Thread: tsehp : small "anti-trace" in asprotect..?

  1. #1
    : Code Injector : nikolatesla20
    Join Date
    Apr 2002
    Location
    :ether:
    Posts
    815

    tsehp : small "anti-trace" in asprotect..?

    Hey tsehp, RV kicks butt, especially on Win2k, the program tracer OWNS ! -

    <Just a quick note to some beginners out there, if you trace a program and it doesn't seem to land on the OEP as the first instruction, remember asprotect has an API, and it calls into the target before executing it, you are on one of those API's. WRITE IT DOWN! You can use it to your advantage >

    I ran into a problem over the last 2 weeks tho, RV would not resolve all the entries for Bullet Proof FTP Server. When I wrote down the RVA's to the functions, and went in manually with softice, this is what I saw:

    At the RVA called from the IAT address:

    mov eax, [012054A]
    ret

    Notice that this does not call ANY api whatsoever, it just moves a value into eax as tho it DID call an api, and then returns. So where does this value come from you ask? Well fortunately if you scroll up in the code window in SoftIce you could find the answer (heh heh ! )

    Scroll up some from the code you see listed above, and you would find:

    call Kernel32!GetCurrentProcessId   ; the protector calls the API itself
    mov [012054A],eax                   ; and caches the return value for the stub above

    Wow great fun eh? ASProtect basically takes over calling the conventional startup code in the app, and stores the values away for later. Not a big deal, but it pretty much screws any tracer completely. OH well.

    Yes you can still fix it up by hand, I was just bringing out I don't know if any tracer could ever find this. It is a good technique I think. I also think this must be a newer version of asprotect because I haven't seen it before (Note on asprotect website it says new update for registered users - HEY a new one just came out again TODAY! - but I can't download it of course ?)

    By the way I still can't get this damn BPFTP server fixed out of asprotect, oh well, more practice is needed. (I had no such troubles with BPFTP client). Apparently I still have some calls into ASprotect. (The thing to note is that as of yet asprotect has no API which gets called INTO. However, it does pass a pointer to the registration information when it calls GetRegistrationInformation. The app accesses this pointer, which is what screws you I think.)

    -nt20

  2. #2
    Kilby
    Guest
    That code has been in asprotect for over a year now, and indeed was one of the ways of slowing down unpacking.

    If you do a bpx getversion before running the packed app you will eventually break on where asprotect captures this value, along with 4 others such as getcurrentprocess.

    These stored values are the easy bit of asprotect to deal with these days.

    BTW I haven't touched asprotect since November, so I assume that more captured values exist these days.

    Kilby...
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #3
    tsehp
    Guest
    ok,
    did you try the api emulator feature ?
    it guesses the api's used by the return value.

    regards,

    tsehp

  4. #4
    nikolatesla20
    Yes actually I did try clicking on API emulator, but it also did not resolve them. I could only do it manually, but it is not such a big deal.

    But I want to thank you for the wonderful tool of Revirgin it is very good !

    -nt20

  5. #5
    DrFred
    Guest

    For nikolatesla20

    Yes sometimes api emulator did not resolve them ..

    And another thing, the new asprotect uses a new way to redirect some imports ...

    The old one, as you said:

    mov eax, [012054A]    ; hand back the cached API result
    ret

    The new one:

    call Kernel32!GetVersion   ; decoy call, its result is thrown away
    push [012054A]             ; the cached value is what actually gets returned
    pop eax
    ret 004

    This makes some rebuilders like ImpRec detect the wrong import.
    In this case it will detect GetVersion, but the import is not that!!!
    And I noticed the imports not resolved are always:

    GetCurrentProcessId
    GetCommandLineA
    GetProcAddress
    GetVersion

    Bye
    P.S. if you want to deal with this new aspro, try CloneCD 4 beta!
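The two stub shapes described in post #1 (mov eax,[slot] ; ret) and post #5 (call decoy ; push [slot] ; pop eax ; ret 4), decoded by a small pattern matcher that also finds the loader's "call API ; mov [slot],eax" store sites and maps a stub back to the API whose cached value it returns. This is an added example, not code from the thread or from ReVirgin/ImpREC; the base address, the slot address, the API addresses and the byte layout are constructed assumptions.

```python
import struct

# Constructed sample, not taken from a real ASProtect build. All addresses
# are hypothetical; SLOT is the thread's "[012054A]" read as 0x0012054A.
BASE = 0x00401000
SLOT = 0x0012054A
API_GETPID = 0x77E00000   # hypothetical address of GetCurrentProcessId
API_GETVER = 0x77E00100   # hypothetical address of GetVersion
API_NAMES = {API_GETPID: "GetCurrentProcessId", API_GETVER: "GetVersion"}

def _rel32(next_insn, target):
    """Encode a call rel32 displacement relative to the following instruction."""
    return struct.pack("<i", target - next_insn)

CODE = (
    b"\xe8" + _rel32(BASE + 5, API_GETPID) + b"\xa3" + struct.pack("<I", SLOT)  # loader: call GetCurrentProcessId ; mov [SLOT],eax
    + b"\xa1" + struct.pack("<I", SLOT) + b"\xc3"                                # old stub at +10: mov eax,[SLOT] ; ret
    + b"\xe8" + _rel32(BASE + 16 + 5, API_GETVER)                                 # new stub at +16: call GetVersion (decoy)
    + b"\xff\x35" + struct.pack("<I", SLOT) + b"\x58" + b"\xc2\x04\x00"           #   push [SLOT] ; pop eax ; ret 4
)

def scan_store_sites(code, base):
    """Map cache slot -> call target for every 'call rel32 ; mov [imm32],eax' pair."""
    sites = {}
    for i in range(len(code) - 9):
        if code[i] == 0xE8 and code[i + 5] == 0xA3:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            slot = struct.unpack_from("<I", code, i + 6)[0]
            sites[slot] = (base + i + 5 + rel) & 0xFFFFFFFF
    return sites

def classify_stub(code, base, off):
    """Decode one redirected-import stub at code[off:]; None if it is not one."""
    b = code[off:]
    if b[:1] == b"\xa1" and b[5:6] == b"\xc3":                        # mov eax,[slot] ; ret
        return {"kind": "cached", "slot": struct.unpack_from("<I", b, 1)[0], "decoy": None}
    if (b[:1] == b"\xe8" and b[5:7] == b"\xff\x35"
            and b[11:12] == b"\x58" and b[12:13] == b"\xc2"):          # call decoy ; push [slot] ; pop eax ; ret n
        rel = struct.unpack_from("<i", b, 1)[0]
        return {"kind": "decoy", "slot": struct.unpack_from("<I", b, 7)[0],
                "decoy": (base + off + 5 + rel) & 0xFFFFFFFF,
                "ret_adjust": struct.unpack_from("<H", b, 13)[0]}
    return None

def resolve_import(code, base, off, api_names):
    """Name the API whose cached return value the stub at off hands out (not the decoy)."""
    stub = classify_stub(code, base, off)
    if stub is None:
        return None
    return api_names.get(scan_store_sites(code, base).get(stub["slot"]))
```

Matching the store site rather than the decoy call is what keeps the "new" stub from being misread as GetVersion, the mistake DrFred reports for ImpRec.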

  6. #6
    foxthree
    Guest
    Hello Guys:

    This one is also not new. Search for posting by +SplAj guru and Evaluator.

    Signed,
    -- FoxThree

  7. #7
    tsehp
    Guest
    Originally posted by nikolatesla20:
    > Yes actually I did try clicking on API emulator, but it also did not resolve them. I could only do it manually, but it is not such a big deal.
    >
    > But I want to thank you for the wonderful tool of Revirgin it is very good !
    >
    > -nt20
    thanks.
    Did you try the new plugins ? They should be working.

    I'm actually only working on the tracer.
    regards,

    tsehp

  8. #8
    nikolatesla20

    plugin worx great

    Hey tsehp, started using the asprotect1.2xx plugin, it works great thanks.

    Sorry to hear about the flame war on the other board. Personally I don't use ImpRec much because it doesn't seem to trace everything as well as revirgin, but of course I haven't tried out the plugins in it yet tho. It is more "stable" but hey it's ring3. The one feature I do like from ImpRec is it gives you a good range to find the IAT, if it can't find it on its own. Right now rv just kinda gives up but that's what SI is for, you have to use your brain too. Once you got the numbers the tool works excellent. Especially under Win2K the program tracer rules and it's like 50 times faster than Icedump /tracex .

    -nt20