Embed Size (px)
Citation preview
LaBBa–rotect Final tut by SPA-"Step-By-Step"
Hi all this is the final tut I'm ever going to do about ASPR .. yep .. I have no more time for those things now in my life..
So what this tut is going to be different from all the others tuts ? 1. It will have pictures 2. It will have new explanation about finding the Stolen bytes 3. It will try to explain as much as I can about this protection..
What this tut won't explain? 1. how to fixed Redirected calls to aspr
Well let's start ! Tools that we will need
1. OllyDbg 1.09d – really cool tool 2. LordPe – tnx to y0da 3. ImpREC v1.6F– Really great tool of MackT 4. HView/HackView – or any other Hex editor 5. WinXP - hehe
Targets that we are going to Unpack (not to crack !!)
Well the technique of the Stolen bytes can't be learned just by doing 1 kind of stolen bytes .. u must do at least 4 apps , so u can see that it's almost the same technique at all kinds that there is out there .. well I can't do for u 4 apps so I will do at least 2 :
1. WTM CD Protect – (www.webtoolmaster.com/download/cdprot.exe) – v1.54
2. Proactive Windows Security Explorer – (http://www.elcomsoft.com/pwsex.html) – v1.00b3 (build 1225)
Steps in Unpacking
1. Killing ASPR anti Debugging 2. Finding The OEP for Dumping 3. Fixing the Import API's Table (IAT) 4. Finding the Stolen bytes and re-insert them
NOTE THIS !!
In all of the apps that we will unpack they will have the same technique for killing ASPR anti-debug and the same technique of finding the OEP and same technique for fixing the IAT (Import Api Table) . The only thing that Won't be the same is : Stolen bytes.. So.. I will only show in WTM CD Protect how to Kill anti-debugging And finding OEP and fixing IAT and all others I will show how we find the Stolen Bytes because all the rest are the same..
So.. Lets Start !
STEP #1 - Killing ASPR Anti-Debug
Well this part is really easy.. After u finished loading the app to OllyDbg Press : Alt+E This will load a table of : Executable Table Press on Kernel32.dll with right click of u'r mouse and choose : View Names
now search for the API called : IsDebuggerPresent when u finds it press on it and then press F2 to set a BreakPoint
Now get back to the main window and Press F9 to let the app Run ***BOOM*** The app is Paused because of some access violation (so fucking what ?!) Continue Pressing : Shift+F9 till u will see at the down of the window :
and will see this code :
77E72E92 > 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]–We are Here 77E72E98 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30] 77E72E9B 0FB640 02 MOVZX EAX,BYTE PTR DS:[EAX+2] 77E72E9F C3 RETN
Now Press F8 just 2 times and then look at the lower window and u will see :
Write down this address : 7FFDF002 This is where we need to change every time we start our debugging The value from 01 to 00 ..
Disable our break point by pressing F2 again on the address that we have set on our break point .
Now restart our app debugging by pressing : Ctrl+F2
Now go to the dump window and press with u'r mouse and then press Ctrl+G ("GoTo") and enter at the Dialog box that appear there the address we wrote : 7FFDF002 Now press on the first byte on the top with u'r mouse and then press with u'r keyboard : 00 and the press OK
STEP #2 - Finding The OEP for Dumping
now we can start running again our app with F9 and Shift+F9 till we will get to the last one time that if we will press again then the app will run this will look like this :
00A539EC 3100 XOR DWORD PTR DS:[EAX],EAX – we HERE 00A539EE 64:8F05 00000000 POP DWORD PTR FS:[0] 00A539F5 58 POP EAX 00A539F6 833D B07EA500 00 CMP DWORD PTR DS:[A57EB0],0 00A539FD 74 14 JE SHORT 00A53A13 00A539FF 6A 0C PUSH 0C 00A53A01 B9 B07EA500 MOV ECX,0A57EB0 00A53A06 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8] 00A53A09 BA 04000000 MOV EDX,4 00A53A0E E8 2DD1FFFF CALL 00A50B40 00A53A13 FF75 FC PUSH DWORD PTR SS:[EBP-4] 00A53A16 FF75 F8 PUSH DWORD PTR SS:[EBP-8] 00A53A19 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 00A53A1C 8338 00 CMP DWORD PTR DS:[EAX],0 00A53A1F 74 02 JE SHORT 00A53A23 00A53A21 FF30 PUSH DWORD PTR DS:[EAX] 00A53A23 FF75 F0 PUSH DWORD PTR SS:[EBP-10] 00A53A26 FF75 EC PUSH DWORD PTR SS:[EBP-14] 00A53A29 C3 RETN
Now press with u'r mouse on the Ret and set a BreakPoint on it by pressing F2 . now Press Shift+F9 and let it break on the RET ***BOOM*** ok .. now we are on the RET .
