
Thread: WinSniffer 1.3 [ASPACK???]

  1. #1
    foxthree
    Guest

    WinSniffer 1.3 [ASPACK???]

    Hello:

    I'm pretty new to the cracking scene and here is some of my analysis on a product called WinSniffer (winsniffer.com). Current Version is 1.3

    I *think* it is ASPACKed (though no clue as to the version and such) [ How: Run WinHEX and search the memory for ASPACK String and lo there it is]

    I'm trying to unpack this and am 95% successful (almost !)

    Here is what I've done:

    1. Loaded the target under revirgin (thanks, tsehp) and traced and found the OEP: [004104FF, am i right btw?]

    2. Dumped the target at this location using procdump [is this correct way of doing things or should i use icedump]

    3. Using Revirgin complete rebuilt the IAT. <--- ROCKS!!!

    4. 2-3 IAT entries were not found, so I traced and found them all.

    5. Created a section and patched the generated IT.bin into this. So now I have a completely IAT re-built WSMDI.exe

    6. Reset the OEP using the PEditor tool.




    However, when I run this app, it crashes stating that 0x77fc97a0 referenced memory at 03f3df08 (inside ntdll.dll) I'm stumped as to why this has to happen. I followed Predator's tutorials to the word and I think I'm almost close to completely unpacking this program.

    Any clues/insights as to what is happening will greatly help me. I'm attaching the revirgin generated IAT.txt file for analysis

    Thanks to all the good "gurus" here in advance,

  2. #2
    SpeKKeL

    aspr....

    Hajo,


    Yep, aspr-protected (not protected with the latest aspr!).
    Okee, your oep = correct, 4104ff.

    First look at eax around 415240 after getmodulefilename; hardcode the number in your dumped.exe in some way or bypass.
    Again on the call at 4105b6.

    Didn't compare your whole resolved.txt file, but the 2 api-calls on
    0003B348 and 0003B34C aren't correct I think. Just replace by:

    0003B348 017FC968 002F KERNEL32.dll
    0003B34C 017FC960 002F KERNEL32.dll

    After this all should work...



    SpeKK
    Last edited by SpeKKeL; February 15th, 2002 at 06:29.

  3. #3
    Hi

    I have rebuilt the IT and found:

    0003B348 KERNEL32.dll LockResource
    0003B34C KERNEL32.dll GetCommandLineA

    Include IT

    Regards

  4. #4
    SpeKKeL

    Yep, you're right!

    Yep that's better !!

    overlooked >>0003B34C KERNEL32.dll GetCommandLineA!
    Now you don't have to correct the addresses I mentioned.


    Set bpx getversion when the prog is loaded in si and see where the api's are stored in memory (1803640 for getcommandlinea).



    SpeKK
    Last edited by SpeKKeL; February 15th, 2002 at 08:26.

  5. #5
    foxthree
    Guest

    Thanks but still not working! :-(

    Hi SV/Spek:

    Thanks for all your tips. Yep, I got it right this time and everything seemed so cozy. Until I ran the executable. Just nothing! Absolutely nothing. I tried to debug it in softice but it wouldn't even execute 1 single instruction.

    What's happening here? Any ideas? I tried to put INT 3 at the OEiP, still nothing, just an hourglass and nothing!

    Any ideas would greatly help clear my ignorance.

    BTW, my unpacked executable is around 2.3 Megs. Is that what you guys have got too?

    (My IAT is not EXACTLY same as you guys, if it helps)

    Thanks

  6. #6
    SpeKKeL

    Try to find out why your iat is different...,
    Try s.v's resolved iat in your dumped.exe (should work)
    Yep dumping will give 2.3 mb but realigning the file will reduce it
    to 500k.

    SpeKK

  7. #7
    foxthree
    Guest

    Still not working

    Hi Spek:

    Thanks for all your help. But I'm still not able to make this work. However, I apologize for a small mistake that I'd made in my previous post. Actually, my rebuilt IAT is exactly the same (I typed NOT). Sorry!

    I'm attaching my IAT (rebuilt) .txt file. Just see if everything is fine. I'm rebuilding on Windows 2000 BTW. Is this a problem? Also, when I try to run this application, (after final rebuilding the 2MB one), it just fails to load NTDLL.dll by giving some page fault error. That is why my app is not running I guess.

    Also, what version of ASProtect is used to secure this application? How do I find this? Is there any tool?

    Thanks once again for all your help and time. I really appreciate it.

    Regards
    FoxThree

  8. #8
    SpeKKeL

    Strange,

    Yep, just a little difference in the iat at 3B178 (check it out), but I don't
    think your problem lies here. (I pasted your resolved.txt into my dump and it ran without probs.)

    Try make a new dump.
    (make sure you don't have any breakpoint set at dumping)

    You can make them in several ways try this:
    Icedump from the oep /pedump 400000 104ff dumped.exe
    And now use r.v. to rebuild.
    or
    Trace till the oep> put a jmp eip at the oep >use pe- editor/procdump to make a full dump.
    Use hiew to correct the location 4104ff (jmp 4104ff )into push ebp :mov ebp,esp and now rebuild.
    I use w98 but w 2000 should be no problem ??


    Well, don't know what version of aspr this is; you can use some
    file inspectors/analysers.... lots to find on the web.

    SpeKK





  9. #9
    foxthree
    Guest

    Thanks, I'll try

    Hi SpeK:

    Thanks for your patience with me. I'll try whatever you've said and I'll get back to you.

    Once again,
    Thanks, man

    Signed,
    FoxThree

  10. #10
    foxthree
    Guest

    Still not working :-(

    Hi SpeK:

    I tried whatever you said. It still did not work. I'm jus' getting lost. When it seems to work fine for you, why wouldn't it for me? In fact, like you said, the IAT differs in only one place. In fact, this time I chose your IAT.txt and rebuilt. Still the same problem. When I try to debug the rebuilt application using W32DASM I get this:

    The first thing it tries to do is to load up NTDLL.DLL at 77F80000. Then immediately it throws up this error in a dialog:

    The thread tried to read from or write to a virtual address for which it does not have access at EIP 77e878c1.

    Any clues? Also, if you don't mind, can you upload your rebuilt WSMDI.exe so that I can try to run that here and see if that works?

    Also I think the dump I get is just fine. I tried the same approach with a couple of other apps that are ASPROTECTED like CoolMouse without any problems:

    The method I try is:

    (1) Load Process into RV Tracer
    (2) Wait till it breaks on OEiP (in our case RVA-104FF right?)
    (3) Just switch to Pdump and dump the process (remove all the unnecessary options in PDump before doing this, right?)

    Is this method ok? or is this a bug in RV?

    Any other ideas/ suggestions? Is my Win2K a problem (it is without SP). What else? Man, I'm at the end of my wits here...

    Thanks for all your patience,

    FoxThree

  11. #11

    I do think it's a bug with RV

    Yeah, I do think it's a bug with RV because I have both win 98 and win 2k running; RV gave me a slightly different IAT for the same program and sometimes RV does not export IT.bin properly and automatically gave the IT an address of 2ABCFEAA or something weird like that when I select auto fixed section...

    I just keep trying and it works sometimes... maybe I am doing something wrong but I do find RV behaving weirdly sometimes... or maybe it's an anti-RV trick by AsProtect; Alexey frequents crackers' boards often I heard....

    The only foolproof method I tried so far is to use ImpRec to get the normal IAT without auto trace (because RV doesn't provide that option, or else I would prefer RV personally) and then manually replace the rest of the IAT input, normally about 40ish of them.. it's a sure work way!!!

    AsProtect is really a bitch really...

  12. #12
    Hi foxthree,

    OK, I am not sure this helps but try anyway... I was checking evaluator's post on deadlisting of the IAT, I found that mine are quite different (evaluator: I am using win98se)... but I notice the order is the same, as in the order of the offset and the Import...

    There is one entry in winsniffer like this :
    207 0003B348 017FC968 0000 ?????? ??????

    try u 17fc968; it will show you a proc with ret 4 and below it another proc with ret 4. Compare the 2 procs, they are slightly different... I tried putting this entry 207 as FreeResource and the prog quits silently... try with LockResource, it runs...
    Looking at the deadlisting by evaluator I found out that LockResource will normally come before FreeResource but I am not sure... digisecret and commview have the same pattern... maybe this is the problem for you?

    tsehp, I found the bug in RV now: when I load a saved resolved with RV, RV will not read the last import if it is the only import from another dll, like this case of winsniffer:
    426 0003B6D8 7FF482A8 00D7 ole32.dll OleUninitialize
    427 0003B6DC 7FF4F578 00C0 ole32.dll OleInitialize
    428 0003B6E4 7FE54D20 0008 oledlg.dll OleUIBusyA
    eof
    RV will not load the last import from oledlg.dll unless I make it look like this:
    426 0003B6D8 7FF482A8 00D7 ole32.dll OleUninitialize
    427 0003B6DC 7FF4F578 00C0 ole32.dll OleInitialize
    428 0003B6E4 7FE54D20 0008 oledlg.dll OleUIBusyA
    428 0003B6E4 7FE54D20 0008 oledlg.dll OleUIBusyA
    Maybe that is why I get erratic results cos I tend to save then load stuff!!!

    That is all for now, please correct me if i am wrong...
    Thanx

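A small checker for the resolved-listing format quoted in the post above, added here as an example (it is not RV's, ImpRec's or any poster's code): it parses the `idx RVA value hint dll api` lines, groups thunks by DLL so that a trailing single-import DLL keeps its own group (the case the post says RV drops), and checks that each DLL's thunk array is followed by the 4-byte null slot. Entries 426-428 are the ones quoted in the post; entry 425 is an invented unresolved slot.

```python
import re

# Constructed sample in the "idx RVA value hint dll api" layout of the resolved listing
# quoted in the thread; entries 426-428 are as quoted, 425 is an invented unresolved slot.
SAMPLE = """\
425 0003B6D4 017FC968 0000 ?????? ??????
426 0003B6D8 7FF482A8 00D7 ole32.dll OleUninitialize
427 0003B6DC 7FF4F578 00C0 ole32.dll OleInitialize
428 0003B6E4 7FE54D20 0008 oledlg.dll OleUIBusyA
eof
"""
LINE = re.compile(r"^(\d+)\s+([0-9A-F]{8})\s+([0-9A-F]{8})\s+([0-9A-F]{4})\s+(\S+)\s+(\S+)$", re.I)

def parse_resolved(text):
    """One dict per listing line; '??????' placeholders become dll/api None."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "eof":
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError("unparseable line: " + line)
        idx, rva, _val, hint, dll, api = m.groups()
        bad = dll.startswith("?")  # still needs manual tracing
        entries.append({"idx": int(idx), "rva": int(rva, 16), "hint": int(hint, 16),
                        "dll": None if bad else dll.lower(), "api": None if bad else api})
    return entries

def group_by_dll(entries):
    """Runs of resolved thunks per DLL in file order; a trailing single-import DLL keeps its own group."""
    groups = []
    for e in (x for x in entries if x["dll"]):
        if groups and groups[-1][0] == e["dll"]:
            groups[-1][1].append(e)
        else:
            groups.append((e["dll"], [e]))
    return groups

def check_layout(groups):
    """Thunks sit 4 bytes apart inside a group; the next group starts 8 bytes on (4-byte null terminator)."""
    problems, prev_end = [], None
    for dll, ents in groups:
        for a, b in zip(ents, ents[1:]):
            if b["rva"] - a["rva"] != 4:
                problems.append("%s: hole between %08X and %08X" % (dll, a["rva"], b["rva"]))
        if prev_end is not None and ents[0]["rva"] - prev_end != 8:
            problems.append("%s: no null terminator before %08X" % (dll, ents[0]["rva"]))
        prev_end = ents[-1]["rva"]
    return problems
```
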
  13. #13
    Al Solodovnikov
    Guest

    huh

    Originally posted by binh81
    AsProtect is really a bitch really...
    And it's just a beginning. You'll forget about RV and ImpRec soon.

    ---
    Alex VeryLongRussianSurname

  14. #14
    foxthree
    Guest

    binh81, you're right

    Hi binh81:

    Thanks for your tips. I tried every one of them. I concur with you: There are few bugs (like the weird RVA problem when pasting IAT) when I run on Win2K. I do not have a Win98SE at present where I can test whether my earlier built IAT would work.

    I've tried whatever you've told but still no luck. Same old NTDLL.DLL problem. Ugh!

    Also, I noticed a few things:

    (*) In my rebuilt IAT there were 2 references to LockResource. Why? (ASprotect trick or RV bug)
    (*) Why are the hint values in RV off by 1, i.e. if the hint value for an exported API in KERNEL32.dll is say c5, in RV it comes out as c6. Why? Is it OK? Any explanations (tsehp?)

    All I can say at the moment is that, by mistake, I chose a wrong ASPROTECTed target. I should've chosen something in the tuts, tried that, and then come back to this. What really frustrates me is that I still do not know what I've done wrong. Spek says it works fine for him in Win98 (with *my* rebuilt IAT)? So what gives in Win2K?

    May be like Alexey has written above: Is it time to upgrade Revirgin?

    With many more such questions in mind:

    Signed,
    -- FoxThree

    PS: BTW, binh81, the bug about OLEDLG.DLL is very correct! I'm also able to reproduce it here!

  15. #15
    me8
    Guest
    hhh, i believe reversing gods are able to reverse anything in the world....ones protect, others deprotect, who wins :-))
