"Step-By-Step"-ASProtect Final tut by LaBBa

Hi all this is the final tut I'm ever going to do about ASPR .. yep .. I have no more time for those things now in my life.. So what this tut is going to be different from all the others tuts ? 1. It will have pictures 2. It will have new explanation about finding the Stolen bytes 3. It will try to explain as much as I can about this protection.. What this tut won't explain? 1. how to fixed Redirected calls to aspr Well let's start ! Tools that we will need 1. OllyDbg 1.09d really cool tool 2. LordPe tnx to y0da 3. ImpREC v1.6F Really great tool of MackT 4. HView/HackView or any other Hex editor 5. WinXP - hehe Targets that we are going to Unpack (not to crack !!) Well the technique of the Stolen bytes can't be learned just by doing 1 kind of stolen bytes .. u must do at least 4 apps , so u can see that it's almost the same technique at all kinds that there is out there .. well I can't do for u 4 apps so I will do at least 2 : 1. WTM CD Protect (www.webtoolmaster.com/download/cdprot.exe) v1.54 2. Proactive Windows Security Explorer (http://www.elcomsoft.com/pwsex.html) v1.00b3 (build 1225) Steps in Unpacking 1. 2. 3. 4. Killing ASPR anti Debugging Finding The OEP for Dumping Fixing the Import API's Table (IAT) Finding the Stolen bytes and re-insert them

NOTE THIS !! In all of the apps that we will unpack they will have the same technique for killing ASPR anti-debug and the same technique of finding the OEP and same technique for fixing the IAT (Import Api Table) . The only thing that Won't be the same is : Stolen bytes.. So.. I will only show in WTM CD Protect how to Kill anti-debugging And finding OEP and fixing IAT and all others I will show how we find the Stolen Bytes because all the rest are the same.. So.. Lets Start ! STEP #1 - Killing ASPR Anti-Debug Well this part is really easy.. After u finished loading the app to OllyDbg Press : Alt+E This will load a table of : Executable Table Press on Kernel32.dll with right click of u'r mouse and choose : View Names

now search for the API called : IsDebuggerPresent when u finds it press on it and then press F2 to set a BreakPoint

Now get back to the main window and Press F9 to let the app Run ***BOOM*** The app is Paused because of some access violation (so fucking what ?!) Continue Pressing : Shift+F9 till u will see at the down of the window :

and will see this code :

77E72E92 > 64:A1 18000000 77E72E98 8B40 30 77E72E9B 0FB640 02 77E72E9F C3 MOV EAX,DWORD PTR FS:[18]We are Here MOV EAX,DWORD PTR DS:[EAX+30] MOVZX EAX,BYTE PTR DS:[EAX+2] RETN

Now Press F8 just 2 times and then look at the lower window and u will see :

Write down this address : 7FFDF002 This is where we need to change every time we start our debugging The value from 01 to 00 .. Disable our break point by pressing F2 again on the address that we have set on our break point . Now restart our app debugging by pressing : Ctrl+F2

Now go to the dump window and press with u'r mouse and then press Ctrl+G ("GoTo") and enter at the Dialog box that appear there the address we wrote : 7FFDF002 Now press on the first byte on the top with u'r mouse and then press with u'r keyboard : 00 and the press OK

STEP #2 - Finding The OEP for Dumping now we can start running again our app with F9 and Shift+F9 till we will get to the last one time that if we will press again then the app will run this will look like this :
00A539EC 00A539EE 00A539F5 00A539F6 00A539FD 00A539FF 00A53A01 00A53A06 00A53A09 00A53A0E 00A53A13 00A53A16 00A53A19 00A53A1C 00A53A1F 00A53A21 00A53A23 00A53A26 00A53A29 3100 64:8F05 00000000 58 833D B07EA500 00 74 14 6A 0C B9 B07EA500 8D45 F8 BA 04000000 E8 2DD1FFFF FF75 FC FF75 F8 8B45 F4 8338 00 74 02 FF30 FF75 F0 FF75 EC C3 XOR DWORD PTR DS:[EAX],EAX we HERE POP DWORD PTR FS:[0] POP EAX CMP DWORD PTR DS:[A57EB0],0 JE SHORT 00A53A13 PUSH 0C MOV ECX,0A57EB0 LEA EAX,DWORD PTR SS:[EBP-8] MOV EDX,4 CALL 00A50B40 PUSH DWORD PTR SS:[EBP-4] PUSH DWORD PTR SS:[EBP-8] MOV EAX,DWORD PTR SS:[EBP-C] CMP DWORD PTR DS:[EAX],0 JE SHORT 00A53A23 PUSH DWORD PTR DS:[EAX] PUSH DWORD PTR SS:[EBP-10] PUSH DWORD PTR SS:[EBP-14] RETN

