@$@$#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@@$@ @#$#$@
        @@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@  @#$#$#$@
         @@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#$@ @#$#$@
          @#$@ 
          @#$@       @$@$@$@$@ @$@$@ $@$@$ @$@$@ $@$@$   @#@#@#@#@@ @$@$@ $@$@$ @$#$#$#@
          @#$@      @#$#$#$#$@@ @#$#$#$#$#$ @#$#$#$#$#$ @$#$#$#$#@@@ @#$#$#$#$#$ @#$#$@
          @#$@    @ @#@#@#@#@#@ @#$@$#$#@@@ @#$@$#$#@@@ @#@@    @#$@ @#$@$#$#@@@  @$#@
          @#$@#$#$@ @#@#   #@#@ @#$@ @@@    @#$@ @@@    @$@     @#$@ @#$@ @@@     @$#@
          @#$@@#@#@ @#@#@#@#@#@ @#$@ @@     @#$@ @@           @#@#$@ @#$@ @@      @$#@ 
          @#$@#$#$@ @$@$@$@$@$@ @#$@        @#$@         @@#@@#@#@#@ @#$@         @$#@
          @#$@    @ @$@#        @#$@        @#$@        @#$#$#$#$#$@ @#$@         @$#@
          @#$@      @$@#        @#$@        @#$@        @#$@    @#$@ @#$@         @$#@
          @#$@      @#@#@#@#@#@ @#$@        @#$@        @#$@#$#$#$#@ @#$@         @$#@
          @#$#@     @$@$@$@$@$@ @#$#@       @#$#@       @#$@#@#@#@#@ @#$#@       @#$#$@
        @#@#@#@#@    @#@#@#@#@ @#@#@#@     @#@#@#@       @#@#@#@#@# @#@#@#@     @$#$#$#@  
                            Visit: http://cracking.accessroot.com
Genere Unpacking ASProtect
Target Advanced PDF to HTML Converter v1.5
Target URL http://grinders.withernsea.com/tools/pdf2ht15.rar
Tools OllyDbg 1.10 Step 2, ImpRec, LordPE, PEiD, Hide Debugger
Protection ASProtect 1.22 - 1.23 Beta 21 -> Alexey Solodovnikov
Level Beginner
OS Requirement Windows XP (Target Unpacked On XP), 800X600 Res.
Author Ferrari, 17th June 2004

                                                                  

.:: Introduction ::.
         Special thanks to Britedream, R@dier, cl0ud aka Mephist0 for their excellent and easy to follow tutorials on ASPR. This tutorial is my contribution to the ARTeam - OllyDbg Tutorials Collection. In this tutorial I shall cover the steps on how to manually unpack ASProtect 1.22 - 1.23 Beta 21.
 So all you expert reverse engineers, if you find my tutorial boring then just do an unconditional jump to the end of this tutorial ;-) But all you newbie - wannabe unpackers  enjoy reading my tutorial and don't fall asleep ;-) 

 Most developers these days use protectors/compressors on their programs to try and thwart people from reversing them and seeing how they work. Unpacking has become an integral part of reversing; while there are many unpackers available, learning to manually unpack a program is a skill we all need.
       

  "There can be no protection, that will never be cracked -- this truth is not worth arguing with."       

--- Alexey Solodovnikov ---

 

 

.:: Finding Original Entry Point (OEP) ::.

            Ok, let's start our mission ;-) But before we fire up Olly make very sure you copy the "HideDebugger.dll" plugin into the "plugins" folder. Also don't forget to edit your "ollydbg.ini" file to enter the full path to your plugins folder, i.e.   'Plugin path= 'X:\....\plugins'.

     Now let's fire up Olly. Well, now hit F3, locate 'pdf2html.exe.exe', Open. You will get some Entry Point Alert. Hit 'OK' then 'Yes'.  Before proceeding in Olly click on Options-->Debugging options-->Exception Tab. Refer to Fig.1 for the correct settings.  These settings are very important to get to the OEP.