Now set a command line with pressing Alt+F1 to : TC EIP<900000 And press enter and let it trace... (u can look at the right down corner of the screen and see there "Tracing")
***BOOM*** now if u sees this kind of code :
00405214 FF DB FF 00405215 25 DB 25 ; CHAR '%' 00405216 DC DB DC 00405217 91 DB 91 00405218 43 DB 43 ; CHAR 'C' 00405219 00 DB 00 0040521A 8B DB 8B
and etc.. all u need to do is Press : Ctrl+A (make Analyze again) now u should see this :
00405214 $-FF25 DC914300 JMP DWORD PTR DS:[4391DC] - we HERE 0040521A 8BC0 MOV EAX,EAX 0040521C $-FF25 D8914300 JMP DWORD PTR DS:[4391D8] 00405222 8BC0 MOV EAX,EAX 00405224 $-FF25 D4914300 JMP DWORD PTR DS:[4391D4] 0040522A 8BC0 MOV EAX,EAX 0040522C $-FF25 D0914300 JMP DWORD PTR DS:[4391D0]
Press F8 1 time to see where this jump will take us too and we will be here :
00A51C64 55 PUSH EBP 00A51C65 8BEC MOV EBP,ESP 00A51C67 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00A51C6A 85C0 TEST EAX,EAX 00A51C6C 75 13 JNZ SHORT 00A51C81 00A51C6E 813D A47AA500 00>CMP DWORD PTR DS:[A57AA4],400000 ; ASCII "MZP" 00A51C78 75 07 JNZ SHORT 00A51C81 00A51C7A A1 A47AA500 MOV EAX,DWORD PTR DS:[A57AA4] 00A51C7F EB 06 JMP SHORT 00A51C87 00A51C81 50 PUSH EAX 00A51C82 E8 3135FFFF CALL 00A451B8 ; JMP to kernel32.GetModuleHandleA 00A51C87 5D POP EBP 00A51C88 C2 0400 RETN 4
as u can see we are back to the ASPR code by looking at the address : 00A51C64
ok .. now continue tracing the code by pressing F8 after u will do the Ret command u will get to here :
0040531C BA 9C704300 MOV EDX,ACopy.0043709C 00405321 52 PUSH EDX 00405322 8905 B8844300 MOV DWORD PTR DS:[4384B8],EAX 00405328 8942 04 MOV DWORD PTR DS:[EDX+4],EAX 0040532B E8 98FFFFFF CALL ACopy.004052C8 00405330 5A POP EDX 00405331 58 POP EAX 00405332 E8 15E1FFFF CALL ACopy.0040344C 00405337 C3 RETN
ok now we are back in our code but it's still not our OEP because if u will start tracing with F8 u can get to the RET and the app isn't even running.. before we will start tracing we will make a dump to our process and get a dump file .. so Open LordPe/ProcDump and choose our Process and make a full dump of process and save it :
now we can start tracing . press F8 and after the ret u will be at the OEP (fake) :
00436EAD 8B1D 907A4300 MOV EBX,DWORD PTR DS:[437A90] ; ACopy.004386E8 00436EB3 8B03 MOV EAX,DWORD PTR DS:[EBX] 00436EB5 E8 FA25FFFF CALL ACopy.004294B4 00436EBA 8B0D 0C7B4300 MOV ECX,DWORD PTR DS:[437B0C] ; ACopy.00438774 00436EC0 8B03 MOV EAX,DWORD PTR DS:[EBX] 00436EC2 8B15 10374300 MOV EDX,DWORD PTR DS:[433710] ; ACopy.00433750 00436EC8 E8 FF25FFFF CALL ACopy.004294CC 00436ECD 8B0D 707A4300 MOV ECX,DWORD PTR DS:[437A70] ; ACopy.00438750 00436ED3 8B03 MOV EAX,DWORD PTR DS:[EBX] 00436ED5 8B15 C0274300 MOV EDX,DWORD PTR DS:[4327C0] ; ACopy.00432800 00436EDB E8 EC25FFFF CALL ACopy.004294CC 00436EE0 8B0D 047A4300 MOV ECX,DWORD PTR DS:[437A04] ; ACopy.00438764 00436EE6 8B03 MOV EAX,DWORD PTR DS:[EBX]
00436EE8 8B15 DC324300 MOV EDX,DWORD PTR DS:[4332DC] ; ACopy.0043331C 00436EEE E8 D925FFFF CALL ACopy.004294CC 00436EF3 8B0D BC7A4300 MOV ECX,DWORD PTR DS:[437ABC] ; ACopy.0043876C 00436EF9 8B03 MOV EAX,DWORD PTR DS:[EBX] 00436EFB 8B15 28354300 MOV EDX,DWORD PTR DS:[433528] ; ACopy.00433568 00436F01 E8 C625FFFF CALL ACopy.004294CC 00436F06 8B03 MOV EAX,DWORD PTR DS:[EBX] 00436F08 E8 4B26FFFF CALL ACopy.00429558 00436F0D 5B POP EBX 00436F0E E8 45C6FCFF CALL ACopy.00403558
ok this is the OEP without the Stolen Bytes : 00436EAD Write down this address as OEP for now (we will need it for later)
STEP #3 - Fixing the Import API's Table (IAT)
While our app is at the OEP (with out the Stolen Bytes) we can start now fixing the IAT With a Tool Called : ImpREC (Import RE-Constructor) Open ImpREC and choose from the top of the scroll bar our process And then press on "IAT Auto search" (sometimes u will need to enter the OEP that u found if ImpREC can find anything) and the u will see that the size is too small : only 84 ?! So Change it to at least : 1000 Then Press on : Get Import Then press on : Show Invalid Then press on the list that is shown with the right click of u'r mouse and choose : Trace Level 1
***NOTE*******NOTE*******NOTE*******NOTE************* in my computer after tracing a while it got stuck ! so I read at the ReadMe file of MackT and it says there that if u want to cancel Tracing all u need to do is pressing : Ctrl + F12 so I did and then it continue the loading of the tracing results
after the tracing results are done press again : Show Invalid now press on the invalid function with Right clicking on it with u'r mouse and choose from there : Plug-in Tracer -> ASProtect 1.22 now Press again : Show Invalid
now we need to make sure that all the functions that are there are fakes and not a real ones to need to be fixed ..
how we know witch one is real and witch one is fake ??
