
Unpacking Asprotect 2.

XX - SKE

Part Two: The IAT. Tools: OllyDbg v1.10, OllyScript v0.92 by SHaG, Hex Workshop, Import REConstructor 1.6, Excel, OllyDump v2.20.108, ASProtect 1.22 plugin for Import REConstructor. With the stage of obtaining the Init Table complete, we now repair the Import Address Table and the jumps to it. We will use a mixture of methods. Let's begin, or rather, continue.

We load Olly, remove any hardware breakpoints that may have been left, uncheck all exceptions, run the exceptions script, and we are at the OEP. Let's look at the memory map.

The .CODE section is at 401000; we go there.

And we look for whether any jump to the IAT survived.

Luckily yes: at 401218 we select the additional information and follow that address in the dump.

We change the view.

Everything seems to indicate that the IAT begins at 5681B8

And supposedly ends at 5689D0.

We see garbage everywhere between the correct calls.

Obtaining the correct values of the IAT.

We will use a variation of the method discovered by our friend OtupAtpaxa, which is based on a small code patch (injerto) that fixes all the calls correctly. With Olly where it is, we open ImpREC.

We fill in the data: RVA = 5681B8 - 400000 = 1681B8; Size = 5689D0 - 5681B8 = 818, and we give it a little more: 820.

OEP = the one that is there by default. We click Show Invalid, select any entry, and choose Plugin Tracers/Asprotect 1.22.

Well

It found 2 functions; we write them down.

We restart Olly and we are at the EP (Entry Point). We go to the dump.

We select a few entries to see what gets written there, and set a Memory Breakpoint on Write.

F9, and it stops here.

It is a loop; we skip it as always: BP below the conditional jump, remove the memory BP, F9, remove the BP, and put the BP on write back on the bytes we are investigating. It stops here.

F8 and then F9, and it stops:

It is going to write a good value; in the registers we have:

We trace a little with F8. We arrive at a loop.

We continue; we find a call at CB7834 and enter it with F7.

We trace up to here.

The registers.

We watch ESI and we watch EDI. If ESI is 0000000A, EDI holds the ASCII value that puts the correct value in the table. We continue tracing a little while watching that address: execution always passes through there, every time, for all the values of the table, that is, it has something to do with it. We put a hardware BP on execution at this address.

Watching the registers: if ESI is 0000008B, it also puts correct values.

If ESI is anything else, no.

So with this we know what to do: if ESI is 0A or 8B, do nothing; otherwise, make it 8B. (One reaches this conclusion because if it is 0A instead of 8B it does not work.)

We restart and stop at the BP on execution.

Let's write the patch.

We jump to an empty part at the beginning of this section.

And there we write.

Excellent discovery by OtupAtpaxa; the applause goes to him.

With everything ready, we press F9.

ASProtect's CRC check detects us and stops the execution of the program. But did it work? Let's see.

Yes! In perfect state.

But we have one small detail left. Remember that ImpREC at the beginning found 2 entries of the IAT that were GetProcAddress; we check them. 15620c + 400000 = 56820c

We see that it is wrong: it points to another API. We fix it; we get the address with Olly's command bar.

And the other one too.

With everything ready, we select the whole table and do Binary Copy.

And with Hex Workshop / Paste Special we save it as gold ingot number 2.

We are halfway now. It remains to repair the jumps to the IAT.

Repairing the jumps to the IAT.

We will use ZettK's method; truthfully, his method is brilliant. As an aside, before reading the methods of ZettK and OtupAtpaxa I did this by hand. Thanks for sharing your discoveries, friends. We go to the OEP

And from there to the .CODE section at 401000; we look for a jump

And here it finds a jump to the ASProtect section.

We go to Search for / All Commands and enter:

I show some; there are several; we copy them

We open an Excel document and paste the data there.

What we need is the addresses, but in inverted (little-endian) form, that is, 00401228 = 28124000. We use the extract (MID) and concatenate functions. We extract from position 1, two characters, in column B

We copy the function down to all the cells until the end.

We extract from position 3, two characters, in column C and copy the function to the end.

We extract from position 5, two characters, in column D and copy the function to the end.

And finally the same in column E, from position 7, two characters.

We concatenate E, D, C and B and copy the function to the end

In the end we obtain the addresses as we wanted.

And we save the document.
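The spreadsheet steps above reverse the byte order of each 32-bit address so that it can be pasted into the dump as raw little-endian data. The following Python is an added example, not code from the original tutorial or from ZettK's script: it does the same MID/CONCATENATE transformation, packs a list of addresses into the byte image one would paste into a free zone, and reads back a table of (call site, IAT entry) DWORD pairs, which is the layout the text later describes for the repaired-jump table. The sample addresses are constructed; the pair layout (two consecutive little-endian DWORDs per record) is an assumption taken from the text's description.

```python
import struct


def to_little_endian_hex(addr: int) -> str:
    """8 hex digits of the little-endian byte image of a 32-bit address.

    0x00401228 -> '28124000', which is exactly what the spreadsheet
    columns B..E produce from the text form when joined as E, D, C, B.
    """
    return struct.pack("<I", addr).hex()


def spreadsheet_style(addr_text: str) -> str:
    """Same result done the way the text describes: cut the 8-character
    string into pairs at positions 1, 3, 5 and 7 (columns B, C, D, E)
    and concatenate them in reverse order (E, D, C, B)."""
    s = addr_text.strip().zfill(8)
    pairs = [s[i:i + 2] for i in (0, 2, 4, 6)]
    return "".join(reversed(pairs)).lower()


def addresses_to_table(addrs) -> bytes:
    """Binary image of a list of addresses as consecutive little-endian
    DWORDs: the bytes one would paste into a free zone of the dump."""
    return b"".join(struct.pack("<I", a) for a in addrs)


def parse_pairs(blob: bytes):
    """Read back a table of (call_site, iat_entry) DWORD pairs.

    Assumed layout (from the text's description of the script output):
    each record is two little-endian DWORDs, the address of the call to
    repair followed by the IAT entry it must point at.
    """
    if len(blob) % 8:
        raise ValueError("table length is not a multiple of 8 bytes")
    return [struct.unpack_from("<II", blob, off) for off in range(0, len(blob), 8)]


if __name__ == "__main__":
    # Constructed sample: two call sites in .CODE and two IAT slots in the
    # range the text gives for the IAT (5681B8 .. 5689D0).
    calls = [0x00401228, 0x00401240]
    table = addresses_to_table(calls)
    print("pasted bytes:", table.hex())
    for a in calls:
        assert to_little_endian_hex(a) == spreadsheet_style(f"{a:08X}")
    pairs_blob = addresses_to_table([0x00401228, 0x005681B8, 0x00401240, 0x005681BC])
    for site, entry in parse_pairs(pairs_blob):
        print(f"call at {site:08X} -> IAT entry {entry:08X}")
```

Running the module prints the pasted byte image and the decoded pairs; the functions are pure so they can also be used on the copied column of addresses or on a binary-copied table directly.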

Let us return to Olly.

We are at CALL 401228; we do New Origin Here.

We trace a little with F8 and arrive here.

We enter with F7 and continue tracing with F8 until the next CALL.

We enter with F7, continue tracing slowly with F8 while watching the registers, and arrive here.

It is exactly as ZettK describes: the address in the IAT to which it originally had to jump instead of making the CALL 0F40000. We put a hardware BP on execution at 0CB5C91.

We need to set up ZettK's script to repair the jumps. We restart Olly, leave the hardware BP we had set, and arrive at the OEP. We look for a free zone: there is one at 566B80 and another at 567000. We copy the addresses we saved in the Excel sheet and paste them at 566B80; they end at 566D14.

We configure the script like this.

The final table will be at 567000 and the bad calls begin at 566B80. We go to the dump where the IAT is,

We open the IAT we saved with Hex Workshop and paste it in the correct place.

Now we can run the script. We remove the memory BP and run the script.

It finishes without problems; let's see what it did.

Indeed, it saves the address where the jump must go and, next to it, the entry of the correct IAT to which it must jump. We copy (Binary Copy) and save with Hex Workshop / Paste Special.

We restart Olly, remove all BPs if there are any, and return to the OEP. Now we must paste, in the correct places: the INIT TABLE (55F4C4 - 55F9C8), the IAT (5681b8 - 5689d4), and the new jumps (from 567000 onward; the ones we just saved).

Init Table.

IAT.

New jumps.

We go to an empty zone to write the patch that repairs the jumps. We look at 567357; there is nothing there, so we go and write there.

The data are: 567359 -> the address where the new jumps are; 567361 -> start of the IAT; 5689D4 -> end of the IAT. We go to 567359 and do New Origin Here, and put a BP at 567393 so that it stops once finished. Remember to remove the memory BP.

We press F9 with confidence. And it stops where it should.

Let's see if it worked.

Yes, perfect! All the applause to ZettK. Now we are ready to dump and repair the table. Before that we must remove the BP and remove the patch (Undo selection).

And we must remove the patch data in the 567000 zone.

Now we change to the true OEP, which, if you remember, is below the INIT TABLE.

At 55F9CC - New Origin Here

We dump it to disk with OllyDump (uncheck Rebuild Import).

We open Import REConstructor and fill in the data.

Get Imports and all correct.

Fix Dump and select the file we just dumped.

We will finish the unpacking in the final part: stolen code. We have already passed the worst part.

Rain.
