[ Predator's Cave ]



sorry for the inconvenience ;>


**** iNLiNE pATCHiNG A pROGRAM pACKED WiTH ASProtect - by Predator [PC/MFD] - April 26, 2000 ****

Published by Tsehp April 2000

If you want to download this tutorial in text format, then click HERE.

Oh yes, it can be done! And in this text I will try to explain how. First of all let me tell you that the creator of this packer is quite smart (yet not smart enough) and it took me a lot of time before I finally came up with this. Greetings go to R!SC for setting me on the right track when I was lost, I finished the thing quickly after. AsProtect is a mofified version of ASPack (same creator) and it features high compression ratio, CRC Checking and SoftICE detection (hehe.. and the softice detection is something we will gladly use in this tutorial). Normally if you want inline memorypatch a target (see R!SC's excellent tutorials about it if you don't know what it means or if you don't know how to do it) you can easily overwrite some code in the file and make it jump to your patch. The problem is with ASProtect, that is uses 4 relocating layers. My first idea of doing a patch was let the program patch all the layers in memory one after another, but you'll end up with hours and hours of work and it's the question if the patch will work on all different Windows versions (different addressing in each version). No, that isn't a good solution. Then I came up with the idea of using a Timer you set at the very beginning of the program (the program entry point) that will check every millisecond if the program is unpacked -> if yes then patch and disable the timer, else just go on. Well, I tried but that didn't work. The first time the timer function runs is after the program is allready launched and the nags show up and stuff... so then it's too late to patch. Next idea, let's hook some api the unpacking procedures use and let it point to our patchcode. Forget it, it won't work since every layer has a new address pointing to the api and shit... So what is left? What the fuck can we do about this damn ASProtect? You'll be amazed at how easy it can be to inline mempatch a program packed with it.

R!SC told me the following. The REAL Program Entry Point of the file, is -hardcoded- in the exefile that is on your harddisk. This means you could overwrite the address of the PEP with the address of your patch function and in the patch function after patching jump to the PEP. But there's still the CRC check. He said he wasn't sure if it was hardcoded as well -> IT IS! So what have we got here? This is our approach:

  1. Change the Program Entry Point in the file (with your hexeditor) and change it to the address of your patch function

  2. The patch function will do this: patch the program, then jump to the real program entry point.

  3. Launch the program, grab the NEW crc (after the patches to the file have been made) and write it to the file again so it's updated.

And yes, this works!!

Target: Awave Studio v7.0
Target URL: http://www.fmjsoft.com/download/awave70.zip (about 670 kb)
Protection: NAGS and such (we'll just disable the nag) + packed with ASProtect

Ok girls here we go ;> First of all, let's gather some information we need. We need first of all the real program entry point and we have to make it go to the address of our patch. If you run Awave, you'll see there's a softice detection. Enter softice -> bpx _lopen. Run awave again, you'll see there are 2 calls to _lopen. Play with those 2 jumps and the softice check is history. Ok now, we're allready close to the program entry point. Hit F12 for 3 times, and then start tracing with F10. At a certain time (watch carefully) you'll see that EAX=004A71E7. The program does a PUSH EAX and then a RET. This means it will just go to the program entry point and asprotect is not doing anything anymore the program just runs. Well, our program entry point is 4A71E7. Let's search for that with our hexeditor in awave.exe! You'll quickly notice if you search for the bytes 4A71E7 you won't find it. Remember you gotta use reverse order? Search for: E7 71 4A... holy crap, still nothing found. Hehe.. thing is, the file contains the program entrypoint - image base (which is almost always 400000) so what is left: 4A71E7 - 400000 = A71E7. Then we still gotta use reverse order, so this is what we are going to search for (and you'll find it this time): E7 71 0A. Fear! Now we can change that to the location of our patch code. I use offset 320 (which will be VA: 400320). So we replace the bytes E7 71 0A with: 20 03 00. Now, if you run the program, it will go to the address 400320 instead of the programs real entrypoint! So what we do next: put the patch at offset 320. I won't explain how to remove the nagscreen but I found it very quickly, nop 2 bytes at address 4644D9. My patch at offset 320 looks like this (in HIEW):

00000320 66C705D94446009090 mov w,[0004644D9],09090 (patch the program)
00000329 68E7714A00 push 0004A71E7 (push the real program entry point)
0000032E C3 retn (return to real program entry point)

Ok so, what we have now is this. If you run the program -imagine there isn't a crc check now- ASProtect will do it's work with unpacking and shit and eventually it will jump to our patch instead of the program entry point. The patch will do it's work on the program code, and then go to the program entry point as if nothing happened.

As I said, imagine there is no CRC check. Because there is, we gotta defeat that too. If you'd run the program now, the CRC check will kick you in the nuts :> As said before, the CRC is also hard coded in the exefile. So, we gotta find the comparing between the current crc and the crc the file -should- have and then write the current crc to the file (replace the old one). Then we are home free and we have defeated ASProtect! Ok, you wonder now where the fuck you would find the CRC check. Well, again enter softice and type bpx _lopen. Run awave, and play with the flags to disable softice check. Press F12 only once and step a few times. You'll see a compare between EAX and EBP-8 (if I'm not mistaken). The funny thing is that EBP-8 holds the CRC the file should have, and EAX holds the crc the file has now. Write them both down and exit softice and awave. Hexedit Awave.exe again, and search for the bytes (in reverse order) of the original CRC. The original CRC = 767583A8 so we search for: A8 83 75 76. Hehe, it will be found. Then overwrite those bytes (don't forget that reverse order!) with the new CRC. For me, the new CRC was: 53238D77 so we write: 77 8D 23 53. Exit hiew. Now, because we don't want any crap at all, run FrogsICE so you don't have to manually disable the softice check.

Run Awave.exe, the program will run and it won't show the nag !!! You (or better say: we:) did it !!!!
Again, a ready made protection bytes the dust. I have to admit this one didn't go down that fast, but we all know there's nothing like an impossible to crack protection and this quite proves it I think :-)

Greetings: Well I especially greet R!SC for putting me on the right path, but ofcourse also all the people in Phrozen Crew and Manifest Destiny. I can't forget to mention the hardcore crackers in #cracking4newbies.. furthermore all the people I hangout with on IRC but I won't mention any names because the ones I accidentally forgot would kick me in the nuts for it ;>
Hiyaz to all of you!

Signing off,

   Predator [PC/MFD]