	Unpacking ASPR 1.3x With OllyDbg
================================================

Writer 	: LaBBa
App	: System Cleaner 4.89 Build 110
Url	: http://www.allerasoft.com/products/systemcleaner/

Pre to this tut
==================
OK, listen up! This is the 3rd time I'm writing this tut!!
The first time my computer crashed while writing it,
the second time there was a power failure in my house!!

Now..

This tut is going to show us how to unpack ASPR 1.3x real easy and fast,
and how to find the stolen bytes real easy and fast too...

And all that without using SoftIce and IceDump and the /tracex!

How, u ask?

By using OllyDbg!


Needed Tools
================
1. OllyDbg 1.09b2 or newer
2. ProcDump(G-rom)/Pe-edit(y0da)
3. imprec 1.3 (MackT/UCF)(protools.cjb.net)
4. HVIEW / Hex Editor

Steps of Unpacking
=======================
1. Finding the OEP + Dumping
2. Finding the Stolen Bytes
3. Rebuilding the IAT 
4. Fixing the OEP
5. The End.


====================================
Step 1 - Finding the OEP + Dumping =
====================================

1. Load Olly and load the App into it (if it asks something just say YES!)
2. Now press F9 and the prog will break here:

	017E3414   3100             XOR DWORD PTR DS:[EAX],EAX  <- we break Here!
	017E3416   EB 01            JMP SHORT 017E3419
	017E3418   68 648F0500      PUSH 58F64
 
   Why does Olly break? We didn't ask for any breakpoints?!
   Well, Olly breaks every time that it enters a new module... AND WE ARE GOING TO USE IT!!

3. Press Shift+F9 so Olly continues to run till the next module.
4. After 26 times of Shift+F9 we will be here:

	017E2D7A   3100             XOR DWORD PTR DS:[EAX],EAX  <-we land here
	017E2D7C   64:8F05 00000000 POP DWORD PTR FS:[0] 	<-here to set a Break Point
	017E2D83   58               POP EAX
	017E2D84   833D 806D7E01 00 CMP DWORD PTR DS:[17E6D80],0
	017E2D8B   74 14            JE SHORT 017E2DA1
	017E2D8D   6A 0C            PUSH 0C
	017E2D8F   B9 806D7E01      MOV ECX,17E6D80
	017E2D94   8D45 F8          LEA EAX,DWORD PTR SS:[EBP-8]
	017E2D97   BA 04000000      MOV EDX,4
	017E2D9C   E8 EFE0FFFF      CALL 017E0E90
	017E2DA1   FF75 FC          PUSH DWORD PTR SS:[EBP-4]
	017E2DA4   FF75 F8          PUSH DWORD PTR SS:[EBP-8]
	017E2DA7   8B45 F4          MOV EAX,DWORD PTR SS:[EBP-C]
	017E2DAA   8338 00          CMP DWORD PTR DS:[EAX],0
	017E2DAD   74 02            JE SHORT 017E2DB1
	017E2DAF   FF30             PUSH DWORD PTR DS:[EAX]
	017E2DB1   FF75 F0          PUSH DWORD PTR SS:[EBP-10]
	017E2DB4   FF75 EC          PUSH DWORD PTR SS:[EBP-14]
	017E2DB7   C3               RETN

   If we do another Shift+F9 the App will start running.. so DON'T!!

5. Now move the marker down to:

	017E2D7C   64:8F05 00000000 POP DWORD PTR FS:[0]

   and press F2 (set Break Point).
   Now press Shift+F9 and Olly will break at our break point.

6. Now trace with F8 (Trace Over) and execute the RETN and you will be here:

	017F4EC8   E9 080A0000      JMP 017F58D5 <- we are here

   Execute this jump with F8 too..
   Now we will be here:

	017F58D5   D3DE             RCR ESI,CL          <--we Land Here
	017F58D7   B9 7D966271      MOV ECX,7162967D
	017F58DC   81C1 38F10A23    ADD ECX,230AF138
	017F58E2   D3EE             SHR ESI,CL
	017F58E4   BA 9ECC7376      MOV EDX,7673CC9E
	017F58E9   81EA C56EFFD4    SUB EDX,D4FF6EC5
	017F58EF   81F2 B7104902    XOR EDX,24910B7
	017F58F5   C1CA 94          ROR EDX,94 
	017F58F8   8BF2             MOV ESI,EDX
	017F58FA   81EE 87D851D2    SUB ESI,D251D887
	017F5900   C1CE B0          ROR ESI,0B0
	017F5903   8BC6             MOV EAX,ESI
	017F5905   C1C8 28          ROR EAX,28  
	017F5908   53               PUSH EBX
	017F5909   5E               POP ESI
	017F590A   81C5 974FAF73    ADD EBP,73AF4F97
	017F5910   BA 048A9178      MOV EDX,78918A04
	017F5915   F7D2             NOT EDX
	017F5917   F7D2             NOT EDX
	017F5919   81C2 FC756E87    ADD EDX,876E75FC
	017F591F   8BDA             MOV EBX,EDX
	017F5921   41               INC ECX-------------------------
	017F5922   8BD9             MOV EBX,ECX			|
	017F5924   D1C3             ROL EBX,1			| a Realy Long
	017F5926   81F3 A38FD7AC    XOR EBX,ACD78FA3		|    Loop
	017F592C   3BD8             CMP EBX,EAX			|
	017F592E  ^0F85 EDFFFFFF    JNZ 017F5921--------------------
	017F5934   8BC1             MOV EAX,ECX  <<-- Here To Set A Break Point!

   Well, we will not trace the whole loop by pressing F8!! We will put a Break Point
   on:
	017F5934   8BC1             MOV EAX,ECX

   Now, after setting the Break Point (F2), press F9 (Run) and we will break at our BP.

7. Now what?? We trace with F8 / F7 (Trace Into) all the way??!!
   Well.. NO!!
   We have a nice feature in Olly called Command Line:
   go to Plugins->Command line->Command line

   Now we are going to write a trace command with a condition!
   YES! Olly does have a Trace command! It's called TC - Trace Condition.
   It will trace till the condition is true!

   So.. write in the text box: TC EIP<900000
   and press Enter.
   In the window at the bottom right you will see: "Tracing"

   On my slow computer it took me about 8+ min (350MHz).
   On another computer that I tried it took 2+ min (900MHz Celeron).

   So if anyone would like to buy me a computer u know where to find me and msg me.

8. After the trace is done we break here:

	0057EA5B     E8             DB E8
	0057EA5C     00             DB 00
	0057EA5D     8A             DB 8A
	0057EA5E     E8             DB E8
	0057EA5F     FF             DB FF

   Hey!! I don't see shit!! What is this?!
   Well, this code has not been analysed yet by Olly.
   It doesn't really matter, cos WE ARE AT THE OEP!
   OEP=57EA5B

9. Important! At the OEP look at the value of EAX (top right - CPU Window):
   EAX=57E318
   Write it down and keep it. We could need it!

10. Now open ProcDump/Pe-Edit and dump our process fully.


===================================
Step 2 - Finding the Stolen Bytes =
===================================

Well, for the Stolen Bytes there are currently 3 ways:

1. ASPR will execute the stolen bytes and then go to the OEP like this:

	Stolen_Bytes_1
	Stolen_Bytes_2
	Stolen_Bytes_3
	.....
	.....
	PUSH_THE_ADDRESS_OF_OEP
	RET_TO_OEP

2. ASPR will first save the Stolen Bytes, then erase the bytes from the OEP,
   then jump to the OEP like this:

	Stolen_Bytes_1
	Stolen_Bytes_2
	Stolen_Bytes_3
	PUSH EBX 
	PUSH ESI 
	PUSH EDI 
	......
	......
	......
	REPZ STOSB <- Erase the bytes
	POPFD
	POPAD
	JMP_TO_OEP

3. With NO Stolen Bytes it just does POPAD and jumps to the OEP.

   So what are we dealing with??
   To view the last steps of ASPR before it got to our OEP we need to see the trace log.
   YES! Olly has got a trace code log called "Run Trace".
   So.. choose the menu View->Run trace.
   Now we will see a new window.. go to the line one before the last and u will see
   that the CPU window also changes to the same address, and it will look like this:

	017F5779   F3:AA            REP STOS BYTE PTR ES:[EDI]
	017F577B   9D               POPFD
	017F577C   61               POPAD
	017F577D  -E9 D992D8FE      JMP SYSTEMCL.0057EA5B  <-- the address of the OEP

  So we are dealing with way #2! :)

  This I found to be working on WinXP, NOT Win98:
  Now in the CPU window press Ctrl+S (Search for Sequence of Commands)
  and write this there:

	PUSH EBX 
	PUSH ESI 
	PUSH EDI   

  You will find:

	01029227   0055 8B          ADD BYTE PTR SS:[EBP-75],DL
	0102922A   EC               IN AL,DX                                                       ; I/O command
	0102922B   83EC 54          SUB ESP,54
	0102922E   53               PUSH EBX
	0102922F   56               PUSH ESI
	01029230   57               PUSH EDI
	01029231   6A 11            PUSH 11

   Ignore the "00" and you will have
   our stolen bytes: 55,8B,EC,83,EC,54
   (they decode to PUSH EBP / MOV EBP,ESP / SUB ESP,54, the normal function prologue
   that ASPR took away from the OEP; Olly shows the ADD/IN garbage only because it
   started disassembling one byte early, on the "00").
   Write them down too, we will need them later...

NOW CLOSE OLLY AND EXIT IT...
WE DON'T NEED IT FOR NOW...


=============================
Step 3 - Rebuilding the IAT =
=============================

1. First run our app and wait till it's loaded.
2. Open Imprec and choose our process from the list.
3. Press "IAT AutoSearch".
4. Change the size from "BC" to 1000 (BC is too small!!).
5. Press "Get Imports".
6. Press "Show Invalid".
7. Right-click on the invalid entries that were shown and choose "Trace level 1".
8. Press "Show Invalid" again.. and now we should get something like this:

	(cut from the saved tree)
	FThunk: 0019E258	NbFunc: 00000400
	1	0019E258	kernel32.dll	00D6	DeleteCriticalSection
	1	0019E25C	kernel32.dll	0228	LeaveCriticalSection
	................
	snip-snip
	................
	1	0019E2A4	kernel32.dll	01D1	GetThreadLocale
	1	0019E2A8	kernel32.dll	01B9	GetStartupInfoA
	0	0019E2AC	?	0000	017E0F2C			<-- good
	0	0019E2B0	?	0000	017E139C			<-- good
	1	0019E2B4	kernel32.dll	018B	GetModuleFileNameA
	1	0019E2B8	kernel32.dll	0183	GetLocaleInfoA
	1	0019E2BC	kernel32.dll	0181	GetLastError
	1	0019E2C0	kernel32.dll	0158	GetCurrentDirectoryA
	0	0019E2C4	?	0000	017E1408			<-- good
	1	0019E2C8	kernel32.dll	0133	FreeLibrary
	1	0019E2CC	kernel32.dll	011C	FindFirstFileA
	..................
	snip-snip
	..................
	1	0019E314	kernel32.dll	00A0	CloseHandle
	0	0019E318	?	0000	0255A00E			<-- BAD
	1	0019E31C	user32.dll	0112	GetKeyboardType
	1	0019E320	user32.dll	019F	LoadStringA
	1	0019E324	user32.dll	01AD	MessageBoxA
	1	0019E328	user32.dll	0026	CharNextA
	0	0019E32C	?	0000	70F7D832			<-- BAD
	1	0019E330	advapi32.dll	00F7	RegQueryValueExA
	1	0019E334	advapi32.dll	00EF	RegOpenKeyExA
	1	0019E338	advapi32.dll	00D8	RegCloseKey
	0	0019E33C	?	0000	F37514C2			<-- BAD
	1	0019E340	oleaut32.dll	0006	SysFreeString
	1	0019E344	oleaut32.dll	0005	SysReAllocStringLen
	1	0019E348	oleaut32.dll	0004	SysAllocStringLen
	0	0019E34C	?	0000	4007F56E			<-- BAD
	1	0019E350	kernel32.dll	0307	TlsSetValue
	1	0019E354	kernel32.dll	0306	TlsGetValue
	1	0019E358	kernel32.dll	01E6	GlobalAlloc
	0	0019E35C	?	0000	017E139C			<-- good
	0	0019E360	?	0000	BF57C0D8			<-- BAD
	.......................
	snip-snip
	.......................

   Well, it continues like this on and on..
   We need to manually choose all the BAD addresses (the ones NOT pointing into the packer code)
   and then choose "Cut Thunk(s)" from the right-click menu on them.
   * Watch out at the end.. there is a good thunk in there..

  Now we need to fix those other good ones.. u can download some plugs from fraviamb.cjb.net
  that I saw there, or read my other tuts about how to rebuild those (New2Cracking.cjb.net or Fraviamb.cjb.net).
  Here is my fix:

	0019E2AC-> 017E0F2C ->GetProcAddress
	0019E2B0-> 017E139C ->GetModuleHandleA
	0019E2C4-> 017E1408 ->GetCommandLineA
	0019E35C-> 017E139C ->GetModuleHandleA
	0019E428-> 017E1420 ->LockResource
	0019E47C-> 017E13C4 ->GetVersion
	0019E4AC-> 017E0F2C ->GetProcAddress 
	0019E4B8-> 017E139C ->GetModuleHandleA
	0019E4FC-> 017E13F8 ->GetCurrentProcessId
	0019E500-> 017E13F0 ->GetCurrentProcess
	0019E50C-> 017E1430 ->FreeResource

9. Now press "Fix Dump" and choose our dumped file..
   Imprec will save the file with "_" before the name of the dump file.
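As an added example (not from LaBBa's tut, nor from ImpREC), here is the Step 3 triage done in a script: unresolved thunks whose pointer is NOT inside the packer's code get cut, the ones that point into ASPR's code (017Exxxx in every listing above) get resolved from the author's fix table. The packer range and the fix table entries come from the page; SAMPLE_TREE is a constructed excerpt in ImpREC's saved-tree format.

```python
# Added example, not from the tutorial: triage an ImpREC saved tree the way
# Step 3 does by hand. Packer range and FIX_TABLE are taken from the page's
# listings; SAMPLE_TREE is a constructed excerpt in ImpREC's tree format.

# Constructed sample lines: valid-flag, thunk, module, ordinal, name/pointer.
SAMPLE_TREE = """\
1\t0019E2A8\tkernel32.dll\t01B9\tGetStartupInfoA
0\t0019E2AC\t?\t0000\t017E0F2C
0\t0019E2B0\t?\t0000\t017E139C
1\t0019E314\tkernel32.dll\t00A0\tCloseHandle
0\t0019E318\t?\t0000\t0255A00E
0\t0019E32C\t?\t0000\t70F7D832
0\t0019E35C\t?\t0000\t017E139C
0\t0019E428\t?\t0000\t017E1420
"""

# ASPR's own code lives at 017Exxxx-017Fxxxx in every listing on the page.
PACKER_RANGE = (0x017E0000, 0x01800000)

# Subset of the author's fix table: packer stub address -> real API name.
FIX_TABLE = {
    0x017E0F2C: "GetProcAddress",
    0x017E139C: "GetModuleHandleA",
    0x017E1408: "GetCommandLineA",
}


def triage(tree_text):
    """Split the unresolved (flag 0) thunks into (to_cut, to_fix, unknown).

    to_cut : pointer outside the packer -> "BAD", use Cut Thunk(s)
    to_fix : (thunk, api) for packer stubs we know from FIX_TABLE
    unknown: packer stubs not in the table, still need manual work
    """
    to_cut, to_fix, unknown = [], [], []
    for line in tree_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5 or fields[0] != "0":
            continue  # already valid (flag 1) or malformed: nothing to do
        thunk, ptr = int(fields[1], 16), int(fields[4], 16)
        if not PACKER_RANGE[0] <= ptr < PACKER_RANGE[1]:
            to_cut.append(thunk)
        elif ptr in FIX_TABLE:
            to_fix.append((thunk, FIX_TABLE[ptr]))
        else:
            unknown.append(thunk)
    return to_cut, to_fix, unknown
```

The `unknown` list is the "watch out" case from the text: a packer stub you have not mapped yet must not be cut.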


=========================
Step 4 - Fixing the OEP =
=========================

1. Now open HVIEW / Hex Editor and go to the OEP offset: 57ea5b.
   Go up (back) to 57ea55 (6 bytes back) and write our stolen bytes instead of the "00".
   Now save our new file.

2. Now open ProcDump/Pe-Edit, load our rebuilt file into Pe-Edit and change
   the Entry Point to: 57ea55 (because of the stolen bytes).

3. If u now try to run the App it will crash!!

4. Open Olly and load our fixed file into it.

5. At the OEP, 57ea55, what is the value of EAX? Remember that I told you
   to save the value of EAX at the OEP before the dumping? It was EAX=57E318.
   This value is different from our value, which means that we have one more command
   that is stolen:

	MOV EAX, 57E318

   In bytes it takes 5 bytes (you can try it yourself in HVIEW):
	B818E35700	   MOV EAX, 57E318
   That means we have 6+5=11 (decimal) stolen bytes,
   which means that the real OEP is:
   11=B(hex)
   OLD_OEP-STOLEN_BYTES=57EA5B-B=57EA50
   OEP = 57EA50
   Now go to the new OEP in HVIEW/Hex Edit and write there:

	55,8B,EC,83,EC,54,B8,18,E3,57,00

   Now fix the Entry Point with ProcDump\Pe-Edit to: 57EA50
   and now the prog can RUN!!!!!
   The End!
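As an added example (not from the tut, and not what HVIEW or Pe-Edit do internally), here is Step 4's arithmetic and patching done in a script. It assumes a flat dump where the file offset equals the address used in the hex editor (the way the tut treats its ProcDump dump) and that the bytes in front of the old OEP are still the "00" padding the text mentions; make_test_image builds a constructed minimal MZ/PE header just to exercise it.

```python
# Added example, not from the tutorial: compute the real OEP, write the stolen
# bytes in front of the old one and repoint AddressOfEntryPoint. Assumes a
# flat dump (file offset == address used in the hex editor, as in the tut).
import struct

# Stolen bytes from Step 2 plus the MOV EAX,57E318 found in Step 4.
STOLEN = bytes.fromhex("558BEC83EC54" + "B818E35700")


def real_oep(old_oep, stolen):
    """OLD_OEP - STOLEN_BYTES: 57EA5B - 0B = 57EA50 on the page."""
    return old_oep - len(stolen)


def entry_point_offset(image):
    """File offset of OptionalHeader.AddressOfEntryPoint."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew + 0x28  # 4 sig + 20 FileHeader + 4 into OptionalHeader


def patch_dump(image, old_oep, stolen):
    """Return a patched copy: stolen bytes placed before old_oep, EP moved."""
    new_oep = real_oep(old_oep, stolen)
    buf = bytearray(image)
    hole = buf[new_oep:old_oep]
    if hole != b"\0" * len(stolen):
        # Not the zero padding the tut describes: we would clobber real code.
        raise ValueError("bytes before OEP are not zero: " + hole.hex())
    buf[new_oep:old_oep] = stolen
    struct.pack_into("<I", buf, entry_point_offset(buf), new_oep)
    return buf


def make_test_image(size=0x400, old_oep=0x300):
    """Constructed minimal MZ/PE header with EP = old_oep, zeros elsewhere."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)            # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x80 + 0x28, old_oep)  # AddressOfEntryPoint
    buf[old_oep:old_oep + 2] = b"\xE8\x00"             # first bytes at old OEP
    return bytes(buf)
```

On a real dump you would call patch_dump(open(path, "rb").read(), 0x57EA5B, STOLEN) and write the result back; the zero check is what stops you from overwriting code if the OEP or byte count was wrong.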

(revised by anvile)