triz-
May 31st, 2002, 05:26
First off, I just want to say that without Fravia's site and this messageboard, I'd still be wandering around muttering "Why does the disassembler crash!?!" and giggling to myself. You guys are a tremendous source of information and without the site, I wouldn't know half of what I do.
That said, I throw myself before the mercy of the court seeking some pointers for ASProtect. I've been tinkering with it on and off for a little while now, and I think I've gotten the hang of getting to OEP and dumping (one step at a time ).
My setup: Win 98 SE, SoftIce 4.00
Target: h**p://www.sapphiregames.com/15pack/15pack.zip (500k)
Downloaded, unzipped, installed and checked with PEId..."Asprotect." Drat, my arch-nemesis once again.
Loaded Icedump and Iceload, and ran. Broke on INVALID's, traced a few steps and ran a /tracex 400000 470000 (half lazy and half ignorant as to when to set a breakpoint without ASPR clearing it - I'm trying ). Broke on the usual 4010xx RET - F10, traced again. Here's where it gets interesting (to me, anyways)
PUSH EBP
MOV EBP, ESP
MOV EAX, [ESP+0C]
MOV [004XXXXX], EAX
POP EBP
RET
Tracex breaks on this chunk of code 3 times I believe (I typed this from memory, and my short-term memory is a bit hazy sometimes, so bear with me if I goofed up a register in there somewhere). I believe the [004XXXXX] address changes each time, although I'm not positive. After tracing out of the third and /tracexing again, it travels on to 4457A8 which appears to be OEP.
/option p i0
/dump 400000 457A8 c:\dump.exe
Alrighty, close SoftICE and load Revirgin. Pick 15pack.exe from the menu, "Table corrupt, enter OEP blah blah." Enter 004457A8 for OEP and click Fetch IAT.
"Nothing found." Ummm...
I don't recall why, but I entered 401000 eventually, and got RVA of 4912C and Length of 5D0. IAT Resolver -> Resolve again....hm, there it is??
Here's where I falter. For example:
19 00049178 00C11270 0000 ?????? ??????
???? doesn't sound too useful. Close 15Pack, bpx GetVersion, run again. When SI pops, D C11270 to find a lot of ???'s. F5 - oh, there's something there now. U C11270 to get
PUSH 00
CALL Kernel32!GetModuleHandleA
PUSH DWORD PTR [00C16CF0]
POP EAX
RET
D C16CF0...lots of 000's. F5 again - now there's something there. "81B7A260" (this address seems to change every time I run it). D 81B7A260 - "C:\Program Files\15-Pack 1.28\15pack.exe" Why thank you kind program, if you hadn't told me where the EXE was I might have lost it.
Something else that seems...different (wrong? ) In Revirgin, using 00401000 as OEP, there's a number of KERNEL32 functions, followed by 3 USER32, 3 ADVAPI32, some OLEAUT32 functions, 4 more KERNEL32's, some other assorted functions, then even more KERNEL32s...I was under the impression they were generally in one group together?
I realize ASProtect has been discussed quite frequently in the past (I've read some of it over and over again trying to find something I might have missed), but it was starting to drive me a bit crazy, so I decided to take a new small target, do what I can, document my steps and present it here hoping to maybe learn something else from the masters.
Another thing:
15PACK.EXE 252,416 bytes
15DUMP.EXE 284,587 bytes
15DUMP2.EXE 252,928 bytes (I forget why I made 2 dumps. This one looks too close to be a good dump - if anyone gets a good dump of this, could you tell me how big your dumped EXE is?)
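The "??????" rows Revirgin shows above are IAT slots whose target lies outside every loaded module (00C11270 is in memory the protector allocated at run time, not in KERNEL32), and the code sitting there is a small stub that emulates the API instead of jumping to it. The following added example (not part of the original post, and not Revirgin's code) classifies a set of IAT entries this way and decodes the one stub pattern the post shows: PUSH 0 / CALL rel32 / PUSH DWORD PTR [ptr] / POP EAX / RET. All module ranges, export addresses and the thunk values are constructed or assumed for illustration.

```python
import struct

# Constructed module map; the Win9x-style base addresses are made up.
MODULES = {"KERNEL32": (0xBFF70000, 0xBFFFFFFF), "USER32": (0xBFC00000, 0xBFC6FFFF)}
GETMODULEHANDLEA = 0xBFF7B3C0   # assumed export address inside the KERNEL32 range
STUB_VA = 0x00C11270            # thunk value from the Revirgin row in the post

def build_stub(stub_va, call_target, stored_ptr):
    """Encode the emulation stub seen in the post (constructed sample bytes)."""
    rel32 = (call_target - (stub_va + 7)) & 0xFFFFFFFF   # CALL sits at +2 and is 5 bytes
    return (b"\x6a\x00"                                  # PUSH 00
            + b"\xe8" + struct.pack("<I", rel32)         # CALL rel32
            + b"\xff\x35" + struct.pack("<I", stored_ptr)  # PUSH DWORD PTR [ptr]
            + b"\x58\xc3")                               # POP EAX / RET

# Constructed memory snapshot: only the stub region is populated.
MEMORY = {STUB_VA: build_stub(STUB_VA, GETMODULEHANDLEA, 0x00C16CF0)}
# Constructed IAT rows (RVA, dword): two direct thunks and one redirected thunk.
IAT = [(0x00049170, 0xBFF7A001), (0x00049174, 0xBFC12345), (0x00049178, STUB_VA)]

def module_for(addr):
    """Name of the module whose range contains addr, or None (Revirgin's ??????)."""
    for name, (lo, hi) in MODULES.items():
        if lo <= addr <= hi:
            return name
    return None

def decode_stub(code, va):
    """Return the CALL target and stored pointer if code matches the stub, else None."""
    if (len(code) < 15 or code[:3] != b"\x6a\x00\xe8"
            or code[7:9] != b"\xff\x35" or code[13:15] != b"\x58\xc3"):
        return None
    rel32 = struct.unpack("<i", code[3:7])[0]            # signed displacement
    return {"call": (va + 7 + rel32) & 0xFFFFFFFF,
            "stored_ptr": struct.unpack("<I", code[9:13])[0]}

def classify_iat(iat, memory):
    """Label each IAT dword as a direct import, a decoded stub, or unresolved."""
    out = []
    for rva, target in iat:
        mod = module_for(target)
        if mod:
            out.append((rva, target, mod))
            continue
        info = decode_stub(memory.get(target, b""), target)
        if info and module_for(info["call"]):
            label = "stub -> %s!%08X, value from [%08X]" % (
                module_for(info["call"]), info["call"], info["stored_ptr"])
            out.append((rva, target, label))
        else:
            out.append((rva, target, "??????"))
    return out
```

In a real dump you would feed `classify_iat` the dwords read from the IAT range Revirgin reports (RVA 4912C, length 5D0 here) and the bytes at each unresolved target; the stub decoder only recognises the one layout shown in the post, so other ASProtect stub shapes still come back as ??????.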