WAY #1
well remember when we looked for the OEP and then we had a JMP that returned to the ASPR code ?? that address was : 00A51C64 at u'r computer this address will be different then this ..
look at ImpREC on the Invalid API's and look on the "ptr" look at this address foe example : 9412C8FB wow.. this is too big address for us .. our aspr code need to be (in my case) at around : 00A00000 – 00FFFFFF that’s too much too it will still be in the same range of value of : 00A00000 – 00AFFFFF so every thing that will be bigger then this is a fake . WAY #2
Right click on an invalid api and choose : Disasmmble/HexView If Imprec will show u a message box that it got a read error then this is a fake If u can see a code there and didn't got any messages then this is a true api that need a fixing !!
Well I love way #1 much more faster .. I scroll down till I saw one that looked in the GOOD range of aspr address range and choose on it HexView .
ImpREC shows this code :
00A51CF0 push ebp 00A51CF1 mov ebp,esp 00A51CF3 mov eax,[A57E24] // DWORD value: 00141EE0 00A51CF9 pop ebp 00A51CFA retn 4
If you look at what is already in the Import REConstructor, only FreeResource is not present and it seems to fit very nicely alphabetically
Double click on that invalid function and choose FreeResource Now press show invalid again and then right click with u'r mouse on one of them and choose : Cut Thunks
Now press on Fix Dump and choose our Dump file from before..
STEP #4 – Finding Stolen Bytes and re-insert them
Well this is the main tut and the main protection of ASPR for those last versions .. I saw so many Q about this and I had a lot of Q of my own .. One day I wanted to try something and gess what ? ? IT FUCKING WORKED ..
This lil technique that I will show u works on every ASPR version with Stolen and erased bytes …
What we need to do is this :
We have still OllyDbg at the OEP (if not make it so) Now go to the menu and choose : View -> Run Trace This will show u all the code we traced to get to the OEP Go down with the scroll and then u will see that there is allot of this command : REP STOS BYTE PTR ES:[EDI] Just before getting to that JMP if u will press on it.. Olly Will show u in the main widow this :
00A64C48 F3:AA REP STOS BYTE PTR ES:[EDI] 00A64C4A 9D POPFD 00A64C4B 5F POP EDI 00A64C4C 59 POP ECX 00A64C4D C3 RETN
the command : REP STOS BYTE PTR ES:[EDI] is doing the erasing of the bytes that’s way u see at the "run trace" window so many of it ..
so what can we do ?
lets restart our debugging by pressing Ctrl+F2 and then kill the anti-Debugging and get to the place that from there we done the Trace command . but now we will not set a trace command of conditional tracing but we will put a trace for command : REP STOS BYTE PTR ES:[EDI]
Like this :
now press ok and then press F11 To start tracing ***BOOM*** we will land here :
00A64C48 F3:AA REP STOS BYTE PTR ES:[EDI] 00A64C4A 9D POPFD 00A64C4B 5F POP EDI 00A64C4C 59 POP ECX 00A64C4D C3 RETN
just before erasing the bytes.. if we will press F8 all the bytes will be erased and we can't really read all that code at the address that EDI is pointing at .. what can we do ??
we will make it show us what it does by changing the command from :
REP STOS BYTE PTR ES:[EDI]
To :
JMP EDI
Just press the Space key on u'r keyboard and write there : jmp edi Now we will start our tracing with F8 till Olly will stop us because of access violation.. This is my trace log from after the jmp edi:
00A64C7D Main MOV EBX,66F 00A64C82 Main OR EBX,EBX 00A64C84 Main JNZ SHORT 00A64C8D 00A64C8D Main CALL 00A64C92 00A64C92 Main POP EBP 00A64C93 Main SUB EBP,4BE14D 00A64C99 Main LEA EAX,DWORD PTR SS:[EBP+4BE0F2] 00A64C9F Main LEA ECX,DWORD PTR SS:[EBP+4BE194] 00A64CA5 Main ADD ECX,EBX 00A64CA7 Main MOV DWORD PTR DS:[ECX+1],EAX 00A64CAA Main LEA EAX,DWORD PTR SS:[EBP+4BE136] 00A64CB0 Main LEA ECX,DWORD PTR SS:[EBP+4BE0FA] 00A64CB6 Main MOV DWORD PTR DS:[ECX],EAX 00A64CB8 Main MOV EAX,145E 00A64CBD Main LEA ECX,DWORD PTR SS:[EBP+4BE0FF] 00A64CC3 Main MOV DWORD PTR DS:[ECX],EAX 00A64CC5 Main LEA ECX,DWORD PTR SS:[EBP+4BE194] 00A64CCB Main LEA EAX,DWORD PTR SS:[EBP+4BF394] 00A64CD1 Main PUSH ECX 00A64CD2 Main PUSH EAX 00A64CD3 Main CALL 00A64C4E 00A64CD8 Main POPAD 00A64CD9 Main PREFIX REP: 00A64CDE Main JMP SHORT 00A64CE3 00A64CE3 Main JMP SHORT 00A64CE6 00A64CE6 Main JMP SHORT 00A64CEA 00A64CEA Main PUSH DWORD PTR FS:[0] 00A64CF1 Main PUSH DWORD PTR SS:[ESP+B] 00A64CF5 Main MOV DWORD PTR SS:[ESP+4],EBP 00A64CF9 Main PREFIX REPNE: 00A64CFD Main ADD ESP,4 00A64D00 Main JMP SHORT 00A64D03 00A64D03 Main PREFIX REPNE: 00A64D07 Main LEA EBP,DWORD PTR SS:[EBP+EDI*2+5C] 00A64D0B Main JMP SHORT 00A64D0F 00A64D0F Main JMP SHORT 00A64D14 00A64D14 Main LEA EBP,DWORD PTR DS:[ESI*4+69FA7294] 00A64D1B Main JMP SHORT 00A64D1F 00A64D1F Main JMP SHORT 00A64D23 00A64D23 Main JMP SHORT 00A64D28 00A64D28 Main PUSH DWORD PTR FS:[0] 00A64D2F Main JMP SHORT 00A64D32 00A64D32 Main PUSH 14C99F1 00A64D37 Main JMP SHORT 00A64D3A 00A64D3A Main POP DWORD PTR SS:[ESP] 00A64D3E Main POP EBP Access violation when reading [014C9A20]
