Page 1 of 2 12 LastLast
Results 1 to 15 of 22

Thread: BIG-dipper :)

  1. #1
    my new hair style :) +SplAj's Avatar
    Join Date
    Feb 2001
    Location
    Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria
    Posts
    373

    BIG-dipper :)

    ok u asked for D-D targets !!!

    here is a nice aspr MULTI dipper as a newbie challenge :-

    [http://***.timeutilites.com/downloads/atc.exe]

    thanks to SpeKKel for that one....have phun we did

    Spl/\j

    BTW I have big trouble with RV1.3 destroying its own iat.bin after loading from disk and building. I think I saw someone else with this prob on the 'tools' pages ? Did anyone else come across this prob ?

    The target is CV3.3 from Tamos...somethin new from Alexey ? RI have to speak to the Admiral and fire a shot across his bows

    later
    Carve my name into your arm :)

  2. #2
    Musician member evaluator's Avatar
    Join Date
    Sep 2001
    Posts
    1,479
    Blog Entries
    1
    eh, SPLAJ..
    Can't understand your love to ASsPR!
    What you found interesting???


    Paste my IT.BIN in dump at 22C000h.
    Values for PEditor:
    OEP=21CFA4
    IT =22C000 SIZE=0000026C

    I think, will better if you make dump at OEP.
    Old size-check exists
    Attached Files Attached Files

  3. #3
    my new hair style :) +SplAj's Avatar
    Join Date
    Feb 2001
    Location
    Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria
    Posts
    373

    Cool music to my ears..

    Hi eval

    I tink u misunderstand. I have rebuilt that time thingy a month or so ago. It's just a trget for those interested in D-Dip. Also rebult CV3.3 with RV1.2beta. Just sayin that RV1.3 destroyed IT/IAT bin file in both Win98SE & Win2Ksp3.......hmmmm

    I just mentioned that aspr code is different now. The 61 ff e0 (Jmp EAX) is gotten to in a very 'decrypted' way.

    Somethin different for sure in CV3.3 aspr

    hmmm

    Spl/\j
    Carve my name into your arm :)

  4. #4

    nice one :>

    Thanx Spl/\j for the prog :>...

    Finally get it to work :>... "wow" I must say, 10 dips in before OEP and only 2 should be missed... but the address of the dip in can give quite a hint though...

    A few booby traps to check for AsProtect... this is really one program that integrates with AsProtects, luckily it is quite a simple program so i was able to find (hopefully) all the AsProtect checks...

    Thanx splaj.. this one gives me some further insight of those dip before OEP... fox3, you should definitely try this one.... :>...

  5. #5
    Musician member evaluator's Avatar
    Join Date
    Sep 2001
    Posts
    1,479
    Blog Entries
    1
    SPLAJ!

    Maybe because of my poor english I didn't understand you..
    But for me RV1.3 works fine! Nothing bad happens.
    Here again I upladed resoleved&finished.txt and IT.BIN.
    Now "autofix" option choosed.
    Attached Files Attached Files

  6. #6
    Musician member evaluator's Avatar
    Join Date
    Sep 2001
    Posts
    1,479
    Blog Entries
    1
    OOPS, SPLAJ!
    I look in your "resolved". All is same as my except IT length!
    Your IT size is wrong. After "resolve again" RV1.3 displays 3B0.
    This value can be used

  7. #7
    foxthree
    Guest

    BigDipper-Analysis (not quite there yet ;-))

    Hi +splaj guru / binh81:

    Thanks for this wonderful exercise. Whoops is what I can say.

    In brief, I'm not able to unpack this one but I present below my analysis. Can you/binh81 verify this? I'm still trying and almost there :->

    Okey: First like binh81 said there are 10 dips at 4504F8, 489A30, 450498, 4504A8, 489660, 450538, 4504B8, 450474, 450498 (2nd time), 4504A8 (2nd time)

    Most of the dips it is:

    PUSH EBP
    4 lines of code
    RET 4 (except in 2 cases where it is RET 8)

    except for the "BIG" dip at 489660.

    Now here is what I did. I bypassed 489660 (r EIP) and then search for the 61,FF,E0 (thanks +splaj). I find it at cs:11A3424. Note the value in EAX: 00489DB8.

    ----------> Marked this as OEiP (cs:00489DB8). Dumped here!

    Now run RV 1.3. I Find the following values:

    RVA: 0008D168
    Lenth: 00000708

    However, the resolved values look mighty strange to me 'cos KERNEL32.DLL is interleaved and same import call is made in 2-3 places (why?) I checked in SICE IAT Table and everything is fine! That is the way IAT is this for this prog. Ok, generated IAT.bin and pasted.

