R@diers Tutorials #6

Manual unpacking ASProtect 1.23 RC4 - 1.3.08.24


Information Unpacking for Newbies
Target Tag&Rename version 3.06
Available http://www.softpointer.com/tr.htm
Tools OllyDbg 1.10, ImpRec, OllyDump, HideDebugger plug-in
Protection ASProtect 1.23 RC4 - 1.3.08.24
Level Intermediate
Category Manual unpacking
Author R@dier February 2004


1. Introduction


Hi all, this is a tute on manual unpacking ASProtect 1.23 RC4 - 1.3.08.24.
This tute is going to be a bit quick and dirty and will not really
introduce anything new about this protection; it is more of a continuation
of what LaBBa covered in his fine tute, but using some different methods
as introduced by britedream. His method of finding the stolen bytes is truly handy.
If I get some time I will write a part two on cracking this target as it is quite easy.

I guess I would call this the "One Sweep Method", as we are going to unpack this
proggy in one step, fixing the stolen bytes as we go before dumping.

Ok, let's get started.

The first step in unpacking ASPR is to hide our debugger.



2. Getting Started


The first step in unpacking our ASProtect target is to hide our debugger. For
this job we are going to use a nice plug-in for Olly called HideDebugger
by Asterix, which is included in this tute. Copy HideDebugger.dll to your
Olly Plug-Ins folder and restart OllyDbg. That's it, your debugger is hidden :-)
Now on to the good stuff :-)

Let's load our target exe, TagRename.exe, into OllyDbg and head for the OEP.



3. Finding the OEP


When you load the target proggy you will get a warning about compressed code;
just click No, and you should be here:
00401000  68 01707C00 PUSH TagRenam.007C7001

Press F9 and let's start debugging. We need to get to the last exception,
so after you hit the first exception use Shift+F9 to continue until
you get here.



I normally step through very quickly with SHIFT + F9 until I see this:

00D039EC XOR DWORD PTR DS:[EAX],EAX
00D039EE POP DWORD PTR FS:[0]
00D039F5 POP EAX
00D039F6 CMP DWORD PTR DS:[D07EB0],0

<-----Code cut----->

00D03A21 PUSH DWORD PTR DS:[EAX]
00D03A23 PUSH DWORD PTR SS:[EBP-10]
00D03A26 PUSH DWORD PTR SS:[EBP-14]
00D03A29 RETN

This is usually the last exception, although I have seen a few cases where it is not.

Now click on the RETN and then press F2 to set a breakpoint on this instruction.
After this is set press SHIFT + F9 and when it breaks you will be on the RETN.
It is at this RETN that many people start tracing with TC EIP<900000, but we will
do it a little differently today.

Press the Alt + M keys to bring up the memory map window,
then look for the code section, right click on it and choose Set memory breakpoint on access.




Now we are going to trace the stolen bytes.
Then press Ctrl + F11.
BANG, OllyDbg will break here:
(you may need to press Ctrl + A to re-analyse the code if it looks different to this)
Check out the value of the EAX register; this address will be important to us as it
will be used when restoring the stolen bytes.
In my case it is 0069130C. I will explain some more about this later.



Now here is where things really get different.
Press ALT + K to bring up the call stack window.



Double click on the Called from=TagRenam.00691B62 entry.
Bang!!! You will land here:



Scroll up a bit and this is where your stolen bytes have been taken from.
It's time to go get them back :-)





4. Finding the Stolen Bytes and dumping


Ok, it is now time to go and find the stolen bytes. A BIG thanks goes to britedream for this method:
no NOP-ing is required, which makes life much easier :-)

From the OllyDbg menu select View -> Run Trace.
Next right click the trace window and select Highlight Register -> EBP.



Next we are going to look for where EBP=ESP,
as this is where we will find our stolen bytes most of the time.



PUSH EBP
MOV EBP,ESP
SUB ESP,0C
PUSH EBX
PUSH ESI
PUSH EDI
MOV EAX,TagRenam.0069130C


Note the MOV EAX,TagRenam.0069130C: 0069130C is the value currently in the EAX register.

OK, now let's put those stolen bytes back.

Go back to the main window where the stolen bytes are missing
and use OllyDbg's Assemble command to re-insert them: click on the first byte,
press the space bar and start entering the instructions (e.g. PUSH EBP etc).
It should look something like this:


A good thing to note is that if the value of EAX or EBX is within the code section then
we will need to have a MOV EAX,SomeValue as part of the stolen bytes.
In our case EAX == 0069130C and needs to be included.

Next we need to dump our target; we are going to use the OllyDump plug-in
for this.
But first we need to reset the EIP, i.e. change the origin of the target:
in the main code window right click on the 00691B54 PUSH EBP (which is our OEP)
and select New origin here.



Ok, it's now time to dump our target.
From the plug-in menu in OllyDbg choose Plugins -> OllyDump -> Dump debugged process.

Uncheck the Rebuild Import table option
and dump.



Save our dump as dumped.exe.

Ok, we are done; on to finding and fixing the import table.
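As an added example (not part of this tute, and not OllyDump's or ImpRec's code), the Python below does on the dumped file what the New origin here step and the Assemble command did inside Olly: it parses the PE headers of a constructed minimal dump, maps the OEP 00691B54 to a file offset through the section table, writes the stolen prologue (hand-encoded, MOV EAX,0069130C included) at that offset and points AddressOfEntryPoint at the OEP. The image base 00400000 is taken from the packed EP 00401000; the section layout and the PACKER section name are assumptions made for the example.

```python
import struct

# Values from the tute: image base 00400000 (packed EP is 00401000),
# OEP 00691B54, EAX 0069130C. The PE image itself is constructed below.
IMAGE_BASE = 0x00400000
OEP_VA = 0x00691B54
EAX_VALUE = 0x0069130C

# The stolen prologue, hand-encoded as x86-32 machine code so that no
# assembler is needed. This is what the Assemble command writes back.
STOLEN_BYTES = bytes([
    0x55,                                  # PUSH EBP
    0x8B, 0xEC,                            # MOV EBP,ESP
    0x83, 0xEC, 0x0C,                      # SUB ESP,0C
    0x53,                                  # PUSH EBX
    0x56,                                  # PUSH ESI
    0x57,                                  # PUSH EDI
    0xB8, *struct.pack("<I", EAX_VALUE),   # MOV EAX,0069130C
])


def build_packed_dump():
    """Construct a minimal PE32 file whose header still names the packer's
    stub (RVA 0x1000, i.e. VA 00401000) as entry point. The section layout
    is made up; only the two sections matter for the RVA -> offset mapping."""
    text_rva, text_raw, text_size = 0x1000, 0x400, 0x291000
    pk_rva, pk_raw, pk_size = 0x292000, text_raw + text_size, 0x1000
    img = bytearray(pk_raw + pk_size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, 2 sections, optional header of 0xE0 bytes
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x1000)           # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, IMAGE_BASE)       # ImageBase
    sections = [(b".text", text_rva, text_size, text_raw),
                (b"PACKER", pk_rva, pk_size, pk_raw)]       # hypothetical name
    for i, (name, rva, size, raw) in enumerate(sections):
        struct.pack_into("<8sIIIIIIHHI", img, opt + 0xE0 + 40 * i,
                         name, size, rva, size, raw, 0, 0, 0, 0, 0x60000020)
    return img


def parse_headers(img):
    """Return entry point RVA, image base, the file offset of the
    AddressOfEntryPoint field and the section table."""
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    if img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", img, pe + 6)[0]
    opt_size = struct.unpack_from("<H", img, pe + 20)[0]
    opt = pe + 24
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, raw = struct.unpack_from(
            "<8sIIII", img, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), vaddr, vsize, raw, rawsize))
    return {
        "entry_rva": struct.unpack_from("<I", img, opt + 16)[0],
        "image_base": struct.unpack_from("<I", img, opt + 28)[0],
        "entry_field": opt + 16,
        "sections": sections,
    }


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for name, vaddr, vsize, raw, rawsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return raw + (rva - vaddr), name
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def set_new_origin(img, oep_va, stolen):
    """Do on the file what 'New origin here' + Assemble did in Olly: point
    AddressOfEntryPoint at the OEP and write the stolen prologue there."""
    hdr = parse_headers(img)
    oep_rva = oep_va - hdr["image_base"]
    offset, section = rva_to_offset(hdr["sections"], oep_rva)
    patched = bytearray(img)
    struct.pack_into("<I", patched, hdr["entry_field"], oep_rva)
    patched[offset:offset + len(stolen)] = stolen
    return patched, offset, section


if __name__ == "__main__":
    dump = build_packed_dump()
    fixed, off, sec = set_new_origin(dump, OEP_VA, STOLEN_BYTES)
    print(f"entry point: {parse_headers(dump)['entry_rva']:#x} -> "
          f"{parse_headers(fixed)['entry_rva']:#x} ({sec}, file offset {off:#x})")
    print("bytes at OEP:", fixed[off:off + len(STOLEN_BYTES)].hex(" "))
```

Running it prints the entry point before and after (0x1000 becomes 0x291b54, inside .text) and the 14 prologue bytes at the OEP's file offset. The same rva_to_offset mapping is what you use on the real dumped.exe to check that OllyDump put the OEP into the header and that the bytes you assembled really landed at the right place in the file, rather than only in memory.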



5. Finding and Fixing the Import Table


Ok, it's time to get the import table, so we leave OllyDbg as it is and fire up ImpRec:
1. In Attach to an Active Process, select our target program
2. Click IAT AutoSearch
3. Change Size to 1000 as the original size is too small
4. Click Get Imports
5. Click Show Invalid, then right click on the imports and choose Trace Level 1



Then click Show Invalid again, then right click the imports and choose Plug-in Tracer -> aspr2,
or whichever tracer you are using. When using ASProtect 1.22 there will be some unresolved imports
which will need to be corrected by hand; it is usually FreeResource:

00D01CF0 push ebp
00D01CF1 mov ebp,esp
00D01CF3 mov eax,[D07E24] // DWORD value: 00151EE0 ; FreeResource
00D01CF9 pop ebp
00D01CFA retn 4

Scroll through the rest of the imports looking for any that are within your address range
(for me it is 00D00000 to 00DFFFFF). If any are suspect, right click and choose Disassemble/HexView;
if it comes back with a read error then you know you can cut it.
Ok, we have checked through our imports and have decided the rest are fake.
Click on Show Invalid, then right click one of the highlighted imports
and choose Cut thunks.
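Added example, not from this tute and not ImpRec's code: a toy model in Python of what Show Invalid, Trace Level 1 and Cut thunks decide for each IAT slot. A slot is valid when its value is an export of a loaded module, traced when it points at a redirect stub of the shape listed above (push ebp / mov ebp,esp / mov eax,[cell] / pop ebp / retn 4) whose cell holds a real export, and cut when it lands in the protector's region and cannot be read. The loaded-module range, the export addresses and names, the IAT contents and the memory behind the stub are all constructed for the example.

```python
import struct

# Constructed memory picture modelled on the tute: a kernel32-like module
# (addresses and export names are made up), the protector's region
# 00D00000-00DFFFFF, and one ASProtect-style redirect stub of the shape the
# tute shows for FreeResource.
MODULES = {
    "kernel32.dll": {
        "range": (0x7C800000, 0x7C8F6000),
        "exports": {0x7C80AC28: "GetProcAddress",
                    0x7C80B6A1: "GetModuleHandleA",
                    0x7C80E4C0: "FreeResource"},
    },
}
PROTECTOR = (0x00D00000, 0x00DFFFFF)

# Readable memory: base address -> bytes. Anything else is a read error,
# which is what Disassemble/HexView reports for a fake import.
MEMORY = {
    # push ebp / mov ebp,esp / mov eax,[00D07E24] / pop ebp / retn 4
    0x00D01CF0: (bytes([0x55, 0x8B, 0xEC, 0xA1]) + struct.pack("<I", 0x00D07E24)
                 + bytes([0x5D, 0xC2, 0x04, 0x00])),
    0x00D07E24: struct.pack("<I", 0x7C80E4C0),   # cell holding the real API address
}

# A constructed IAT as it might sit in the dump: one dword per slot.
IAT_VA = 0x00691000
IAT = b"".join(struct.pack("<I", v) for v in
               [0x7C80AC28, 0x00D01CF0, 0x00D05000, 0x7C80B6A1])


def read(addr, n):
    for base, data in MEMORY.items():
        if base <= addr and addr + n <= base + len(data):
            return data[addr - base:addr - base + n]
    raise MemoryError(f"read error at {addr:#010x}")


def resolve_export(addr):
    """Exact match against a loaded module's export addresses, or None."""
    for mod, info in MODULES.items():
        lo, hi = info["range"]
        if lo <= addr < hi and addr in info["exports"]:
            return f"{mod}!{info['exports'][addr]}"
    return None


STUB_HEAD = bytes([0x55, 0x8B, 0xEC, 0xA1])   # PUSH EBP; MOV EBP,ESP; MOV EAX,[moffs32]
STUB_TAIL = bytes([0x5D, 0xC2])               # POP EBP; RETN imm16


def trace_stub(addr):
    """Level-1 trace: if addr holds the redirect stub, return the address
    stored in the cell it reads; otherwise None."""
    try:
        code = read(addr, 12)
    except MemoryError:
        return None
    if code[:4] != STUB_HEAD or code[8:10] != STUB_TAIL:
        return None
    cell = struct.unpack_from("<I", code, 4)[0]
    try:
        return struct.unpack("<I", read(cell, 4))[0]
    except MemoryError:
        return None


def classify_iat(iat_va, iat):
    """Return (slot, value, status, detail) per IAT slot, where status is
    'valid', 'traced' or 'cut' (Show Invalid + Trace Level 1, as a toy)."""
    out = []
    for i in range(0, len(iat), 4):
        slot, value = iat_va + i, struct.unpack_from("<I", iat, i)[0]
        name = resolve_export(value)
        if name:
            out.append((slot, value, "valid", name))
            continue
        traced = trace_stub(value)
        traced_name = resolve_export(traced) if traced is not None else None
        if traced_name:
            out.append((slot, value, "traced", traced_name))
            continue
        reason = ("protector region, read error"
                  if PROTECTOR[0] <= value <= PROTECTOR[1] else "unresolved")
        out.append((slot, value, "cut", reason))
    return out


def thunks_to_cut(results):
    """The slots Cut thunks would remove."""
    return [slot for slot, _, status, _ in results if status == "cut"]


if __name__ == "__main__":
    for slot, value, status, detail in classify_iat(IAT_VA, IAT):
        print(f"{slot:08X}  {value:08X}  {status:6}  {detail}")
```

The interesting row is the second one: 00D01CF0 is inside the protector's range, so Show Invalid flags it, but it reads fine and matches the stub pattern, so the trace recovers FreeResource instead of cutting it. The third slot is also in that range but gives a read error, which is exactly the case the tute says you can cut.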





Now it is time to fix our dumped.exe:
click on Fix Dump and select our recently dumped exe.
After you get the message "dumped_.exe saved successfully" you can shut down ImpRec.
Congrats, we have fixed the imports on our dumped_.exe and we are done :-)




6. Making the Target Run


Ok, let's see if this baby runs :-)

OOOPS NO!!!!

Ok, let's debug this exe and find out why.
We seem to get an initialization error.



Ok, fire up Olly with this target and start stepping through it with F8 to find out why.
As we step through we find this bad call:



We will just NOP the call and see if it runs.



SUCCESS, it runs!



7. Conclusion


A BIG thanks goes to britedream, LaBBa and Ricardo Narvaja,
and all the others from whom I have learnt so much, as well as the crew on exetools.
This tute would not have been possible without their hard work
and willingness to pass the knowledge on to others.

I hope someone may find this tute useful.

Best Wishes
R@dier