ARTeam Tutorial

Visit: http://cracking.accessroot.com | http://forum.accessroot.com

Unpacking ASProtect 1.23-1.3.08.24 RC4 & Adding Section Final Tut


Information Unpacking ASProtect 1.23-1.3.08.24 RC4
Target DX Atlas v2.24
Available http://grinders.withernsea.com/tools/dxatlas224.zip
Tools OllyDbg 1.10, ImpRec, LordPE, Hide Debugger 1.2
Protection ASProtect 1.23-1.3.08.24 RC4
Level Beginner
Category Unpacking
Author(s) Ferrari  September 2004
Requirements Windows XP, IE 5.5 and above for best viewing


1. Introduction

Hi all, today's target is DX Atlas, which is packed with ASProtect.

I'll cover the steps for unpacking ASProtect. Many detailed tutorials on this protector are already available, but in this tutorial I will also show you how to add a section to the final unpacked exe, which otherwise crashes because it tries to read from a region that doesn't exist in the dump. I'm composing this tutorial specially for "Aggressor and Namrahus", who asked nicely :-). I will not cover all the details of why I do certain steps because of limited time, but feel free to ask me questions on the ARTeam forums, no matter how n00by, because I was a n00b at some stage too and my masters Britedream & R@dier answered my lame questions politely, so I will do the same for my students :-P. Special thanks to them 8-)

I assume that you have some basic knowledge of Assembly. I also recommend that you read the tutorials here: http://mup.anticrack.de/

I recommend that you first read my tutorial on ASProtect 1.21-1.23 for all the settings and some figures, especially how to use ImpRec.

Download: Click Here

There are five sections in the remainder of this tutorial:
1. Finding the Original Entry point & unpacking the program
2. Dumping our Unpacked target
3. Rebuilding our import table.
4. Adding Section to fix the crashing unpacked target.
5. Registering the unpacked target. (ASLoad can also register it)

So let's finish this off quickly. And yes, this is my final tut on ASProtect, this version and older. Maybe the newer one next ;-)

Note: ' ** ' means ask me on AR forums for more explanation.



2. Finding the Original Entry point & Dumping our Target


Copy the Hide Debugger plugin into the Plugins folder and edit the Ollydbg.ini file. Fire up OllyDbg and load "DxAtlas.exe". You get an entry point alert, so hit OK. You see this code:

00401000 >/$ 68 01406A00 PUSH DxAtlas.006A4001
00401005 |. E8 01000000 CALL DxAtlas.0040100B
0040100A \. C3 RETN
0040100B $ C3 RETN


Note: If you need a detailed explanation of why we do the next steps, ask me on the forums and I'll explain. I have to keep this tutorial short and simple so that you don't get confused by excessive explanation. First follow this tutorial to the end, then ask yourself why we did all these steps, because the deity gave you both eyes with which to see and a mind with which to inquire :-P If you don't understand, I'm there :-P.

Go into Debugging Options and under the Exceptions tab tick only 'Ignore memory violations in KERNEL32'. Now hit Shift+F9 once and Olly will throw an exception. Hit Ctrl+B, enter 8B 17 89 02, and you land just below the Magic CALL:

00BF32B4 E8 47FCFFFF CALL 00BF2F00
00BF32B9 E8 7EFEFFFF CALL 00BF313C <-- Put BP (F2) here
00BF32BE 8B17 MOV EDX,DWORD PTR DS:[EDI] <-- Land here. Scroll up
00BF32C0 8902 MOV DWORD PTR DS:[EDX],EAX

Now continue with Shift+F9 to pass all the exceptions until you break on our breakpoint, then stop. Right click -> Binary -> Fill with NOPs.

How did you find 8B 17 89 02, and why NOP?

Hint: try to understand the figure, or else **



 

NOPping the Magic CALL will fix 99% of the IAT. For the remainder I will use the ASPR ImpRec plugin, or else **.

After NOPping, hit Shift+F9 once, then press the "-" key, select the NOPs and undo the changes, then Shift+F9 7 times until Olly breaks on the last exception. Do not hit Shift+F9 again or else the target will run ;-)

00BF39EC 3100 XOR DWORD PTR DS:[EAX],EAX <----- Last Exception
00BF39EE 64:8F05 0000000>POP DWORD PTR FS:[0]
00BF39F5 58 POP EAX
00BF39F6 833D B07EBF00 0>CMP DWORD PTR DS:[BF7EB0],0
00BF39FD 74 14 JE SHORT 00BF3A13
00BF39FF 6A 0C PUSH 0C <----Remember to identify Last Exception
00BF3A01 B9 B07EBF00 MOV ECX,0BF7EB0
00BF3A06 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
00BF3A09 BA 04000000 MOV EDX,4
00BF3A0E E8 2DD1FFFF CALL 00BF0B40
00BF3A13 FF75 FC PUSH DWORD PTR SS:[EBP-4]
00BF3A16 FF75 F8 PUSH DWORD PTR SS:[EBP-8]
00BF3A19 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00BF3A1C 8338 00 CMP DWORD PTR DS:[EAX],0
00BF3A1F 74 02 JE SHORT 00BF3A23
00BF3A21 FF30 PUSH DWORD PTR DS:[EAX]
00BF3A23 FF75 F0 PUSH DWORD PTR SS:[EBP-10]
00BF3A26 FF75 EC PUSH DWORD PTR SS:[EBP-14]
00BF3A29 C3 RETN <------ Put BP here


 

Put a BP on the last RETN, hit Shift+F9 and we break on it. Press Alt+M to open the Memory Map window and right click this line:

00401000   000F5000    DxAtlas    code    01001002     R     RWE
 
and "Set Memory Breakpoint on Access".

Freeze and Read Notes...

***************** Notes 1 ******************

Why set memory BP on code?

Suppose the program was not protected/packed with ASPR: when you load it in a debugger you are at the entry point (EP) of the program. But when you ASProtect the program, ASPR hides the original entry point (OEP), and when you open the ASPR'd program in the debugger you see the entry point of the ASPR code instead. Open the ASPR'd program in the LordPE PE Editor, click on Sections, and you will see a section (.adata) which contains the ASPR code. So when you put a memory breakpoint on the code section that contains the program code (look for address 00401000 after pressing Alt+M), the loader finishes its unpacking, and as soon as execution reaches the program code, or to be precise the fake OEP near it (because of the stolen bytes technique, the first instructions are executed inside the ASPR code), it breaks on the memory BP. At this point the program is completely unpacked/decrypted in memory and you dump it with LordPE. The same idea applies to most other software protectors. If you keep tracing after reaching the entry point, the program runs in the debugger after executing the necessary code.

***************** End Notes ***************

Now press Ctrl+F11 to trace and wait a few seconds (depends on your processor); you land here (press Ctrl+A to analyse):

00407044 $- FF25 A4B24F00 JMP DWORD PTR DS:[4FB2A4]

Select above in Olly -> Right click -> Follow in Dump -> Memory Address and see this in dump window.  In my case I see this:

004FB2A4 64 1C BF 00 64 8A C0 00 02 B0 36 B6 E7 EB DD 77

Read in reverse order - Little Endian i.e 64 1C BF 00 = 00BF1C64 = ASPR address.

Freeze and Read Notes...

***************** Notes 2 ******************

You have actually landed on the JMP to the API Kernel32.GetModuleHandleA. But ASPR has messed up the IAT and redirected this JMP to its own (encrypted) code instead of jumping directly to GetModuleHandleA. How do I know it's GetModuleHandleA? Simple, from unpacking experience ;-) When you successfully finish unpacking this target, or if you have another Delphi program NOT protected with ASPR, load it in Olly and enter the first CALL near the OEP. You will see the CALL to GetModuleHandleA. Select that CALL, press Enter, and voila, you land at 00407044 where you see the API. :-) You have to see and inquire, remember the lesson ;-) And also note that whenever you land on this JMP (after tracing from the last RETN), it indicates the program is coded in Delphi.

***************** End Notes ***************

Now Continue...

Hit F8 and you are in ASPR code at address 00BF1C64. Continue tracing; after the RETN 4 you land at 40714C. But look at the CALL above (scroll up): have you seen it somewhere before... Notes 2 ;-) :

00407147 . E8 F8FEFFFF CALL DxAtlas.00407044 <--familar address
0040714C . BA 08614F00 MOV EDX,DxAtlas.004F6108 <--You here, Dump
00407151 . 52 PUSH EDX
00407152 . 8905 DC944F00 MOV DWORD PTR DS:[4F94DC],EAX
00407158 . 8942 04 MOV DWORD PTR DS:[EDX+4],EAX
0040715B . C742 08 00000>MOV DWORD PTR DS:[EDX+8],0
00407162 . C742 0C 00000>MOV DWORD PTR DS:[EDX+C],0
00407169 . E8 8AFFFFFF CALL DxAtlas.004070F8
0040716E . 5A POP EDX
0040716F . 58 POP EAX
00407170 . E8 D7C9FFFF CALL DxAtlas.00403B4C
00407175 . C3 RETN


Now fire up LordPE and **dump this process (OllyDump works fine too): open LordPE and do a full dump of the target.

Now trace to 0040716F . 58 POP EAX, hit F7 to execute the POP EAX and note the value in EAX, i.e. EAX = 004F530C, because it is part of our stolen bytes!

Continue tracing; after the RETN you land at the fake OEP and see this code. To see the proper code you have to remove the analysis.

004F5750 \E4524F00 DD DxAtlas.004F52E4
004F5754 00 DB 00  <-- Real OEP, first of 14 "00" bytes (stolen or missing bytes)
004F5755 00 DB 00
004F5756 00 DB 00
004F5757 00 DB 00
004F5758 00 DB 00
004F5759 00 DB 00
004F575A 00 DB 00
004F575B 00 DB 00
004F575C 00 DB 00
004F575D 00 DB 00
004F575E 00 DB 00
004F575F 00 DB 00
004F5760 00 DB 00
004F5761 00 DB 00  <-- last of the stolen or missing bytes
004F5762 E8 DB E8
004F5763 DD DB DD
004F5764 19 DB 19
004F5765 F1 DB F1
004F5766 FF DB FF
004F5767 33 DB 33 ; CHAR '3' <-- Fake OEP

Right click -> Analysis -> Remove Analysis. and see this proper code:

004F5767 33C0 XOR EAX,EAX

I keep notes (included with this tutorial) of stolen bytes (ASPR steals bytes from the EP of the original file and we have to put them back), which isn't difficult at all. This software is coded in Delphi and I count the number of "00" = 14. Now I refer to my stolen bytes notes. The stolen bytes in this case are:

004F5754 55 PUSH EBP
004F5755 8BEC MOV EBP,ESP
004F5757 83C4 F4 ADD ESP,-0C
004F575A 53 PUSH EBX
004F575B 56 PUSH ESI
004F575C 57 PUSH EDI
004F575D B8 0C534F00 MOV EAX,DxAtlas.004F530C


They fit perfectly in place of those 14 "00". But if you want to do the hard, unnecessary work, open the trace log and refer to this figure:

After inserting the stolen bytes, press Ctrl+* to set the new origin at the real OEP, i.e. 004F5754.

Now we need to get the import table and fix our dump.
 



3. Rebuilding our import table and fixing our dumped.exe


We now have our dumped.exe, which will not work because the import table is messed up.
Let's start ImpRec and get the imports. In ImpRec select 'Attach to an Active Process' and choose our target program. Refer to the figure, and to my tutorial on ASPR 1.21-1.23 for details.

Note: The IAT RVA = 000FB190. You should confirm this in every ASPR target by pressing Ctrl+B, entering FF 25, and searching for the first and the last thunk referenced. In this target the IAT starts at 004FB190 - 00400000 = 000FB190 and ends at 000FB9E4. The difference (000FB9E4 - 000FB190 = 854) is the size to enter in ImpRec; if the last thunk sits at 000FB9E4 itself, add 4.

Most of the IAT is fixed thanks to the CALL we NOPped before. You should cut any thunks that look like trash, e.g. D9A7AD56, 69A01575. Why? Observe what the ASPR memory address range looked like while pressing Shift+F9 to pass the exceptions, for example 00BF39EC at my last exception (on your machine it may differ). So if any pointers in ImpRec are invalid, i.e. they point into ASPR addresses, you need to fix them with the correct address of the API. In this target you will need to fix these unresolved pointers:

rva:000FB1E0 ptr:00BF17A4 = Kernel32.GetProcAddress
rva:000FB1E4 ptr:00BF1C64 = Kernel32.GetModuleHandleA
rva:000FB1F4 ptr:00BF1CD8 = Kernel32.GetCommandLineA
rva:000FB2A4 ptr:00BF1C64 = Kernel32.GetModuleHandleA
rva:000FB324 ptr:00BF1CC8 = Kernel32.LockResource
rva:000FB35C ptr:00BF1C8C = Kernel32.GetVersion
rva:000FB37C ptr:00BF17A4 = Kernel32.GetProcAddress
rva:000FB384 ptr:00BF1C64 = Kernel32.GetModuleHandleA
rva:000FB3AC ptr:00BF1CC0 = Kernel32.GetCurrentProcessId
rva:000FB3BC ptr:00BF1CF0 = Kernel32.FreeResource
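As an added example (not part of the original tutorial, and not code from ImpRec or its ASPR plugin), here is the same check done by script over a raw full dump: find the IAT bounds from the FF 25 / FF 15 stubs, turn them into the RVA and size ImpRec wants, then sort each thunk into "ok" (points into a system DLL), "redirected" (still points into the ASPR range) or "trash" (points nowhere sensible, cut it). The image bytes, the kernel32/user32 ranges and the ASPR range are all constructed for the example; the fake IAT sits at RVA 1800 in a tiny image rather than at 000FB190. On the real target you would read dumped.exe (a full dump, so file offset equals RVA), take the module ranges from Olly's Alt+E window and the ASPR range from the addresses seen while passing the exceptions.

```python
"""Added example (not from the tutorial): find the IAT of a full dump from the
FF 25 / FF 15 references in the code, then flag thunks that still point into
the protector's memory instead of into a system DLL.  The image, the module
ranges and the ASPR range are all constructed for this example."""
import struct
from collections import namedtuple

Thunk = namedtuple("Thunk", "rva ptr status module")


def find_iat_bounds(image, image_base):
    """Return (first thunk VA, last thunk VA + 4) referenced by JMP/CALL [mem] stubs.
    `image` is a full dump, so file offset == RVA and VA == image_base + offset."""
    refs = []
    for i in range(len(image) - 6):
        # FF 25 = JMP DWORD PTR [m32], FF 15 = CALL DWORD PTR [m32]
        if image[i] != 0xFF or image[i + 1] not in (0x25, 0x15):
            continue
        (thunk,) = struct.unpack_from("<I", image, i + 2)
        # A real thunk is a dword-aligned slot inside the image; anything else is
        # data that merely happens to look like FF 25 / FF 15.
        if thunk % 4 == 0 and image_base <= thunk < image_base + len(image):
            refs.append(thunk)
    if not refs:
        return None
    return min(refs), max(refs) + 4


def iat_rva_and_size(bounds, image_base):
    """The two numbers ImpRec asks for (000FB190 / 854 in the tutorial's target)."""
    start, end = bounds
    return start - image_base, end - start


def classify_thunks(image, image_base, bounds, module_ranges, protector_range):
    """Walk the IAT dword by dword and say what each pointer points at."""
    start, end = bounds
    out = []
    for va in range(start, end, 4):
        (ptr,) = struct.unpack_from("<I", image, va - image_base)
        module = next((m for m, (lo, hi) in module_ranges.items() if lo <= ptr < hi), None)
        if ptr == 0:
            status = "null"
        elif module:
            status = "ok"                 # resolved API, nothing to do
        elif protector_range[0] <= ptr < protector_range[1]:
            status = "redirected"         # still inside ASPR code: resolve by hand / plugin
        else:
            status = "trash"              # garbage like D9A7AD56: cut the thunk in ImpRec
        out.append(Thunk(va - image_base, ptr, status, module))
    return out


# --- constructed sample dump: three JMP/CALL stubs and a 4-entry IAT at RVA 1800 ---
IMAGE_BASE = 0x00400000
IMAGE = bytearray(0x2000)
for off, opcode, thunk in ((0x100, 0x25, 0x401800), (0x200, 0x25, 0x401804), (0x300, 0x15, 0x40180C)):
    struct.pack_into("<BBI", IMAGE, off, 0xFF, opcode, thunk)
struct.pack_into("<4I", IMAGE, 0x1800,
                 0x7C80B741,   # inside kernel32: fine
                 0x00BF1C64,   # the GetModuleHandleA thunk the tutorial saw pointing into ASPR
                 0xD9A7AD56,   # trash pointer
                 0x77D4A2F1)   # inside user32: fine
# Module ranges as you would read them from Olly's Alt+E window; constructed here.
MODULE_RANGES = {"kernel32": (0x7C800000, 0x7C8F6000), "user32": (0x77D40000, 0x77DD0000)}
ASPR_RANGE = (0x00BF0000, 0x00C00000)   # where the loader code lived while we passed the exceptions

if __name__ == "__main__":
    bounds = find_iat_bounds(IMAGE, IMAGE_BASE)
    rva, size = iat_rva_and_size(bounds, IMAGE_BASE)
    print(f"IAT RVA={rva:08X} size={size:X}")
    for t in classify_thunks(IMAGE, IMAGE_BASE, bounds, MODULE_RANGES, ASPR_RANGE):
        print(f"rva:{t.rva:08X} ptr:{t.ptr:08X} {t.status} {t.module or ''}")
```

The alignment and in-image checks matter: a raw FF 25 scan over a whole dump hits plenty of data that is not a JMP, and one stray hit would push the IAT bounds out by megabytes. Anything "redirected" is exactly the list the tutorial gives above; anything "trash" is what you cut.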

I used the ImpRec ASPR plugin. If you want detailed info, ask me on the ARTeam forums and I'll tell you how the plugin works and how ImpRec fixes the unresolved pointers when you click Trace Level 1, according to my observation :-)


When there are no more invalid imports, all we have to do is fix our dumped.exe: click on Fix Dump, select dumped.exe and we are done.
The dump is saved as dumped_.exe.

Load it in Olly and write the stolen bytes, since we dumped the process at 0040714C and not at the real OEP. Copy the changes to the executable and save.



4. Adding the Missing Section to Fix the Crashing Dump


Ok, now run dumped_.exe and it crashes. Load the crashing dumped_.exe in Olly and hit F9. You get an access violation. Refer to the figure.

So we have to bring this region into our dumped_.exe and then it will run clean. Let's do it! There is another very easy way to avoid adding this region, but this tut is about how to add a section to fix a crashing dump :-P

Close dumped_.exe in Olly, open the packed DxAtlas.exe and follow all the earlier steps to get to the fake OEP. When you reach the fake OEP, press Alt+M to open the memory map. Refer to the figure for the steps.

Right click on the region the crash tried to read from and choose Save Data to File. Save it in the program's folder.

 Fire up LordPE PE Editor and open dumped_.exe and Click on Sections.

Load Section from disk and select the file you saved in the previous step.

Edit section Header

 

Click OK -> close the Section window -> click on Save -> Ok -> Click on Rebuild PE -> select our dumped_.exe

Now run dumped_.exe and it runs clean :-) And the ASPR trial period is removed too; it will never expire.
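As an added example (not from the tutorial, and not LordPE's code), this is what the "Load Section from disk", "Edit section header" and "Rebuild PE" clicks above do to the file, written out in Python. The point a practitioner must get right is the section header: VirtualAddress has to be the RVA of the region you saved (region VA minus ImageBase 00400000), the raw data has to sit on a FileAlignment boundary, and SizeOfImage has to be raised to cover the new section, otherwise the loader never maps those bytes where the code reads them and the dump crashes exactly as before. The minimal PE, the region bytes and the region base 00BE0000 are constructed/assumed for the example (the tutorial only shows a pointer, 00BE3861, inside the added region); on the real target you would read dumped_.exe and the file you saved from Olly's memory map, and pass that region's start address.

```python
"""Added example (not from the tutorial): append a section to a PE32 file the way
LordPE's "Load Section from disk" + "Edit section header" + "Rebuild PE" does.
Plain struct work on the file bytes; no real DxAtlas data is used."""
import struct
from collections import namedtuple

Section = namedtuple("Section", "name vsize rva raw_size raw_ptr characteristics")
SECTION_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes


def align(x, a):
    return (x + a - 1) // a * a


def pe_headers(pe):
    """Offsets and values we need from the DOS, file and optional headers (PE32 only)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    nsec = struct.unpack_from("<H", pe, fh + 2)[0]
    opt_size = struct.unpack_from("<H", pe, fh + 16)[0]
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("not a PE32 image")
    return {
        "fh": fh, "opt": opt, "nsec": nsec, "table": opt + opt_size,
        "image_base": struct.unpack_from("<I", pe, opt + 0x1C)[0],
        "sect_align": struct.unpack_from("<I", pe, opt + 0x20)[0],
        "file_align": struct.unpack_from("<I", pe, opt + 0x24)[0],
        "size_of_image": struct.unpack_from("<I", pe, opt + 0x38)[0],
        "size_of_headers": struct.unpack_from("<I", pe, opt + 0x3C)[0],
    }


def parse_sections(pe):
    h = pe_headers(pe)
    out = []
    for i in range(h["nsec"]):
        f = struct.unpack_from(SECTION_FMT, pe, h["table"] + i * 40)
        out.append(Section(f[0].rstrip(b"\0").decode(), f[1], f[2], f[3], f[4], f[9]))
    return out


def add_section(pe, name, data, rva, characteristics=0xE0000040):
    """Return a new image with `data` mapped at `rva`.  The default characteristics are
    INITIALIZED_DATA | EXECUTE | READ | WRITE, matching the RWE region seen in Olly."""
    pe = bytearray(pe)
    h = pe_headers(pe)
    hdr_off = h["table"] + h["nsec"] * 40
    if hdr_off + 40 > h["size_of_headers"]:
        raise ValueError("no room for another section header")
    if rva % h["sect_align"] or rva < align(h["size_of_image"], h["sect_align"]):
        raise ValueError("RVA must be section-aligned and beyond the current image")
    pe += b"\0" * ((-len(pe)) % h["file_align"])         # raw data starts on FileAlignment
    raw_ptr = len(pe)
    raw_size = align(len(data), h["file_align"])
    pe += data + b"\0" * (raw_size - len(data))
    hdr = struct.pack(SECTION_FMT, name.encode()[:8].ljust(8, b"\0"),
                      len(data), rva, raw_size, raw_ptr, 0, 0, 0, 0, characteristics)
    pe[hdr_off:hdr_off + 40] = hdr
    struct.pack_into("<H", pe, h["fh"] + 2, h["nsec"] + 1)                                  # NumberOfSections
    struct.pack_into("<I", pe, h["opt"] + 0x38, align(rva + len(data), h["sect_align"]))    # SizeOfImage
    return bytes(pe)


def va_to_file_offset(pe, va):
    """The arithmetic the tutorial does by hand: VA - ImageBase, then into the section's raw data."""
    h = pe_headers(pe)
    rva = va - h["image_base"]
    for s in parse_sections(pe):
        if s.rva <= rva < s.rva + max(s.vsize, s.raw_size):
            return s.raw_ptr + (rva - s.rva)
    return None


def build_minimal_pe():
    """Constructed PE32 (ImageBase 00400000): 0x200 of headers plus one 0x200-byte .text with a RET."""
    pe = bytearray(0x400)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)                                      # e_lfanew
    pe[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", pe, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)      # file header
    opt = 0x58
    for off, fmt, val in ((0x00, "<H", 0x10B), (0x10, "<I", 0x1000), (0x1C, "<I", 0x400000),
                          (0x20, "<I", 0x1000), (0x24, "<I", 0x200), (0x38, "<I", 0x2000),
                          (0x3C, "<I", 0x200), (0x44, "<H", 2), (0x5C, "<I", 16)):
        struct.pack_into(fmt, pe, opt + off, val)
    struct.pack_into(SECTION_FMT, pe, opt + 0xE0, b".text", 0x200, 0x1000, 0x200, 0x200,
                     0, 0, 0, 0, 0x60000020)
    pe[0x200] = 0xC3
    return bytes(pe)


REGION_VA = 0x00BE0000                  # assumed base of the region saved from Olly's memory map
REGION = bytes(range(256)) * 4          # constructed stand-in for the saved region bytes

if __name__ == "__main__":
    fixed = add_section(build_minimal_pe(), ".aspr", REGION, REGION_VA - 0x400000)
    for s in parse_sections(fixed):
        print(f"{s.name:8} VA={s.rva:08X} VSize={s.vsize:X} Raw={s.raw_ptr:X}/{s.raw_size:X}")
    print(f"00BE0010 -> file offset {va_to_file_offset(fixed, 0xBE0010):X}")
```

Two things the script refuses to do are worth knowing when you use LordPE by hand: it will not place the section below the current SizeOfImage (that would overlap the dump's own sections), and it will not write a header past SizeOfHeaders (if the header area is full you must grow it first). The RVA check is also why the pointer 00BE3861 works after the fix: 00BE3861 - 00400000 falls inside the new section, so the loader maps the saved bytes back at the address the Delphi code reads.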


 

5. Registering The ASProtected Program


But you still see the text 'Unregistered copy, 30 days left' on the splash screen. To show it as registered,

I'll give a BIG hint:

Method 1: Easy lazy patching
1) Load dumped_.exe in Olly, put a BP here: 00403FE8 31C9 XOR ECX,ECX, then F9 to run and note the EDX register: 00BE3861.

2) Right click -> Follow in Dump on EDX and change the 00 to 01.

Continue to Trace till here:

004F1D04 |> \A1 A87A4F00 MOV EAX,DWORD PTR DS:[4F7AA8]: follow the memory address in the dump and read it little endian (reverse order); the same address 00BE3861, whose byte we set to 01, is now loaded into EAX.

Enter this CALL: 004F1D09 |. E8 BE7BF1FF CALL dumped_.004098CC

and trace; after the RETN, EAX == 5, so this JA (jump if above) will jump and register the program:

004F1D10 |. /77 39 JA SHORT dumped_.004F1D4B

Copy the changes to the executable and save and run the dumped_.exe registered. ;-)

Method 2: To display your name in Registered To: ARTeam on Splash Screen

Note: If you do the following steps then you don't need to add the missing section shown above :-P I include this extra info only for Aggressor, who asked me how to display his name in "Registered To:".

Load dumped_.exe in Olly, put a BP here: 00403FE8 31C9 XOR ECX,ECX, then F9 to run and note the EDX register: 00BE3861. Let's see where this address was moved into EDX. See the stack window for where this procedure will return:

0012FF3C 004F1CD2 RETURN to dumped_.004F1CD2 from dumped_.00403FE8

So Ctrl G: 004F1CD2

004F1CC7 |. 8B15 A87A4F00 MOV EDX,DWORD PTR DS:[4F7AA8] ; dumped_.00BE3861
004F1CCD |. E8 1623F1FF CALL dumped_.00403FE8 <-- CALL
004F1CD2 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] <-- You here

Ahaa, look at address 4F1CC7: MOV EDX,DWORD PTR DS:[4F7AA8]

Right click, follow the memory address [4F7AA8] in the dump, read it little endian (reverse order) and it points to 00BE3861 while the program is unregistered. The author of DxAtlas used ASProtect's trial and registration options to protect his program :-P So let's crack the ASPR registration: find some free space where we will write our name, then replace 00BE3861 with the address where we wrote it. We will use the free space here: 00400110. Right click in the main window of Olly and choose View -> Executable file, then Ctrl+G and type 00400410 - 00400000 = 00000410.

Now see the figure.

First right click and save the file. Then open the saved executable again in Olly and change the address at 4F7AA8 in the dump window to the new one, in reverse order. Then right click, copy to executable and save. See the figure (before and after).

Now run the saved dumped_.exe and it shows Registered to ARTeam :-P because the JA (jump if above) I explained in Method 1 jumps and registers the program.


 

6. Conclusion

Lesson Learnt

Still awake?!? As usual we try to summarize what we learnt during this tutorial; hope at least one of the points was new for you :)

1. Search Ctrl+B -> 8B 17 89 02. Put a BP on the CALL, Shift+F9 until it breaks and NOP it to fix 99% of the IAT.
2. Remember where I dumped the process with LordPE. Always dump there for Delphi programs, or else your fixed dumped_.exe will always crash. Fix your IAT with ImpRec. Ask me on the forums if you do not wish to use the ASPR ImpRec plugin. :-)
3. Refer to my stolen bytes notes ;-)
4. Check the region it tries to read (access violation when reading [00xxxxxx]) and bring it into the fixed dumped_.exe.
5. If you don't want to do the hard work of adding a section, patch it with Method 2 :-P

Thanks for reading my 2 cents 8-) See you on ARTeam forums !!! 



 
7. Greetingz

[MAIN TEAM]
| Nilrem | Ferrari | MaDMAn_H3rCuL3s | EJ12N | Kruger | Shub-Nigurrath | Jdog45 | Teerayoot | R@Dier |

[TRIAL MEMBERS]
| ThunderPwr | Eggi |

*****************************

Exetools | Woodmann | VCT | TSRh | TeaM SnD | Sir JMI | SatyricOn | LaBBa | R@dier | Britedream | MarKuS-DJM | Hacnho | cl0ud (Mephisto) | Zest | Hobgoblin | Everyone we missed & you
Thanks to the authors of ASPR, Ollydbg, LordPE, Imprec, PEiD, HideDebugger and DxAtlas
 

[^~=~ (.) Ferrari (.) ~=~^]