Well at this call we will get alert from Olly about access violation…
A64D3F FF55 2F CALL DWORD PTR SS:[EBP+2F
all we are going to do is press space-bar and just nop this call we will have automatic 3 nop now continue trace after the nop and the next call will be the same prob and same solution just nop it and again trace with F8 , and again we have same prob same solution just nop it !
we will have this after the 3rd nop :
now continue to trace with F8 and u will be like this : we will make that jmp and then will be at the same prob with this line :
A64D57 66:8105 3A9A4C01>ADD WORD PTR DS:[14C9A3A],0AB25
well again … same solution just nop it !
"Till when we will going to stop this ? " u must ask u'r self .. well we need to get to a simple command called :
Push EBP
This is one of the ways it could look like .. it also could look like :
MOV DWORD PTR SS:[ESP+4],EBP – same as Push EBP
Well as soon as we will find one of those .. we found our Stolen bytes So lets continue .. press F8 again after the nop and we will have
A64D60 EB 01 JMP SHORT 00A64D63
after this jump we will be in this really nice code :
00A64D63 55 PUSH EBP -- Stolen !! 00A64D64 8BEC MOV EBP,ESP -- Stolen !! 00A64D66 81EC 0C000000 SUB ESP,0C -- Stolen !!
00A64D6C 66:8105 4F9A4C01>ADD WORD PTR DS:[14C9A4F],0AB25 -> this line is invalid – Access Violation ..
well now let continue tracing and nop that lil add word command and then we will be here after the trace :
A64D75 EB 01 JMP SHORT 00A64D78 – we will jump 00A64D78 53 PUSH EBX - another stolen bytes
00A64D79 66:8105 5C9A4C01>ADD WORD PTR DS:[14C9A5C],0AB25 – this is invalid – Access Violation .
now we will continue the trace and nop that : ADD Word…
and we will trace till here :
00A64D85 EB 02 JMP SHORT 00A64D89 00A64D87 00A64D89 83EC 2C SUB ESP,2C 00A64D8C 83C4 28 ADD ESP,28
ok now after those two Sub and ADD we know that the Stolen Bytes are over .. If u will continue with this tracing u will see that it’s the same kind of code all over again and again and again …. So.. what do we have ??
PUSH EBP MOV EBP,ESP SUB ESP,0C PUSH EBX
If u would look at the op codes of the command :
81EC 0C000000 SUB ESP,0C
we see that its a lot of bytes .. so we will change it from SUB command to an ADD like this :
ADD ESP, -0C
This will take only 3 Bytes !!! and not like before 6 bytes…
Now this is very important .. we need to reset our debugging (ctrl+F2) and retrace :
TC EIP<900000
And after the tracing we need to look where we landed .. We landed here : 00405214 -FF25 DC914300 JMP DWORD PTR DS:[4391DC]
this will jump to ASPR code :
00A51C64 55 PUSH EBP 00A51C65 8BEC MOV EBP,ESP 00A51C67 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00A51C6A 85C0 TEST EAX,EAX 00A51C6C 75 13 JNZ SHORT 00A51C81 00A51C6E 813D A47AA500 00>CMP DWORD PTR DS:[A57AA4],400000 ; ASCII "MZP"
00A51C78 75 07 JNZ SHORT 00A51C81 00A51C7A A1 A47AA500 MOV EAX,DWORD PTR DS:[A57AA4] 00A51C7F EB 06 JMP SHORT 00A51C87 00A51C81 50 PUSH EAX 00A51C82 E8 3135FFFF CALL 00A451B8 ; JMP to kernel32.GetModuleHandleA 00A51C87 5D POP EBP 00A51C88 C2 0400 RETN 4
if u will trace with F8 this code u will get to the last: RET 4 This "ret 4" is not a plain "ret" this mean for us that before this Procedure was called there was a PUSH before we called this procedure . so trace after the "RET 4" And u will be here :
00405314 50 PUSH EAX 00405315 6A 00 PUSH 0 00405317 E8 F8FEFFFF CALL ACopy.00405214 0040531C BA 9C704300 MOV EDX,ACopy.0043709C – we ret to here! 00405321 52 PUSH EDX 00405322 8905 B8844300 MOV DWORD PTR DS:[4384B8],EAX 00405328 8942 04 MOV DWORD PTR DS:[EDX+4],EAX 0040532B E8 98FFFFFF CALL ACopy.004052C8 00405330 5A POP EDX 00405331 58 POP EAX 00405332 E8 15E1FFFF CALL ACopy.0040344C 00405337 C3 RETN
if u will scroll a bit up u will see that there was a push to EAX value and a 0 this means that the value of EAX is important to us… when u will trace the command : POP EAX and execute it pleas Write down the value of EAX.. EAX= D9C .. we will need it later..
