
Thread: new aspr 1.31 un-dumpable?

  1. #1

    new aspr 1.31 un-dumpable?

    readme content:

    1. New EntryPoint Protection
    This improved option now uses advanced technique for changing the
    part of application and placing it to the envelope's code. Original
    code content is changing through emulation and polymorphic replacement.
    Since this version EntryPoint protection uses a Virtual Machine, which
    makes the removal or recovering of original code practically impossible.

    <---- P-CODE ?



    2. Emulate Standard system functions. One more good option against manual
    unpacking - ASProtect just removes some common functions from protected
    application and executes them in the envelope code.
    You can change this option via the Option Tab ("Emulate Standard
    system functions" option).

    3. New ASProtect polymorphic markers (for EXE files only !)
    By using this marks you could protect any code inside your application.
    In order to use new marks, you need to insert one mark instance at any
    place of the code inside function you would like to protect.


    and a simple function

    before protecting:
    Code:
    00401F44   $  68 981F4000   push    test.00401F98
    00401F49   .  64:A1 0000000>mov     eax, dword ptr fs:[0]
    00401F4F   .  50            push    eax
    00401F50   .  8B4424 10     mov     eax, dword ptr ss:[esp+10]
    00401F54   .  896C24 10     mov     dword ptr ss:[esp+10], ebp
    00401F58   .  8D6C24 10     lea     ebp, dword ptr ss:[esp+10]
    00401F5C   .  2BE0          sub     esp, eax
    00401F5E   .  53            push    ebx
    00401F5F   .  56            push    esi
    00401F60   .  57            push    edi
    00401F61   .  8B45 F8       mov     eax, dword ptr ss:[ebp-8]
    00401F64   .  8965 E8       mov     dword ptr ss:[ebp-18], esp
    00401F67   .  50            push    eax
    00401F68   .  8B45 FC       mov     eax, dword ptr ss:[ebp-4]
    00401F6B   .  C745 FC FFFFF>mov     dword ptr ss:[ebp-4], -1
    00401F72   .  8945 F8       mov     dword ptr ss:[ebp-8], eax
    00401F75   .  8D45 F0       lea     eax, dword ptr ss:[ebp-10]
    00401F78   .  64:A3 0000000>mov     dword ptr fs:[0], eax
    00401F7E   .  C3            retn

    and after protection:
    Code:
    00401F44   $- E9 A13D4F00   jmp     008F5CEA
    CRAP
    00401F7E      4D            db      4D

    jumptarget:
    Code:
    008F5CEA    68 64BC735E     push    5E73BC64
    008F5CEF    66:9C           pushfw
    008F5CF1    57              push    edi
    008F5CF2    8D7C4B 78       lea     edi, dword ptr ds:[ebx+ecx*2+78]
    008F5CF6    8D7C37 88       lea     edi, dword ptr ds:[edi+esi-78]
    008F5CFA    2BFE            sub     edi, esi
    008F5CFC    EB 01           jmp     short 008F5CFF
    008F5CFE    F3:             prefix rep:                  ; Superfluous prefix
    008F5CFF    8D7C51 2B       lea     edi, dword ptr ds:[ecx+edx*2+2B]
    008F5D03    8D7C0F D5       lea     edi, dword ptr ds:[edi+ecx-2B]
    008F5D07    2BF9            sub     edi, ecx
    008F5D09    F3:             prefix rep:                  ; Superfluous prefix
    008F5D0A    EB 02           jmp     short 008F5D0E
    008F5D0C    CD 20           int     20
    008F5D0E    13FE            adc     edi, esi
    008F5D10    8D7C0C 3B       lea     edi, dword ptr ss:[esp+ecx+3B]
    008F5D14    2BF9            sub     edi, ecx
    008F5D16    8D7C37 C5       lea     edi, dword ptr ds:[edi+esi-3B]
    008F5D1A    2BFE            sub     edi, esi
    008F5D1C    8D7F 06         lea     edi, dword ptr ds:[edi+6]
    008F5D1F    68 BED4ACD1     push    D1ACD4BE


    is this still dumpable?
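
Added example, not part of the original post: a short Python triage of the two listings above. It decodes the `E9` jump that replaced the function prologue, checks whether the target leaves the module image, and reports the junk bytes that the stub's short jumps step over. `IMAGE_BASE` and `IMAGE_SIZE` are assumed values (the thread does not give the module size); the instruction bytes are copied from the post.

```python
import struct

# Bytes copied from the listings in the post above.
ENTRY_ADDR = 0x00401F44
ENTRY_BYTES = bytes.fromhex("E9A13D4F00")
STUB = [  # (address, instruction bytes) at the jump target
    (0x008F5CEA, "6864BC735E"), (0x008F5CEF, "669C"), (0x008F5CF1, "57"),
    (0x008F5CF2, "8D7C4B78"), (0x008F5CF6, "8D7C3788"), (0x008F5CFA, "2BFE"),
    (0x008F5CFC, "EB01"), (0x008F5CFE, "F3"), (0x008F5CFF, "8D7C512B"),
    (0x008F5D03, "8D7C0FD5"), (0x008F5D07, "2BF9"), (0x008F5D09, "F3"),
    (0x008F5D0A, "EB02"), (0x008F5D0C, "CD20"), (0x008F5D0E, "13FE"),
]
# Assumed for illustration: the page does not give the module's size.
IMAGE_BASE, IMAGE_SIZE = 0x00400000, 0x00010000


def jmp_rel32_target(addr, code):
    """Return the target of a 5-byte E9 near jump, or None if not one."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    (rel,) = struct.unpack_from("<i", code, 1)   # signed displacement
    return (addr + 5 + rel) & 0xFFFFFFFF


def leaves_image(target, base=IMAGE_BASE, size=IMAGE_SIZE):
    """True when the target is outside the module's mapped image."""
    return not (base <= target < base + size)


def skipped_by_short_jumps(listing):
    """For each forward EB rel8 jump, return (jmp_addr, target, skipped hex)."""
    flat = {}
    for addr, hexbytes in listing:
        for i, b in enumerate(bytes.fromhex(hexbytes)):
            flat[addr + i] = b
    found = []
    for addr, hexbytes in listing:
        raw = bytes.fromhex(hexbytes)
        if len(raw) == 2 and raw[0] == 0xEB and 0 < raw[1] < 0x80:
            start, target = addr + 2, addr + 2 + raw[1]
            skipped = bytes(flat[a] for a in range(start, target) if a in flat)
            found.append((addr, target, skipped.hex().upper()))
    return found


if __name__ == "__main__":
    target = jmp_rel32_target(ENTRY_ADDR, ENTRY_BYTES)
    print(f"entry jmp -> {target:08X}, outside image: {leaves_image(target)}")
    for addr, tgt, junk in skipped_by_short_jumps(STUB):
        print(f"{addr:08X}: jmp short {tgt:08X} skips bytes {junk}")
```

The bytes each short jump skips (`F3`, `CD 20`) are the ones the disassembler rendered as "prefix rep:" and `int 20` in the listing; they are never executed.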

  2. #2
    Perhaps if you followed the instructions in the FAQ, found in the BIG RED LETTERS, you might already have the answer to your own question. Searching with "asprotect 1.31" (without the quote marks) would find you a thread on this forum with a link to a thread on the exetools forum, where something using this version of ASPR, and its unpacking, is discussed.

    That's why we have a Search button and why one should follow the rules to use it BEFORE asking a question.

    Regards,
    JMI

  3. #3
    Is there anything new? So-called "Virtual Machine" were used by some commercial protectors before.
    :D WARNING: Shareware authors are reading your detailed discussions without paying you! :D

  4. #4
    Registered User
    Join Date
    Oct 2001
    Location
    Norway
    Posts
    138

    Yes, but...

    I agree on what JMI says about searching. But the question raised is interesting. I'm familiar with the solution outlined by britedream, and the thread about this on exetools. But the question is: has anyone (else) managed to successfully unpack this version? I haven't seen anybody posting a solution to this yet....

    regards,
    hobgoblin

  5. #5
    lol... well aspr nanomite is still in its infantile stage... not as convoluted as arma yet... an unpacker is slightly trickier to code since the poly engine used is pretty decent so i guess that is why sydx hasnt rls an unpacker yet!

  6. #6
    Shoob
    Guest
    You mean ASProtect v.1.31 build 06.14? That was no problem for me ... let me know if a newer version is available.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  7. #7
    There are a few places where they claim to have a copy of Asprotect v2.0 Build 06.23 Alpha. And I have seen discussion of that version listed in Russian and Vietnamese. Searching is usually how such things are found.

    Regards,
    JMI

  8. #8
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Quote:
        You mean ASProtect v.1.31 build 06.14? That was no problem for me ... let me know if a newer version is available.

    The virtual machine feature is only optional, so your target might not have had it activated, even though it used that Asprotect version. Actually, the VM feature in this new Asprotect version is quite buggy, so it is even likely that it wasn't activated in that target.

    And yes, I can confirm the existence of Asprotect 2.0 alpha.

  9. #9
    try to dump this

    notepad, aspr 1.31.5.18

  10. #10

    Hi JMI

    Hi JMI,
    Maybe I'm misunderstanding you when you wrote: "There are a few places where they claim to have a copy of Asprotect v2.0 Build 06.23 Alpha".
    If you mean that they have successfully unpacked v2.0, that's quite possible. It's packed with Aspack, and is easily unpacked in 3 minutes.
    I'm wondering why nobody seems to have posted a solution to how to unpack a program protected with v1.31 (or v2.0) (as for instance the latest version of WhereIsIt). And of course another way of doing it than britedream described for us. If there is another way.

    regards,
    hobgoblin

  11. #11
    The reference to "where" is a place you visit that claims to have a copy of that version for download. One place which claims to have a tut on version 2 is cracklatinos.

    Regards,
    JMI

  12. #12

    Hi

    Hi JMI,
    Yeah, I figured that out. I actually downloaded v2.0 from there a while ago. I was merely talking about a tut on how to unpack v2.0 protected programs.

    regards,
    hobgoblin

  13. #13
    There is, indeed, one on the cracklatinos site. hint = 249.

    Regards,
    JMI

  14. #14

    Hi JMI

    Hi again,
    Thanks for the info, JMI, appreciate it.
    But I can't find it. I have traced through all the pages at the site, but can't find anything related to 249.
    Are you referring to another site than "crackslatinos.hispadominio.net"?

    regards,

  15. #15
    Yes, I am referring to that site. Maybe you should recall that Ricardo's tuts were numbered when he was discussing ARMA and, then, perhaps look in the "/miembros/teorias" section for the number I suggested. I could just post the full path, but that would be cheating, wouldn't it????

    Regards,
    JMI
