Unpacking Aspack 1.08.04
 
Target
DETTEN CRACKME #10
******************

Cracker: figugegl
Email: figugegl_2000@yahoo.de
Date: 29.10.2001
Tools: Softice, Procdump, LordPE, Hexeditor, Filescanner
Level 1-10: 4

The Tracing

The first part of this tutorial is about unpacking Aspack 1.08.04 by hand so that we get a readable disassembly listing of the program. Then we reverse the algorithm and finally code a keygenerator.

a) Manual unpacking
-------------------

As usual, we load the target into our favourite file analyzer - I always use viper's FileinsPEctor XL. We see that the program is packed with Aspack 1.08.04. We also have a look at the imports. There are only four, among them GetProcAddress, which the packer's loader stub needs to resolve the real imports at runtime. The lazy cracker takes Caspr to unpack the program automatically, but we're going to do it the hard way. I always try to unpack by hand first, and only if I fail do I fall back to a generic unpacker.

We load Icedump, set a bpx GetProcAddress in Softice and start the crackme. Softice pops up here:

0167:00413063 53            PUSH EBX
0167:00413064 50            PUSH EAX
0167:00413065 FF95284B4400  CALL [EBP+00444B28]     ; GetProcAddress, called through a slot relative to EBP
0167:0041306B 898528404400  MOV [EBP+00444028],EAX  ; SoftICE pops up here, on return from the call
0167:00413071 8D9D4A4A4400  LEA EBX,[EBP+00444A4A]
0167:00413077 53            PUSH EBX
0167:00413078 57            PUSH EDI
0167:00413079 FF95284B4400  CALL [EBP+00444B28]     ; GetProcAddress again
0167:0041307F 89852C404400  MOV [EBP+0044402C],EAX
0167:00413085 8D85C1394400  LEA EAX,[EBP+004439C1]
0167:0041308B FFE0          JMP EAX
0167:0041308D 00F0          ADD AL,DH               ; junk after the jump, never executed

We start tracing with <F10>, always looking out for a call to address 40xxxx. Soon there's a call edi, with edi = 401000:

0167:0041311A 8B3E          MOV EDI,[ESI]
0167:0041311C 03BD284A4400  ADD EDI,[EBP+00444A28]  ; RVA from the table + image base = 401000
0167:00413122 FF37          PUSH DWORD PTR [EDI]    ; save the original bytes at 401000
0167:00413124 C607C3        MOV BYTE PTR [EDI],C3   ; overwrite the first byte with a RET (C3)
0167:00413127 FFD7          CALL EDI                ; call 401000 - returns immediately
0167:00413129 8F07          POP DWORD PTR [EDI]     ; restore the original bytes

We step into the call with <F8> but see a RET command only - no wonder, the MOV BYTE PTR [EDI],C3 just before the call wrote that RET there, and the POP afterwards restores the original byte. This seems to be a little trick to distract crackers who step into the first call to 401000 and conclude it is dead code. Then there are a couple of "backward jumps" (decompression loops); in each case we set a bpx on the instruction following the jump and let SoftICE run with <F5>. We have to disable the GetProcAddress breakpoint first, otherwise SoftICE pops up at every import the loader resolves. Eventually we come to the jump to the original entry point (OEP). Well, actually it's not a jump but a PUSH followed by a RET, but with the same effect:

0167:004133A0 B800100000    MOV EAX,00001000        ; RVA of the OEP
0167:004133A5 50            PUSH EAX
0167:004133A6 0385284A4400  ADD EAX,[EBP+00444A28]  ; + image base = 401000
0167:004133AC 59            POP ECX
0167:004133AD 0BC9          OR ECX,ECX              ; RVA zero would mean "no entry point"
0167:004133AF 8985F13C4400  MOV [EBP+00443CF1],EAX
0167:004133B6 7508          JNZ 004133C0
0167:004133B8 B801000000    MOV EAX,00000001
0167:004133BD C20C00        RET 000C
0167:004133C0 6800104000    PUSH 00401000           ; address of OEP
0167:004133C5 C3            RET                     ; "jump" to OEP

Dumping

Now we dump the file. Before we can do that, we put the program into an endless loop so that it sits still at the OEP and the unpacked image in memory stays as it is while we dump. With EIP on the RET at 004133C5, type "a <enter> jmp eip <enter> <esc> <f5>": the "a" command assembles a short jump to itself (EB FE) at the current EIP and <F5> lets the process spin there. (The two bytes overwrite the RET and the byte after it, which doesn't matter - this part of the loader is never executed again once the entry point is fixed.) Now let's do a full dump with Procdump. In the Options - Import section we mark "rebuild new import table"; this usually makes it much easier to get a fully working program and a listing that shows all import functions correctly.

We're almost done: we only have to correct the entry point, because the dumped header still points at the Aspack loader. Load the dumped file in Procdump's PE-Editor and set the EP (a relative virtual address, RVA) to:

OEP - Image Base = 401000h - 400000h = 1000h
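Procdump's PE editor does this arithmetic for you, but it is worth seeing what it actually changes in the header. The Python script below is an added example, not part of the tutorial or of Procdump/LordPE: it reads ImageBase from the optional header, converts the OEP seen in SoftICE to an RVA, refuses if that RVA does not fall inside any section (the usual symptom of having taken the wrong address for the OEP), and writes it into AddressOfEntryPoint. Since a real dump cannot be shipped here, the header it patches is constructed inline; the section names and sizes and the packer's entry point 13001h are assumptions for the demonstration, only ImageBase 400000h and OEP 401000h come from the tutorial. PE32 only.

```python
import struct

# Added example, not part of the tutorial or of Procdump/LordPE.  PE32 only
# (the tutorial's target is a 32-bit Win32 executable); PE32+ is not handled.

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
PE32_MAGIC = 0x10B


def _pe_offsets(data):
    """Validate the MZ/PE headers and return
    (optional-header offset, section-table offset, number of sections)."""
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff_off = pe_off + 4                                       # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff_off + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff_off + 16)[0]
    opt_off = coff_off + 20                                     # IMAGE_OPTIONAL_HEADER
    if struct.unpack_from("<H", data, opt_off)[0] != PE32_MAGIC:
        raise ValueError("only PE32 images are handled here")
    return opt_off, opt_off + opt_size, num_sections


def section_containing(data, rva):
    """Name of the section whose virtual range covers rva, or None."""
    _, sect_off, n = _pe_offsets(data)
    for i in range(n):
        hdr = sect_off + i * 40                                 # IMAGE_SECTION_HEADER is 40 bytes
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, hdr + 8)
        if vaddr <= rva < vaddr + vsize:
            return name
    return None


def entry_point(data):
    """AddressOfEntryPoint (an RVA) as stored in the optional header."""
    opt_off, _, _ = _pe_offsets(data)
    return struct.unpack_from("<I", data, opt_off + 16)[0]


def fix_entry_point(data, oep_va):
    """Return a copy of data with AddressOfEntryPoint = oep_va - ImageBase.

    Same arithmetic the tutorial does by hand in Procdump's PE editor.  The
    RVA must land inside some section; if it does not, the address taken for
    the OEP is almost certainly wrong, so refuse rather than write a bad EP.
    """
    opt_off, _, _ = _pe_offsets(data)
    image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    rva = oep_va - image_base
    if rva < 0 or section_containing(data, rva) is None:
        raise ValueError("OEP %#x (RVA %#x) lies outside every section" % (oep_va, rva))
    patched = bytearray(data)
    struct.pack_into("<I", patched, opt_off + 16, rva)          # AddressOfEntryPoint
    return bytes(patched)


def make_sample_pe():
    """Constructed PE32 header standing in for the dump, not a real file.
    ImageBase 400000h and OEP 401000h come from the tutorial; the section
    layout and the packer's entry point 13001h are assumptions for the demo:
    .text at RVA 1000h holds the unpacked program, .aspack at RVA 13000h the
    loader stub, and the EP still points into the stub as in a fresh dump."""
    dos = bytearray(0x40)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x10E)  # i386, 2 sections
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x13001)                    # AddressOfEntryPoint (packer)
    struct.pack_into("<I", opt, 28, 0x400000)                   # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)             # Section/FileAlignment

    def section(name, vsize, vaddr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr,
                           vsize, 0, 0, 0, 0, 0, 0x60000020)

    return (bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt)
            + section(b".text", 0x12000, 0x1000)
            + section(b".aspack", 0x1000, 0x13000))


if __name__ == "__main__":
    dump = make_sample_pe()
    print("EP before: %#x in %s" % (entry_point(dump), section_containing(dump, entry_point(dump))))
    fixed = fix_entry_point(dump, 0x401000)
    print("EP after:  %#x in %s" % (entry_point(fixed), section_containing(fixed, entry_point(fixed))))
```

On a real dump you read the file with open(path, "rb").read(), pass it together with the OEP you traced to (here 401000h) to fix_entry_point(), and write the returned bytes back. The section check is the part Procdump does not do for you: an OEP that resolves into the packer's section or into no section at all is a sign you stopped tracing too early.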

We start the program and IT WORKS! The listing looks good as well: all import functions are visible.

Now let's crack the crackme...