when ImpREC will fix the procedure of aspr code to an API we will need to push the right value to it .. or else it will crash … after the "Ret" we will return to the main retina of the unpacked file…
00436EAD 8B1D 907A4300 MOV EBX,DWORD PTR DS:[437A90] ; ACopy.004386E8 00436EB3 8B03 MOV EAX,DWORD PTR DS:[EBX] 00436EB5 E8 FA25FFFF CALL ACopy.004294B4 00436EBA 8B0D 0C7B4300 MOV ECX,DWORD PTR DS:[437B0C] ; ACopy.00438774 00436EC0 8B03 MOV EAX,DWORD PTR DS:[EBX] 00436EC2 8B15 10374300 MOV EDX,DWORD PTR DS:[433710] ; ACopy.00433750 00436EC8 E8 FF25FFFF CALL ACopy.004294CC 00436ECD 8B0D 707A4300 MOV ECX,DWORD PTR DS:[437A70] ; ACopy.00438750 00436ED3 8B03 MOV EAX,DWORD PTR DS:[EBX] 00436ED5 8B15 C0274300 MOV EDX,DWORD PTR DS:[4327C0] ; ACopy.00432800
00436EDB E8 EC25FFFF CALL ACopy.004294CC 00436EE0 8B0D 047A4300 MOV ECX,DWORD PTR DS:[437A04] ; ACopy.00438764 00436EE6 8B03 MOV EAX,DWORD PTR DS:[EBX] 00436EE8 8B15 DC324300 MOV EDX,DWORD PTR DS:[4332DC] ; ACopy.0043331C 00436EEE E8 D925FFFF CALL ACopy.004294CC 00436EF3 8B0D BC7A4300 MOV ECX,DWORD PTR DS:[437ABC] ; ACopy.0043876C 00436EF9 8B03 MOV EAX,DWORD PTR DS:[EBX] 00436EFB 8B15 28354300 MOV EDX,DWORD PTR DS:[433528] ; ACopy.00433568 00436F01 E8 C625FFFF CALL ACopy.004294CC 00436F06 8B03 MOV EAX,DWORD PTR DS:[EBX] 00436F08 E8 4B26FFFF CALL ACopy.00429558 00436F0D 5B POP EBX 00436F0E E8 45C6FCFF CALL ACopy.00403558
so lets try to make sense of all we got here … we know that the main retina should look like this :
now its time to reinsert the stolen bytes to Dumped and ImpREC'ed fixed file… open HView and go to the address that we wrote as OEP : 436EAD now u should see this :
Code_OEP : PUSH EBP MOV EBP,ESP ADD ESP, -0C PUSH EBX CALL some_procedure
PUSH EAX PUSH 0 CALL ACopy.00405214 – aspr code that later will be fixed by ImpREC
- - - - Ret
Continue the main app code
The procedurewe called
We can see clearly that we cant just call the procedure without inserting a value to EAX ! because of that the stolen bytes will be like this :
PUSH EBP - 55 – 1 byte MOV EBP,ESP - 8B EC - 2 byte ADD ESP, -0C - 83 C4 F4 - 3 byte PUSH EBX - 53 - 1 byte MOV EAX , D9C - B8 9C 6D 43 00 - 5 byte
Sum of : 12(Dec) == C (Hex) stolen bytes
now start tracing back by pressing with u'r left arrow until u will see many 00 00 00 like this :
so as we can see our Stolen bytes will ends at : 436EA8 (not 436EA7 !!!) so lets see where we should start writing our Stolen bytes : we have : C (Hex) stolen bytes so : 436EA8 – C = 436E9C now go to : 436E9C and start writing down the stolen bytes we found :
PUSH EBP - 55 – 1 byte MOV EBP,ESP - 8B EC - 2 byte ADD ESP, -0C - 83 C4 F4 - 3 byte PUSH EBX - 53 - 1 byte MOV EAX , D9C - B8 9C 6D 43 00 - 5 byte
For the last part all we need to do is open an PE-Editor and Change the OEP of the file like this :
OUR_OEP_RVA – Image Base = EP
436EA8 – 400000 = 36EA8
Press OK and Exit ..
That’s it .. We Are Done !! :D
ASPR Stolen Bytes Part II
This is the Second way of ASPR Stolen bytes that exists so .. I will just show what is done just for the Stolen Bytes and then will give only general info about the value of standard thing we need to find and found..
This time we are going to Unpack an app called : Proactive Windows Security Explorer v1.00b3(build 1225)
Step #1 - Killing ASPR anti Debugging
Apply the entire first tut about this part
Step #2 - Finding The OEP for Dumping
Like the first tut : Press F9 and then Shift+F9 till u will be at the last one that u are able to Press F9 then set a Break Point on the Ret down then Press Shift+F9 and let it break there ..
