
Thread: AsProtect - new version?

  1. #1
    norby
    Guest

    AsProtect - new version?

    Hi!

    I found one proggie with probably a new version of AsProtect. It has a new redirection system for all kernel32.dll and comctl32.dll APIs (except those emulated). First it does some heavy SMC (about 20 jumps) and then it executes the first few instructions of the redirected function in its own address space...

    for example:

    0177:00A0068C PUSH EDI
    0177:00A0068D PUSH 00000127
    0177:00A00692 SUB EDX,EDX
    0177:00A00694 PUSH BFFA191F
    0177:00A00699 PUSH DWORD PTR FS:[EDX]
    0177:00A0069C MOV FS:[EDX],ESP
    0177:00A0069F JMP BFF77AF2

    and then it jumps to kernel32 and skips the first few instructions


    KERNEL32!CreateFileA
    0177:BFF77ADF PUSH EDI
    0177:BFF77AE0 PUSH 00000127
    0177:BFF77AE5 SUB EDX,EDX
    0177:BFF77AE7 PUSH BFFA191F
    0177:BFF77AEC PUSH DWORD PTR FS:[EDX]
    0177:BFF77AEF MOV FS:[EDX],ESP
    0177:BFF77AF2 MOV EDI,[ESP+14] <--jumps here
    0177:BFF77AF6 SUB EAX,EAX
    0177:BFF77AF8 LEA ECX,[EAX-01]
    ...

    it prevents bpx and I also tried to trace it with Revirgin 1.30 and ImpRec, but both failed; I had to trace all APIs manually

    The only function where ImpRec's tracer succeeded was GlobalUnlock, where it jumped to the beginning of the function and didn't skip any instructions in kernel32 code

    proggie: xxx.imagedupeless.com
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Hi Norby,

    Yep... THAT is IT, the new version of AsProtect ...

    This kills Imprec and Revirgin for sure, I am impressed that you got Imprec to trace one kernel API, I couldn't get any ... AsProtect is really going into VBox direction with its IAT redirection scheme... plus a poly-engine generated to calculate the jump to the redirected API and "rebased" each run... so each run you will get a different decryption routine address and a whole set of different decryption keys...

    I just came out with this idea of ripping the decryption routine out of AsProtect and hence coded this plug-in... please help me test it so hopefully I can improve it and make it more generic... I have only tested it with this app and on my win2k box...

    Norby: I am impressed you traced everything manually... you are lucky it is only 17h kernel imports

    Anyone else seen other apps protected with new Aspr ?

    thanx
    crUsAdEr
    Attached Files

  3. #3
    norby
    Guest
    Hi crUsAdEr,

    thanks for the plugin, good work :-)

    it works in W98 without problems (with this program)..

    I downloaded some other Asprotected programs today, but all were protected with older versions...

    btw: I even found one asprotected program that didn't work packed, only unpacked ...(Secret Explorer, xxx.lastbit.com)

  4. #4
    hobgoblin, Registered User (Join Date: Oct 2001, Location: Norway, Posts: 138)

    About plugin.

    Hi crusader,
    Is this plugin supposed to work with Imprec or RV? Or both?
    I can't get it to work on my box (XP)

    regards,
    hobgoblin

  5. #5
    Most probably for Imprec. RV doesn't have a plugin feature...
    esther


    Reverse the code, Reverse Your Minds First

  6. #6
    hobgoblin,

    can u be more specific? Like what went wrong? Plug-in does not load, not recognised? Or fails to trace? If so, what error code does it give in the log window? Like 201, 202 or 220 etc...

    cheers
    crUsAdEr

  7. #7

    Hi..

    Hi crusader,
    It loads, it traces, but all it returns is error code 204.
    BTW, it was a typo in my last post. I'm cracking this one on WinME, not XP.

    regards,
    hobgoblin

  8. #8
    _Servil_
    Guest
    hi !

    crUsAdEr you were too fast ! ;-)

    Since I had no idea how to rip the key from .aspr (is the API calculated each time the same way?), and since the emu seems to be modified each time I tried to follow the code, maybe this will work too?

    Tried for imagedupes and win98 only, however
    Attached Files

  9. #9
    wow, is it a tracer? Some comments would be good (wonder why few ppl put comments on their code)... I have only coded a tracer with the debug API only.. so it is a good exercise to look at this code... pretty long though :/...

    Any reason why this is win98 only???

    Hobgoblin: error 204 = Invalid pointer, which you will probably see a lot because aspr inserted lots of junk values in between the First Thunks, so of course the plug-in will report error 204.. you must check on the valid pointers pointing to a redirected API routine... take note that the First Thunks are quite spread out, pretty far apart, so make sure you get your IAT range right...

    cheers
    crUsAdEr
    Last edited by crUsAdEr; November 22nd, 2002 at 23:30.
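
    The two things described above, norby's stub that executes a copy of the API's prologue and then jumps into kernel32 past it, and crUsAdEr's note that junk values between the First Thunks show up as "invalid pointer", can be demonstrated with a small resolver. The code below is an added example, not code from the thread or from either posted plug-in. The 19-byte prologue is my own encoding of the instructions in norby's listing and the CreateFileA address comes from that listing; the GlobalUnlock address, its bytes, the stub addresses and the "already resolved" slot are constructed placeholders, not real Win98 kernel32 contents.

```python
import bisect
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Export:
    name: str
    address: int
    code: bytes  # leading bytes of the function (constructed sample data below)


@dataclass
class Resolution:
    name: str
    address: int  # true start of the API: the value that belongs in the IAT
    skipped: int  # bytes of the API the stub executed itself before jumping in


class ExportTable:
    """Exports of one module, sorted so a mid-function address maps back to its API."""

    def __init__(self, exports: List[Export]) -> None:
        self.exports = sorted(exports, key=lambda e: e.address)
        self.addresses = [e.address for e in self.exports]

    def locate(self, target: int) -> Optional[Export]:
        i = bisect.bisect_right(self.addresses, target) - 1
        if i < 0:
            return None
        exp = self.exports[i]
        # Only accept targets inside the bytes we know for that export.
        return exp if target - exp.address < len(exp.code) else None


def jmp_rel32(src: int, dst: int) -> bytes:
    """Encode a JMP rel32 located at src that lands at dst (used to build the samples)."""
    return b"\xE9" + struct.pack("<I", (dst - (src + 5)) & 0xFFFFFFFF)


def read(memory: Dict[int, bytes], address: int) -> Optional[bytes]:
    """Return the bytes from address to the end of its region, or None if unmapped.

    Each region in the constructed memory map holds exactly one stub (assumption).
    """
    for start, data in memory.items():
        if start <= address < start + len(data):
            return data[address - start:]
    return None


def resolve_thunk(thunk: int, memory: Dict[int, bytes], table: ExportTable) -> Optional[Resolution]:
    """Map one IAT slot value back to the API it really calls.

    Returns None for an invalid pointer (junk between the thunks) or for code
    that is not a redirect stub, the situation the thread reports as error 204.
    """
    if thunk in table.addresses:  # slot already holds the real API address
        exp = table.locate(thunk)
        return Resolution(exp.name, exp.address, 0)
    stub = read(memory, thunk)
    if stub is None or len(stub) < 5 or stub[-5] != 0xE9:
        return None
    (rel,) = struct.unpack("<i", stub[-4:])
    target = (thunk + len(stub) + rel) & 0xFFFFFFFF
    exp = table.locate(target)
    if exp is None:
        return None
    skipped = target - exp.address
    # The stub must have executed exactly the bytes it then skips in the API;
    # this guards against a target that merely lands near another export.
    if stub[:-5] != exp.code[:skipped]:
        return None
    return Resolution(exp.name, exp.address, skipped)


# Constructed sample data.  PROLOGUE is my encoding of the instructions shown in
# the thread (PUSH EDI / PUSH 127h / SUB EDX,EDX / PUSH BFFA191Fh /
# PUSH FS:[EDX] / MOV FS:[EDX],ESP); everything else below is a placeholder.
CREATEFILEA = 0xBFF77ADF   # from the listing in the first post
GLOBALUNLOCK = 0xBFF7C000  # placeholder address
PROLOGUE = bytes.fromhex("57 6827010000 2bd2 681f19fabf 64ff32 648922")  # 19 bytes
KERNEL32 = ExportTable([
    Export("CreateFileA", CREATEFILEA, PROLOGUE + bytes.fromhex("8b7c2414 2bc0 8d48ff")),
    Export("GlobalUnlock", GLOBALUNLOCK, bytes.fromhex("55 8bec")),
])
MEMORY = {
    # stub at 00A0068C: runs the prologue itself, then JMP BFF77AF2 (19 bytes in)
    0x00A0068C: PROLOGUE + jmp_rel32(0x00A0068C + len(PROLOGUE), CREATEFILEA + len(PROLOGUE)),
    # stub that jumps straight to the start of the API, as seen for GlobalUnlock
    0x00A00700: jmp_rel32(0x00A00700, GLOBALUNLOCK),
}

if __name__ == "__main__":
    for slot in (0x00A0068C, 0x00A00700, 0x00000127, CREATEFILEA):
        print(f"{slot:08X} -> {resolve_thunk(slot, MEMORY, KERNEL32)}")
```

    The resolver maps the jump target to the export that contains it and then checks that the bytes the stub executed equal the bytes it skipped, which is what distinguishes a genuine redirect from a pointer that happens to land inside some other function. A slot value that is not mapped at all, like the junk 0x127 between thunks, simply resolves to nothing, so the IAT range can be narrowed to the slots that do resolve.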

  10. #10

    Figured it out...

    Hi crusader,
    I figured it out. I'm just a little bit impatient sometimes. ...
    I unpacked it successfully, and it runs smoothly...
    But when I tried your plugin, I got error 205. After cutting away all the invalid thunks, I used a plugin tracer named aspr13.dll, and all imports except 4 got resolved. These I traced manually. Is it you that wrote the tracer plugin too?

    regards,
    hobgoblin

  11. #11
    Hi Hobgoblin,

    Nah.. the plug-in tracer is written by Servil.. all credit goes to him...

    Funny, cos my plugin doesn't have error code 205??? at least not the one posted above... are you using the same one as above :>??

  12. #12

    Well...

    Hi Crusader,
    I might have used another one.
    I'll check it out later on. It seems like I mixed yours with another one (older).

    regards,
    hobgoblin

  13. #13
    hobgoblin:

    Perhaps yours is the second version of +Spl/\j's from October which appeared in the thread "RV tracer seems not work on... "

    Regards.
    JMI

  14. #14
    _Servil_
    Guest

    Re: Figured it out...

    Originally posted by hobgoblin
    ...and all imports except 4 got resolved. These I traced manually.
    hi hobgoblin, about the unresolveds, those are my bugs, sorry about that, anyhow I'm glad to hear it worx..

  15. #15


    Crusader !!

    Your plug-in works fine for me, on Win2K; all Kernel.dll APIs were resolved with your plug-in (nothing needed to be resolved manually)

    but, as Hobgoblin said, with Servil's several APIs in Kernel.dll stayed unresolved, and I don't know what is with Comctl32.dll
    because I didn't try it after.

    For those who couldn't find the IAT, here it is

    Regards Soldat
    Attached Files
