Unpacking files packed/protected with the New ASProtect
A tutorial brought to you July 17th - by Predator [PC/pGC]


Hello there. Earlier, I explained how to inline-patch a program packed with ASProtect. Shortly after that tutorial came out, the author of ASProtect updated his protector and my tutorial became obsolete. For a long time the new ASProtect was not defeated; the only solution was Ivanopulo's MemPatch Server, but that is a private tool. So how do we crackers deal with the new version of ASPR? I've got the answer, and I'll show it to you in this tutorial.

TARGET PROGRAM:    AD Picture Viewer v1.32
http://abroaddesign.hypermart.net/picview/picview.zip



Well now, our mission is to unpack a target program packed with the new ASProtect, and the unpacked file must run perfectly. To get there, we go through the following steps:

1. Locate the OEP (the original entry point of the protected program).
2. Dump the process image from memory, dump the untouched import table, and merge the two.
3. Fix the PE header of the dump (entry point, import directory, section table) so it runs from disk.

Please read on for a detailed description of each step.



Locating the OEP - Original Program Entry Point

[MY IDEA] Basically, it works like this. I figured that ASPR's unpacking routine would write the bytes at the OEP first, before the other bytes. I was right :) -- I ran the program, wrote down some address inside it (any address in the program's own code will do) and set a BPM on it. When ASPR read from/wrote to that address for the very first time, I set a BPM X on the line of code that did it and re-ran the app. I noticed that the first few bytes it wrote were at the address of the OEP! ----- Unlucky me, I was in a kind of 'trance' while doing this and I'm afraid I've already forgotten the exact process. Nevertheless, with the way described below the OEP shouldn't be hard to find, perhaps even easy. And I guess I'll go into trance again sometime and find out what I did before... LOL.

[SAY WHAT] Perhaps, if you have tried it, you've found that tracing from the entry point of the packed file is not a good idea, because that takes hours and hours. So how the fuck do we locate the OEP? It's not that complicated once you know how.

[LETS DO IT] First thing to deal with: when you run the program there's a SoftICE detection check. Let's quickly get it out of the way with IcePatch (great tool), which you can download at http://protools.cjb.net/ for example. If you don't know how to use this tool, don't ask me; read its readme or something. Ok, no more SoftICE check. What's next?

We're going to write down the address of some unpacked code; any address in the program's own code will do. Run PicView, go to the '?' menu and click 'About'. Now enter SoftICE and set a breakpoint on the ShowWindow API (bpx ShowWindow). Close the About box and SoftICE will pop up; press F12 until you're back in PicView's own code. The address I wrote down was 449EEE, and you can use that one too. Note that this is a full virtual address (image base included): what you type into SoftICE is always the virtual address, and an RVA is that value minus the image base, which matters later when we edit the PE header. Don't exit SoftICE yet, but type BPM <address_you_wrote_down>; if you use the same address as me, that's BPM 449EEE. Now close PicView and run it again. SoftICE will break (of course, because ASPR has to write the unpacked code into that page). Now follow these exact instructions: press F5 seven times, then press F12 twice. You'll land in the following piece of code. Remember that the addresses will almost certainly be different on your computer, because ASPR's code seems to live at randomized addresses. Code snippet:

0167:0059D51C EB13 JMP 0059D531
0167:0059D51E E9F505FFFF JMP 0058DB18
0167:0059D523 66B80E00 MOV AX,000E
0167:0059D527 E8D4F1FFFF CALL 0059C700
0167:0059D52C E88308FFFF CALL 0058DDB4
0167:0059D531 8B4508 MOV EAX,[EBP+08]
0167:0059D534 8D4818 LEA ECX,[EAX+18]
0167:0059D537 8B4508 MOV EAX,[EBP+08]
0167:0059D53A 8B10 MOV EDX,[EAX]
0167:0059D53C 8B4508 MOV EAX,[EBP+08]
0167:0059D53F 8B401C MOV EAX,[EAX+1C]
0167:0059D542 E85DF7FFFF CALL 0059CCA4
0167:0059D547 5F POP EDI
0167:0059D548 5E POP ESI
0167:0059D549 5B POP EBX
0167:0059D54A 59 POP ECX
0167:0059D54B 59 POP ECX
0167:0059D54C 5D POP EBP
0167:0059D54D C20400 RET 0004

Now trace into the call (F8) at 59D542 (again: the address on your computer will be different) and step a bit (F10). Soon enough you'll see the following instruction: 8B45F8 MOV EAX,[EBP-08]

Step over that instruction and look at EAX: it contains the OEP. That's it, baby! For this example target, OEP = 4E3DF8 (a virtual address; as an RVA that is E3DF8).




Memory dump

Ok, so you survived part 1. Now let's get our asses moving on part 2.

We dump two separate files using IceDump (get it at protools; see the URL above). File 1 is the entire process image, and file 2 is the untouched import table. After that, we merge them and go on to step 3.

Fire up ProcDump and open PicView.exe in its PE editor. Note the image base and the size of image (SizeOfImage); you'll need both in a moment. Then run PicView again and get SoftICE to break at the OEP. One way to do that:

1. Hex-edit PicView.exe: at the (packed) entry point, replace the first byte with CCh (INT 3) and remember the original byte (in this case 60h, PUSHAD).
2. Type bpint 3 in SoftICE, run PicView and SoftICE breaks on the INT 3. Type "EB EIP 60" to restore the original byte in memory (the file on disk still has CCh; put 60h back when you're done).
3. Type BPM <address_of_oep> X; for this target, BPM 4E3DF8 X. Press F5 and SoftICE breaks at the OEP!

Ok, let's dump the image now. With an old(er) version of IceDump, type in SoftICE: pagein d <imagebase> <sizeofimage> <filename>.
For this specific target, the command line is: pagein d 400000 144000 c:\temp\image.exe
With the new IceDump, replace "pagein d" with "/dump": /dump 400000 144000 c:\temp\image.exe

Now, part 2 of step 2: dump the untouched Import Table. Look at ProcDump's PE editor again (you didn't close it, did you?) and click on "Sections". The ".idata" section is the one we're interested in; we need its RVA and its virtual size. For this target, RVA = E9000 and vsize = 3000.

Ok, let's dump the table then! Clear all breakpoints in SoftICE (bc *) and type: bpx LoadLibraryA (this is one of the APIs ASProtect has to call when it rebuilds the real import table, so breaking here catches the .idata section before ASPR has patched it). Run PicView yet again and SoftICE breaks. Press F12; you're now in some ASProtect code. Dump the import table by typing: pagein d <imagebase + rva_of_idata> <vsize_of_idata> <filename> (or, with the new IceDump, replace "pagein d" by "/dump"). --- For this example target, that command line is: pagein d 4E9000 3000 c:\temp\idata.dat

Now, step 3 of part 2: merge the dumped exe and the untouched import table. In my opinion the best way is Hex Workshop (www.hexworkshop.com): open image.exe and go to the file offset of .idata, which in our example is E9000. (The dump starts at the image base, so a section's file offset in image.exe is simply its RVA.) Select exactly as many bytes as the size of the new import table (3000 here) using Shift with PageDown/cursor keys or similar, then go to "File -> Replace by file" and pick idata.dat. The selected bytes in image.exe are now replaced by the contents of idata.dat. Merging completed!




Last step: edit the PE header so the program will run, not crash

Phew, feel like we're getting close to the end of the tutorial? I hope so too, because my fingers are starting to hurt ;)

We need to make some changes to the new image.exe using ProcDump's PE editor, so load image.exe in it. First, the entry point. Remember the OEP you wrote down? Subtract the image base from it (usually 400000; check ProcDump) and you have the RVA that goes in the Entry Point field. For this example program: 4E3DF8 - 400000 = E3DF8 = entry point.

Second, click on "Directory" and set the RVA of the Import Table to the RVA of .idata (in this example: E9000); leave the size alone. Press OK and go to "Sections". To be able to disassemble the unpacked file, start by editing the "CODE" section (the first section of the file; in this case it's called CODE) and change its Section Characteristics from C0000040 to E0000060. That adds the IMAGE_SCN_CNT_CODE (20h) and IMAGE_SCN_MEM_EXECUTE (20000000h) flags, so disassemblers treat the section as code. Now make PSize equal to VSize and Offset equal to RVA. This is because the file is now a raw memory dump taken from the image base (400000): its file layout is its memory layout, so every section's raw data starts at its RVA and is as long as its virtual size. For the CODE section in this example, PSIZE = VSIZE = E3000 and OFFSET = RVA = 1000. Press OK. Here comes the bad news (oh well, not so bad): you have to do this for every section the file has, so also for .DATA, .ASPR and so on. Always copy the VSIZE over the PSIZE and then the RVA over the OFFSET. Once you've finished them all, press OK, press OK again, and you can safely exit ProcDump.

And hey, we're done!! Run the unpacked file (image.exe): it runs perfectly, no problem, and you can disassemble it.
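
The two manual edits above (splicing idata.dat into image.exe in step 2, and the PE header surgery in step 3) can be scripted. The following Python is an added example for this edition of the tutorial; it is not the author's tooling and not part of ProcDump, IceDump or Hex Workshop. It works on a raw dump that begins at the image base (so file offset == RVA), splices the untouched .idata dump over the section of the same name, then sets AddressOfEntryPoint = OEP - ImageBase, points the import directory at .idata (size untouched), sets SizeOfRawData = VirtualSize and PointerToRawData = VirtualAddress for every section, and adds the CODE/EXECUTE flags to the first section (C0000040 -> E0000060). The sample it runs on is a constructed tiny PE32, not PicView: the section names follow the tutorial (CODE, .idata, .aspr) but their RVAs, sizes, the packed entry point and the OEP 403DF8 passed in are made up for the demo.

```python
"""Automates step 2.3 (merge) and step 3 (PE header fix) on a raw IceDump image.
Added example, not the tutorial's own tooling. Header offsets follow the PE32 format."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020      # these two turn C0000040 into E0000060
IMAGE_SCN_MEM_EXECUTE = 0x20000000

def _pe_offsets(img):
    """Locate the PE32 headers: returns (optional_header_off, section_table_off, nsections)."""
    if img[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe_off = struct.unpack_from("<I", img, 0x3C)[0]               # e_lfanew
    if img[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect = struct.unpack_from("<H", img, pe_off + 6)[0]           # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", img, pe_off + 20)[0]       # COFF SizeOfOptionalHeader
    opt_off = pe_off + 24
    if struct.unpack_from("<H", img, opt_off)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    return opt_off, opt_off + opt_size, nsect

def sections(img):
    """Parse the section table; '_off' is each header's own offset, kept for patching."""
    _, sect_off, nsect = _pe_offsets(img)
    out = []
    for i in range(nsect):
        off = sect_off + i * 40
        name, vsize, rva, rawsize, rawptr = struct.unpack_from("<8sIIII", img, off)
        out.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "rva": rva,
                    "rawsize": rawsize, "rawptr": rawptr,
                    "chars": struct.unpack_from("<I", img, off + 36)[0], "_off": off})
    return out

def header_info(img):
    """Entry point RVA, image base and import directory (data directory index 1)."""
    opt_off, _, _ = _pe_offsets(img)
    entry = struct.unpack_from("<I", img, opt_off + 16)[0]
    base = struct.unpack_from("<I", img, opt_off + 28)[0]
    imp_rva, imp_size = struct.unpack_from("<II", img, opt_off + 96 + 8)
    return {"entry": entry, "base": base, "import_rva": imp_rva, "import_size": imp_size}

def merge_idata(img, idata, name=".idata"):
    """Step 2.3: splice the untouched import section into the raw dump. The dump begins
    at the image base, so a section's file offset is simply its RVA."""
    sec = next(s for s in sections(img) if s["name"] == name)
    if len(idata) != sec["vsize"]:
        raise ValueError("idata dump is %#x bytes but VirtualSize is %#x" % (len(idata), sec["vsize"]))
    img[sec["rva"]:sec["rva"] + sec["vsize"]] = idata
    return sec["rva"]

def fix_header(img, oep_va, idata_name=".idata"):
    """Step 3: rewrite the header so the dump loads from disk. Returns the new entry RVA."""
    opt_off, _, _ = _pe_offsets(img)
    entry_rva = oep_va - header_info(img)["base"]       # 4E3DF8 - 400000 = E3DF8 in the text
    struct.pack_into("<I", img, opt_off + 16, entry_rva)
    secs = sections(img)
    idata = next(s for s in secs if s["name"] == idata_name)
    struct.pack_into("<I", img, opt_off + 96 + 8, idata["rva"])   # import dir RVA; size kept
    for i, s in enumerate(secs):
        # PSize = VSize and Offset = RVA: the dump's file layout is its memory layout.
        struct.pack_into("<II", img, s["_off"] + 16, s["vsize"], s["rva"])
        if i == 0:   # first (code) section gets the CODE and EXECUTE flags
            struct.pack_into("<I", img, s["_off"] + 36,
                             s["chars"] | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
    return entry_rva

def unpack_dump(img, idata, oep_va):
    """Run both steps on an in-memory dump (a bytearray); returns the entry point RVA."""
    merge_idata(img, idata)
    return fix_header(img, oep_va)

def build_sample_dump():
    """CONSTRUCTED stand-in for image.exe: a tiny PE32 whose section headers still describe
    the packed file on disk (raw sizes/offsets differ from the memory layout). Section
    RVAs, sizes and the packed entry point are made up for the demo."""
    secs = [(b"CODE",   0x1000, 0x2000, 0x1800, 0x0400),    # name, rva, vsize, rawsize, rawptr
            (b".idata", 0x3000, 0x1000, 0x0200, 0x1C00),
            (b".aspr",  0x4000, 0x1000, 0x0800, 0x1E00)]
    img = bytearray(0x5000)
    img[0:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)                                   # e_lfanew
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, len(secs), 0, 0, 0, 0xE0, 0x10F)
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<I", img, opt + 16, 0x4A00)        # packed entry point (ASPR stub)
    struct.pack_into("<I", img, opt + 28, 0x400000)      # image base
    struct.pack_into("<I", img, opt + 56, len(img))      # SizeOfImage
    struct.pack_into("<I", img, opt + 92, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8, 0x4100, 0x28)   # import dir redirected into .aspr
    for i, (name, rva, vsize, rawsize, rawptr) in enumerate(secs):
        off = opt + 0xE0 + i * 40
        struct.pack_into("<8sIIII", img, off, name, vsize, rva, rawsize, rawptr)
        struct.pack_into("<I", img, off + 36, 0xC0000040)
    return img

if __name__ == "__main__":
    dump = build_sample_dump()
    idata_dump = bytes([0x41]) * 0x1000                  # constructed stand-in for idata.dat
    print("entry RVA = %#x" % unpack_dump(dump, idata_dump, 0x403DF8))
    for s in sections(dump):
        print("%-7s rva=%#x vsize=%#x offset=%#x psize=%#x chars=%08X"
              % (s["name"], s["rva"], s["vsize"], s["rawptr"], s["rawsize"], s["chars"]))
```

On a real dump you would read c:\temp\image.exe into a bytearray, pass the bytes of idata.dat and the OEP you found in part 1, and write the result back out. The length check in merge_idata is the one thing the Hex Workshop route does not do for you: if the dumped .idata is not exactly VirtualSize bytes, the selection in the hex editor is wrong and the merged table is corrupt.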



Again ASProtect is completely DEAD. Goddamnit how many times do we have to make clear to software authors that commercial ready-made protections fucking suck DICK.

Well, I'm kind of tired right now, so I'll stop writing. But first I want to give greetings and credits to RISC (http://csir.cjb.net), because I used his method of dumping/fixing the PE, and it's great!


Signing off,

    Predator [PC/pGC]


Visit my site: http://www.predatorpc.com/