    Did the usual change EiP CALL 489660/JMP 489DB8.

    Run it. Just after click on Evaluate, proggy quits! So let's debug...

    One redirected call I found at 00489E86!

    So find it , traced and found that it calls 004898C4.

    Patch it! at 489E86: CALL 4898C4.

    Now run it!

    Weird! Proggy said "Encrypt and Decrypt. Please run ASprotect on this app. API is incorrect" but runs. However each click on the top tabs is giving "Access violation at 45076E while writing to BFF77716 (addr of GetProcAddress)"

    Questions:

    (1) Is my EiP correct?
    (2) Is my IAT correct ? ( I doubt this much!)
    (3) binh81 says 2 dips neesd to be skipped, where as I found only one!

    Can you guide me? I need only tips :-)

    Signed,
    -- FoxThree
    Attached Files Attached Files
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  8. #8
    I dont know what is wrong with my system but I have always problem with finding OEP of new aspr in Win98 SE.Searching popad freezes my system.I can only find by tracex and it gives wrong OEP sometimes like in this example.I have found OEP by Dafixer's tips.

    Anyway I got same error like foxt3 here is the proc which gives error message when you change tab

    Code:
    seg000:0045075C dummy1		proc near
    
    var_4		= dword	ptr -4
    
    		push	ebp
    		mov	ebp, esp
    		push	ecx
    		push	ebx
    		mov	eax, dword ptr ds:GetModuleHandleA_1+2  ;here is the problem.
    		mov	ebx, [eax] 
    		push	dword ptr [ebx]
    		mov	[ebp+var_4], ebx
    		pop	dword ptr [ebx] ;crashes here because it tries to write address in k32.dll
    		mov	eax, [ebp+var_4]
    		pop	ebx
    		pop	ecx
    		pop	ebp
    		retn
    dummy1		endp
    I guess we should fix the pointer where it currently points to IAT.I am not familiar with new aspr

    ps:If someone could explain how to find OEP and this "dips in win98 in a way that newbie can understand I will be quite happy
    "There is only one road to human greatness: through the school of hard knocks." Albert Einstein

  9. #9
    foxthree
    Guest

    LapTonic is right!

    Hi Laptonic:

    I've also got the exact GetProcAddress with the same asm code (I traced just now with SICE) write error like you've mentioned. We've both done something horribly wrong 'cos binh81 reports everything as fine. Anyways, waiting for inputs from +splaj guru/binh81.

    Cool now about your questions:

    Finding OEiP:

    Like yoda, says in Star Wars, "Tricky this one can be !" :->>

    Okey, two things, one what i've observed is most ASPR code after going into ASPR shell once comes back to break at 00401014. Now in between this if you run /tracex, you'll have to wait for like 10-15 mins. Instead do this, dl SuperBPM. Run it. Now load app into ICELoad. Breaks at 0x40001000. Now do a bpmb cs:00401014 x. Let it run. Voila! It breaks at 00401014 almost instantly ;-) Now trace back to ASPR Code. Now give a /tracex. It will speed your finding of OEiP by 40-50% atleast.

    The Second thing is I've also had my PC crash when I search for signature bytes. I wanted to ask +splaj guru himself why this is so? But if you follow my earlier trick, you'll find POPAD. Now load SUPERBPM and bpmp at that mem location. F5 and voila you break at POPAD. Trace and find JMP EAX <grin>!

    Hope this helps,

    Signed,
    -- FoxThree

    PS: For Double Dips, there is nothing better than the big "writing" by +splaj on RegOrganizer 1.3Beta4. See it!
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  10. #10
    Hi Fox3,

    Yep, look at you dip listing.. most are 450xxx which sets up AsProtect Flag and can not be skipped... 2 dips at 489xxx should be skipped, if you look at the 489A30, it will move 4898C4 into [489E86] but since you have patched it, it should be fine...

    The messagebox of invalid AsProtect API is called when the program check for its API at 48AB00 if i am not wrong.. just change this dword to 00000000 will do the trick...

    Yep, your crashing is caused by the code pointed out by Laptonic, basically [ebx] is one of your IAT entry, so if ATC.exe is AsProtected then [ebx] is redirect to AsProtect memory which is writable, however when we unpack it, [ebx] now points to Window API address and is protected so you can not write data there anymore, but look at the code,

    push [ebx]
    mov [ebp+4], ebx
    pop [ebx]

    the push and pop operation does nothing but indirectly checking AsProtect redirected API... so i just nop both these push and pop or use the "48 40" trick.. then the prog should not crash anymore...