003E3CAB 3100 XOR DWORD PTR DS:[EAX],EAX 003E3CAD 64:8F05 00000000 POP DWORD PTR FS:[0] 003E3CB4 58 POP EAX 003E3CB5 833D BC7E3E00 00 CMP DWORD PTR DS:[3E7EBC],0 003E3CBC 74 14 JE SHORT 003E3CD2 003E3CBE 6A 0C PUSH 0C 003E3CC0 B9 BC7E3E00 MOV ECX,3E7EBC 003E3CC5 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8] 003E3CC8 BA 04000000 MOV EDX,4 003E3CCD E8 3ED3FFFF CALL 003E1010 003E3CD2 FF75 FC PUSH DWORD PTR SS:[EBP-4] 003E3CD5 FF75 F8 PUSH DWORD PTR SS:[EBP-8] 003E3CD8 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 003E3CDB 8338 00 CMP DWORD PTR DS:[EAX],0 003E3CDE 74 02 JE SHORT 003E3CE2 003E3CE0 FF30 PUSH DWORD PTR DS:[EAX] 003E3CE2 FF75 F0 PUSH DWORD PTR SS:[EBP-10] 003E3CE5 FF75 EC PUSH DWORD PTR SS:[EBP-14] 003E3CE8 C3 RETN -- SET BP HERE !!!
Now set a command line with pressing Alt+F1 to : TC EIP<900000 And press enter and let it trace..
the OEP after the Stolen Bytes is : 43396B (Write it down we will need it) u will be here : 0043396B FF15 1C724500 CALL DWORD PTR DS:[45721C] 00433971 33D2 XOR EDX,EDX 00433973 8AD4 MOV DL,AH
00433975 8915 A4435400 MOV DWORD PTR DS:[5443A4],EDX 0043397B 8BC8 MOV ECX,EAX 0043397D 81E1 FF000000 AND ECX,0FF 00433983 890D A0435400 MOV DWORD PTR DS:[5443A0],ECX 00433989 C1E1 08 SHL ECX,8 0043398C 03CA ADD ECX,EDX 0043398E 890D 9C435400 MOV DWORD PTR DS:[54439C],ECX 00433994 C1E8 10 SHR EAX,10 00433997 A3 98435400 MOV DWORD PTR DS:[544398],EAX 0043399C 6A 01 PUSH 1
this is a normal Call in the main procedure.. we will make our Dump of process now .. Open ProcDump/LordPE and dump fully the process .
Step #3 - Fixing the Import API's Table (IAT)
Open ImpREC while the app is paused at the OEP and Choose our running process .. Choose : IAT AutoSearch Now u will see that the Size if nice.. and big like it should be : 6D8 So this time we don't need to change it to : 1000 Now press Get Imports And do like the first tut : Trace Level 1 Then Plugin Asprotect 1.22 ..
But this time there is none invalid Thunks like before .. so we are lucky.. Now fix the dump file ..
Step #4 - Finding the Stolen bytes and re-insert them
Like before We have still OllyDbg at the OEP (if not make it so) Now go to the menu and choose : View -> Run Trace This will show u all the code we traced to get to the OEP Go down with the scroll and then u will see that there is allot of this command : REP STOS BYTE PTR ES:[EDI] And again like before : lets restart our debugging by pressing Ctrl+F2 and then kill the anti-Debugging and get to the place that from there we done the Trace command . but now we will not set a trace command of conditional tracing but we will put a trace for command (Ctrl+T): REP STOS BYTE PTR ES:[EDI] Now press F11 to start trace.. When we will break on this command we need to change it to : (By pressing space bar)
Jmp EDI
Now we will start tracing the "jmp edi" with F8 till we will get to an access violation an we will be here :
00A75E1A EB 02 JMP SHORT 00A75E1E 00A75E1C CD 20 INT 20 00A75E1E 36:EB 02 JMP SHORT 00A75E23 ; Superfluous prefix 00A75E21 CD 20 INT 20 00A75E23 26:EB 02 JMP SHORT 00A75E28 ; Superfluous prefix 00A75E26 CD 20 INT 20 00A75E28 68 BE04336F PUSH 6F3304BE 00A75E2D 0E PUSH CS 00A75E2E 895424 04 MOV DWORD PTR SS:[ESP+4],EDX 00A75E32 66:8135 56BC4E01>XOR WORD PTR DS:[14EBC56],1BBD – this is the access violation..
now we will nop all access violation we will get (space bar and : nop command like before) till we will get to a : PUSH EBP Or MOV DWORD PTR SS:[ESP+4],EBP – same as Push ebp
So if u traced and "nop" all access violation u should get to a "jmp short" and get here :
64:FF35 00000000 PUSH DWORD PTR FS:[0] 0E PUSH CS 896C24 04 MOV DWORD PTR SS:[ESP+4],EBP – here !!! 66:8135 C9BC4E01>XOR WORD PTR DS:[14EBCC9],1BBD – access violation F2: PREFIX REPNE:
Ok so .. our first stole byte was found ("Push Ebp") trace it and the nop the access violation at that :
XOR WORD PTR DS:[14EBCC9],1BBD"
Now after u will trace the command : " PREFIX REPNE" u will be here :
00A75EB2 8D6424 04 LEA ESP,DWORD PTR SS:[ESP+4] – getting address ready for ESP so Stolen bytes can continue .. 00A75EB6 8BEC MOV EBP,ESP - Stolen 00A75EB8 6A FF PUSH -1 - Stolen 00A75EBA 68 C8C94500 PUSH 45C9C8 - Stolen 00A75EBF 68 C0744300 PUSH 4374C0 - Stolen 00A75EC4 64:A1 00000000 MOV EAX,DWORD PTR FS:[0] - Stolen 00A75ECA EB 02 JMP SHORT 00A75ECE - jmps to more stolen bytes 00A75ECC CD 20 INT 20
00A75ECE EB 02 JMP SHORT 00A75ED2 - we jmp to here 00A75ED0 CD 20 INT 20 00A75ED2 66:812D F6BC4E01>SUB WORD PTR DS:[14EBCF6],0D03E – Access violation !!!
