Asprotect 2 SKE: Unpacking using OllyScript

Date: 29/07/2005
by "Pnluck"
UIC's Home Page
Published by Quequero

Thanx pn!
- Home page (if any): http://pnluck.altervista.org
- E-mail: [email protected]
- Nick, UIN, IRC/EFnet channel frequented:

Difficulty
( ) Newbies ( ) Intermediate (X) Advanced ( ) Master
|
|
- In this tutorial I explain how to unpack ASProtect SKE 2. I don't show how to unpack one particular program; instead I'll use a few of them, because I'll reverse all three types of its import table (IT) protection: Advanced Import Protection v1 and v2, and Emulate System API.
- Tools used: OllyDbg, OllyScript.
  Scripts: Aspro2_AIP1, Aspro2_AIP2
- A program protected with ASProtect SKE 2.
1) Find the OEP.
To find the OEP I used the classic method: count the number of exceptions and, at the last one, press Alt+F9 and set a memory breakpoint on the code section at 00401000.

2) Rebuild the IT.
As already said, in programs protected with ASProtect 2 (SKE) we can find three types of IT protection: for Emulate System API see my article on PMODE; the other two I'll explain here.
Advanced Import Protection was already present in older versions of ASProtect, but in a simpler form. Now there is more decrypting code to make our life difficult. AIP (Advanced Import Protection) makes the APIs execute by calling LoadLibrary and GetProcAddress and then doing a "jmp api", and as said before there are two versions of this protection. The only difference between v1 and v2 is the corruption of the IAT, e.g.:
0041740C  BA B8 D1 77 4A C9 D3 77 60 DA D1 77 2E 8C D1 77
0041741C  0D D6 D1 77 1B C0 D1 77 43 F5 D2 77 B3 03 D3 77

0056B3AC  42 24 80 7C F1 BA 80 7C 08 7F 0C F9 4B 6F DD 78
0056B3BC  3A D9 64 27 A6 0D 81 7C 28 9C 80 7C 97 AA 80 7C
As you can see there are two IATs: the first is intact (v1), while the second is corrupted (v2); this is the only difference.
AIP replaces the "jmp [api]", for example 00407A68 JMP DWORD PTR DS:[56B3AC] ; kernel32.Sleep, with a call like 00416746 CALL 00D60000, and such calls replace almost all of the "jmp [api]" in the protected program.
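To make the v1/v2 distinction concrete, here is an added Python example (not part of the tutorial or of its OllyScripts) that parses the two dumps quoted above into little-endian DWORDs and flags every IAT slot that does not point into a known module. The module ranges in MODULES are an assumption constructed for this example, chosen so that the intact slots of both dumps fall inside them; in practice you would read them from the debugger's module list. An empty list of corrupt slots means an AIP v1 table, a non-empty one AIP v2.

```python
"""
Added example, not from the tutorial: classify IAT slots as intact or corrupt.
A slot is "intact" when its value lies inside one of the loaded modules.
"""
import struct
from typing import Dict, List, Optional, Tuple

# Assumed module map: name -> (base, size). Constructed for this example.
MODULES: Dict[str, Tuple[int, int]] = {
    "user32.dll":   (0x77D10000, 0x90000),
    "kernel32.dll": (0x7C800000, 0xF6000),
}

# The two IAT dumps exactly as quoted in the tutorial (address, then bytes).
IAT_V1_DUMP = """
0041740C BA B8 D1 77 4A C9 D3 77 60 DA D1 77 2E 8C D1 77
0041741C 0D D6 D1 77 1B C0 D1 77 43 F5 D2 77 B3 03 D3 77
"""
IAT_V2_DUMP = """
0056B3AC 42 24 80 7C F1 BA 80 7C 08 7F 0C F9 4B 6F DD 78
0056B3BC 3A D9 64 27 A6 0D 81 7C 28 9C 80 7C 97 AA 80 7C
"""


def parse_dump(dump: str) -> List[Tuple[int, int]]:
    """Turn an OllyDbg-style hex dump into (slot_address, dword_value) pairs.
    Each slot is a little-endian DWORD, as stored in a 32-bit IAT."""
    slots = []
    for line in dump.strip().splitlines():
        fields = line.split()
        base = int(fields[0], 16)
        raw = bytes.fromhex("".join(fields[1:]))
        for off in range(0, len(raw) - len(raw) % 4, 4):
            (value,) = struct.unpack_from("<I", raw, off)
            slots.append((base + off, value))
    return slots


def owning_module(addr: int) -> Optional[str]:
    """Name of the assumed module containing addr, or None."""
    for name, (base, size) in MODULES.items():
        if base <= addr < base + size:
            return name
    return None


def classify_iat(dump: str) -> List[Tuple[int, int, str]]:
    """Return (slot, value, module name or 'CORRUPT') for every IAT slot."""
    out = []
    for slot, value in parse_dump(dump):
        mod = owning_module(value)
        out.append((slot, value, mod if mod else "CORRUPT"))
    return out


def corrupt_slots(dump: str) -> List[int]:
    """Addresses of slots whose value points into no known module."""
    return [slot for slot, _, tag in classify_iat(dump) if tag == "CORRUPT"]


if __name__ == "__main__":
    for label, dump in (("v1", IAT_V1_DUMP), ("v2", IAT_V2_DUMP)):
        print(f"== IAT {label} ==")
        for slot, value, tag in classify_iat(dump):
            print(f"{slot:08X}  {value:08X}  {tag}")
        print("corrupt slots:", [f"{s:08X}" for s in corrupt_slots(dump)])
```

Run on the v2 dump it reports three corrupt slots (0056B3B4, 0056B3B8 and 0056B3BC), while every slot of the v1 dump resolves to a module; that is exactly the difference the two versions of the script have to cope with.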
I made two OllyScripts for the two versions of AIP. The script for the first version asks for the base address of the section containing the IAT and its size (to find the address of the API) and the address of the call to analyze. The second script asks for the address where the IAT begins and the call to analyze. Now I show how to use this second script (the use of the first is similar):
- Find the OEP.
- List all intermodular calls.
- Now find a call put in by AIP: 00E10000.
- Now find the IAT's section and find a "jmp [api]".
- Where the IAT begins: 56B21C, and check whether it is corrupt.
- If it is, use the script Aspro2_AIP2.
- When you have finished rebuilding all the AIP calls, you can dump the process using OllyDump with "rebuild import" method 1.
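The "list intermodular calls, then find the call put in by AIP" step relies on one observation: the AIP stub lives outside the program's image (00D60000 or 00E10000 in the examples above), so any call whose destination is not inside the image is a candidate. The following added Python example, which is not part of the tutorial or its scripts, applies that check to a constructed code snippet built around the tutorial's own CALL 00D60000 and JMP DWORD PTR DS:[56B3AC] examples. The image range, the snippet bytes and the second call target are assumptions made for this example.

```python
"""
Added example, not from the tutorial: find call instructions whose target
lies outside the image, which is where ASProtect's AIP stub is located.
Recognised patterns:
  E8 rel32        call rel32
  FF 25 disp32    jmp dword ptr [disp32]   (the untouched "jmp [api]" form)
"""
import struct
from typing import List, Tuple

# Assumed image range of the protected program (constructed).
IMAGE_LO, IMAGE_HI = 0x00400000, 0x00600000

# Constructed code placed at 00416746, the address of the tutorial's example:
#   00416746  CALL 00D60000              <- AIP call, target outside the image
#   0041674B  CALL 00416760              <- ordinary call inside the image
#   00416750  JMP DWORD PTR DS:[56B3AC]  <- untouched "jmp [api]"
#   00416756  RET
CODE_VA = 0x00416746
CODE = bytes.fromhex(
    "E8 B5 98 94 00"     # call 00D60000 (rel32 = 00D60000 - 0041674B)
    "E8 10 00 00 00"     # call 00416760 (rel32 = 00416760 - 00416750)
    "FF 25 AC B3 56 00"  # jmp dword ptr [0056B3AC]
    "C3"                 # ret
)


def scan(code: bytes, va: int) -> List[Tuple[int, str, int]]:
    """Return (instruction_va, kind, target) for each call/jmp found.
    kind is 'call' for E8 rel32 and 'jmp[]' for FF 25 disp32, where the
    target is the IAT slot being read. This is a byte-pattern scan, not a
    disassembler: on real code it can also match inside data or inside a
    longer instruction, so treat its hits as candidates to confirm in Olly."""
    hits = []
    i = 0
    while i < len(code):
        op = code[i]
        if op == 0xE8 and i + 5 <= len(code):
            (rel,) = struct.unpack_from("<i", code, i + 1)  # signed rel32
            target = (va + i + 5 + rel) & 0xFFFFFFFF        # relative to next insn
            hits.append((va + i, "call", target))
            i += 5
        elif op == 0xFF and i + 6 <= len(code) and code[i + 1] == 0x25:
            (slot,) = struct.unpack_from("<I", code, i + 2)
            hits.append((va + i, "jmp[]", slot))
            i += 6
        else:
            i += 1
    return hits


def aip_calls(code: bytes, va: int) -> List[Tuple[int, int]]:
    """(instruction_va, target) for calls landing outside the image:
    these are the calls the tutorial's script is pointed at."""
    return [(ins, tgt) for ins, kind, tgt in scan(code, va)
            if kind == "call" and not (IMAGE_LO <= tgt < IMAGE_HI)]


if __name__ == "__main__":
    for ins, kind, tgt in scan(CODE, CODE_VA):
        print(f"{ins:08X}  {kind:6}  {tgt:08X}")
    print("AIP candidates:",
          [f"{i:08X} -> {t:08X}" for i, t in aip_calls(CODE, CODE_VA)])
```

On the constructed snippet only the call at 00416746 is reported, because 00D60000 lies outside the assumed image; the call to 00416760 and the intact "jmp [api]" are listed but not flagged. The same idea, over a real dump, is what the "find all intermodular calls" view in OllyDbg gives you.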
Pnluck

Thx to Ntoskrnl, Quake2, Quequero, AndreaGeddon, dM, Silent, and all UIC and PMODE members.

I would like to remind you that software must be bought, not stolen: you must register your product after the evaluation period. I do not hold myself responsible for any damage to your computer caused by improper use of this tutorial. This document was written to encourage the consumer to register their programs legally, and not to make use of the countless crack files found on the net; in fact this document helps to understand the effort every developer has had to make in order to give their customers the best possible products.
We reverse for informational purposes only and to improve our knowledge of the Assembly language.