
Thread: RegOrganizer 1.3B4: Questions and More Questions (sv / +spl/\j guru!)

  1. #1
    foxthree
    Guest

    RegOrganizer 1.3B4: Questions and More Questions (sv / +spl/\j guru!)

    Hi Folks:

    I'm literally at my wits' end with Reg. Organizer. It all started with me reading +spl/\j guru's post on ASProtect 1.4!!! ;-). I wanted to try out Reg. Organizer, which has two weirdo ASProtect functionalities.

    (1) As +spl/\j mentions, we no longer have our GetWhatWeWantAPIs in one convenient place. The IAT is full of holes (thanks to sv and +spl/\j for an earlier post clearing my doubts about this).

    (2) Asprotect does double dipping! (Still not clear about this one)

    See, I've managed to work out part 1 perfectly. But whenever I attempt to understand part 2 of the trick, I hit an empty wall.

    Moreover the problem is compounded by the fact that this particular target is updated weekly (the week before last was Beta 2, last week Beta 3 and now Beta 4), hence I'm unable to get reference values for understanding part 2.

    So, with all my frustration growing inside me, I finally downloaded 1.3 B4.

    I've managed to find the following:

    1. ASPR dips into code at 00412A7C
    2. Back to OEiP at 00401000

    Now the problem I'm having is: where to dump? Should I do it at 00412A7C or at OEiP (like we always do)? +spl/\j mentions to dump earlier and patch the jmp 00401000. But my question is: how is this done? In my disassembly (after dumping at 00412A7C) such an instruction is not present.

    SV mentions the same thing about RegOrg 1.2Beta 3 ("There is a call (412d34) to do before OEP (401000). "). I also have a similar situation (412A7C before 00401000).

    Again, how is this done? Should I dump it at 412A7C? After that, what? Because again, after doing some init at 412A7C, we go back to ASPR. So if we dump here, we still have some unpacked code, right?

    To add to all this, there is a good tut by nchantA where he explains how to unpack EBook Processor 2.2. I have exactly the same code layout when I break at 00401000: I have a jmp 00401012. Now in this tut, he says to look down until the first jmp occurs. In our case it occurs at 00526C88. So according to his tut, OEiP RVA = 126C88 and he does a /pedump in icedump.

    I did the exact same thing, but when I run my rebuilt app, it crashes at 00526C94 (Invalid Page Fault :-<).

    What am I doing? Please please please clear my doubt. I'm going crazy with this!

    Signed,
    -- FoxThree

    PS: Sorry for this lengthy post but I needed to get this one off my chest ;-). Thanks once again to sv and +spl/\j for helping me out with the earlier "IAT hole theory"
    Last edited by foxthree; March 6th, 2002 at 19:58.

  2. #2
    foxthree
    Guest

    Attaching rebuilt IAT for ref.

    Hi:

    Sorry me again <grin>. I'm attaching my rebuilt IAT.txt file for reference.

    Pls. pls. throw some light on this one....

    Driving me kwazy.... :-(

    Signed,
    -- FoxThree
    Attached Files

  3. #3
    Hi Foxthree,

    I think Spl/\j has been busy, he hasn't posted anything for weeks... my post regarding this initialisation was not answered either... guess no one has yet found out what AsProtect really does in those "dip ins"..

    I tried to see what AsProtect does when it dips into the original code, but I did not gather much... anyway, as Tseph and Spl/\j pointed out some time ago... if you skip those two initialisations and then dump at OEP = 401000 as usual then it works no problem...

    Yeah, i did that and have a working dump now...

    Hope that helps.

  4. #4
    +SplAj
    Join Date: Feb 2001
    Location: Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria
    Posts: 373

    double-dip solution

    Hi fellow RCE's. It makes me happy to see 2 new guys here (bin81 & fox3). I have seen all your posts and you are making some good contributions. Thanks and welcome.

    hmmm D-D....

    I thought it was made clear that in *most* cases the reason for D-D is to initialize some memory and/or set some variables BEFORE OEiP as an anti-dump measure.

    There are a couple of things to do (after learning a LITTLE ASM) :-

    1) At 1st dip manually RET back to ASPR WITHOUT calling the code
    and DUMP at OEiP. ie SKIP this call.

    2) Let the code run to OEiP and then DUMP... and manually CLEAR the .data area that has been flagged with 'initialized ok' and/or variables set with hex editor.


    Ok.

    Rebuild IAT etc etc.

    Now EXAMINE the code at OEiP. Is there enough space to CALL the 1stDip code and let it RET as is? For me, with RO v123 built on 19th January, I did the following :-

    OEiP 401000
    1stDip 419A2C

    So at OEiP I re-coded to CALL 419A2C and then immediately after JMP 401012 to skip some unwanted bits ? and continue. This worked for me. However what I would recommend is to find a spare block of 000000000000000000 to code some changes.

    ie change OEiP to your new location and then CALL 1stDip and then JMP OEiP

    hmmm is that enough ?

    Ok i'll d/l the latest RO and maybe I can help you exactly- if we all get the same build !!!

    Also use LordPE to Dump/hex edit. It's the best way so far.

    Spl/\j


    PS. I was busy...... then had an accident, so I spent a few weeks with the men in white coats but i'm back now, not full time tho.
    Carve my name into your arm :)

  5. #5
    Hi foxthree

    As +SplAj said, I have done exactly the same process :

    Dump at 401000 without call 419A2C execution.
    Rebuild and paste IT.
    Recode a small code at free space : call 419A2C & jmp 401000.
    Change EOP to this piece of code.

    I don't remember if there is an indirect call, as sometimes used in ASProtect.

    Regards
    SV

  6. #6
    +SplAj

    here it is....

    Hello again
    and special greets to sv ...BIG hello m8

    now I can confirm the following regarding RegOrganizer v1.3b4

    OEiP 401000 duh !
    1stdip 412A7C

    Break at 412A7C and set EIP to the RET. Or clear the area around offset 0x1CA980 to reset flags/variables with 00 for about 50 bytes or so.

    ImportTable has 505 entries from 1D1134 TO 1D212C

    Tricky API :-
    Line 35 1D13F0 == FreeResource
    Line 38 1D13FC == GetCommandLineA
    Line 40 1D1404 == GetCurrentProcessId
    Line 59 1D13FC == GetModuleHandleA
    Line 62 1D145C == GetProcAddress
    Line 76 1D1494 == GetVersion
    Line 104 1D13F0 == LockResource

    make a new IAT/IT to fit at 0x2C1000, save as IAT.bin and use LordPE to add a section from disk. Fix up header etc etc....

    replace ASPR high call at RVA/raw 0x199398 == 8C 2D 41 (call 412D8C)

    D-D fix :- make bytes at RVA/raw 0x1000 == E8 77 1A 01 00 EB 0B

    401000 CALL 412A7C
    JMP 401012


    That's ASPR 1.4 gone

    Spl/\j
    Carve my name into your arm :)
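
    The stub the last three posts describe, as an added example that is not code from the thread or from +SplAj/SV: it encodes CALL 1stDip ; JMP resume either over the OEiP (the E8 77 1A 01 00 EB 0B bytes above) or into a spare block of zeros with the entry point moved there. Addresses are VAs of the running process; the raw offset used for writing, the free-block address 6C0F00 and the patch() helper are assumptions (in the thread RVA == raw for this dump, so RVA 0x1000 is file offset 0x1000). The decoder turns the bytes back into targets so the displacement can be checked before the dump is written.

```python
"""Encode the ASProtect double-dip fix-up stub for a dumped PE.

Added example, not code from the thread. Given the OEiP, the address of the
1st-dip routine and the address to resume at, it builds the bytes to write
over the OEiP (+SplAj's variant) or into a spare block of zeros (SV's
variant, with the entry point moved to the stub). All addresses are VAs;
raw offsets are an assumption (RVA == raw for the dump in the thread).
"""
import struct


def rel32(instr_va, instr_len, target_va):
    """Displacement of a rel32 CALL/JMP: target minus address of the *next* instruction."""
    disp = target_va - (instr_va + instr_len)
    if not -0x80000000 <= disp <= 0x7FFFFFFF:
        raise ValueError("target %#x out of rel32 range from %#x" % (target_va, instr_va))
    return disp & 0xFFFFFFFF


def call_rel32(va, target):
    """E8 rel32 (5 bytes)."""
    return b"\xE8" + struct.pack("<I", rel32(va, 5, target))


def jmp_rel32(va, target):
    """E9 rel32 (5 bytes)."""
    return b"\xE9" + struct.pack("<I", rel32(va, 5, target))


def jmp_short(va, target):
    """EB rel8 (2 bytes); raises if the target is more than +-127 bytes away."""
    disp = target - (va + 2)
    if not -128 <= disp <= 127:
        raise ValueError("target %#x out of rel8 range from %#x" % (target, va))
    return b"\xEB" + struct.pack("<b", disp)


def jmp_auto(va, target):
    """Short form when it fits, otherwise the 5-byte near form."""
    try:
        return jmp_short(va, target)
    except ValueError:
        return jmp_rel32(va, target)


def dd_fix_at_oep(oep, first_dip, resume):
    """Stub written over the OEiP: CALL first_dip ; JMP resume.

    resume is the first original instruction kept after the overwritten
    bytes (401012 in the thread, where the original OEP code also jumped)."""
    call = call_rel32(oep, first_dip)
    stub = call + jmp_auto(oep + len(call), resume)
    if resume < oep + len(stub):
        raise ValueError("stub of %d bytes would overwrite the resume point" % len(stub))
    return stub


def dd_fix_in_free_space(stub_va, first_dip, oep):
    """Stub placed in unused zero bytes: CALL first_dip ; JMP oep.

    Nothing at the OEiP is overwritten; the PE header's entry point is
    changed to stub_va instead."""
    call = call_rel32(stub_va, first_dip)
    return call + jmp_auto(stub_va + len(call), oep)


def decode_stub(stub_va, stub):
    """Decode a run of E8/E9/EB instructions back to (mnemonic, target) pairs,
    so the encoded bytes can be checked against the intended addresses."""
    out, va, i = [], stub_va, 0
    while i < len(stub):
        op = stub[i]
        if op in (0xE8, 0xE9):
            disp = struct.unpack_from("<i", stub, i + 1)[0]
            out.append(("call" if op == 0xE8 else "jmp", (va + 5 + disp) & 0xFFFFFFFF))
            i, va = i + 5, va + 5
        elif op == 0xEB:
            disp = struct.unpack_from("<b", stub, i + 1)[0]
            out.append(("jmp", (va + 2 + disp) & 0xFFFFFFFF))
            i, va = i + 2, va + 2
        else:
            raise ValueError("unexpected opcode %#x at +%d" % (op, i))
    return out


def patch(dump, raw_offset, new_bytes):
    """Return a copy of the dump with new_bytes written at raw_offset."""
    if raw_offset < 0 or raw_offset + len(new_bytes) > len(dump):
        raise ValueError("patch does not fit inside the dump")
    out = bytearray(dump)
    out[raw_offset:raw_offset + len(new_bytes)] = new_bytes
    return bytes(out)


if __name__ == "__main__":
    # RegOrganizer 1.3b4 numbers from the thread: OEiP 401000, 1st dip 412A7C.
    stub = dd_fix_at_oep(0x401000, 0x412A7C, 0x401012)
    print(stub.hex().upper(), decode_stub(0x401000, stub))
    # Variant with the entry point moved to an assumed free block at 6C0F00.
    far = dd_fix_in_free_space(0x6C0F00, 0x412A7C, 0x401000)
    print(far.hex().upper(), decode_stub(0x6C0F00, far))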

  7. #7
    Hi SplAj, *the arrogant bastard* :>

    Yep, thanx for the welcome thought, I have never received so much help and guidance before and I should be grateful to the board and the people here ... Yep, Thank you all...

    OK, back to business... :>... so far my finding for Reg Organizer is that the dip at 412A7C allocates heap memory and sets up an initialisation flag like you said... also I think it checks for the key file "regon.bin" with the hash table to check our registration status...

    I skipped this dip and dumped at OEP 401000 as you said, rebuilt the IAT and the dump runs fine without calling 412A7C... thus I reckon 412A7C is some kind of addon by AsProtect when the programmers select the key file protection feature in AsProtect... hence there is no need to call it at OEP.... I am not sure though...

    However, the OEP at 401000 does look weird...

    That is all folks, :>

    PS : Hope you have recovered from the accident, SplAj :>... Take care when you drive around next time...

  8. #8
    foxthree
    Guest

    +spl/\j guru rocks!!!

    Hi there:

    Firstly my humble thanks to +spl/\j guru for his posting on this topic. Hope you're feeling better!

    Now, I clearly understand the double dipping concept. Yes, ASPR uses this to initialize some memory flags to prevent dumping... but just ret at the PUSH EBP instruction and we can dump all we want ;-) (Once again, my thanks to +spl/\j/SV... )

    Still I have two small questions for SV: <grin>

    1. Since we've bypassed the original call, why do we need to change the OEiP and CALL 412A7C and then jmp to 00401000. If you disassemble the dump, what you see at CALL 412A7C is a simple ret (which we'd coded earlier for dumping).

    So, I think this step is not needed. Correct me if I'm wrong, but this step is only needed if you adopt +spl/\j's 2nd method of allowing ASPR to do the initialization, then dumping at OEiP and then resetting all the unnecessary variables (that cause page faults btw :-<) to NOPs heh !

    2. What is meant by indirect calls? Are you referring to redirected calls?

    Once again, I learnt a valuable lesson in unpacking today. RegOrganizer is no more (not patched yet but unpacked... yes!)

    Like +spl/\j writes in his tutorials, "Patch and play" <grin>

    Signed,
    -- FoxThree

  9. #9
    Fox3,

    You got it wrong, both Splaj and sv said that you use "r eip" to skip the call 412A7C, not patch the byte there with a "ret"... which might be bad sometimes if the actual ret is "ret 4" or something like that, you might cause a stack fault...

    Hence, they both still called 412A7C at OEP again...

    I think so at least :>

    Regards,

  10. #10
    Hi foxthree, binh81, (yo +SplAj )


    "1. Since we've bypassed the original call, why do we need to change the OEiP and CALL 412A7C and then jmp to 00401000. If you disassemble the dump, what you see at CALL 412A7C is a simple ret (which we'd coded earlier for dumping). "

    As binh81 said, when landing at 412a7c, I just change EIP manually to only do a ret (no patching) and continue tracing until 401000. Perhaps this call is not needed to run the unpacked exe (humm), I haven't tested !

    "2. What is meant by indirect calls? R u referring to redirected calls? "

    Sometimes in an ASProtected exe, when tracing, you land in some code like mov [5cafa4],eax with eax = e2c9a0, and at this location (ASProtect code) there is code like call [xxxxxx] where xxxxxx contains 5c55a0.
    You just have to put the right value at 5cafa4: 5c55a0.
    This example is about the latest Tag&Rename.

    Redirected call is more explicit !!!

    Regards

    SV

  11. #11
    foxthree
    Guest

    Thanks to all ;-)

    Hi Folks:

    Firstly thanx to +spl/\j (u're da man ;-)), SV, my buddy binh81 (hi there) and others who have actively posted their solutions to overcome ASPR D-D.

    I personally think D-D is finished !!! <grin>

    Thanks again for your analysis, folks.

    Signed,
    -- FoxThree

  12. #12
    +SplAj

    clear ?

    Hi again

    the 412A7C call can be missed out - Evaluator and I discussed this point about previous versions of RO. However I am highly suspicious that if this call is NOT made then using it on your registry could cause a major fuckup on your PC.

    The redirected call is the one at offset RVA/raw 0x199398 == 8C 2D 41 (call 412D8C). You can see this cos at startup a message box comes up about cannot read memory blah blah. Just trace this call in the original target and you will see the code call is 412D8C. Again the unpacked target appears to run anyway after the message box....but do you trust this program with your registry ....

    BTW I can't walk, never mind drive yet........poor me sob sob.


    cya

    Spl/\j
    Carve my name into your arm :)
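
    The two remaining fix-ups from SV's post #10 and +SplAj's post #12, as an added example that is not code from the thread: a pointer slot that ASPR pointed into its own memory (SV's 5CAFA4 holding E2C9A0, real value 5C55A0) gets the in-image target written back, and the 'initialised' area the 1st dip writes (+SplAj's 1CA980, about 50 bytes) is zeroed. The scan for foreign pointers is a heuristic that only narrows down which slots to confirm by tracing the original target. The image base 400000, image size 0x2C2000, the 0x10000 pointer threshold and the section table are assumptions, and the dump is a constructed stand-in holding only the 1CA000..1CC000 region.

```python
"""Clean ASProtect leftovers out of a dumped image: a pointer slot that ASPR
redirected into its own memory, and the 'initialised' flags/variables the
1st dip writes.

Added example, not code from the thread. Numbers from the thread are reused
(slot 5CAFA4 = RVA 1CAFA4 holding E2C9A0, real value 5C55A0; flag area around
RVA 1CA980), but the layout is a constructed stand-in: image base 400000 and
image size 0x2C2000 are assumptions, and the section table maps only the
region of the dump that the sample covers.
"""
import struct

IMAGE_BASE = 0x400000
IMAGE_SIZE = 0x2C2000   # assumption: the added IAT section sits at RVA 2C1000
# (rva, raw_offset, size); the sample dump holds just the 1CA000..1CC000 region.
# In a real dump this table comes from the PE section headers.
SECTIONS = [(0x1CA000, 0x0, 0x2000)]


def rva_to_raw(rva, sections=SECTIONS):
    """Map an RVA to a file offset via the section table."""
    for va, raw, size in sections:
        if va <= rva < va + size:
            return raw + (rva - va)
    raise ValueError("RVA %#x is not inside any section" % rva)


def read_dword(dump, rva):
    return struct.unpack_from("<I", dump, rva_to_raw(rva))[0]


def write_dword(dump, rva, value):
    struct.pack_into("<I", dump, rva_to_raw(rva), value)


def find_foreign_pointers(dump, rva_lo, rva_hi, image_base=IMAGE_BASE, image_size=IMAGE_SIZE):
    """Scan dword slots in [rva_lo, rva_hi) for values that look like addresses
    (assumed threshold 0x10000) but lie outside the image: candidates for calls
    ASPR redirected into its own memory. Heuristic only; confirm each hit by
    tracing the call in the original target."""
    hits = []
    for rva in range(rva_lo, rva_hi - 3, 4):
        val = read_dword(dump, rva)
        if val >= 0x10000 and not image_base <= val < image_base + image_size:
            hits.append((rva, val))
    return hits


def fix_redirected_pointer(dump, slot_rva, real_target, image_base=IMAGE_BASE, image_size=IMAGE_SIZE):
    """Write the real in-image target into the slot; return the value it replaced."""
    if not image_base <= real_target < image_base + image_size:
        raise ValueError("replacement %#x is itself outside the image" % real_target)
    old = read_dword(dump, slot_rva)
    write_dword(dump, slot_rva, real_target)
    return old


def clear_init_area(dump, rva, length):
    """Zero the bytes the 1st dip marked as 'initialised' (the other D-D fix).
    Returns how many of the bytes were non-zero before clearing."""
    raw = rva_to_raw(rva)
    rva_to_raw(rva + length - 1)          # the whole range must be mapped
    changed = sum(1 for b in dump[raw:raw + length] if b)
    dump[raw:raw + length] = bytes(length)
    return changed


def make_sample_dump():
    """Constructed stand-in for the 1CA000..1CC000 region of a dump."""
    dump = bytearray(0x2000)
    # pointer table the code reads through call [xxxxxx]
    write_dword(dump, 0x1CAFA0, 0x5C55A0)    # sane in-image pointer, must not be flagged
    write_dword(dump, 0x1CAFA4, 0xE2C9A0)    # ASPR stuffed its own address here
    write_dword(dump, 0x1CAFA8, 0x000004D2)  # small integer, not a pointer
    # 'initialised' flag plus a variable set by the 1st dip
    dump[rva_to_raw(0x1CA980)] = 0x01
    write_dword(dump, 0x1CA984, 0x00E21000)
    return dump


if __name__ == "__main__":
    dump = make_sample_dump()
    print(find_foreign_pointers(dump, 0x1CAF00, 0x1CB000))   # [(0x1CAFA4, 0xE2C9A0)]
    print(hex(fix_redirected_pointer(dump, 0x1CAFA4, 0x5C55A0)))
    print(clear_init_area(dump, 0x1CA980, 0x50))
```

    The pointer fix and the flag clearing are independent: the first is needed whichever D-D method was used, the second only when the 1st dip was allowed to run before dumping.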

  13. #13
    foxthree
    Guest

    Clear!

    Hi +spl/\j:

    As they say in Star Wars: "The training is now complete!" <grin>. Yes. I got what you said. I'll try again later today.

    Thanks once again for your gracious contributions.

    Wish you a very speedy recovery.

    Take care,

    Signed,
    -- FoxThree

  14. #14
    foxthree
    Guest

    Yes it is really complete

    Hi +spl/\j:

    The "learning" is complete now. Thanks for all your gracious help!

    BTW, can you put discompress.com back up? I believe newbies like me can do a lot of learning by reading your tuts. Does it have a mirror?

    Thanks for sharing ur wisdom,

    Signed,
    -- FoxThree

  15. #15
    +SplAj

    discompress

    hmmmm....

    I have been asked several times for the 'discompress' site. I thought I had a good angle when I started 2 years or so ago on it. But actually, if you get all the packers/protectors from exetools or wherever and pack Notepad.exe...you can soon gain good experience from unpacking it cos you know the header already.

    ....and thats my point....learning the basics of PE format especially IAT/IT gives a good grounding for unpacking.

    I must say the new tools like RV/Imprec/LordPE/Icedump with tracer make the task a lot easier these days so I don't think there is any real need for a disco comeback......just yet.

    Spl/\j
    Carve my name into your arm :)