    I found another check when u click the Adjust button.. yep... so watch out...

    Again, i did not find the need to patch OEP to call the big dip at 489660 at all... :>.. it checks keyfile atc.bin...

    Hi Laptonic : here is how i find OEP with AsProtect in 3 second :>
    run the prog, use WinHex to open the prog memory and search "61 FF E0"... yeah u will find it and then bpm there with super bpm... boom you are there... the OEP is always the saem with jmp eax... the dip ia another problem which i have a zen for it but i dont know why and how :>... guess i have done 7 prog with dip already :> so ah well... my softice crash occasionally when i do search in memory with it so i use winhex all the tiem nowadays.. nice prog :>

    that is all for now..

    Cheers
    Last edited by crUsAdEr; March 10th, 2002 at 14:31.

  11. #11
    Musician member evaluator's Avatar
    Join Date
    Sep 2001
    Posts
    1,479
    Blog Entries
    1
    binh8!

    That last check is very fun, you will laugh!
    I'm interesting if you find it!

    I will upload soon if..

  12. #12
    foxthree
    Guest

    Thumbs up Cracked this one (completely) ... phew!

    Hi +splaj/bin81/LapTonic:

    Finally, I have cracked this one... and what a fun it was...

    Okey lemme explain:

    First of all we have two problem with the dumped executble:

    (1) On running and clicking on evaulate, we get the horrible "Encrypt/Decrypt... Please repack this with ASPR and blah blah"..

    (2) On click of each tab, we get GetProcAddress write error!

    Solutions:

    (1) This is complex. This is all because of indirect calls to ASPR code. The author must love calling into ASPR ;-)

    There were (atleast) 3 re-directed calls.

    a. at 00489E86: CALL [48AFA8] <-- replace with CALL 4898C4
    b. at 004473A5: CALL [EBX+..] <-- replace with CALL 48460C
    and the *final* one that completes the trick...
    c. at 004843EA:

    Here you'll find

    at 004843EA: LEA EAX, EBP-0C
    : CALL 004504E4 (Ugly function that causes the SEH to be trigged )

    If you, see this call is in a SEH, and when the SEH get triggered, you get our friend the ASPR MsgBox !

    So we should make the SEH not to trigger. Just see the line below the CALL...

    CMP DWORD PTR [EBP-0C], 00

    So this is the trick, normally the code does not come here and even if it does EBP-0C will not be 00 with ASPR Ugh!

    So as +splaj guru would say , "patch"

    at 004843EA: MOV DWORD PTR [EBP-0C], 00

    (Opcodes: C7 45 F4 00 00 00 00
    90 <--- NOP to make it 8 bytes )

    Press F5 Yayyyyyyy.... No more ASPR boxes... Phew!!!

    For (2)

    it is very very simple and binh81 nopping will not work

    So my little trick: Look at the address 004507EA or something.... bpx there. See up there is a PUSH EBP (function prologue heh!!)
    Put a simple RET there ... So no longer memory write checks will be done.

    [Note fellow RCEs: we're successful in this because the function itself is returning RET and PUSH is called within the function. If the function returned anyting other than a simple RET such as RET 4 or RET 8, we will have a corrupted stack if we replace with simple RET]

    Boom.. Boom... No more GetProcAddress Errors!!!!

    Phew... was it a debuggin' session or what!!!!

    Anyways, my most humble thanks to +splaj (for introducing me to the art of D-D , binh81 for being there )

    One small question though:

    What does the attached piece of code do and why does it generate a SEH?

    Answers are gratefully accepted.

    Signed,
    -- FoxThree

    PS: Still have 9 runs to go... close.. but still running...
    Attached Files Attached Files
    Last edited by foxthree; March 10th, 2002 at 20:16.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  13. #13
    Hi eval,

    yeah i did find it... :>...

  14. #14
    foxthree
    Guest

    Lightbulb Is my explanation enough

    Hi Eval:

    Is my explanation above enough?

    Signed,
    -- FoxThree
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  15. #15
    Hi fox3,

    Not sure about the differences between my dump and urs... but i did not patch that many bytes... think must be all the dipping... nopping out push[ebx] and pop [ebx] works fine on my machine... no problem... how can there be problem when u already nop it out? must be error somewhere else...

    think even for "Invalid AsProtect API" massage, i only change one dword value...

    okie.. just confirmed, i made 3 patches only... the prog seems to run fine, updating my time well... think i am gonna keep this :>... cos sice keep stopping my clock when it pops up...

    Ah well... i'll see how :>...

    regards

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •