Awave Studio 7.3 - AsProtect unpacking


Instructor
June 13th, 2001, 13:16
Hi, I want to manually unpack 'Awave Studio v7.3' (www.fmjsoft.com).
I found the OEP at 4B3A3C (B3A3C) and made a dump with icedump,
then I fixed the dump with PE-Editor and added a new section.

My problem is finding the jump table. I found this:

4B06D0 jmp d [4BF4E4]
4B06D6 jmp d [4BF4E8]
4B06DC jmp d [4BF4EC]

I went to 4BF4E4, scrolled up and found this place for the IAT start:
4BF000. I'm not sure if this is the right IAT start, and I have not found
the IAT end. Can anyone help me?

thx instructor

SpeKKeL
June 13th, 2001, 15:11
Yep,

Think you're right >> beginning at bf000; length of IAT 51c. Try to resolve the
unresolved ........

SpeKKeL

Instructor
June 13th, 2001, 23:49
Hi Spekkel,
thanx for the first, but how did you get the IAT length
of 51C? In Predator's tutorial he wrote about nine '00'. In 'Awave' there are many areas with '00'.

cu inst

Kayaker
June 14th, 2001, 13:07
Hi Instructor,

What I usually do to find the IAT start with Asprotect is check the address in EDI *immediately* on breaking into the Import decryption routine during unpacking (a GetProcAddress call, F12 a few times to find the loop). The first Import that goes through the routine isn't always exactly at the start of the IAT, but usually it is.

To find the IAT endpoint, once you've broken out of the Import routine loop, *immediately* check the value in EDX, I've found that this always contains the last IAT address that was processed.

With most Asprotect versions, I've found this checking of EDI/EDX addresses to work in almost all cases to delineate the IAT. (Can't check right now, but I *think* I've got the registers edi and edx right)

Other than that, you can usually make a good guess where the IAT endpoint is anyway. Each dll, or group of Imports in a dll that may be listed more than once, is terminated in the IAT by a 00000000 as you mentioned. In earlier versions of Asp, there may have been several groups of 00's between dll's, but the latest versions seem to have given up on this ruse.

It's just a matter of recognizing the final Import address, which usually seems to be a resolved one, so look for the last BFFxxxxx or 7xxxxxxx and you've got your length.

Kayaker
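
A small script, added here as an example (not code from the thread or from ReVirgin), that applies the heuristics above to a constructed dump fragment: starting from one slot seen in EDI, it walks back to the IAT start and forward to the last resolved pointer, treating single 00000000 slots as per-DLL terminators and a longer run of zeros (or a non-pointer value) as the end of the table. The BFFxxxxx/7xxxxxxx ranges come from Kayaker's rule; the 00D0xxxx "protector" range is an assumption taken from the 00D0C864-style values in Instructor's ReVirgin listing, and the sample bytes are constructed.

```python
import struct

# "Resolved" import pointers on the Win9x boxes in this thread: kernel32 & co
# at BFFxxxxx, other system DLLs at 7xxxxxxx (Kayaker's rule of thumb).
RESOLVED = ((0xBFF00000, 0xBFFFFFFF), (0x70000000, 0x7FFFFFFF))
# Assumed range of the protector's own code, taken from the 00D0xxxx values
# in Instructor's ReVirgin listing; adjust for a real dump.
PROTECTOR = (0x00D00000, 0x00D0FFFF)

def classify(value):
    """Label one DWORD slot the way the thread reasons about the IAT."""
    if value == 0:
        return "terminator"               # end of one DLL's group
    if any(lo <= value <= hi for lo, hi in RESOLVED):
        return "resolved"
    if PROTECTOR[0] <= value <= PROTECTOR[1]:
        return "to_Resolve"               # still points into AsProtect
    return "data"                         # not a pointer: outside the IAT

def delineate_iat(section, section_rva, known_entry_rva, max_zero_run=2):
    """From the RVA of one slot seen in the import routine (the EDI value),
    walk backwards to the IAT start and forwards past the last pointer slot.
    Single zero slots stay inside the table; a longer zero run or a
    non-pointer value ends it."""
    def slot(rva):
        off = rva - section_rva
        if off < 0 or off + 4 > len(section):
            return None
        return struct.unpack_from("<I", section, off)[0]

    def walk(rva, step):
        last_pointer, zeros = rva, 0
        while True:
            rva += step
            value = slot(rva)
            kind = "data" if value is None else classify(value)
            if kind == "data":
                break
            if kind == "terminator":
                zeros += 1
                if zeros > max_zero_run:
                    break
                continue
            zeros, last_pointer = 0, rva
        return last_pointer

    start = walk(known_entry_rva, -4)
    end = walk(known_entry_rva, 4) + 4
    unresolved = [rva for rva in range(start, end, 4)
                  if classify(slot(rva)) == "to_Resolve"]
    return {"start": start, "length": end - start, "to_resolve": unresolved}

def build_sample():
    """Constructed dump fragment (not the real target): four zero DWORDs of
    padding, then a small IAT laid out like the ReVirgin listings above."""
    values = [0, 0, 0, 0,
              0xBFF76DAC, 0xBFF7771A, 0,      # kernel32 group + terminator
              0x7FE4FDB7, 0x00D0C864, 0,      # one slot still in the protector
              0xBFF84936, 0, 0, 0, 0x41]      # last resolved entry, then data
    return struct.pack("<%dI" % len(values), *values), 0xBEFF0

def demo():
    section, rva = build_sample()
    return delineate_iat(section, rva, 0xBF00C)   # 0xBF00C = slot seen in EDI
```

demo() reports start RVA BF000 and length 1C for the constructed fragment, with slot BF010 flagged as to_Resolve.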

Instructor
June 16th, 2001, 14:23
After working with Revirgin's Resolver and Again Resolver some entries are empty. What must I do
with this:

awave.exe
01F8
index IAT_address value hint module function
--- -------- -------- ---- -------- --------
58 000BF0F4 00D0C864 0000 ?????? ??????
62 000BF104 00D0C86C 0000 ?????? ??????
83 000BF158 00D0C834 0000 ?????? ??????
84 000BF15C 00D0C85C 0000 ?????? ??????
130 000BF214 00D0C468 0000 ?????? to_Resolve
141 000BF240 00D0C818 0000 ?????? to_Resolve
161 000BF29C 00D0C898 0000 ?????? ??????
314 000BF510 BF231007 0000 ?????? to_Resolve
315 000BF514 BF231007 0000 ?????? to_Resolve
316 000BF518 BF231007 0000 ?????? to_Resolve
317 000BF51C BF231007 0000 ?????? to_Resolve

I work with Tracer and Resolve again, but it doesn't work.

thx for your help

tsehp
June 16th, 2001, 19:03
again I will encourage people to do a little searching before asking those questions:
use the messageboard search feature and do some searches related to revirgin.
the entries you name are alexey's last little tricks; this will be fixed when I finish the new tracer, they are not serious enough to engage a new revirgin dev.
this was exactly the same case as numerous ones before, read the splaj related thread about those entries:
for example :
1-some are mov eax,[xxxxxx]
ret

easy to guess -> a kind of check if asprotect is still present; it emulates some single APIs that just bring back some single mem values. if this entry is really used, find the value it gets and hard-code it into your dumped target

2-other entries are :
1-code blah blah
2-jz not going to
3-getprocaddress
4-code blah blah

so just replace all this with getprocaddress and it will work fine.

to ease some work, just fix the iat that are really used, you'll see that half of them are really necessary. email for further help.

regards,

+Tsehp

Exocist
July 11th, 2001, 05:05
hi you top blokes

I only joined up today, I have spent the best part of my day learning the techniques found in this forum's text and felt confident enough to practice on BeatCreator, packed with ASProtect 1.2 I think...

I'm posting in this thread for 2 reasons: 1) I also have an interest in Awave Studio 7.3 and have got to the same problems with unresolved APIs; 2) I am also at the same place with BeatCreator too

now... I have managed to use the tracer to resolve one of the 'unresolved' APIs to GetProcAddress, here's the current IAT I have: (attached)

IAT Start RVA: 9D000
IAT Length : 72C

now... being a newbie here I have been going thru pages looking for the thread you mentioned tsehp but the search function only allows me to search thru the last 30 days, I wondered if this thread was mentioned some while ago, I would love to read it. I've had a taste and now I want more

I've always found asprotect to be the thorn in my side, I would love to be able to defeat it. Today is the first day I have used icedump and revirgin, both tools are awesome, thanks a lot!

@ Instructor

did you manage to defeat Awave Studio 7.3? I wrote a process patcher for it, the crack is only 3 byte changes, if you're interested
let me know... I would love your knowledge on unpacking Awave if you have succeeded

thanks again guys

-Ex

splaj
July 11th, 2001, 06:04
Hajo

heer wee goo

method of attack RV v ASPr
=====================

Set BPX GetVersion
start target. SI pops. f12 and scroll up the code window.
You will see a cluster of GetWhatWeNeed APIs.

WRITE DOWN THE FIXED MEMORY ADDRESS that EAX is saved to, eg

0187:00F5C7DA E82D7CFFFF CALL KERNEL32!GetModuleHandleA
0187:00F5C7DF A3D435F600 MOV [00F635D4],EAX
0187:00F5C7E4 E83B7CFFFF CALL KERNEL32!GetVersion
0187:00F5C7E9 A3D835F600 MOV [00F635D8],EAX
0187:00F5C7EE 68E435F600 PUSH 00F635E4
0187:00F5C7F3 E8347CFFFF CALL KERNEL32!GetVersionExA
0187:00F5C7F8 E8DF7BFFFF CALL KERNEL32!GetCurrentProcess
0187:00F5C7FD A3DC35F600 MOV [00F635DC],EAX
0187:00F5C802 E8DD7BFFFF CALL KERNEL32!GetCurrentProcessId
0187:00F5C807 A3E035F600 MOV [00F635E0],EAX
0187:00F5C80C E8C37BFFFF CALL KERNEL32!GetCommandLineA
0187:00F5C811 A37836F600 MOV [00F63678],EAX

F5

Run RV, get your IT traced as much as possible.
WRITE DOWN THOSE MISSING API ADDRESSES like :-
A0C8FC =>
A0C8C4 =>
etc etc

Close target.

Load target again with same BPX GetVersion

SI pops.

Now unassemble those missing API addresses you wrote down in RV.. like U A0C8FC, look at the code/API, U A0C8C4 etc etc

See some link to the same memory location stored by the GETWhatWeWant API cluster !!! Link them in to RV. EXP the required API to get the dll memory location. (eg EXP GETVERSION will show you its memptr)

Now PROBABLY 2 of these API will be code like PUSH EBP, blah POP EBP ,RET004
You only need the C20400 RET004 (actually KERNEL32!ORD_2F is RET004)

manually fix resolved.txt and rebuild the exe. Then you have some more phun :-) confused ?

+SplAj
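
An added example (not code from the thread, from ReVirgin or from +SplAj) that mechanises the "link them" step above together with tsehp's type-1 entries: it pairs each CALL in the cluster listing with the MOV [slot],EAX that follows it, then classifies the bytes an unresolved IAT entry points at as "read back of that API's saved result", "RET 0004 (the thread's KERNEL32!ORD_2F)", or something that still needs hand tracing. The cluster lines are the ones quoted above; the stub bytes are constructed, and the slot-to-API mapping is an assumption that each stored EAX is read back unchanged.

```python
import re
import struct

# The GetWhatWeNeed cluster from splaj's post: each API's EAX is stored to a
# fixed slot, and a redirected IAT entry later reads that slot back.
CLUSTER = """\
0187:00F5C7DA E82D7CFFFF CALL KERNEL32!GetModuleHandleA
0187:00F5C7DF A3D435F600 MOV [00F635D4],EAX
0187:00F5C7E4 E83B7CFFFF CALL KERNEL32!GetVersion
0187:00F5C7E9 A3D835F600 MOV [00F635D8],EAX
0187:00F5C7EE 68E435F600 PUSH 00F635E4
0187:00F5C7F3 E8347CFFFF CALL KERNEL32!GetVersionExA
0187:00F5C7F8 E8DF7BFFFF CALL KERNEL32!GetCurrentProcess
0187:00F5C7FD A3DC35F600 MOV [00F635DC],EAX
0187:00F5C802 E8DD7BFFFF CALL KERNEL32!GetCurrentProcessId
0187:00F5C807 A3E035F600 MOV [00F635E0],EAX
0187:00F5C80C E8C37BFFFF CALL KERNEL32!GetCommandLineA
0187:00F5C811 A37836F600 MOV [00F63678],EAX
"""
CALL_RE = re.compile(r"CALL\s+(\S+)$")
STORE_RE = re.compile(r"MOV \[([0-9A-F]{8})\],EAX$")

def map_saved_results(listing):
    """Pair each CALL with the MOV [slot],EAX right after it: slot -> API name."""
    slots, pending = {}, None
    for line in listing.splitlines():
        line = line.strip()
        m = CALL_RE.search(line)
        if m:
            pending = m.group(1)          # result not stored yet
            continue
        m = STORE_RE.search(line)
        if m and pending:
            slots[int(m.group(1), 16)] = pending
        pending = None                    # any other instruction breaks the pair
    return slots

def resolve_stub(code, slots):
    """Classify the bytes an unresolved IAT entry points at.
    mov eax,[slot]; ret -> the API whose result the cluster saved there
    ret 4               -> what the thread calls KERNEL32!ORD_2F
    other               -> None: trace it by hand (e.g. tsehp's jz/GetProcAddress wrapper)"""
    if code[:1] == b"\xA1" and code[5:6] == b"\xC3":          # A1 moffs32 ; C3
        addr = struct.unpack_from("<I", code, 1)[0]
    elif code[:2] == b"\x8B\x05" and code[6:7] == b"\xC3":    # 8B 05 disp32 ; C3
        addr = struct.unpack_from("<I", code, 2)[0]
    elif code[:3] == b"\xC2\x04\x00":                         # C2 0004 = RET 0004
        return "KERNEL32!ORD_2F"
    else:
        return None
    # A slot the cluster never wrote is tsehp's case 1: read the value the
    # running target holds there and hard-code it in the dump.
    return slots.get(addr, "hard-code value read from [%08X]" % addr)

# Constructed stub bytes, not taken from the real target.
STUBS = {
    "GetVersion":     bytes.fromhex("A1D835F600C3"),    # mov eax,[00F635D8]; ret
    "GetCommandLine": bytes.fromhex("8B057836F600C3"),  # mov eax,[00F63678]; ret
    "ord_2f":         bytes.fromhex("C20400"),          # ret 4
    "unknown_slot":   bytes.fromhex("A10000F700C3"),    # reads [00F70000]
    "wrapper":        bytes.fromhex("558BEC"),          # push ebp; mov ebp,esp ...
}

def demo():
    slots = map_saved_results(CLUSTER)
    return {name: resolve_stub(code, slots) for name, code in STUBS.items()}
```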

Exocist
July 11th, 2001, 15:30
thanx +SplAj

I will start from there and see how things go thanks a lot

-Ex

Exocist
July 11th, 2001, 17:31
he he, damn this is fun

I have rebuilt my import table (BeatCreator) and added the following entries:

GetCommandLineA
GetVersion
GetCurrentProcess

and 2 entries (as you already knew!) to the KERNEL32!ORD_2F, both of these were together. and... as you obviously already know, I run the proggie. I have placed a BPX on my Getxxxxxxx entries above just to make sure they are OK and they are, now I have to determine the cause of my crashing,

what else should I know?

BTW, Awave is packed in ASProtect 1.3, the API cluster approach you mentioned above appears to have changed as the EAX values seem to point to uninitialised memory?? I'll probe into that more to make sure I'm not talking crap heheh

-Ex

Exocist
July 12th, 2001, 01:42
well... now I am stumped

I actually got the program to run by bypassing a CALL location, a 'trial version for blah blah...' dialog comes up as it should but then the program dies with ExitProcess()

What's more, the CALL I bypass contains a pointer to a memory location that should contain the application path ie:

C:\PROGRAM FILES\ZERO-X\ZERO-X BEATCREATOR\ZEROX_BC.EXE

my dumped version points the correct memory location at the same CALL but the text above is not present, some pointers within the dumped .exe must still be out of alignment....

I need some help if anyone is reading... I feel so close to getting this right :/

thanks,

-Ex

Exocist
July 12th, 2001, 02:03
BTW,

if anyone is interested I have upped the proggie (in its original state) to [www.filesanywhere.com] along with my IT.TXT & IT.BIN

login: zeroxbc
pass: unpack

thanks again,

-Ex

Exocist
July 12th, 2001, 03:39
hmmm, I found out that my pointer is fine, the problem is in the CALL to:

208 0009D34C BFF676CF 0195 KERNEL32.dll GetModuleFileNameA

from my dumped.exe, it comes back from this CALL with EAX=0 which is not good, consequently it isn't updating the program memory with the C:\PROGRAM FILES\ blah blah mentioned above.

I have done a compare with the packed .exe registers and the unpacked registers at the time of the CALL, they are all fine...

the packed .exe jumps back into asprotect and from there calls GetModuleFileNameA

016F:00A25234 SUB EDX, EDX
016F:00A25236 PUSH BFF92366
016F:00A2523B PUSH DWORD PTR FS: [EDX]
016F:00A2523E MOV FS: [EDX], ESP
016F:00A25241 JMP BFF676DC

damn I'm getting lost now, sorry for all the posts, I'm just hoping some of you have experienced what I am talking about, it would be nice to know that I have dumped and rebuilt the .exe alright and all I need now are some adjustments to make it work??!?

-Ex

frUstrAted_SplAj
July 15th, 2001, 07:24
Hi Ex

can't get your rar file since Thursday (f*xkin filesanywhere needs nukin, even got my own splaj account and still no f*xkin files come back out, tried all methods, copy your files to me , OK but still bombs out part d/l, even e-mail gets me zilch....so sorrry FUCK ahh thats better)

Anyway finally d/l awave7.3 (sooooo slow) and I can confirm my GetVersion hint still works. All 6 GetWotIWant APIs of the cluster are there eventually, you must get back to ASPR code with F12 )

+SplAj

Exocist
July 15th, 2001, 21:32
hey +SplAj

thanks for the efforts m8, cool to know about Awave 7.3, I will take a closer look, sounds like patience is the key to that one. it's crazy considering the crack for it is only 3 bytes he he

I have coded a process patcher for zero-x beatcreator, I found during the unpacking process it jumps into the 401000 - 500000 range twice and bangs some bytes into the program's location, this appears to be the perfect time to apply the patches without getting the 'protection error 15' crap.

still, I would love to learn how to unpack this thing properly, I know it would boost my skill levels considerably if I can see the whole project thru, if you're still interested, where can I place the files so you can grab them and take a look?

thanks man.

-Ex

splaj
July 16th, 2001, 03:31
+splaj@y-a+h+o-o.c-o-m

...without any +-

Exocist
July 18th, 2001, 23:36
just saying a big thanks to +Splaj thanks man, you have helped me incredibly

-Ex

Instructor
July 20th, 2001, 00:13
Thanx to all, who posted in this topic.
But some questions are open for me.

Last results:
I used the new Revirgin v.1.11 Build 17

awave.exe
01F8
index IAT_address value hint module function
===========================================================================
58 000BF0F4 BFF84936 15B KERNEL32!GetCurrentProcessId
62 000BF104 BFF8C5AC 149 KERNEL32!GetCommandLineA
83 000BF158 BFF92DFC 1DC KERNEL32!GetVersion
84 000BF15C BFF9622C 15A KERNEL32!GetCurrentProcess
130 000BF214 00D0C468 0000
141 000BF240 00D0C818 0000
161 000BF29C 00D0C898 0000
===========================================================================

If I right click on 130 / 000BF214 / 00D0C468 / 0000 and then 'Enable trace' / 'Tracer' it shows me the following address:

BFF76DAC

Addr:BFF76DAC Ord: 419 (01A3h) Name: GetProcAddress (search the address in WDasm)

Must I insert this in Revirgin or the 'Ret 0004'???

The same with the second open entry....

141 000BF240 00D0C818 0000

BFF7771A

Addr:BFF7771A Ord: 397 (018Dh) Name: GetModuleHandleA (search the address in WDasm)

The third open entry could be in 'user32.dll'; after 'tracer' it crashes the program.

What is the correct name of the function Ordinal:002F, to insert in 'Revirgin - name of the function'?

thx Instructor

att@kk
July 20th, 2001, 16:35
Exorcist - here's what you need to do ...

Firstly, your IAT length is wrong. You've used 700 when it should be 744. Your last export in your .bin is "WINSPOOL.DRV OpenPrinterA" - here's the exports that you are missing (from my ReVirgin saved text):-

451 0009D728 7FE7183E 00B7 WINSPOOL.DRV OpenPrinterA
===============================================
452 0009D730 7FE4FDB7 0075 comdlg32.dll PrintDlgA
453 0009D734 7FE4613E 006E comdlg32.dll GetOpenFileNameA
454 0009D738 7FE4618F 0070 comdlg32.dll GetSaveFileNameA
455 0009D73C 7FE458D2 0069 comdlg32.dll CommDlgExtendedError
456 0009D740 7FE45FD2 006C comdlg32.dll GetFileTitleA
===============================================
As you can see - GetOpenFileNameA sorts out your blank .exe name problem.

Secondly, you know where +SplAj has explained that there will be 2 Kernel32!Ord_2F's close together. Well, in this case there is only one - the second one in your list. You need to use the technique he described and you will find that where you have obtained the first Ord_2F you should find "GetModuleHandleA" instead.

Here's your ReVirgin text file:-

198 0009D324 BFF67463 01F1 KERNEL32.dll GlobalAddAtomA
199 0009D328 BFF66DAF 01FE KERNEL32.dll GlobalLock
200 0009D32C BFF8B9D7 01F5 KERNEL32.dll GlobalDeleteAtom
201 0009D330 BFF6169B 002F KERNEL32.dll
202 0009D334 BFF6169B 002F KERNEL32.dll
203 0009D338 BFF66DF3 0204 KERNEL32.dll GlobalUnlock
204 0009D33C BFF66E15 01FA KERNEL32.dll GlobalFree

Here's mine ...

198 0009D324 BFF7748F 01E4 KERNEL32.dll GlobalAddAtomA
199 0009D328 BFF76DDB 01F1 KERNEL32.dll GlobalLock
200 0009D32C BFF9AF8F 01E8 KERNEL32.dll GlobalDeleteAtom
201 0009D330 BFF7771A 018D KERNEL32.dll GetModuleHandleA
202 0009D334 BFF7169B 002F KERNEL32.dll
203 0009D338 BFF76E1F 01F7 KERNEL32.dll GlobalUnlock
204 0009D33C BFF76E41 01ED KERNEL32.dll GlobalFree

The rest of your work is correct. Sort these two bits out and you are away.

I noticed that once I'd got my dumped file working, the message when you open the program didn't decrement the amount of uses anymore (mine's stuck at 38 out of 50 left). This means that the wrapper decrements the number - the virgin (dumped) Beatcreator.exe only reads it (therefore no wrapper = no program expiry!). Thus all you are left to do is nop out the nags - if you can be bothered.

Anyway, this is a fantastic program for beat manipulation. So good that I went and ordered the genuine version from Button today - I implore anyone else who's going to use it (once they've learnt how to unpack it) to do the same. Button deserve the money for this one.

Finally, many thanks to +SplAj for his posts on this topic - I wouldn't have been able to have sorted this out and learnt what I have without him.

Take care

att@kk

Exocist
July 21st, 2001, 08:00
hey att@kk

thanks for the info, I have this sorted now too, thanks to +Splaj and hence my thank-yous to him in the thread above. this was a good learning curve for me, thanks for taking the time to respond with such great info. You have enlightened me on a couple of areas I let 'slip through the gaps', thanks again, it is appreciated

-Ex

att@kk
July 21st, 2001, 18:09
Exorcist

No problem - just trying to help. I learnt a lot too as the only unpacking I'd done before was games (a couple of Codelok examples).

I take it you read a certain magazine then - this 50 try version isn't available off the ZeroX/Button website. Saw your original post and then by coincidence saw it in the shops on the magazine cover - I bought it on the strength of your post thinking it would be a good learning project.

If you want to have a go at some other cool stuff, the April issue (I think) of the same magazine had a load of 14 day limit Timeworks plug in demos on the cd. Didn't buy that one myself so haven't tried them but if you have it then they should keep you busy for a while.

Did you manage to sort out AWave? Regards ...

att@kk

+SplAj
July 25th, 2001, 05:27
....and for anybody who is still trying to unpack this target....

here is my preliminary tutorial, attached for your pleasure.....suits you sir

+Spl/\j
'patch+play' }>

Kilby
July 25th, 2001, 07:08
Splaj,

I found a similar redirect in a target a few weeks ago.

The internal calls were being redirected through the ASPR code, but there was no decryption taking place.

I can't remember what it was, but I will check my notes when I get home.

I certainly think that this is the authors simply using the aspr API rather than a new version.

Kilby,,,

+SplAj
July 25th, 2001, 08:47
Hi Kilby glad the 'Frankie Fingers' are behaving

I RV'd this target at the weekend cos ppl had a few probs with it. I noticed that stupid himem call but ignored it cos I just wanted to see if anything was new re RV v ASPR

I got one of those funny hunches last night and hacked away and traced the code , watched it xor, shl blah blah some 4xxxxx code so assumed it was decrypting

But in this game as in everygame ASSUME:NOTHING.

To test, I just re-built a regular OEiP dump (without calling that F1C774) and it seems to work also? and maybe only extensive use of the Awave features will show what tricks this decrypt /aspr call does? I was just happy to get a registered unpacked runner called Xwave at 2 am this morning :-)

I knew somebody would question that 'decrypt' statement in the tut :* Like I said it's a prelim for discompress.

PS "Alexey" hows the weather in Germany ? viagrakom.de, nice ISP, I connect to faaker.com

+SplAj

Kilby
July 25th, 2001, 10:06
Splaj,

the good Doctor did nothing about the fingers, I have just started reading what I have typed

I think the target was advanced directory printer, but my memory is a bit crap.

I ain't disputing what you found, rather I was expecting to come across something like that in the near future, but haven't as yet.

There was nothing other than jumping off to some aspr code, lifting the real address from a (small) table and jumping to the NORMAL addr.

All I did was modify the jump table to jump to the 'proper' address.

Two other strange things though;

1: I had to add 2 entries to the IT as they were completely missing from the app's IT (used when the dialogbox asks for the recursion depth).

2: The unpacked and rebuilt app didn't crash as often when there were a large number of directories & files to process :P

Apart from that the only other thing I had to do was to correct a spelling mistake in the app, and should have changed the default font size for the printouts.

All in all a strange unpack.

Kilby...

cerb^^
July 25th, 2001, 12:52
Hi,

+SplAj can you please explain how you get to the IAT length of 0x508. I can't find the right entry for that.


Thx
cerb^^

Exocist
July 27th, 2001, 14:11
Splaj,

you rock mate, I have learnt heaps from you. Your tutorial gave me a good laugh too when you mentioned about renaming the Awave.exe

quote "fuck off, I am a coding God", I believe you are haha, funny shit

thanks again for a sweet tutorial, I'm just about to start working on Awave again following your tut.

-Ex

+SplAj
July 28th, 2001, 04:26
LOL yes a coding god ...... I picked up some tips from woodmann a few weeks ago. I repeat the exercise once a week to keep in tip-top condition and I enjoy it soooo much........ the wife joins in sometimes.

Not sure if that thread is still available with the 30 day search curtailment :-( ....... maybe woodmann can put it in the faq cos it's such a good tip for aspiring RCE big heads

+Spl/\j }>

karmal
July 28th, 2001, 10:39
hi

+splaj, I have read your tut. I have a problem with it:
I cannot find the last entry (DialogBoxParamA). Could you explain to me how you found this entry?

thx

karmal

woodmann
July 28th, 2001, 13:17
Quote:
+SplAj (07-28-2001 02:26):
LOL yes a coding god ...... I picked up some tips from woodmann a few weeks ago. I repeat the exercise once a week to keep in tip-top condition and I enjoy it soooo much........ the wife joins in sometimes.

Not sure if that thread is still available with the 30 day search curtailment :-( ....... maybe woodmann can put it in the faq cos it's such a good tip for aspiring RCE big heads

+Spl/\j }>

ummmmmm, was I drunk or something?

Peace, Woodmann

Silly_prefix_Kilby ;)
July 28th, 2001, 15:07
Well if you use Imprec (ducks and covers), it happily shows the address pointed to for getmessageboxparama.

simply get to the oep and disassemble the address that you have noted down.

Kilby...