         

      Fig.1

00401000 > 68 01505200 PUSH pdf2html.00525001<---------- You are initially here
00401005 |. E8 01000000 CALL pdf2html.0040100B
0040100A \. C3 RETN
0040100B $ C3 RETN


 

      Now after setting the exceptions, back in main CPU window hit Shift+F9 once and then hit Ctrl+B. Refer Fig.2     

Fig.2

      When you hit OK you will see the code below. Put a BP (F2) on the second CALL. This "CALL" is called 'The Magic CALL'. It will fix most of the IAT for us :-)     

00B5264C E8 53FCFFFF CALL 00B522A4
00B52651 E8 8AFEFFFF CALL 00B524E0<-------------- Put BP here
00B52656 8B17 MOV EDX,DWORD PTR DS:[EDI]<---------- You will land here

     After putting BP on the Magic CALL hit Shift+F9 19 times and Olly will break at our Magic CALL. Now refer the figures for next steps.     

Right Click-> Binary-> Fill with NOP's



Hit Shift + F9 once and then hit " - " key and then select all the NOP's and hit "Alt+Backspace" to undo changes.

     After you undo the changes hit Shift+F9 7 times and you are at the last exception. If you hit Shift+F9 one more time then the target will run, so be careful and don't hit Shift+F9. What you see now is the ASPR code and our aim is to get into the target code, i.e. the OEP, and we are now close to it :-)

Note: Now if you are a newbie you may wonder why we put all these break points and so on. Because we are single stepping through the code to see what it is doing. For example, when you are watching a movie and something happens in a flash, your eyes fail to notice it. So what do you do? You switch to "Slow motion" :-) Exactly the same logic is used here. When you hit F9 (play button on your remote control) the program runs and you don't know how the code was executed. When you put break points (pause button on remote control) and hit F9 the program code is executed and as soon as it reaches the BP it will stop. And we use the F7 and F8 keys (slow motion buttons on remote control) to single step through the code.  

  Ok now back to the last exception. Scroll down till the RETN and put BP(F2) on it and hit Shift+F9 and Olly will break on the RETN.

     Now hit Alt+M to open the Memory Window. For instructions refer Fig.3    

     After putting BP on code section close this memory window and back in main CPU window, now hit only the " F9 " key once and you land at the fake OEP (if you set the exceptions correctly earlier). Above this fake OEP are the Stolen bytes or the missing bytes which we will have to find and reinsert in the unpacked target.

00464E70    00 DB 00<---------- Stolen Bytes start and Real OEP
00464E71    00 DB 00
00464E72    00 DB 00
.
.

.
00464E95    00 DB 00<---------- Stolen Bytes End
00464E96    FF DB FF <--------- Fake OEP
 

     Oh my god so many stolen bytes...eek!!! Easy to find trust me :-) We will find the stolen bytes later. DON'T close Ollydbg. Now open LordPE and dump the target full.

.:: Fixing The Import Address Table (IAT) ::.

     Ok after dumping the unpacked target from memory to hard disk, open Imprec since we have to fix the Import table which ASPR destroys. So don't try to run the dumped file. It will crash ;-)

In Imprec enter the OEP like this:                                                   EP = Fake OEP - base = 00464E96 - 00400000 = 00064E96

     That's it. Now click on the "Fix Dump" button-> select and double click on our dumped.exe. A new exe, viz. "dumped_.exe", will be created in the target folder. Don't run it yet. It will crash too since we have not inserted the stolen bytes :-P

 

.:: Finding And Inserting The Stolen Bytes ::.

     Okay now comes the fun part. So refresh yourself, make yourself comfortable and fasten your seat belts. :-P

 The easiest way to find the stolen bytes is when you land on the Fake OEP, click on View-> Run Trace and scroll down till you find EBP=ESP. But in this case the trace log is empty. So now another way to find the stolen bytes.

    Close Imprec and restart Ollydbg. Load the target again in Olly and this time don't go to the Magic Call. Make your way straight to the Last Exception. Put a BP on the RET and hit Shift+F9, Olly breaks. When Olly breaks at the RETN hit F7 to trace into the RET and see this code:

Note: For newbies. The addresses, i.e. 00B6504C etc., will be different in your case and every time you load the target in Olly. So don't panic and always keep your eye on the byte patterns from now on, e.g. see the jump below, i.e. E9 87090000

00B6504C /E9 87090000 JMP 00B65E7C<----------------------- Hit F7 Again
00B65051 |8CAF B9CCC78D MOV WORD PTR DS:[EDI+8DC7CCB9],GS
 

     Keep tracing with F7 till you reach this JNZ where you will loop. To get out of this loop put a BP below it and hit Shift+F9

Note: After you get out of the loop hit Alt+B and remove the BP(del).

