
Thread: Stuck on aspr

  1. #1
    fALC0N
    Guest

    Stuck on aspr

    After reading a lot of threads about aspr, I gave unpacking Available Domains Pro at h**p://w*w.alphacomsoft.com a shot and, as you might have guessed, got stuck at runtime.

    Found the OEP at 391F5 (correct?)

    Fixed (?!) the IAT through ImpREC; tried RV too, but it crashes.
    IAT RVA=77000 Size=7C4
    After resolving entries it refused to run...

    I wish to know if there is any D-D code in this. If anyone can shed some light on finding D-D code in apps in general, it is very much appreciated.

    Maybe some of the gurus here could give me some hints on where I have gone wrong.

    I've attached my resolved IAT.

    fALC0N
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    foxthree
    Guest

    ASPR is always fun!

    Hi there:

    No D-D tricks in this one. [Even if it did, it wouldn't matter.]

    A cursory glance at your rebuilt IAT also shows that everything is fine! I'm attaching my rebuilt IAT through RV so that you can analyze this one more!

    OEiP == 391F5 <--- Correct!

    By "not running", do you mean the FAULT 0Eh after running the unpacked ADomains? That is easily fixed. There is a redirected call to ASPR code! NOP it and everything is fun.

    For further reference, search the forum. You'll find enough references for redirected code fixing.

    Signed,
    -- FoxThree

  3. #3
    fALC0N
    Guest

    Doesn't Work

    Thanks for replying, foxthree, but it still gives me an error at 016f:0043715c and NOP'ing just doesn't resolve it.

    Is there something I'm missing?

    Is it a redirected call?

    Thanks,

    fALC0N

  4. #4
    foxthree
    Guest
    Hi Falcon:

    No. NOPing 016f:0043715c will not work. You have to NOP the caller itself. It will be at 0040f5d or something like that. Look in the call stack. If you NOP the caller, everything is nice.

    BTW, the instruction at 016f:0043715c is not the problem. It is the instruction above it, which refers to "ASPR" memory, that causes the page fault. I think it is something like MOV EAX, ECX, where ECX == EXXXX (ASPR mem area).

    Find it, man, and have fun.

    Signed,
    -- FoxThree

  5. #5
    fALC0N
    Guest

    Nooo :(((

    Hi foxthree,

    No matter what I've tried, it just doesn't work... I even tried with your IAT. I tried, I tried, I don't like to give up!

    Is it something else? I must be missing something pretty badly!

    fALC0N

  6. #6
    foxthree
    Guest

    Hex Editor???

    Hi there:

    What Hex Editor are you using to paste the IAT? DO NOT USE HexWorkshop as it is broken for > 2MB file sizes. Use UltraEdit.

    Signed,
    -- FoxThree

  7. #7
    fALC0N
    Guest
    Hi foxthree,

    I never used HexWorkshop (and I didn't know it couldn't handle >2MB files).

    I used ImpREC's fixdump and RV's fixdump at all times.
    fALC0N

  8. #8
    +SplAj

    437150

    Hi

    Did you get the ASPR memory 'check' sorted at ~437150? It is NOT a redirected call.

    For me the ASPR mem was E73431... of course this is gone. But this is only a simple sub eax, ecx check (E73431 - E73431 == 0).

    So, find the offset in the dumped exe for 31 34 E7... found at raw offset 0x9F9D8, so change the bytes to D8 F9 49.

    Now the target runs because 49F9D8 - 49F9D8 == 0.

    Spl/\j
    Carve my name into your arm :)

  9. #9
    fALC0N
    Guest

    hmmm

    Hi Splaj

    Thanks for looking at this aspr problem!!
    And you are right! When I do that it passes that point, but now it gets stuck at 016f:0044bbe8.
    Also, is this thing running on anyone's comp?? Or am I the only one?

    I appreciate your help
    fALC0N

  10. #10
    fALC0N
    Guest

    did everyone quit?

    I guess I'm stuck dead on this.

  11. #11
    foxthree
    Guest

    Nope ;)

    Hi FalCon:

    Here is, once again, a step-by-step list of things to do:

    (1) Find the OEP. You already did this. Dump using the /dump command of ICEDump. Specify the image size and image base correctly.

    (2) Run RV and rebuild the IAT. Again, you've done this correctly using ImpREC.

    (3) Thirdly, when you run it, you'll find the app crashes.

    Single-step in SICE and find that a call at 407F50 makes a call to ASPR, as +SplAj mentions (sub ECX, EAX or something like that).

    What I've done is NOP out this entire call. (Yes, it is not required.) [You can also do a "cleaner" patch, as +SplAj guru said.]

    NOP the call to ASPR code at 00407F50 (5 NOPs) [Flag check code]

    Try this step by step.

    Signed,
    -- FoxThree