so if u traced this code we found that there are more stolen bytes and the jmps and get stuck at another access violation :
SUB WORD PTR DS:[14EBCF6],0D03E
So now "nop" this so we can continue :
A75EDB EB 01 JMP SHORT 00A75EDE
we will jmp to here :
00A75EDE 64:FF35 00000000 PUSH DWORD PTR FS:[0] 00A75EE5 0E PUSH CS 00A75EE6 894424 04 MOV DWORD PTR SS:[ESP+4],EAX 00A75EEA 66:8135 0EBD4E01>XOR WORD PTR DS:[14EBD0E],1BBD 00A75EF3 F2: PREFIX REPNE: ; Superfluous prefix 00A75EF4 EB 01 JMP SHORT 00A75EF7 00A75EF6 -0F8D 64240464 JGE 64AB8360 00A75EFC 8925 00000000 MOV DWORD PTR DS:[0],ESP 00A75F02 83EC 58 SUB ESP,58 00A75F05 EB 02 JMP SHORT 00A75F09 00A75F07 CD 20 INT 20 00A75F09 EB 02 JMP SHORT 00A75F0D 00A75F0B CD 20 INT 20 00A75F0D 66:812D 31BD4E01>SUB WORD PTR DS:[14EBD31],0D03E
as u can see :
00A75EDE 64:FF35 00000000 PUSH DWORD PTR FS:[0] 00A75EE5 0E PUSH CS 00A75EE6 894424 04 MOV DWORD PTR SS:[ESP+4],EAX – push eax
like at "push ebp" we have the same thing . we have 2 commands that are preparing the address we need :
00A75EDE 64:FF35 00000000 PUSH DWORD PTR FS:[0] 00A75EE5 0E PUSH CS
and then come the stolen byte :
00A75EE6 894424 04 MOV DWORD PTR SS:[ESP+4],EAX – push eax
so now we have another stolen byte.. lets continue tracing and we will get to the access violation :
XOR WORD PTR DS:[14EBD0E],1BBD
Just "nop" it so we can continue .. and after the command :
PREFIX REPNE
We will be here :
00A75EF7 8D6424 04 LEA ESP,DWORD PTR SS:[ESP+4]- setting ESP 00A75EFB 64:8925 00000000 MOV DWORD PTR FS:[0],ESP - Stolen 00A75F02 83EC 58 SUB ESP,58 - Stolen 00A75F05 EB 02 JMP SHORT 00A75F09 00A75F07 CD 20 INT 20 00A75F09 EB 02 JMP SHORT 00A75F0D 00A75F0B CD 20 INT 20 00A75F0D 66:812D 31BD4E01>SUB WORD PTR DS:[14EBD31],0D03E – access violation !!! 00A75F16 EB 01 JMP SHORT 00A75F19
the command : 00A75EF7 8D6424 04 LEA ESP,DWORD PTR SS:[ESP+4]
is getting again a value for ESP so the stolen bytes can continue :
00A75EFB 64:8925 00000000 MOV DWORD PTR FS:[0],ESP 00A75F02 83EC 58 SUB ESP,58
now we have 2 more stolen bytes .. keep tracing till the access violation at command :
00A75F0D 66:812D 31BD4E01>SUB WORD PTR DS:[14EBD31],0D03E
just "nop" it so we could continue tracing
A75F16 EB 01 JMP SHORT 00A75F19
we will jmp to here :
00A75F19 64:FF35 00000000 PUSH DWORD PTR FS:[0] – getting ready 00A75F20 0E PUSH CS - getting ready 00A75F21 895C24 04 MOV DWORD PTR SS:[ESP+4],EBX – Stolen 00A75F25 66:8135 49BD4E01>XOR WORD PTR DS:[14EBD49],1BBD -violation 00A75F2E F2: PREFIX REPNE:
again as can see we have same code , 2 commands to set value for push and the push that is a stolen byte :
MOV DWORD PTR SS:[ESP+4],EBX – PUSH EBX
Now again we trace till access violation .. make it "nop" trace and get here :
00A75F32 8D6424 04 LEA ESP,DWORD PTR SS:[ESP+4] –getting ESP 00A75F36 EB 02 JMP SHORT 00A75F3A – jmps 00A75F38 CD 20 INT 20 00A75F3A EB 02 JMP SHORT 00A75F3E – jmp again
A75F3E 66:812D 62BD4E01>SUB WORD PTR DS:[14EBD62],0D03E-violation
we will nop the access violation and continue here : A75F47 EB 01 JMP SHORT 00A75F4A – jmp
we will jump to here :
00A75F4A 64:FF35 00000000 PUSH DWORD PTR FS:[0] – getting ready 00A75F51 0E PUSH CS - getting ready 00A75F52 897424 04 MOV DWORD PTR SS:[ESP+4],ESI-Stolen 00A75F56 66:8135 7ABD4E01>XOR WORD PTR DS:[14EBD7A],1BBD-violation 00A75F5F F2: PREFIX REPNE:
as u can see .. it’s the same.. 2 commands to get value and then a stolen byte of push :
