
Thread: In Win2K how to defeat the anti-debug trick of ASProtect?

  1. #1

    In Win2K how to defeat the anti-debug trick of ASProtect?

    In Win9x, with the aid of SuperBPM, IceDump, and FrogsICE, it is comparatively easy to bypass these tricks. Some tricks can be defeated manually using SoftICE/TRW2000.

    But in Win2K, these tools don't work any more (I can't find the corresponding version of SoftICE to let it work with IceDump).

    Recently I just want to go further on unpacking. Sure, ASProtect is a good choice for practice; I have experience of manually unpacking earlier versions of ASProtect. But it seems difficult to find the OEP of the latest version because breakpoints seldom get hit.

    I heard the following anti-debug/anti-unpacking tricks may be used in ASProtect:
    1. IDT check
    2. clear debug register dr0~dr7
    3. MeltICE
    4. INT 3 backdoor of SoftICE
    5. BPX detection
    6. lots of SEH
    7. CRC
    8. polymorph
    9. API hook & redirect & emulation
    ......
    Some of the above are privileged operations, so they need administrator token in Win2K Server.

    My question is:
    How to bypass the anti-debug tricks in order to find the OEP? Is there a convenient way?
    Yes, this target has been talked about too much, but I have no clue how to find the OEP yet. And thank you for your guidance.
    Last edited by Solomon; September 14th, 2001 at 03:05.

  2. #2
    tsehp
    Brand new emerging tool to do this:

    the revirgin tracer, download and see the readme.

    in summary, the rv tracer allows you to run the app and define like icedump's tracer some oep domains to freeze the app.

    When you locate the oep, actually use procdump on the beta and it works, so you don't need sice or another tool to be loaded any more.

    My tracer actually has very small countermeasures against detection, but when some appear, I'll code some countermeasures ASAP.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #3
    +SplAj
    In the mean time.....

    If you have the DriverStudio version of SI and have downloaded the latest NTICE.SYS for XP/2K from Compuware, then I can tell you the offsets to patch in Nmtrans.dll / Ntice.sys / and Siwvid.sys so as to hide your SoftICE in Win2K.

    Also, to get to the OEiP for an ASPR target in Win2K, follow the Int2E about 21 times and you're nearly there. I won't post the exact solution here (yet) cos RV will find the OEiP for you, so Alexey should not be concerned with a manual trick.

    Also, the problem I see from testing RV with the tracer is you HAVE to know what the f*ck you are doing with ASPR EiP tricks, and one way is to follow the RET at the ASPR OEiP and see the 'higher' code (eg 550000) it rets to, then set a trace between 401000 and that 550000.

    Normally aspr dips a couple of times back into real code and sets a few redirection pointers , maybe Initializing some critical sections (greetz Nchanta) before finally being at the OEiP so you should LOG all those entries cos you will have to make a JMP patch to fix your dump as well as tracing the redirected code back to the original code and patching that as well.

    I point you to w*w.glocksoft.com (AAAnalyzer 1.06 & EasyMailf as current ASPR targets) See the tricks :-)

    have phun as usual :-)

    +Spl/\j
    Carve my name into your arm :)

  4. #4
    Thank you +tsehp and +SplAj

    Now I have all the SoftICE versions(got from w**.exetools.com), including DriverStudio v2.0, v2.01 and v2.5b2. And I downloaded the latest patch NTICE.SYS from Numega's site(http://www.compuware.com/products/numega/drivercentral/resources/whistler.htm).

    INT 2E occurs too frequently coz many progs invoke this for sys service.
    Last edited by Solomon; September 17th, 2001 at 22:25.

  5. #5
    +SplAj
    Patching SI DriverStudio 2.x in Win2K/NT4
    =========================================

    (c)2001 SplAj

    Objective :- To hide SI from lame detector code :-)

    1) NTice class driver check(meltice)
    2) BHCK boundschecker check
    3) GF,MJ check
    4) UnhandledException check
    5) SIWVID class driver check
    6) Int 1
    7) Actual installation of SI in the registry.....
    etc

    Approach :- Understand the tricks/methods of detection
    and trick them in return :-)

    WARNING
    =======
    Patching system drivers like NTICE.SYS is VERY risky. Please
    do not blame the MB or its owners/admins for any PSOD that may
    occur after patching (....looks purple on my Sony ). You patch and
    play at your own risk; make sure you reset the CHECKSUM !!! - use LordPE.

    I chose 'xTice' as the replacement for NTice. It can be any ASCII character.

    A) NTICE.SYS (in sys/drivers)
    =============================

    (Latest update ICEBABY from compuware: 'ver'== DriverStudio tm 2.01 (build57)
    file size 1,275,590 says 4.2.1 (build 58) in properties.)

    patch the following offsets : (but LOOK 1st !)

    1) 1FC63 : GF.......MJ to xF........xJ
    2) 4869B : Kernel32!UnhandledEx..... to 32!xnhand
    3) CE2C0 : Unicode N.T.i.c.e to x.T.i.c.e
    4) CE2E4 : Unicode N.T.i.c.e to x.T.i.c.e
    5) CE990 : Unicode N.T.i.c.e to x.T.i.c.e
    6) CEC30 : B.c.h.k.d to x.c.h.k.d
    7) D6150 : Ascii NTice to xTice

    reset checksum ! and make a backup !

    B) NMTRANS.DLL (in SI directory)
    ================================

    1) patch the ASCII \\.\NTice to \\.\xTice
    (MUST match the 'x' to same as NTICE patch)

    C) SIWVID.SYS (in sys/drivers folder)
    =====================================

    2 patches:- Look for UNICODE \S.i.w.v.....
    and replace with \.x.i.w.v.......

    reset checksum ! and make a backup !

    REBOOT and check for the presence of SI with 'detect.exe'
    included as a zip attachment.

    +Spl/\j
    (c)2001
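    The checksum SplAj says to reset after every patch is IMAGE_OPTIONAL_HEADER.CheckSum. The script below is an added example, not from this thread or from LordPE: it computes the field the way Windows does, rewrites it, and uses the same comparison as an integrity check that flags an image modified after linking. It runs on a constructed 256-byte PE stub rather than a real driver; the stub's layout and the string at 0xC0 are assumptions of the example.

```python
"""PE header checksum: compute, set and verify IMAGE_OPTIONAL_HEADER.CheckSum."""
import struct

def _checksum_offset(data: bytes) -> int:
    # e_lfanew + 4 (PE sig) + 20 (file header) + 0x40 = CheckSum field (PE32 and PE32+)
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 0x58

def pe_checksum(data: bytes) -> int:
    """Same algorithm as imagehlp CheckSumMappedFile: sum all 32-bit words except
    the CheckSum field, with end-around carry, fold to 16 bits, add file length."""
    skip = _checksum_offset(data) // 4
    padded = bytes(data) + b"\0" * (-len(data) % 4)   # ragged tail is zero-padded
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)   # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF

def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, _checksum_offset(data))[0]

def set_checksum(data: bytes) -> bytes:
    """Copy of the image with the CheckSum field rewritten (what a 'reset' does)."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, _checksum_offset(buf), pe_checksum(buf))
    return bytes(buf)

def checksum_ok(data: bytes) -> bool:
    """Integrity check: stored != computed means the file changed after linking."""
    return stored_checksum(data) == pe_checksum(data)

def build_sample_image() -> bytes:
    """Constructed 256-byte MZ/PE stub (not a real driver) with one ASCII string."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)    # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x58, 0x10B)   # OptionalHeader.Magic = PE32
    buf[0xC0:0xC6] = b"NTice\0"                # stand-in for a device-name string
    return bytes(buf)
```

    Changing a single byte of the string (as the patches above do) breaks the stored value, which is why a dumped or patched file must have the field recomputed before the loader, or an integrity checker, will accept it.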

  6. #6
    +SplAj
    the attachment ..........

  7. #7
    That's great!
    The unicode string "\\.\Siwvid" in NTICE.SYS also needs to be changed, or the SoftICE window will not pop up.

    After the above modification, SoftICE can be detected only by int 1.

    Many Thanks!


    BTW:
    I got many errors (runtime access violation error) when running the dumped G-lock EasyMail v3.22 build 100. Don't know why.

    I took the following steps to dump it:

    1. Find the OEP manually(OEP = 006EAFC0):
    xxxxxxxxx: POPAD
    015b4283: JMP EAX

    2. change the JMP EAX to JMP EIP, then use ProcDump to make a full dump, with the following options checked:
    Recompute object size
    Optimize PE structure
    Use actual import infos

    3. Use "Import REConstructor 1.2 Final" to resolve the import functions and paste the new IT into the dumped exe. Only 5 functions have to be manually resolved:
    2F5280: GetCommandLineA
    2F541C: (use GetModuleHandleA to emulate RET 4)
    2F5488: GetVersion
    2F54FC: GetCurrentProcessId
    2F550C: (Use SetLastError to emulate RET 4)

    4. Change the EntryPoint of the dumped exe to 2EAFC0(6EAFC0).

    Then run it, but there are too many runtime errors. What's wrong with what I did?

    Sorry for so many questions/requests
    Last edited by Solomon; September 18th, 2001 at 00:26.

  8. #8
    +SplAj
    Solomon

    great work to find that last code before JMP EAX .... I so enjoy that in Win2K. More satisfying than waiting 30 mins for Icedump to do everything

    Please use RV now in Win2K, Tsehp worked VERY hard to bring us the tracer and API emulator. Works great :-)
    For any RET004 use the LockResource API, this is the correct one. Anything else will corrupt the stack (plain ret) or EAX has a new value or worse 0 !!!

    RV is auto coded to paste LockResource ..............

    I unpacked and fixed EasyMail3.22 in 15mins under Win2K + RV. That's 4x as fast as usual in Win98/ME.

    I enclose my RV resolved.txt and IAT to paste at 0x3FD000

    Also patch those bytes at offset 0x2C7068 ..4E 4F 54 20 etc
    with a hex '0D' then any name you like to replace the rest of the text 'OT REGISTERED'.. like +Spl/\j :2001 - fits perfect

    Also try LordPE to dump...........

    +Spl/\j

  9. #9
    tsehp
    Guest
    The api emulator works now on win98; oep are also very easy to find using rv's tracer on win 2k, read the manual.
    I usually choose eip stop domain 400000 until 600000 and press "until back" all the time, until the listing shows the usual
    push ebp
    ... without any rets in proximity.

    then you dump with procdump (rv's new function pretty soon I promise)

    only a very small problem resides, aspr just tests sometimes for the iat tracer to have arguments, like a call to an api function, so that's why some getprocaddresses are not found and the tracer lands into nowhere, actually enter the api address manually and I also soon fix this.

    another target from glocksoft, awaiting better....

    analyser.exe has some tests to detect if aspr is present or not.
    first dump and resolve with rv, the last entry that is not found by api emulator doesn't work with the tracer (soon ) but you can enter address of getprocaddress

    then dump with rv + procdump oep is 504154
    empty all the bytes around 508430 , it's still the mem alloc trick, first discovered by splaj on wswatch

    you've got a redirected call by aspr here :

    seg000:00504170 change this
    seg000:00504170 ; was redirected into aspr to reach 503cec
    seg000:00504170 call sub_503CEC
    seg000:00504175 nop

    and finally remove the nag here :

    seg000:00447CD1 change this
    seg000:00447CD1 mov eax, 2
    seg000:00447CD6 nop
    seg000:00447CD7 test eax, eax

    included is the usual it.bin + rv resolved import's text file.

    Does someone have the new aspr sdk? I'd be interested to see how it is asked to include such tests inside the target.

    regards,

  10. #10
    I learned a lot from this post and successfully unpacked several asprotected progs with RV. Thank you masters

    BTW:
    some data for Advanced Administrative Tools v4.31 build 720
    OEP = 0061A598
    RVA of IAT = 2221E0, length = A34
    one redirected call:
    CS:0061A5B4 call [0061EE4C] ===> call 00619B7C

  11. #11
    exit_2
    What SuperBPM does in Win9x, NTdump's "Preserve BPM" (part of NTiceSET) tries to do in NT.

  12. #12
    Uradox
    A small post much later

    I did the patching required to hide ntice DS 2.7; the sice window wouldn't show when requested. Found some patches that did the same thing as posted here - they did the same.
    Just curious if this is a common problem?

  13. #13
    Uradox:

    One can assume that you have made a patch in the wrong place. Did you try the patch posted by nikolatesla20 in the Tools of the Trade Forum here on 10-23-02, titled: "Driver Studio *2.7* anti detect patches" It works fine on my Win2k Sp3. We have not had reports here of anyone losing the SI window after using that patch.

    If you used the exact addresses shown in the Solomon thread it is extremely unlikely that they would work because that was a discussion of "'ver'== DriverStudio tm 2.01 (build57) file size 1,275,590 says 4.2.1 (build 58) in properties.)" +Spl/\j cautioned to "Check first" for the proper addresses. Did you "check"???

    Try reloading SI and try nikolatesla20's patch.

    Regards.
    JMI

  14. #14
    Uradox
    Ah yes my stupidity for not checking offsets
    Sorry
