
Thread: dll Asprotected

  1. #1
    mR_gANDALF
    Guest

    dll Asprotected

    I was playing with a nice tool, PatchFactory from http://www.patchfactory.com/, that lets you try it for 30 days. Borland C++ 6, not packed, with a little nag before the start of the proggie. No packing, no antidebugging, just a time protection scheme based on the registry. But, first surprise: the keys keeping time of the trial rest on an ASProtect key. So, is it an only-registry ASProtect protection? No packing? Sadly not. There is a df.dll that is in fact asprotected. Anyway, it is easy to locate the comparison regarding trial, end of trial and regged version. But how to change it? No loaders working (fuckfmn from smola - I really like this - or the yoda loader). AsprStripperXP 1.35 not working, tried all options and traced the dumped (heap of shit). Tried to unpack the dll and rebuild the IAT. It seems easy, emulated and redirected APIs as usual. But then ... LoadLibraryA doesn't find the new OEP of the dll. Ah!... maybe I have to change the import section of the exe file. Second surprise: no df.dll imported library in the vp.exe import section. How is this possible? I can trace through the LoadLibraryA call within vp.exe to df.dll. Even more, it looks clear that this dll is responsible for the trial and the nag. It is the first time I see something like this. Any clues?

    Thz

    mR_gANDALF
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Shoob
    Guest
    1023481 JMP EAX

    10003873 PUSH EBP
    10003874 MOV EBP,ESP

    44CCE0 is the call to LoadLibraryA of df.dll...
    Last edited by Shoob; April 10th, 2003 at 18:01.

  3. #3
    mR_gANDALF
    Guest

    The question is...

    How to unpack this dll?

    The key point of the protection is in F93D23 jz (either in W98 or WinXP on my comp). This is the RVA of the asprotect code. I guess that unpacking that dll would reverse the protection, given that it is the only asprotected file in the program. Any clues?

    mR_gANDALF
    [Breaking the bRaIn]

  4. #4
    Since the DLL is loaded by the main prog, and the main prog itself is not packed, can't you allow the main prog to load it and then patch the unpacked process image from the main prog? This would seem the easiest way to handle it.

  5. #5
    Shoob
    Guest
    Set a bp on 10003873, dump the dll, change the OEP and rebuild the IAT for the dll. The question is, has anyone ever rebuilt an IAT for a .dll file?
    Last edited by Shoob; April 11th, 2003 at 17:27.

  6. #6
    A little late, and Shoob's been trying to tell us this was pretty easy.... but here is some info...

    IAT Start: 09000 (RVA) BASE: 010000000
    End: 09110 (RVA)
    Length: 110

    Fix it!

    Dip-Table at address: 1016988
    100023B0 100022F0 0 0 10002420 0 0 0 0 0 0 0 0 0

    Jump over all of those!

    Jump to OEP at: 1023048 ( Code: 61FFE000 4C300201 )
    OEP at: 10003873 reached from 1023049

    Dump?

    /Manko

  7. #7
    Shoob
    Guest


    I'm a junior; thanks for the suggestion, Manko.

  8. #8
    Now I see you posted the question, had anyone ever rebuilt an IAT for a dll... Actually, I had not. And until I finally saw that button in the upper right corner of ImpREC, I didn't know how...

    ...and about those dips... I'm guessing they don't matter much. Skip or not... I think it won't do much difference, but I did...

    /Manko
    Last edited by Manko; April 11th, 2003 at 17:49.

  9. #9
    Shoob
    Guest
    Every day a new fact for me. I'm new to this, but this dll thingie is a nice option.

    rva: 9034, 9068 aren't reachable (hook and tracer freeze ImpREC). An idea without SoftICE?
    Last edited by Shoob; April 12th, 2003 at 06:49.

  10. #10
    Hmm... I guess you're trying to use option 2 & 3 tracer? Don't use them. They are not needed, and often do not work.

    Use plugins to resolve asprotect special emulated apis instead. Or do them manually.

    It worked perfectly for me. I have it unpacked and running, so we need to figure out what goes wrong for you.

    Plugins exist in this forum if you search.

    If this is not it, explain further...

    (I guess I'd be a fool to ask if you used the button up in the right corner... since it seems you could get at them... you must have done this...)

    YUP! I just checked and those RVAs contain normal aspr-emulated APIs... do them manually, if you have not practiced this much... if you have and are bored with this bit, use a plugin.
    Of course you HAVE to use SoftICE or Olly or something else that can show you what this code looks like... also there's tons of info on these things here if you search.

    If you need more help, you can always pm me.

    /Manko
    Last edited by Manko; April 12th, 2003 at 05:28.

  11. #11
    mR_gANDALF
    Guest

    My Results

    These are my results for df.dll:

    oep: 100023B0 (Tracex)
    IAT RVA: 9000 (ImpRec)
    Size of IAT: 114 (ImpRec)
    Unresolved IAT entries (Revirgin)
    F90EF0, F91360, F91388 : False entries.
    RVA (9034) Address (F91388) -> Equivalent to Mov EAX, C000A04 (but any value will work)
    RVA (9030) Address (F913CC) -> Equivalent to push 0, GetModuleHandleA, Mov Eax, 81985580 (on my comp this is a pointer to the name of the exe loading the dll)

    Then I dump the dll at its OEP (icedump). Then dump the IAT from Revirgin, make a new section in df.dll to inject the rebuilt IAT, and redirect 9030 and 9034 to a graft with the equivalent code. Then redirect the OEP of vp.dll and the IAT address.

    But tracing through the LoadLibraryA call within vp.exe takes you to an odd RVA, not 100F001 as in the original dll or the new OEP set in the LordPE editor. Then I thought maybe I should also change the df.dll function addresses imported by the exe file. But when looking at the imported functions in vp.exe, the surprise is that df.dll doesn't appear.

    That's how the story is.
    Surely I'm doing something wrong. Need clues.
    Last edited by mR_gANDALF; April 12th, 2003 at 12:25.

  12. #12

    Re: My Results

    Hi!

    Originally posted by mR_gANDALF
    These are my results for df.dll:

    oep: 10001014 (Tracex)
    IAT RVA: 9000 (ImpRec)
    Size of IAT: 114 (ImpRec)
    Unresolved IAT entries (Revirgin)
    F90EF0, F91360, F91388 : False entries.
    RVA (9034) Address (F91388) -> Equivalent to Mov EAX, C000A04 (but any value will work)
    RVA (9030) Address (F913CC) -> Equivalent to push 0, GetModuleHandleA, Mov Eax, 81985580 (on my comp this is a pointer to the name of the exe loading the dll)

    Then I dump the dll at its OEP (icedump). Then dump the IAT from Revirgin, make a new section in df.dll to inject the rebuilt IAT, and redirect 9030 and 9034 to a graft with the equivalent code. Then redirect the OEP of vp.dll and the IAT address.

    But tracing through the LoadLibraryA call within vp.exe takes you to an odd RVA, not 100F001 as in the original dll or the new OEP set in the LordPE editor. Then I thought maybe I should also change the df.dll function addresses imported by the exe file. But when looking at the imported functions in vp.exe, the surprise is that df.dll doesn't appear.

    That's how the story is.
    Surely I'm doing something wrong. Need clues.

    OEP is wrong. The address you found is just the address where aspr-code checks to see if the section is executable. It was a simple ret when you found it.

    How do you mean those are false IAT-entries?!

    And the way you resolved those 2 other APIs... Hmm...

    Read up good on asprotect and things will become clearer.

    The fact that you don't see df.dll in the imports of vp.exe is simply that it's not done that way here. You always have a choice when you build a program. Either put it in the import table or load it with code. This program's code loads the dll and then uses APIs to get the addresses of the functions in it.

    /Manko
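Manko's point above (and the import-table confusion in the "My Results" post) comes down to how the PE loader sees a module: only link-time imports are recorded in the import directory, while a DLL bound with LoadLibraryA and GetProcAddress leaves no trace there. The following walker, an added example rather than code from this thread or any tool it names, parses the import directory of a PE file, and builds its own constructed sample (a minimal PE32 with an .idata section and no code) to run against. The section RVA/offset, the import lists, and the `uses_runtime_loading` heuristic are all assumptions made for the example.

```python
import struct

# Layout of the constructed sample: one section mapped at RVA 0x2000 and
# stored at file offset 0x200. Both are arbitrary choices for this example.
SECTION_RVA = 0x2000
SECTION_RAW = 0x200


def build_sample_pe(imports):
    """Build a minimal PE32 file in memory whose only payload is an import
    directory for `imports` ({dll: [function, ...]}). Constructed sample,
    not a real binary: no code, no entry point, just enough for a parser."""
    sec = bytearray()

    def put(blob):                      # append to the section, return its RVA
        rva = SECTION_RVA + len(sec)
        sec.extend(blob)
        return rva

    n = len(imports)
    desc_rva = put(b"\0" * (20 * (n + 1)))   # descriptor array, filled in last
    descs = []
    for dll, funcs in imports.items():
        # IMAGE_IMPORT_BY_NAME: 2-byte hint followed by the NUL-terminated name
        names = [put(struct.pack("<H", 0) + f.encode() + b"\0") for f in funcs]
        thunks = b"".join(struct.pack("<I", r) for r in names) + b"\0" * 4
        ilt = put(thunks)    # OriginalFirstThunk: name RVAs, never overwritten
        iat = put(thunks)    # FirstThunk: the loader patches this copy with addresses
        name = put(dll.encode() + b"\0")
        descs.append(struct.pack("<IIIII", ilt, 0, 0, name, iat))
    sec[0:20 * n] = b"".join(descs)

    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 28, 0x10000000)                  # ImageBase
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, desc_rva, 20 * (n + 1))  # data directory 1: imports
    sechdr = struct.pack("<8sIIIIIIHHI", b".idata", len(sec), SECTION_RVA,
                         len(sec), SECTION_RAW, 0, 0, 0, 0, 0x40000040)
    hdr = dos + b"PE\0\0" + coff + opt + sechdr
    return bytes(hdr.ljust(SECTION_RAW, b"\0") + sec)


def list_imports(data):
    """Walk the import directory of a PE file and return {dll: [symbol, ...]}.
    Only link-time imports live here; a DLL found with LoadLibrary and
    GetProcAddress at run time never appears in this table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                          # PE32
        dir_off, fmt, ord_flag = 96, "<I", 1 << 31
    elif magic == 0x20B:                        # PE32+
        dir_off, fmt, ord_flag = 112, "<Q", 1 << 63
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    imp_rva = struct.unpack_from("<I", data, opt + dir_off + 8)[0]  # entry 1 = imports
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
                for i in range(nsec)]

    def rva_to_off(rva):                        # map an RVA to a file offset
        for _, vsize, va, rsize, raw in sections:
            if va <= rva < va + max(vsize, rsize):
                return rva - va + raw
        raise ValueError("RVA %#x maps to no section" % rva)

    def cstring(rva):
        off = rva_to_off(rva)
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    result = {}
    if imp_rva == 0:
        return result
    desc = rva_to_off(imp_rva)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, desc)
        if ilt == 0 and name_rva == 0 and iat == 0:   # all-zero terminator
            break
        funcs, thunk = [], rva_to_off(ilt or iat)
        while True:
            entry = struct.unpack_from(fmt, data, thunk)[0]
            if entry == 0:
                break
            funcs.append("#%d" % (entry & 0xFFFF) if entry & ord_flag
                         else cstring(entry + 2))     # +2 skips the hint word
            thunk += struct.calcsize(fmt)
        result[cstring(name_rva)] = funcs
        desc += 20
    return result


RUNTIME_LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


def uses_runtime_loading(imports):
    """Triage heuristic (assumption): a module importing LoadLibrary* together
    with GetProcAddress can bind to DLLs the import table will never list."""
    names = {f for funcs in imports.values() for f in funcs}
    return bool(names & RUNTIME_LOADERS) and "GetProcAddress" in names


# Constructed sample modelled on a loader like vp.exe: df.dll is deliberately
# absent, because it is located with LoadLibraryA at run time.
SAMPLE_IMPORTS = {
    "KERNEL32.dll": ["LoadLibraryA", "GetProcAddress", "GetModuleHandleA"],
    "USER32.dll": ["MessageBoxA"],
}

if __name__ == "__main__":
    found = list_imports(build_sample_pe(SAMPLE_IMPORTS))
    for dll, funcs in found.items():
        print(dll, funcs)
    print("df.dll listed:", "df.dll" in found)
    print("may load DLLs at run time:", uses_runtime_loading(found))
```

Running `list_imports` on a real file (`list_imports(open(path, "rb").read())`) gives the same view ImpREC shows in its import list; when a DLL you can trace into at run time is missing from that view, the pairing flagged by `uses_runtime_loading` is the usual reason, and a breakpoint on LoadLibraryA, as Shoob did at 44CCE0, is how to catch the load itself.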

  13. #13
    mR_gANDALF
    Guest

    Thz Manko

    It's true, the first RVA breaking into SoftICE is a ret. Strange code to be an OEP. The next time SoftICE breaks is 100023B0, which checks the registry (I mistyped the OEP; Tracex points to 1000023B0).
    I know that functions from DLLs may be imported in those two ways (chapter 17 of Iczelion's assembler tutorials) but thought it was a possibility of error.
    I also thought that F90EF0, F91360 AND F913B4 were false entries because they are never called from the code.
    Never read anything about asprotect in a dll ONLY.

    So I guess from your words that dumping at the ret RVA and making that the OEP, and rebuilding the IAT with ALL unresolved entries (including those NEVER referenced), injecting the code and redirecting, the program should work.

    I'll try that way.

    Thanks.
    Last edited by mR_gANDALF; April 12th, 2003 at 12:28.

  14. #14
    Hi!

    I didn't mean you should read up on aspr related to dlls. I meant you needed to study IAT rebuilding in aspr, dip-handling and anything else is never bad.

    Nope! YOU mentioned 10001014 first... I explained what that was, but never suggested you should dump at it. You should dump from OEP which comes after ALL dips.

    I questioned your method to resolve IAT entries, because sometimes answers are not the same. (Like if you change system, or similar...) And you might be right about some entries NOT being used. But do you know this for sure? Have you tested ALL functions of the program, so you can know they are not being used?

    Ahh! When I look at the disassembly now, they are all used in code...

    (btw, when you have managed all, you will still notice that when you try to make patch, you get an exception... It's just the usual trick... This time, they do not even try and hide it...)

    /Manko
    Last edited by Manko; April 12th, 2003 at 18:34.

  15. #15
    Having played with AsprStripper on a few targets to check against my manual unpacking with ImpREC and/or RV, I find that AsprStripper had been identifying three "APIs" with multiple addresses.

    AsprStripper has both an "unpacking" and a "Reversing" button. The "unpacking" button will identify the three "unresolved" entries and the "reversing" button will attempt to "resolve" them. However, in reviewing the disassembly of the files when using both of the alternative methods, I did not find any additional APIs after using the "Reversing" button, and the program seemed to run fine without the three "extra" entries. ImpREC revealed nothing other than the "junk" between APIs and the usual suspects unresolved.

    I have not looked at this target yet.

    Regards.
    JMI