MOV DWORD PTR SS:[ESP+4],ESI – PUSH ESI
After we will trace and nop the access violation we will get here :
00A75F63 8D6424 04 LEA ESP,DWORD PTR SS:[ESP+4] 00A75F67 EB 02 JMP SHORT 00A75F6B 00A75F69 CD 20 INT 20 00A75F6B EB 02 JMP SHORT 00A75F6F 00A75F6D CD 20 INT 20
nothing is done in this code .. keep tracing and u will get to here :
00A75F7B 64:FF35 00000000 PUSH DWORD PTR FS:[0] – getting ready 00A75F82 0E PUSH CS -getting ready 00A75F83 897C24 04 MOV DWORD PTR SS:[ESP+4],EDI – Stolen ! 00A75F87 66:8135 ABBD4E01>XOR WORD PTR DS:[14EBDAB],1BBD-violation 00A75F90 F2: PREFIX REPNE:
in this code we get more stolen byte :
MOV DWORD PTR SS:[ESP+4],EDI – PUSH EDI
Keep tracing (after "nop") and u will get here :
00A75F94 8D6424 04 LEA ESP,DWORD PTR SS:[ESP+4]–getting ready 00A75F98 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP – end 00A75F9B EB 02 JMP SHORT 00A75F9F 00A75F9D CD 20 INT 20 00A75F9F EB 02 JMP SHORT 00A75FA3 00A75FA1 CD 20 INT 20 00A75FA3 68 6B394300 PUSH 43396B – fake OEP 00A75FA8 68 7A5DA700 PUSH 0A75D7A – To return to 00A75FAD C3 RETN
well we see that’s its all over .. it ends the stolen bytes and pushes 2 addresses :
00A75FA3 68 6B394300 PUSH 43396B – fake OEP 00A75FA8 68 7A5DA700 PUSH 0A75D7A – To return to when ret
so our stolen bytes are :
896C24 04 MOV DWORD PTR SS:[ESP+4],EBP --- PUSH EBP – 1 Byte ! (55) 8BEC MOV EBP,ESP 6A FF PUSH -1 68 C8C94500 PUSH 45C9C8 68 C0744300 PUSH 4374C0 64:A1 00000000 MOV EAX,DWORD PTR FS:[0] 894424 04 MOV DWORD PTR SS:[ESP+4],EAX --- PUSH EAX – 1 byte ! (50) 64:8925 00000000 MOV DWORD PTR FS:[0],ESP 83EC 58 SUB ESP,58 895C24 04 MOV DWORD PTR SS:[ESP+4],EBX --- PUSH EBX – 1 byte ! (53) 897424 04 MOV DWORD PTR SS:[ESP+4],ESI --- PUSH ESI – 1 byte ! (56) 897C24 04 MOV DWORD PTR SS:[ESP+4],EDI --- PUSH EDI – 1 byte ! (57)
so it would look like this :
PUSH EBP - 55 - 1 MOV EBP,ESP - 8B EC - 2 PUSH -1 - 6A FF - 2 PUSH 45C9C8 - 68 c8 c9 45 00 - 5 PUSH 4374C0 - 68 c0 74 43 00 - 5 MOV EAX,DWORD PTR FS:[0] - 64 a1 00 00 00 00 - 6 PUSH EAX - 89 44 24 04 - 4 MOV DWORD PTR FS:[0],ESP - 64 89 25 00 00 00 00 - 7 SUB ESP,58 - 83 ec 58 - 3 PUSH EBX - 53 - 1 PUSH ESI - 56 - 1 PUSH EDI - 57 - 1
so we have sum of : 38(Dec) = 26(hex) Stolen bytes… so our real oep to put our stolen byte is : Fake_Oep – StolenByte(hex) = 43396B -26 OEP = 433945
Open HView get to that address (OEP) and Write those in there and save Now fix the Entry Point of the file with PE-Editor to EP = Image_base – OEP = 433945-400000 = 33945
Save and … That’s all ..
NOTE: I had to unpack many deferent targets to see this thing at the stolen bytes .. this will not allwes be like in this tut ! the "get ready" commands are changing from app to another .. So : LEA ESP,DWORD PTR SS:[ESP+4]–getting ready
And : PUSH DWORD PTR FS:[0] – getting ready PUSH CS - getting ready
Are only for this app!!! U need to find u'r self the pattern it will be used in other apps .. and trust me .. its really easy to see them .. :D
Special Thanks
Eternal Bliss- without u'r tut I would never learn how to unpack.. MackT – Without u'r GR8 tool we would have worked allot harder .. Oleh Yuschuk – tnx for the GR8 tool OllyDbg .. I hope that u will continue doing more upgrades to that tool.. #Unpacking Gods – tnx for helping me when I was in the wrong way WoodMann.cjb.net – all ppl at this board .. keep having fun.. And all other ppl that I probably forgot...
