that sometimes, the programmers add tricky stuff in there to confuse people who try to reverse-engineer their stuff.
My questions:
1. Isn't reverse engineering essentially done the same way with both ASProtect and ASPACK?
2. Is there a flaw in my thinking that I need to find out when the original register information before PUSHAD is back to registers? When RTN is performed afterwards, would that be the OEP?
3. Any other comments or suggestions that could help me?
I've spent over 12 hours trying to do this, but no luck... Please help! Thank you very much!
File:
http://www.2shared.com/file/8599133/8b34a546/Activator.html or
http://jump.fm/GMECU
*****
Update:
I found a script called Aspr2.XX_unpacker_v1.15E.osc, which I ran and it pointed me to OEP @ 20BC.
1. I dumped the file using the OEP and Ollydump plugin
2. I opened ImpREC and fixed the IAT (automatically) using OEP
3. Surprisingly, the software ran fine. But when I changed the date again, the pop up window came up again, stating that I needed to send in the hardware code. Registry was also changed - ASProtect key was created upon starting the software.
I don't see anywhere else it could have ASProtect package... Any ideas?
JjuJju
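The "entry point outside the code" alert and the PEiD/PETools verdict in the post above both come from static traits of the PE header: the entry point not sitting in the first code section, packer-named sections, and original sections that have a virtual size but no raw data left in the file. As an added example (not code from the post, from OllyDbg, PEiD or any ASPack/ASProtect tooling), here is a dependency-free Python reader that pulls those traits out of a PE32/PE32+ header and reports them as findings. The two sample images are constructed in-memory headers, not real files; the section names `.aspack` and `.adata` are the ones ASPack is publicly known to add, and the flag constants are the ones from the PE specification.

```python
import struct

# Section characteristic flags as defined in the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section names ASPack is publicly known to append (illustrative list).
PACKER_SECTION_NAMES = {b".aspack", b".adata"}


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # AddressOfEntryPoint sits at offset 16 in both PE32 and PE32+ optional headers.
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, _, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "flags": flags})
    return entry, sections


def assess(data):
    """Return a list of (finding_code, detail) tuples for packer-like header traits."""
    entry, sections = parse_pe(data)
    findings = []
    ep_idx = next((i for i, s in enumerate(sections)
                   if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if ep_idx is None:
        findings.append(("entry-outside-sections", hex(entry)))
    else:
        s = sections[ep_idx]
        name = s["name"].decode(errors="replace")
        if not s["flags"] & IMAGE_SCN_CNT_CODE:
            findings.append(("entry-section-not-code", name))
        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(("writable-executable-entry", name))
        first_code = next((i for i, t in enumerate(sections)
                           if t["flags"] & IMAGE_SCN_CNT_CODE), None)
        if first_code is not None and first_code != ep_idx:
            # This is the situation behind OllyDbg's "entry point outside the code" alert.
            findings.append(("entry-not-in-first-code-section", name))
        if s["name"].lower() in PACKER_SECTION_NAMES:
            findings.append(("packer-section-name", name))
    for s in sections:
        # A section with a virtual footprint but no bytes on disk is what the
        # packer stub fills at run time, i.e. the region a dump has to recover.
        if s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append(("virtual-only-section", s["name"].decode(errors="replace")))
    return findings


def build_sample_pe(sections, entry_point):
    """Construct a minimal PE32 header-only image (hypothetical helper for the samples)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), vs, va, rs, 0, 0, 0, 0, 0, fl)
                     for n, va, vs, rs, fl in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed sample: ordinary linker layout, entry point inside .text.
CLEAN = build_sample_pe([
    (b".text", 0x1000, 0x4000, 0x4000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x5000, 0x1000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
], entry_point=0x1200)

# Constructed sample: ASPack-style layout, original code kept only virtually,
# entry point moved into a trailing packer section.
PACKED = build_sample_pe([
    (b".text", 0x1000, 0x4000, 0, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".data", 0x5000, 0x1000, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".aspack", 0x6000, 0x2000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".adata", 0x8000, 0x1000, 0, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
], entry_point=0x7001)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("packed", PACKED)):
        print(label, assess(image))
```

Run against a real file with `assess(open(path, "rb").read())`. The findings are heuristics for triage, not a packer identifier: a custom linker script can legitimately place the entry point in a later section, so treat a hit as a reason to look at the file with PEiD or a debugger, not as a verdict.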