00B65A65 ^\0F85 EDFFFFFF JNZ 00B65EFC
00B65A6B 6A 50 PUSH 50 <---------------- Put BP here.
 

     The code you see is all trash ASPR code which is decrypting. So keep tracing with F7 only (don't use F8) till you reach here and again you will loop so put BP below JNZ to get out of the loop:

00B65B99 ^\0F85 61FFFFFF JNZ 00B65FA4
00B65B9F 66:81DD 1BDB SBB BP,0DB1B <---------------- Put BP here

 

     Keep tracing with F7. Still you see the trash code. We are looking for the OEP (stolen bytes) Again you get into a loop so again put BP below JNZ (don't forget to remove the earlier BP)

00B65D32 ^\0F85 C8FDFFFF JNZ 00B65FA4
00B65D38 C0D2 E0 RCL DL,0E0 ; Shift constant out of range 1..31 <------ Put BP here

 

00B65D71 /0F85 00000000 JNZ 00B65D77
00B65D77 ^\FFE2 JMP EDX <----------------- Note: Hit F7 and execute this jump....


...And Land here:

00B65051 0FB6C7 MOVZX EAX,BH
 

     Keep tracing with F7. Still you see the trash code. Again you get into a loop so again put BP below JNZ

00B650B7 ^\0F85 DCFFFFFF JNZ 00B65099
00B650BD 90 NOP
00B650BE 90 NOP
00B650BF 90 NOP
00B650C0 90 NOP
00B650C1 66:BA 1482 MOV DX,8214 <---------------- Put BP here

 

     Keep tracing with F7. Be careful when you see this code. We are now very close to our stolen bytes :-)

00B65159 ^\0F85 A6FFFFFF JNZ 00B65105 <----------- You are here
00B6515F FE ??? ; Unknown command
00B65160 - E9 3F4BD39C JMP 9D899CA4
00B65165 B9 7836A5B0 MOV ECX,B0A53678 <----------- Put BP here and hit Shift+F9
00B6516A 8F ??? ; Unknown command

 

     When you hit Shift+F9 Olly will not break but will give an access violation and you will see this fig :-)


 

    Cheers! Now let's insert the stolen bytes in our "dumped_.exe" file. So open it in Olly and start assembling (hit Space bar to enter commands) the stolen bytes.

If you want to avoid typing, select the stolen bytes from the first OllyDbg session (where you did the whole work up to now) and then right click and use Binary-->Binary Copy, after this go to the second instance of Olly where you opened the file dumped_.exe and select the place for the stolen bytes (now all 00) and use Binary-->Binary Paste.

See fig. The stolen bytes fit perfectly in the "00" 's :-)


 

   Now copy these changes to the executable by Right click-->Copy to executable-->All Modification. Then right click on the window that pops up-->save file, double click on dumped_.exe and select overwrite file.

  Finally open LordPE and use the PE Editor since we have to set the Origin to our Real OEP.   EP = Real OEP - base = 00464E70 - 00400000 = 00064E70



 

  Done!! Now run the dumped_.exe and it will run clean :-) Congratulations!

Hope you enjoyed reading my tutorial and, oh my god, you're still awake :-P

 

                                                              .::-SHOUTZ AND GREETZ ::.                               

                                                     Long Live The ARTeam!!!

              Nilrem | Enforcer | Ferrari | Pompeyfan(ex-member) | mAdMaN H3rLcUl3S | EJ12N | Kruger | Shub-Nigurrath | Jdog45

Special Thanks

         Exetools | Woodmann | VCT | Sir JMI | SatyricOn | LaBBa | R@dier | Britedream | Hacnho | cl0ud (Mephisto) | Zest |  everyone who helped me to learn RE.

Thanks to the authors of ASPR, Ollydbg, LordPE, Imprec, PEiD and PDF2HTML Converter

 

Regards,

                                   

     Copyright ©  ARTeam 2004