
INTRODUCTION TO CRACKING WITH OLLYDBG, PART 52

Well, the contest ended, and I believe it perhaps did not get much response because it was difficult, but the winner of the contest was HIEI, with a script that repairs the calls of the forcebody ASProtect crackme. Anyway, I want to mention that for many people the ASProtect unpackme does not run even when using the OLLYADVANCED plugin, since the checkbox in it that creates the anti-RDTSC driver does not work on all machines, and without that the unpackme does not run. What I have seen is that with the full version of ASProtect, in the programs I have seen protected that way, this protection was not applied and they run perfectly in OLLYDBG; at least so far I have not seen programs that use it and need anti-RDTSC to run, probably because, to avoid compatibility problems, they either removed it or toned it down so that it is not a problem. But if the RDTSC driver of OllyAdvanced does work for you, you can easily reach the OEP, and once there, apply the attached script.

There we are at the OEP, and when we apply HIEI's script it tells me that my version of OLLYSCRIPT is too old and that I should update it, so I look for the newer one, which is the one attached: it is now called OdbgScript, and Epsylon continues developing it since the original author, SHaG, discontinued it. So I place the DLL in the plugins folder.

Then I restart OLLY and arrive again at the OEP. Remember to deactivate BREAK ON EXECUTE, or it will cause problems.

We see that, although it is the continuation of OLLYSCRIPT, both appear in the menu, so I choose the new one and look for HIEI's script.

As soon as it starts, it asks me for the address that all the calls go to, which on my machine is 19a0000.

When I accept, it begins to work. And after a while:

There we see that the calls which before went to 19a0000 on my machine are now repaired. Perfect script, HIEI, congratulations. Here is the script, commented by the author himself; below it come my comments.

----------------------------------------------------------------------------------------------------------------------
/*
====================================================================
.:[CracksLatinoS]:.
Script made by: Hiei.
Script for: removing the AIP protection of ASProtect SKE v2.3
Target: UnPackMe_ASProtect.2.3.04.26.a.exe
Configuration: ODBGScript v1.3x or higher, run from the OEP and ignore all exceptions.
Date: 05/AUGUST/2006
- = [Script commentary] =
Thanks to: Ricardo Narvaja and Marciano (because I used a little of his logic when implementing the search engine).
====================================================================
*/
var oep
var codebase
var codesize
var base_aspr
var base_aip
var ini_iat
var dir
var dir_iat
var sig
var dest
var api
var cont

cmp $VERSION, 1.30              // Check the OllyScript version.
jb err_version
ask "Enter the address that the calls emulated by ASProtect point to:"
cmp $RESULT, 0
je salir
mov base_aip, $RESULT           // Save the entered address.
mov oep, eip                    // Save the OEP.
gmi eip, CODEBASE               // Get the start address of the code section.
mov codebase, $RESULT           // Save the start address.
gmi eip, CODESIZE               // Get the size of the code section.
mov codesize, $RESULT           // Save the section size.
add codesize, codebase          // Add the start address to the size (end of the section).
mov ini_iat, 460814             // Save the start address of the IAT.
mov base_aspr, [46C048]         // [46C048] holds the base of the section where it is revealed which API a call must go to.
add base_aspr, 3B02E            // Add a constant to that base to obtain the address where the API is revealed.
bphws base_aspr, "x"            // Put a hardware BP on the address where the API is revealed.
jmp buscar

buscar:
find codebase, #E8#             // Look for calls starting from the code section.
cmp $RESULT, 0                  // If there are no more calls, finish.
je no_calls
mov dir, $RESULT                // If there is a call, save its address.
mov sig, dir                    // Copy the address to another variable.
mov dest, dir                   // Copy the address to another variable.
add sig, 5                      // sig holds the address of the instruction that follows the call.
inc dest                        // Increment dest to get the opcodes after E8.
mov dest, [dest]                // Take the offset encoded in the call, after opcode E8.
add dest, sig                   // Now dest holds the destination address of the call.
cmp dest, base_aip              // Is it a call to ASProtect?
je ejecutar
inc dir                         // If not, advance the search pointer.
mov codebase, dir               // Move the pointer and search again.
jmp buscar

ejecutar:                       // If we get here, the call goes to ASProtect.
mov eip, dir                    // Set eip to the address where the call to ASProtect was found.
run                             // and execute.
eob verificar                   // When a BP hits, the verificar label takes control.

verificar:
cmp eip, base_aspr              // Is the BP in the expected zone?
jne inesperado
mov api, edx                    // If it is, save the API value, which is in EDX.
jmp buscar_api                  // Look for the API in the IAT.

buscar_api:
cmp ini_iat, 460F28             // Have we reached the end of the IAT?
je error                        // If so, the API was not found in the IAT.
cmp [ini_iat], api              // Compare the API with the value at the pointer.
je reparar                      // If it matches, repair it.
add ini_iat, 4                  // If not, add 4 to the pointer to avoid search errors.
jmp buscar_api                  // and keep looking.

reparar:
mov dir_iat, ini_iat            // Save the IAT address where the API was found.
ref dir                         // Look for references to that address.
cmp $RESULT, 0                  // If references are found, a jmp must be assembled.
jne reparar_jump
eval "Call dword [{dir_iat}]"   // If no references are found, a call must be assembled.
asm dir, $RESULT
inc cont                        // Counter to report at the end how many calls were repaired.
inc dir
mov codebase, dir
mov ini_iat, 460814             // Reset the pointer so the next search starts from the beginning of the IAT.
jmp buscar

reparar_jump:
eval "Jmp dword [{dir_iat}]"    // If we get here, a jmp must be assembled.
asm dir, $RESULT
inc cont
inc dir
mov codebase, dir
mov ini_iat, 460814             // Reset the pointer so the next search starts from the beginning of the IAT.
jmp buscar

inesperado:
msgyn "Unexpected stop. Continue?"   // Yes/No box so that $RESULT can be tested below.
cmp $RESULT, 0
je salir
run

error:
eval "Error. Please fix by hand the call at address: {dir}h."
msg $RESULT
run

no_calls:
bphwc base_aspr
eval "Task finished, {cont}h calls have been repaired. ;)"
msg $RESULT
jmp salir

err_version:
msg "Error. The OllyScript version is lower than the required version."
ret

salir:
bphwc base_aspr
mov eip, oep
ret
---------------------------------------------------------------------------------------------------------------------

Well, I think it is clear with all the comments it carries. What it really does is locate, on any machine, the place where the ASProtect routine reveals which API is being used, and instead of using BPMs, as occurred to me, it looks in the part of the program that stores the base of the section created by ASProtect itself:

    mov base_aspr, [46C048]     // [46C048] holds the base of the section where it is revealed which API a call must go to.
    add base_aspr, 3B02E        // Add a constant to that base to obtain the address where the API is revealed.
    bphws base_aspr, "x"        // Put a hardware BP on the address where the API is revealed.
    jmp buscar

There the program has stored at 46c048 the base address of the section where it reveals the API, and once that is known, adding a constant gives the point on any machine, because the sections are identical; only their address changes from machine to machine. So, knowing the start and adding a constant, we arrive at the key point, which is 3B02e past the start; the script locates it and places a hardware BP there so that it stops whenever that address is executed.

Then, in the buscar part, what it does is go through all the calls from the start of the section at 401000 and check whether they go to the ASProtect zone, according to the value it asked us to enter.

    ejecutar:                   // If we get here, the call goes to ASProtect.
    mov eip, dir                // Set eip to the address where the call to ASProtect was found.
    run                         // and execute.

If so, it sets eip to the address of the call to repair and executes it, and when the exception (the hardware BP) fires it jumps to the verificar label by means of eob.

    eob verificar               // When a BP hits, the verificar label takes control.

Here it checks whether the BP is in the expected place; it can happen that someone forgot to remove some unnecessary BP or to disable BREAK ON EXECUTE, and an exception fired that disturbs the script. This part checks for that.

    verificar:
    cmp eip, base_aspr          // Is the BP in the expected zone?
    jne inesperado
    mov api, edx                // If it is, save the API value, which is in EDX.
    jmp buscar_api              // Look for the API in the IAT.

If we are at the expected place, the point that reveals the IAT entry, it goes to see in which part of the IAT the entry corresponding to the API it just found is.

    buscar_api:
    cmp ini_iat, 460F28         // Have we reached the end of the IAT?
    je error                    // If so, the API was not found in the IAT.
    cmp [ini_iat], api          // Compare the API with the value at the pointer.
    je reparar                  // If it matches, repair it.
    add ini_iat, 4              // If not, add 4 to the pointer to avoid search errors.
    jmp buscar_api              // and keep looking.

It walks the whole IAT looking for the entry corresponding to that API, and when it finds it, it jumps to reparar. Then, having the call or jmp from which the ASProtect zone is called (which is what needs repairing), the correct API and the corresponding IAT entry, if what needs repairing is a call it fixes it by changing it into an INDIRECT CALL that takes its value from that IAT entry, and if it is a JMP, into an INDIRECT JMP; and it repeats everything until it finds nothing more to repair and leaves everything ready.
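To make the repair loop concrete, here is an offline model of it written for this page in Python; it is an added example, not Hiei's script or any code from the tutorial. It scans a constructed code buffer for E8 calls into the AIP stub, resolves each one to an IAT slot (a constructed RESOLVED table stands in for what the hardware breakpoint sees in EDX), and overwrites the call with the 6-byte indirect CALL or JMP. It assumes, as the script's assembling of a 6-byte `Call dword [..]` over a 5-byte E8 implies, that each emulated call is followed by one spare byte; all addresses, bytes and tables are constructed.

```python
"""Offline model of the repair loop in Hiei's script (added example, not the tutorial's or
Hiei's code): find E8 rel32 calls into the ASProtect AIP stub, look up the real API in the
IAT, and rewrite call+padding byte as a 6-byte indirect CALL/JMP. All values are constructed."""
import struct

CODEBASE = 0x401000                       # start of the code section (gmi CODEBASE)
BASE_AIP = 0x19A0000                      # where the emulated calls point (what the script asks for)
IAT_START, IAT_END = 0x460814, 0x460F28   # IAT range the script walks
# Constructed IAT: slot address -> API address stored there.
IAT = {0x460814: 0x7C801D7B, 0x460818: 0x7C80ADA0, 0x46081C: 0x7C809B87}
# Stand-in for what the hardware breakpoint at base_aspr sees in EDX for each call site
# (constructed; 0x401018 maps to an API that is not in the IAT on purpose).
RESOLVED = {0x401000: 0x7C80ADA0, 0x40100C: 0x7C809B87, 0x401012: 0x7C801D7B, 0x401018: 0xDEADBEEF}
REFERENCED = {0x401012}                   # sites other code jumps to (the script's `ref dir` test)

def rel32_call(src, dst):
    """E8 rel32 plus one padding byte: the 6-byte form ASProtect leaves in place of FF 15."""
    return b"\xE8" + struct.pack("<i", dst - (src + 5)) + b"\x90"

def find_iat_entry(api):
    """Walk the IAT 4 bytes at a time like buscar_api; None when the API is not there."""
    for slot in range(IAT_START, IAT_END, 4):
        if api is not None and IAT.get(slot) == api:
            return slot
    return None

def repair(code):
    """Return (patched bytes, repaired-call count, call sites left for manual repair)."""
    buf, fixed, unresolved, pos = bytearray(code), 0, [], 0
    while (pos := buf.find(b"\xE8", pos)) != -1 and pos + 6 <= len(buf):
        addr = CODEBASE + pos
        dest = addr + 5 + struct.unpack_from("<i", buf, pos + 1)[0]
        if dest != BASE_AIP:              # ordinary call, or a stray E8 inside another instruction
            pos += 1
            continue
        slot = find_iat_entry(RESOLVED.get(addr))
        if slot is None:                  # the script's `error:` branch: repair this one by hand
            unresolved.append(addr)
            pos += 1
            continue
        opcode = b"\xFF\x25" if addr in REFERENCED else b"\xFF\x15"   # jmp / call dword [slot]
        buf[pos:pos + 6] = opcode + struct.pack("<I", slot)
        fixed += 1
        pos += 6                          # step over the bytes just written
    return bytes(buf), fixed, unresolved

# Constructed code section: AIP call, ordinary call, AIP call, AIP jmp thunk, unresolvable AIP call.
SAMPLE = (rel32_call(0x401000, BASE_AIP) + rel32_call(0x401006, 0x401100)
          + rel32_call(0x40100C, BASE_AIP) + rel32_call(0x401012, BASE_AIP)
          + rel32_call(0x401018, BASE_AIP))
```

Running `repair(SAMPLE)` repairs three calls (one of them as an indirect JMP because its site is referenced) and reports 0x401018 for manual repair, mirroring the script's final message and its error branch.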

Very good script, very clear and organized in parts, the way I like it, and commented as well, which few script authors take the trouble to do; it helps to understand what the script is doing at every moment. HIEI, you won a trip on the 60 to Tigre, hehe, but you have to come here so they can give you the prize, hahahaha. A big hug and thanks.

Well, the new contest is simpler and has two parts, to see if more people participate. The first part will be to make a script that reaches the OEP of TPP PACK and repairs its stolen bytes; the attached unpackme is very simple, and in addition there is Marciano's tutorial for contest 97, which explains how to do it by hand, so it is a piece of cake. The only plugins allowed are Hide Debugger 1.24 and HideOd, preferably, plus the OllyScript, clarifying that the version to use is the full one of ODbgScript, nothing else, so that we all unify on the same one. The second part will be to make a script that repairs the IAT of TPP pack. Both scripts are separate, and you can enter part 1 or part 2 or both, as each one prefers.

PART 1: Script that reaches the OEP and fixes the stolen bytes.
PART 2: Script that repairs the IAT and leaves it correct.

Only the 3 plugins mentioned can be used (bah, nobody is going to ask whether they have to clear the command bar, hehe). You have until 30 August to send in your solutions; remember that you can enter both parts or just one, as you like. I await your solutions. In a while Marciano's tutorial will be on my web site here:

http://storage.ricardonarvaja.com.ar/web/CONCURSOS%202004-2006/CONCURSO%2097/

I am about to upload it in a little while. Thanks for participating.

Until part 53

Ricardo Narvaja
