ARTeam Tutorial

Visit: http://cracking.accessroot.com | http://forum.accessroot.com

ASProtect 1.31 manual unpacking


Information:   ASProtect manual unpacking
Target:        Unpackme7.exe
Available:     www.freewebs.com/d3ux/Unpackme7sol.rar
Tools:         OllyDbg 1.10, ImportREConstructor
Protection:    none
Level:         Beginner
Category:      Unpacking
Author(s):     ThunderPwr, October 2004
Requirements:  Windows 2K, XP, IE 5.5 and above for best viewing


1. Introduction


This tutorial is an extension of another tutorial, written by Deux and Nowhere Man, on ASProtect 1.31 manual unpacking. Starting from the original tutorial, a deeper investigation is made to better understand how to unpack this nice protector and how to rebuild the import table (IAT) using ImportREConstructor. A general approach is taken throughout: no hypothesis about the protector type is made before analysing the executable. My approach to finding the right IAT entries differs slightly from the cited tutorial; I think it is more general and more useful from a didactic point of view. A future tutorial will cover a script-based approach and code injection to make the work faster, which is better especially for complex programs.



2. What we can do


Manually unpack the target (dump the process memory and rebuild the IAT).



STEP 1 – Executable file analysis after installation


This target needs no installation because it comes as a single executable file. The first step is to check whether the target program is encrypted/packed or in plain form. To do this we can use the PEiD file scanner, see figure 1 for details:


Fig. 1 PEiD file scanner detail.

To get some idea about the OEP (Original Entry Point) you can use the generic OEP finder feature, which gives:


Fig. 2 OEP from PEiD.

This can't be the real OEP, but it gives us a first idea.



STEP 2 – Manual unpacking


Now it is time to get to know the target: execute it and look at its behaviour. There is a simple dialog box:


Fig. 3 Main program dialog box.

Press the Cool...! button to close the program.
Load the executable into OllyDbg and select the IsDebuggerPresent plugin:


Fig. 4 Starting code after you've loaded it into OllyDbg.

As usual with ASProtect, in order to find the real OEP you must disable exception handling in the debugger. To do this go to the Options menu and select Debugging options (or simply press Alt+O):


Fig. 5 Select the debugging options menu.

Now check that your settings match these (if not, change them according to figure 6):


Fig. 6 Debugging option settings.

In order to reach the OEP you must use the exception method: skip all the exceptions with SHIFT+F9 until you reach the last exception before the program starts. Below is the exact procedure you have to follow:

1. Set the IsDebuggerPresent plugin.
2. Count and skip all the exceptions until the program starts.
3. Restart OllyDbg (CTRL+F2).
4. Set the IsDebuggerPresent plugin.
5. Skip the exceptions (SHIFT+F9) until you reach the last one.
6. Press ALT+M (to view the program memory) and place a memory breakpoint on access on section CODE.
7. Press SHIFT+F7 and F9 to skip the last exceptions; when OllyDbg stops in section CODE you've reached the OEP (in some cases you also have to search for stolen bytes).

Now I will take you through the process step by step to understand it better. When you've loaded the target into OllyDbg the code shown must be the same as in figure 4; set the IsDebuggerPresent plugin and press F9 to run the program. OllyDbg stops on the first exception:


Fig. 7 First exception.

At the bottom of the OllyDbg code window you can see the type of exception:


Fig. 8 Description of the exception.

Now you must count all the other exceptions, skipping them with SHIFT+F9 until the program is able to run and you see the dialog of figure 3. When it appeared I had counted 40 exceptions, so it is time to restart OllyDbg and skip only 39 exceptions; after you've done that you see this code:


Fig. 9 Code snippet on the last exception.

Because the program can start, EIP must be in the CODE section of the program (which is in the 00401000 area). Our purpose is to stop the program exactly at the first instruction executed in this memory area; in this way you're able to reach the real OEP. To do this we can place a memory breakpoint on access on the CODE section: press ALT+M to show the memory window and then right click to place the breakpoint:


Fig. 10 Set the memory breakpoint on access on the section CODE.

Now you can skip the last exception with SHIFT+F7 and SHIFT+F9; OllyDbg breaks in the CODE section at address 00401029:


Fig. 11 Snippet of code at the first break into the code section.

At first glance this code appears meaningless, but you must remember that this is new code rebuilt by ASProtect, which OllyDbg could not analyse when you loaded the executable. To show the right code you must perform a code analysis: press CTRL+A, or right click and choose Analysis and then Analyse code:


Fig. 12 Code on OEP before analysis.

Now the code appears in a much more familiar form:


Fig. 13 Code at the OEP after analysis.

Scroll up a bit into the code:


Fig. 14 Code at the OEP after analysis.

Now you could dump the program with 00401000 as OEP and check whether it works, but it can't work because you have to rebuild the import table (IAT), which ASProtect has destroyed. More precisely, ASProtect redirects the original API calls into the ASProtect section, and only there is execution directed to the right API. So our work now is to find the right API calls and rebuild the original import table.
This work can be done in several ways. The more general one is to follow each entry in the packed executable, find the right API address and replace the bad entry in the IAT with the real address; this can take a lot of time, especially in a complex program, because the bad entries can be numerous, but it is the more general method. The other method is based on the magic call: in this case there are some calls in the code that destroy the IAT, and the main goal of this technique is to skip such calls by NOPing them, in order to keep all or most of the IAT entries valid.

The first step is locating the IAT. The IAT is characterised by indirect calls to the Windows API, so one method to find it is to search for indirect jumps (which have opcode FF 25). We make a binary search through the code: place the cursor on our OEP, right click and select Search for, then Binary string (or simply press CTRL+B):


Fig. 15 Searching the indirect jump.

A new window appears; write FF 25 into the HEX box:


Fig. 16 Binary search dialog box.

When you press the OK button you land in this code:


Fig. 17 IAT.

There are many indirect jumps; only the first is a valid entry, the others are still invalid, so you have to find the right ones in order to rebuild the IAT:


Fig. 18 Rebuilt IAT from ASProtect.

One interesting point to note is that the indirect jumps all point outside the executable's process memory: if you look at the memory map, the executable has an image which starts at 00401000 with size 1000, while all the IAT indirect jumps use 008CXXXX addresses, which lie in a different section outside the executable area. So to make the dumped file work you have to rebuild the IAT inside the program image.
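As an added example (my code, not part of the original tutorial), this is the same FF 25 search done over raw bytes, with the check that matters here: which jumps use a pointer slot outside the image. The sample bytes and the image range 00401000-00402000 are constructed from the tutorial's own addresses.

```python
import struct

# Constructed sample (not bytes from Unpackme7.exe): three "jmp dword ptr [imm32]"
# entries as they appear in the packed jump table, plus two NOPs as filler so the
# scan has to step over non-jump bytes. Image range from the tutorial's memory
# map: image at 00401000, size 1000. 008Cxxxx slots lie in ASProtect's section.
IMAGE_LO = 0x00401000
IMAGE_HI = 0x00401000 + 0x1000
JUMP_TABLE_VA = 0x00401110              # first jump of the table (Fig. 36)
SAMPLE = (
    struct.pack("<BBI", 0xFF, 0x25, 0x008C0378)    # jmp [008C0378], redirected
    + struct.pack("<BBI", 0xFF, 0x25, 0x008C037C)  # jmp [008C037C], redirected
    + b"\x90\x90"                                  # filler
    + struct.pack("<BBI", 0xFF, 0x25, 0x0040117C)  # jmp [0040117C], inside image
)

def find_indirect_jumps(code, base_va):
    """Return (va, slot) for each FF 25 <imm32> found by a linear byte scan,
    the same thing the Ctrl+B search for 'FF 25' does in OllyDbg. A byte scan
    can match FF 25 that belongs to another instruction, so confirm each hit in
    the disassembly before trusting it."""
    hits = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] == 0x25:
            slot = struct.unpack_from("<I", code, i + 2)[0]
            hits.append((base_va + i, slot))
            i += 6          # skip the whole 6-byte instruction
        else:
            i += 1
    return hits

def redirected_entries(hits, lo=IMAGE_LO, hi=IMAGE_HI):
    """Jumps whose pointer slot lies outside the image: after the dump these
    slots no longer exist, so every such entry must be repointed into the image."""
    return [(va, s) for va, s in hits if not lo <= s < hi]

if __name__ == "__main__":
    hits = find_indirect_jumps(SAMPLE, JUMP_TABLE_VA)
    bad = set(redirected_entries(hits))
    for va, s in hits:
        flag = "outside image, redirected" if (va, s) in bad else "inside image"
        print(f"{va:08X}  jmp dword ptr [{s:08X}]  {flag}")
```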

Now we have to find where the IAT is built; this way you can see how ASProtect handles the API calls and stores them in the jump table. To do this restart OllyDbg and set the IsDebuggerPresent plugin again, press CTRL+G in the dump window and write 008C0378, then place a memory breakpoint on write at this address and press F9 to run the program. OllyDbg stops on the first exception; skip all exceptions with SHIFT+F9 until you reach the first memory-write breakpoint at address 00891CE4, skip it with SHIFT+F9, there is another exception and finally our memory breakpoint at 008A5834:


Fig. 19 Searching for the IAT writing by ASProtect.

Well, this is our first API address and it is written into 008C0378. Now step through the code with F8 until you reach this section:


Fig. 20 Other API entry.

At 00401116 you have a new entry for the GetModuleHandleA API.
Press F9 again to show the next entry:


Fig. 21 Other API entry.

At 00401122 you have a new entry for the DialogBoxParamA API.
Well, press CTRL+G and write the first jump table address, 0040110E:


Fig. 22 Jump table during rebuild process.

Restart the program and place a memory breakpoint on this table in order to stop execution when ASProtect writes the new API. The first break is for the ExitProcess API, the next for GetModuleHandleA:


Fig. 23 Stop on the IAT writing.

Stepping through the code brings our analysis to address 008A551A; press F9 and OllyDbg stops on the next API:


Fig. 24 Breaking on the BeginPaint API.

Press F9; there is a new breakpoint at 008A369A:


Fig. 25 Breaking on the DialogBoxParamA API.

Step again with F7 until you reach the RETN instruction, then press F9:


Fig. 26 Breaking on the EndDialog API.

Press F9; there is a new break at 008A5755:


Fig. 27 Breaking on the EndPaint API.

Press F9; there is a new break at 008A5755:


Fig. 28 Breaking on the LoadBitmapA API.

Press F9; there is a new break at 008A5755:


Fig. 29 Breaking on the SendMessageA API.

Press F9; there is a new break at 008A5755:


Fig. 30 Breaking on the BitBlt API.

Press F9; there is a new break at 008A5755:


Fig. 31 Breaking on the CreateCompatibleDC API.

Press F9; there is a new break at 008A5755:


Fig. 32 Breaking on the DeleteDC API.

Press F9; there is a new break at 008A5755:


Fig. 33 Breaking on the DeleteObject API.

Press F9; there is a new break at 008A5755:


Fig. 34 Breaking on the SelectObject API.

Press F9; there is a new break, but this time it is due to an access violation when writing:


Fig. 35 Break due to exception (access violation when writing).

Press SHIFT+F7 to skip this exception and press F9; there is a new breakpoint at 008ADC5D, again an exception at 008ADC5D. Now you have to skip all the other exceptions until you reach the last exception before the program starts, which is at 008A46E9 (see figure 9); now if you press SHIFT+F9 again the program runs.

Well, now you're able to write this table of the right API entries:

Jump table address   API function
00401110             kernel32.ExitProcess
00401116             kernel32.GetModuleHandleA
0040111C             user32.BeginPaint
00401122             user32.DialogBoxParamA
00401128             user32.EndDialog
0040112E             user32.EndPaint
00401134             user32.LoadBitmapA
0040113A             user32.SendMessageA
00401140             GDI32.BitBlt
00401146             GDI32.CreateCompatibleDC
0040114C             GDI32.DeleteDC
00401152             GDI32.DeleteObject
00401158             GDI32.SelectObject

Fig. 36 Entry table.

The next step is to dump the program: start the OllyDump plugin, being careful to set all options as reported below:


Fig. 37 OllyDump settings.

Press the Dump button and choose a filename, dumped.exe, for the dumped process.
Now it is time to rebuild the IAT in the dumped file. To do this you have to change the jump table addresses to valid TABLE ENTRY addresses and then use ImportREC to rebuild the IAT. The first step is to change the indirect addresses in the jump table, choosing a free area in which to store the DLL API entries, for example 00401160; then you have:


Fig. 38 Jump table.


Fig. 39 API address table.

All API entries can be retrieved from our previous analysis; be careful to set also the chunk separation (00 00 00 00).
Now start ImportREC and pick our process (which is frozen in OllyDbg). Now you have to set the right IAT parameters before getting the imported API addresses:

OEP = RealAddress - ImageBase = 00401000 - 00400000 = 00001000

RVA = API table start address - ImageBase = 00401160 - 00400000 = 00001160

Size = TableWidth = 0040119C - 00401160 = 3C


Fig. 40 ImportREC.

Press the GetImports button:


Fig. 41 ImportREC with imported function.

All entries are valid, so now you have to fix the dumped file: press the Fix Dump button and choose the file dumped.exe:


Fig. 42 ImportREC after fixing the dump.

Close ImportREC and check that the fixed program works. ImportREC saves the fixed file with a _ character appended, so you have to launch the dumped_.exe executable:


Fig. 43 Fixed executable (dumped_.exe).

Well done, the fixed file runs correctly, so the manual unpacking is finished successfully!



3. Conclusion


I hope this tutorial is useful to better understand ASProtect manual unpacking and the use of OllyDbg and ImportREConstructor.

Any suggestion, correction or criticism is welcome; if you need help with this tutorial or other stuff you can reach me on the ARTeam forum.



4. Greetingz

[MAIN TEAM]
| Nilrem | Ferrari | MaDMAn_H3rCuL3s | EJ12N | Kruger | Shub-Nigurrath | Jdog45 | Teerayoot | R@Dier | ThunderPwr | Eggi |

ThunderPwr