
View Full Version : ASProtect v1.2 on a dll (plugin)


UltimAtomMAX
September 8th, 2002, 10:22
Ok, so I've scanned the file with File InsPEctor, and it gives me the ASProtect v1.2 compiler.
I'm not sure, but I've found the OEP with a GetVersion and F5 until the file is loaded in memory, then typed "S 0 L FFFFFFFF first bytes of EIP", then I used the result in a "bpmb result x", F5 and F10 many times, and I have this (ignore the offsets):

:0000003C B878563412 mov eax, 12345678
:00000041 50 push eax
:00000042 034525 add eax, dword ptr [ebp+25]
:00000045 5B pop ebx
:00000046 0BDB or ebx, ebx
:00000048 8944241C mov dword ptr [esp+1C], eax
:0000004C 61 popad
:0000004D 7506 jne 00000055
:0000004F 6A01 push 00000001
:00000051 58 pop eax
:00000052 C20C00 ret 000C


:00000055 50 push eax
:00000056 C3 ret

Is that the POPAD of the ASProtect routine? Because after the ret on 00000056, eax = OEP and ret goes to the OEP:

:10089FFF 55 push ebp
:1008A000 8BEC mov ebp, esp
:1008A002 53 push ebx
:1008A003 8B5D08 mov ebx, dword ptr [ebp+08]
:1008A006 56 push esi
:1008A007 8B750C mov esi, dword ptr [ebp+0C]
:1008A00A 57 push edi
:1008A00B 8B7D10 mov edi, dword ptr [ebp+10]
:1008A00E 85F6 test esi, esi
:1008A010 7509 jne 1008A01B
:1008A012 833D1CBFE10300 cmp dword ptr [03E1BF1C], 00000000
:1008A019 EB26 jmp 1008A041

So I make the dump with "a eip, jmp eip" and LordPE, fix EIP & sections with PEditor, and rebuild the IAT with ImpREC (it finds all imports but one, discovered with the ASProtect plugin).

So I've tested the loading process with no IT, and a message says "Can't Load the plugin", and if that module isn't loaded, some other modules of that plugin aren't loaded. Now testing with the original packed file, everything is OK, the plugin loads and a splash screen appears. Now testing the module with a rebuilt IAT: it loads!!! But damn, no splash screen, and the software that loads the plugin doesn't appear on the screen, only in the taskbar. I think my IT is now correct, but it seems that the plugin checks in memory whether ASProtect is loaded, and if not, the plugin doesn't give me a splash screen and breaks the software. Please help, how could I fix it?

+SplAj
September 9th, 2002, 08:20
Hello UltimAtomMAX

I read your post several times and got more and more mystified!!!

Do you need to find the OEIP in the latest aspr1.2x targets and also use the plugin safely?

A 'popad' instruction per se does not mean that it's going to reveal the original EntryPoint.
Alexey uses pushad/popad to save/restore register state a lot of times.

Also the plugins with ImpREC 1.4+ work as they should. I've coded several plugins for different esoteric IAT protection schemes.....but never had a 'failed to load' problem. You should examine the 'options' and have a play......./me curious, maybe unselect 'use PE Header from Disk' if you are attacking a dll process.


Spl/\j
(c) 2002

UltimAtomMAX
September 9th, 2002, 09:17
Ok, so the ASProtected file is the dll (the plugin of the software), not the software itself.
My OEP was good, because the dll is now dumped, the IAT rebuilt, and a little trick fixed, and now the plugin loads perfectly.
But I need to unpack another dll to crack.
I've already dumped it, but can't get the full IAT with RV/ImpREC, and I don't understand how to rebuild the IT manually.
Could you help me, because I don't know how to trace the unresolved calls... Tried BPX GetVersion, and U XXXXXXXX where XXXXXXXX is the address given by RV, but can't see any call...
Could you explain a detailed "how to" for tracing calls with SI...
Thanx.

+SplAj
September 9th, 2002, 10:51
Hello

If you successfully de-aspr'd a dll already, then the next dll is the same procedure...or wtf?

I am curious to see this target in action, please PM me with URL.

UltimAtomMAX
September 9th, 2002, 11:30
Not the same procedure, because I don't know how to trace the unresolved calls of the second dll. The first was easier, because the IAT was rebuilt successfully with RV/ImpREC, but the second has many unresolved imports.
So I don't know how to retrieve them with SI tricks, like you explain in your tuts when there are unresolved imports. I don't understand, for example, in your Commview 3.1 tut:

In RV select the CV.exe and unclick 'Autofix sections', then press 'fetch IAT' and RV fills in the following:-

IAT Start RVA 001A0230
IAT Length 00000908 (this time correct, but be careful and manually check the jmp table in SICE window)

Press the 'IAT Resolver' and then 'Resolve Again' buttons. All but the following IT have been successfully found:-

021 001A0284 00E8C548 0000 ?????? to_Resolve
022 001A0288 00E8C8F8 0000 ?????? to_Resolve
027 001A029C 00E8C94C 0000 ?????? ??????
064 001A0340 00E8C8F8 0000 ?????? to_Resolve
090 001A03B0 005881EC 0000 ?????? ??????
109 001A03FC 0058826C 0000 ?????? ??????
126 001A0440 00E8C914 0000 ?????? ??????
134 001A0460 00E8C548 0000 ?????? to_Resolve
136 001A0468 00E8C8F8 0000 ?????? to_Resolve
151 001A04A4 00E8C944 0000 ?????? ??????
152 001A04A8 00E8C93C 0000 ?????? ??????
154 001A04B0 005882A0 0000 ?????? ?????? <- these are from Win2K & RV so will be different addresses from Win98/ME

1st, save your resolved.txt. Most can be fixed up with the 'Enable Trace' & 'Trace' function and the 'Resolve Again' button pressed. Save your resolved.txt again. Now you have to trace MANUALLY those final few unresolved entries. I can tell you that most are from that API cluster we saw earlier and others will be FreeResource and LockResource. These 2 APIs have a RET 0004 from the stack, so just selecting a random API will fail you with a RET. Take care. Look at the ALPHABETIC names of the resolved.txt. You get a big clue from this. Ok, to trace is easy. I will do one with you. See item 21/22, which MUST be a Get??? API.
Close all programs and set a bpx GetVersion again and start CV.exe. When you F12 back to the API cluster do a U E8C548 (or whatever the memory location is for you). You will immediately see the link to the API cluster's EAX stored location. Match the memory to the API. For item 109, this is LockResource; you will see a PUSH blah RET 0004 code.

021 001A0284 BFF76DA8 01A3 KERNEL32.dll GetProcAddress
022 001A0288 BFF77716 018D KERNEL32.dll GetModuleHandleA
027 001A029C BFF8C5DA 0149 KERNEL32.dll GetCommandLineA
064 001A0340 BFF77716 018D KERNEL32.dll GetModuleHandleA
090 001A03B0 BFF9FA9F 02F5 KERNEL32.dll SizeofResource
109 001A03FC BFF92F48 023E KERNEL32.dll LockResource
126 001A0440 BFF92F1B 01DC KERNEL32.dll GetVersion
134 001A0460 BFF76DA8 01A3 KERNEL32.dll GetProcAddress
136 001A0468 BFF77716 018D KERNEL32.dll GetModuleHandleA
151 001A04A4 BFF84948 015B KERNEL32.dll GetCurrentProcessId
152 001A04A8 BFF96347 015A KERNEL32.dll GetCurrentProcess
154 001A04B0 BFF92F43 0135 KERNEL32.dll FreeResource

UltimAtomMAX
September 9th, 2002, 11:33
And failed to do that:

Set a BPX GetVersion. Press F5 and trace back to the aspr code with F12 and see a cluster of APIs whose return value (in EAX) Alexey just maps to memory locations.......


016F:017AC7BC 6A00 PUSH 00
016F:017AC7BE E8897CFFFF CALL KERNEL32!GetModuleHandleA
016F:017AC7C3 A34C367B01 MOV [017B364C],EAX
016F:017AC7C8 E8977CFFFF CALL KERNEL32!GetVersion
016F:017AC7CD A344367B01 MOV [017B3644],EAX
016F:017AC7D2 68AC357B01 PUSH 017B35AC
016F:017AC7D7 E8907CFFFF CALL KERNEL32!GetVersionExA
016F:017AC7DC E83B7CFFFF CALL KERNEL32!GetCurrentProcess
016F:017AC7E1 A348367B01 MOV [017B3648],EAX
016F:017AC7E6 E8397CFFFF CALL KERNEL32!GetCurrentProcessId
016F:017AC7EB A350367B01 MOV [017B3650],EAX
016F:017AC7F0 E81F7CFFFF CALL KERNEL32!GetCommandLineA
016F:017AC7F5 A340367B01 MOV [017B3640],EAX
016F:017AC7FA C3 RET

I've found the OEP with another trick.

+SplAj
September 9th, 2002, 12:11
To manually trace a redirected API, just look at the unresolved entry and then, while holding the target in an EB FE loop, Ctrl-D into SI and U the call, e.g. from the above example:-
027 001A029C 00E8C94C 0000 ?????? ??????

in SI type 'U E8C94C' and examine the code.

it will look something like :-

0167:0132138E 8BC0 MOV EAX,EAX
0167:01321390 E8DB3DFFFF CALL KERNEL32!GetVersion <- FAKE call
0167:01321395 A1F06C3201 MOV EAX,[01326CF0] <- restore GetCommandLineA
0167:0132139A C3 RET

so if you had MANUALLY logged that memory block where ASPR saves the GetWhatWeWant API result, then you will know that [1326CF0] holds the result of the GetCommandLineA API

Is that it ???

I'm still waiting for PM with URL of target (be quick my PM box is filling with requests...)
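The manual tracing SplAj describes (match the memory slot the API cluster writes to the slot the redirected stub reads back) as an added Python helper. This is not code from the thread; the two listings it parses are constructed samples modelled on the SoftICE output quoted above, with the stub's read address chosen to line up with the sample cluster.

```python
import re

# Constructed sample in the style of the listings above: the ASProtect "API
# cluster" calls real APIs and stores each result (EAX) at a fixed address.
CLUSTER = """\
016F:017AC7BE E8897CFFFF CALL KERNEL32!GetModuleHandleA
016F:017AC7C3 A34C367B01 MOV [017B364C],EAX
016F:017AC7C8 E8977CFFFF CALL KERNEL32!GetVersion
016F:017AC7CD A344367B01 MOV [017B3644],EAX
016F:017AC7D2 68AC357B01 PUSH 017B35AC
016F:017AC7D7 E8907CFFFF CALL KERNEL32!GetVersionExA
016F:017AC7DC E83B7CFFFF CALL KERNEL32!GetCurrentProcess
016F:017AC7E1 A348367B01 MOV [017B3648],EAX
016F:017AC7F0 E81F7CFFFF CALL KERNEL32!GetCommandLineA
016F:017AC7F5 A340367B01 MOV [017B3640],EAX
016F:017AC7FA C3 RET
"""

# Constructed redirected import stub: the CALL is a decoy, the real import is
# whichever API's saved result the final MOV EAX,[addr] reads back.
STUB = """\
0167:0132138E 8BC0 MOV EAX,EAX
0167:01321390 E8DB3DFFFF CALL KERNEL32!GetVersion
0167:01321395 A1406C3201 MOV EAX,[017B3640]
0167:0132139A C3 RET
"""

CALL_RE = re.compile(r'CALL\s+(\w+!\w+)')
STORE_RE = re.compile(r'MOV\s+\[([0-9A-Fa-f]+)\],EAX')
LOAD_RE = re.compile(r'MOV\s+EAX,\[([0-9A-Fa-f]+)\]')

def map_saved_results(listing):
    """Return {address: API} for every API whose EAX the cluster stores.
    A CALL not followed by a store (GetVersionExA here) is never mapped."""
    saved, pending = {}, None
    for line in listing.splitlines():
        if (m := CALL_RE.search(line)):
            pending = m.group(1)
        elif (m := STORE_RE.search(line)) and pending:
            saved[int(m.group(1), 16)] = pending
            pending = None
    return saved

def resolve_redirected_stub(stub, saved):
    """Ignore the decoy CALL; name the API by the slot the stub reads."""
    for line in stub.splitlines():
        if (m := LOAD_RE.search(line)):
            return saved.get(int(m.group(1), 16))
    return None
```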

UltimAtomMAX
September 9th, 2002, 14:43
Sorry about the target, but only a few people can have it. You cannot get it on the web, but if you find an upload place for me, I can give you the files. I will try your tricks, thanx very much.

UltimAtomMAX
September 10th, 2002, 14:00
Ok, I'm actually using ReVirgin to un-ASProtect a dll target.
Now I select the host process, then the wanted dll in "Select Module to Attach".

Selecting my dll gives:
Error
Image Import Descriptor corrupted, enter the OEP and click FetchIAT.


So I bypass this error, correcting the actual OEP with the dll's one (1921B, found with SI) and clicking "Fetch IAT":
Message
Found Nothing


So I decide to run ImpREC to do the same thing, entering the OEP, then "IAT AutoSearch" works... RVA: 1A000, Length: 620.
So ImpREC does that job, not RV.

Now I switch to RV and launch "IAT Resolver" (works) and "Resolve again" (works too), then a lot of imports are unresolved, so I decide to "Save resolved" to resolved.txt.
It works.

Now try to resolve an unresolved with ASProtect 1.2 Emu dll.
Found !

Great...
Now it's time to resolve that import, so "Resolve again"...
Argh !!!
WTF !!!
Revirgin
External exception EEFFACE.

What's that ???

Ok, I don't want to panic, so I close ReVirgin, then start it again...
And re-select the process and the dll...
So I don't want to relaunch the "IAT Resolver", and then "Load resolved".

I select my resolved.txt
Argh !!!
WTF !!!
Revirgin
Access violation at address 004AAAFE in module "REVIRGIN.exe". Read of address FFFFFFF9.


Now, what can I do to rebuild my IAT...
I am under Win2K SP3, maybe that's the sh*t...

UltimAtomMAX
September 10th, 2002, 14:06
Here is the ImpREC IAT, I have the same with RV...
But take a look at the last FThunk, maybe my length is incorrect...
Because I have:
1 0001A470 xrend.dll 001E ?GetComputeParallelDepth@BucketRend@@QAEHXZ
but xrend.dll is the file I want to resolve... So why is there an imported function from itself...???
Or if my length is incorrect, how could I find the true length?

UltimAtomMAX
September 10th, 2002, 14:13
So I've traced at level 1 some unresolved entries in the last FThunk, and there are a lot of duplicate imports...
Can this FThunk be deleted? Because when I fix my dump without that FThunk, the file works...
Here is the level 1 traced, solved tree

+SplAj
September 10th, 2002, 14:34
You are getting good
________________________________________________
Can this FThunk be deleted? Because when I fix my dump without that FThunk, the file works...
________________________________________________


YOU proved the theory

To get the length take a look at the dump with UltraEdit........examining the raw offset should make things a lot clearer.

BTW A.F.A.I.K. EEFFACE, EEFFADE, EE5L1CE, EEFFOUR etc etc are Dumb Delphi exception lookup codes - well maybe not slice and four
Dump the plugin and you'll see.

UltimAtomMAX
September 10th, 2002, 14:43
So thank you for your help, but now I have some other problems cracking the files, but now I don't need to ask in this place, it seems I have no more unpacking problems.
Thank you very muuuuuuuuuuuuuch !!!
But need to know how to fix the RV problems...