Unpacking ASProtect
===================
Writer : LaBBa
Target : Chronograph v2.5
URL    : http://www.altrixsoft.com

Like any other tutorial, this one is about unpacking a packer called ASPR,
or, as most people know it, ASProtect.

More and more software companies use ASPR as their packer, so if you wish to crack
such a program you will not be able to until you either unpack it or inline-patch it...
I guess if you are reading this you wish to unpack it.. =D

All you need is:

1) SoftIce
2) IceDump
3) a PE editor - I prefer yoda's (or something like ProcDump)
4) Hiew or any hex editor
5) ImpREC - Macktus/UCF


The steps of the unpacking:

1) finding the OEP - Original Entry Point
2) dumping
3) rebuilding and fixing the IAT (Import Address Table)
4) fixing some features (not all ASPR-protected programs have that...)
5) cracking the program
6) greetings

Part 1 : Finding the OEP
=========================

Every program has an entry point, that is, the address where the program starts.
When the program is packed, the entry point is changed to the packer's stub, so we
need to find the original point the program starts from.

- open your favourite PE editor and check the Size of Image of our file.
  It is: 1D8000
  Write it down and keep it; we will need it for the dumping part.

Load IceDump.
Load the SoftIce Symbol Loader and open the program we wish to unpack.
Choose on the menu: Module -> Load
There will be a message box saying something like "....... Load executable .. ?"; just press Yes.
Now SoftIce will pop up (usually it pops at 401000).

- now do: bpx GetProcAddress

- then press F5 and it will break...

- press F5 one more time and it will break again...

- press F12 and now clear all breakpoints: bc *

- now do: bpx GetVolumeInformationA

- press F5 and wait till SoftIce pops...

- now that SoftIce has popped, press F12 and then clear all breakpoints: bc *

- now we will use an IceDump command; write this in SoftIce: /tracex 400000 750000
  This command traces the code "step by step" (like F8) until EIP reaches an address
  that is bigger than 400000 and smaller than 750000, i.e. inside the program's own
  image (the packer's code, at addresses like 008EA622, lies outside that range);
  this way we can make sure we break at the OEP.
- when you press Enter, SoftIce will start tracing the program; it will take some time,
  so please be patient.
- ok, SoftIce popped, and what do we see?

0040293C  PUSH      EBP  
0040293D  MOV       EBP,ESP                                                
0040293F  PUSH      ESI                                                    
00402940  PUSH      EDI                                                    
00402941  MOV       EAX,[EBP+08]                                           
00402944  MOV       ESI,004F70BE                                           
00402949  MOV       EDI,EAX                                                
0040294B  XOR       EAX,EAX                                                
0040294D  OR        ECX,-01                                                
00402950  REPNZ SCASB                                                      
00402952  NOT       ECX                                                    
00402954  SUB       EDI,ECX                                                
00402956  MOV       EDX,ECX                                                
00402958  XCHG      ESI,EDI                                                
0040295A  SHR       ECX,02                                                 
0040295D  MOV       EAX,EDI                                                
0040295F  REPZ MOVSD                                                       
00402961  MOV       ECX,EDX                                                
00402963  AND       ECX,03                                                 
00402966  REPZ MOVSB                                                       
00402968  POP       EDI                                                    
00402969  POP       ESI                                                    
0040296A  POP       EBP                                                    
0040296B  RET       0004                                                   

This does nothing interesting, just a small copy, and then returns to the packer's routine...
so trace over this code with F10 till it returns.
Now again do: /tracex 400000 750000

and this time we see this when SoftIce pops:

00409A9C  PUSH      EBP 
00409A9D  MOV       EBP,ESP                                                
00409A9F  MOV       EAX,[EBP+08]                                           
00409AA2  MOV       EDX,[EBP+0C]                                           
00409AA5  MOV       [004F9500],EAX                                         
00409AAA  MOV       [004F9504],EDX                                         
00409AB0  POP       EBP                                                    
00409AB1  RET       0008                                                   

What the fuck?! We are again not at the OEP... (ASPR does some loading of its own)
OK then, we will trace again with F10 till we return,
and again do: /tracex 400000 750000

Now it takes ages... SoftIce doesn't pop...
Relax, take a drink or two; it should take about 3-4 more minutes (yeah..)
la la la
OK!!!
SoftIce popped, and now what we see is this:

016F:00401578  JMP       0040158A
016F:0040157A  BOUND     DI,[EDX]                                               
016F:0040157D  INC       EBX                                                    
016F:0040157E  SUB       EBP,[EBX]                                              
016F:00401580  DEC       EAX                                                    
016F:00401581  DEC       EDI                                                    
016F:00401582  DEC       EDI                                                    
016F:00401583  DEC       EBX                                                    
016F:00401584  NOP                                                              
016F:00401585  JMP       008EA622                                               
 ==> 0040158A  MOV       EAX,[004E908B]                                         
016F:0040158F  SHL       EAX,02                                                 
016F:00401592  MOV       [004E908F],EAX                                         
016F:00401597  PUSH      EDX                                                    
016F:00401598  PUSH      00                                                     
016F:0040159A  CALL      004E8106                                               
016F:0040159F  MOV       EDX,EAX                                                
016F:004015A1  CALL      004C93B8                                               
016F:004015A6  POP       EDX                                                    
016F:004015A7  CALL      004C931C                                               
016F:004015AC  CALL      004C93F8                                               
016F:004015B1  PUSH      00                                                     
016F:004015B3  CALL      004CA9E0                                               
016F:004015B8  POP       ECX                                                    
016F:004015B9  PUSH      004E9034                                               
016F:004015BE  PUSH      00                                                     
016F:004015C0  CALL      004E8106                                               
016F:004015C5  MOV       [004E9093],EAX                                         
016F:004015CA  PUSH      00                                                     
016F:004015CC  JMP       004D0654     
016F:004015D1  JMP       004CAA2C     

Is 00401578 our OEP? Is it?

NO!!! It's a trick!!

In the old versions of ASPR this trick doesn't appear, and you usually are at the OEP,
but in the new versions you will get this trick..

So where is the OEP?

Look down; do you see two JMPs one after the other?

016F:004015CC  JMP       004D0654
016F:004015D1  JMP       004CAA2C

004D0654  <= the real OEP!!!

Yes, all you need to do is trace with F10 till you get to:

JMP       004D0654

and do one more F10 to make the jump, and you will see:

016F:004D0654  PUSH      EBP                                                   
016F:004D0655  MOV       EBP,ESP                                                
016F:004D0657  ADD       ESP,-0C                                                
016F:004D065A  PUSH      EBX                                                    
016F:004D065B  PUSH      ESI                                                    
016F:004D065C  PUSH      EDI                                                    
016F:004D065D  MOV       ESI,[EBP+08]                                           
016F:004D0660  MOV       EAX,[ESI+10]                                           
016F:004D0663  AND       EAX,01                                                 
016F:004D0666  MOV       [004F444C],EAX                                         
016F:004D066B  CALL      004CD278                                               
016F:004D0670  MOV       EDX,[ESI+20]                                           
016F:004D0673  PUSH      EDX                                                    
016F:004D0674  MOV       ECX,[ESI+1C]                                           
016F:004D0677  PUSH      ECX                                                    
016F:004D0678  CALL      004CD5DC                                               
016F:004D067D  ADD       ESP,08                                                 
016F:004D0680  MOV       EAX,[ESI+28]                                           
016F:004D0683  PUSH      EAX                                                    
016F:004D0684  CALL      004CB1F4                                               

It's a Delphi program (how can I tell? only an experienced cracker that has debugged many programs can answer that..)
Yes, it's the real OEP!!
Don't trace any further when you are at 4D0654;
just stop and write it down...


Part 2 : Dumping the new file
==============================

When you are at 4D0654 you need to write this to dump:
/dump 400000 1D8000 c:\tmp\Dumped.exe

That line means...

/dump -> make a dump..

400000 -> the image base of the file (you can see it in a PE editor)

1D8000 -> the Size of Image that we wrote down before the tracing...

c:\tmp\Dumped.exe -> the path where we want to save the file, and the file name

Now, sometimes this method doesn't work (I don't know why) and the dump is not complete,
so I prefer to do it like this:

When you are at 4D0654, write this in SoftIce:
a eip
then write:
jmp eip
and press Enter again to exit the assembler.
What we just did is put the program into an infinite loop at its OEP.
Open ProcDump or the PE editor (preferred), choose our process in the list,
right click on the process and choose Dump Full...
Now save the file,
and then kill the process, because it is stuck in the loop...

With a hex editor, fix the two bytes at the OEP back to 55 8B (PUSH EBP / MOV EBP,ESP),
because we dumped it with the jump-to-itself (EB FE) sitting in their place...

Now we have an unpacked file!!
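As an added example, not part of LaBBa's tutorial, here is a small Python script that does the bookkeeping of Parts 1 to 3 on a dumped file: it reads the header fields the PE editor shows (ImageBase, SizeOfImage, entry point), builds the /dump line, converts the OEP 4D0654 into the RVA D0654 that ImpREC asks for, and puts the two bytes at the OEP back to 55 8B after checking that the EB FE left by the jmp eip trick is really there. The sample image it builds uses the tutorial's numbers; the single .text section layout and the packed entry RVA 1000 are assumptions.

```python
import struct
def pe_info(data):
    """PE32 fields a PE editor shows, plus sections as (VirtualAddress, size, PointerToRawData)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew: offset of 'PE\0\0'
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                          # start of the optional header
    ep, base, size = (struct.unpack_from("<I", data, opt + o)[0] for o in (16, 28, 56))
    sections = []
    for i in range(nsec):
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rsize), raw))
    return {"entry_rva": ep, "image_base": base, "size_of_image": size, "sections": sections}

def dump_command(info, path):
    """The IceDump line from Part 2: /dump <ImageBase> <SizeOfImage> <file>."""
    return "/dump %X %X %s" % (info["image_base"], info["size_of_image"], path)

def oep_rva(info, oep_va):
    """ImpREC wants the OEP as an RVA: 4D0654 - 400000 = D0654."""
    return oep_va - info["image_base"]

def rva_to_offset(info, rva):
    """Map an RVA to a file offset through the section table (None if unmapped)."""
    for va, size, raw in info["sections"]:
        if va <= rva < va + size:
            return rva - va + raw
    return None

def restore_oep(data, oep_va):
    """Undo 'a eip / jmp eip': replace EB FE at the OEP with 55 8B and point the header's entry point there."""
    info = pe_info(data)
    off = rva_to_offset(info, oep_rva(info, oep_va))
    if off is None or data[off:off + 2] != b"\xEB\xFE":
        raise ValueError("OEP does not hold the jmp-eip loop; refusing to patch")
    fixed = bytearray(data)
    fixed[off:off + 2] = b"\x55\x8B"                       # PUSH EBP / MOV EBP,ESP
    struct.pack_into("<I", fixed, struct.unpack_from("<I", data, 0x3C)[0] + 24 + 16, oep_rva(info, oep_va))
    return bytes(fixed)

def build_sample_pe():
    """Constructed sample dump: the tutorial's ImageBase/SizeOfImage, one .text section
    (VA 1000, raw 400) and packed entry RVA 1000 (both assumed), EB FE left at the OEP."""
    dos = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 64))   # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)           # AddressOfEntryPoint (packer stub)
    struct.pack_into("<I", opt, 28, 0x400000)         # ImageBase
    struct.pack_into("<I", opt, 56, 0x1D8000)         # SizeOfImage
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0xD0000, 0x1000, 0xD0000, 0x400, 0, 0, 0, 0, 0x60000020)
    img = bytearray(dos + coff + opt + sec).ljust(0x400 + 0xD0000, b"\0")
    img[0xCFA54:0xCFA56] = b"\xEB\xFE"                # file offset of RVA D0654 in .text
    return bytes(img)
```

On a real dump the section table of the dumped file decides the RVA-to-offset mapping, so check it in your PE editor before trusting the patched offset.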

Part 3 : Rebuilding the IAT
=============================
What that means: if you try to run the file now it will crash.
Why? Because when the file was packed the API addresses lived somewhere else (in the
packer's memory), so now that we have unpacked it the file still goes to that place and
doesn't find them.. and more than that, the file we have is a decrypted dump, so all the
API entries we have are fucked up!
Until about a year ago that part was really hard!! It had to be done half with a program
and half manually...
But now, thanks to Macktus who built ImpREC, we can do it really easily...
There is another program that can also do it, called Revirgin by +Tsehp,
but I like ImpREC because it's faster...


Usually you would just need to put our OEP in ImpREC's OEP text box and press IAT AutoSearch.


Run Chronograph normally and you will see the nag screen...
and open ImpREC.
In the top line you will need to choose our process.
Now, when it has finished loading the DLLs, put all the info in the lower-left text boxes:

the OEP: D0654  (the OEP as an RVA, i.e. 4D0654 minus the image base 400000)
now press: IAT AutoSearch

Now you will get a message box telling you the OEP is not good :/
Go to Options and change Max recursion to, say, 10 (just make it bigger).

Now press IAT AutoSearch again.
OK, it did it! In the message box just press "OK".

Now press Get Imports, and all we get is one section??
What the fuck??
We are supposed to get a lot of sections....
Oh OK, it's an ASPR trick; just press Clear Imports.

Look, the length is: 224
Does that seem right? It's too small; we will change it to 1000
(you can raise it up to 3000; no need for more).

And now press: Get Imports
And look how beautiful it is.. so many invalid APIs.... :p
Well, let's fix them..

Press Show Invalid.
Now right click with the mouse on one of the invalid APIs and choose:
Trace Level1 (disasm)
Now that's much better..

Press Show Invalid again,
and right click on one of the APIs, and this time choose:
Plugin Tracer (ASProtect 1.2x Emul)
Now that is a lot better..

Press Show Invalid again,
and we have just one invalid left... it is usually the LockResource function =)
So double click on the function and choose: LockResource
Now press Show Invalid.
THERE ARE NONE!!!

OK, now press Fix Dump
and choose our Dumped.exe file.

That's it!! It's all done; we have unpacked ASPR!!!!


Part 4 : Fixing some features (not all ASPR-protected programs have that...)
============================================================
Usually this is the part where you should start cracking the program; no more fixing...
but no...

This time the programmer of the program (not of the packer) put some
packer checks in the code, so if you want to run the program without the packer, the
program will crash...

NOT ALL PROGRAMMERS DO THAT!! Good for us..

but in this case HE DID!!

If you load the unpacked file with Symbol Loader you will see something like this:

016F:004D0654  PUSH      EBP   
016F:004D0655  MOV       EBP,ESP                                                
016F:004D0657  ADD       ESP,-0C                                                
016F:004D065A  PUSH      EBX                                                    
016F:004D065B  PUSH      ESI                                                    
016F:004D065C  PUSH      EDI                                                    
016F:004D065D  MOV       ESI,[EBP+08]                                           
016F:004D0660  MOV       EAX,[ESI+10]   <- here the prog will crash !

As you can see, ESI gets a value from [EBP+08] and then EAX is loaded from [ESI+10].
If you check the value of ESI it is: 0

That's weird!!!

So we will need to compare it with the real (packed) file and see what happens there...

Now you must be thinking: oh my god, again all the tracing and waiting..
Well, no; if you have the OEP you don't need to do that again.
Just load Symbol Loader and load the program, and when SoftIce pops do:

bpr 4D0653 4D0654 RW

bpr -> breakpoint on a range of addresses
4D0653 -> OEP - 1
4D0654 -> OEP
RW -> break when the process wants to read or write there...

Then press F5 till you get to the OEP; when you get to the OEP clear all breakpoints:

bc *

Now we can see that if we trace with F10 we are at:

016F:004D065D  MOV       ESI,[EBP+08] 

and that ESI = 4E9034

Let's see what happens with EAX:

EAX is loaded from [ESI+10], and because ESI holds the wrong value (0) the program crashes...

Let's see what the real file does with the value:

016F:004D0663  AND       EAX,01                                                 
016F:004D0666  MOV       [004F444C],EAX 

An AND EAX,01 just keeps the lowest bit, so only whether EAX is 0 or 1 matters here;
the program doesn't really use the rest of that value...

But if you look down you will see this:
016F:004D0670  MOV       EDX,[ESI+20]     -> uses ESI value                                      
016F:004D0673  PUSH      EDX                                                    
016F:004D0674  MOV       ECX,[ESI+1C]     -> uses ESI value                                      
016F:004D0677  PUSH      ECX                                                    
016F:004D0678  CALL      004CD5DC                                               
016F:004D067D  ADD       ESP,08                                                 
016F:004D0680  MOV       EAX,[ESI+28]     -> uses ESI value                                      
016F:004D0683  PUSH      EAX                                                    
016F:004D0684  CALL      004CB1F4                                               
016F:004D0689  POP       ECX                                                    
016F:004D068A  MOV       EDX,[ESI+44]     -> uses ESI value                                      
016F:004D068D  PUSH      EDX                
.....
.....

So, as we can see, the value that ESI has is the important one...
We will change the unpacked file so that ESI = 4E9034.

Open our dumped file with Hiew and press Enter till you are in ASM mode,
then press F5 and write: D065D (we are going to 4D065D)
and press Enter.

Now press F3 to edit this:

016F:004D065D  MOV       ESI,[EBP+08]                                           
016F:004D0660  MOV       EAX,[ESI+10]

to this:

mov esi, 4e9034
nop

The new program will look like this:

MOV ESI,4e9034
NOP
AND EAX,01                                                 
MOV [004F444C],EAX

Now press F9 to save and that's all.. now run the program and YES!!!
It's alive!!! It's alive!!! It's alive!!! It's alive!!!
Yes, the program does run...

There is one more fix to be done..

If you press Get in Chronograph you will get two message boxes:

1) that there isn't a TCP/IP connection -> because we are not online..
2) an error that tells us that GetSynchroniz was not called from the right place

That part is easy; just NOP the second message box and that's all..
** (Tip - the message box is at: 46E27A)

Part 5 : Cracking the Prog 
=============================

I'm not going to help you with that part.. this is an unpacking tutorial,
not a cracking tutorial...

and the cracking part is really easy, so please... do it yourself...


Part 6 : Greeting
=======================

I would like to thank all of my friends on
iNFECTED and my friends at Unpacking Gods and Cracking4NewBies.
Special thanks to:
Macktus - ^DAEMON^ - SAC - The fraviaMB - Parabyte - NchantA - Eternal Bliss - R2-C2
and to all of the ones that helped me learn the ways of ASPR and unpacking...