Now press with u'r mouse on the Ret and set a BreakPoint on it by pressing F2 . now Press Shift+F9 and let it break on the RET ***BOOM*** ok .. now we are on the RET .

Now set a command line with pressing Alt+F1 to : TC EIP<900000 And press enter and let it trace... (u can look at the right down corner of the screen and see there "Tracing") ***BOOM*** now if u sees this kind of code :
00405214 00405215 25 00405216 00405217 00405218 43 00405219 0040521A FF 25 DC 91 43 00 8B DB FF DB ; DB DC DB 91 DB ; DB 00 DB 8B CHAR 'C' CHAR '%'

and etc.. all u need to do is Press : Ctrl+A (make Analyze again) now u should see this :
00405214 0040521A 0040521C 00405222 00405224 0040522A 0040522C $-FF25 8BC0 $-FF25 8BC0 $-FF25 8BC0 $-FF25 DC914300 D8914300 D4914300 D0914300 JMP MOV JMP MOV JMP MOV JMP DWORD PTR EAX,EAX DWORD PTR EAX,EAX DWORD PTR EAX,EAX DWORD PTR DS:[4391DC] - we HERE DS:[4391D8] DS:[4391D4] DS:[4391D0]

Press F8 1 time to see where this jump will take us too and we will be here :
00A51C64 55 PUSH EBP 00A51C65 8BEC MOV EBP,ESP 00A51C67 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00A51C6A 85C0 TEST EAX,EAX 00A51C6C 75 13 JNZ SHORT 00A51C81 00A51C6E 813D A47AA500 00>CMP DWORD PTR DS:[A57AA4],400000 ; ASCII "MZP" 00A51C78 75 07 JNZ SHORT 00A51C81 00A51C7A A1 A47AA500 MOV EAX,DWORD PTR DS:[A57AA4] 00A51C7F EB 06 JMP SHORT 00A51C87 00A51C81 50 PUSH EAX 00A51C82 E8 3135FFFF CALL 00A451B8 ; JMP to kernel32.GetModuleHandleA 00A51C87 5D POP EBP 00A51C88 C2 0400 RETN 4

as u can see we are back to the ASPR code by looking at the address : 00A51C64

ok .. now continue tracing the code by pressing F8 after u will do the Ret command u will get to here :
0040531C 00405321 00405322 00405328 0040532B 00405330 00405331 00405332 00405337 BA 9C704300 52 8905 B8844300 8942 04 E8 98FFFFFF 5A 58 E8 15E1FFFF C3 MOV EDX,ACopy.0043709C PUSH EDX MOV DWORD PTR DS:[4384B8],EAX MOV DWORD PTR DS:[EDX+4],EAX CALL ACopy.004052C8 POP EDX POP EAX CALL ACopy.0040344C RETN

ok now we are back in our code but it's still not our OEP because if u will start tracing with F8 u can get to the RET and the app isn't even running.. before we will start tracing we will make a dump to our process and get a dump file .. so Open LordPe/ProcDump and choose our Process and make a full dump of process and save it :

now we can start tracing . press F8 and after the ret u will be at the OEP (fake) :
00436EAD 8B1D 907A4300 DS:[437A90] ; 00436EB3 8B03 00436EB5 E8 FA25FFFF 00436EBA 8B0D 0C7B4300 DS:[437B0C] ; 00436EC0 8B03 00436EC2 8B15 10374300 DS:[433710] ; 00436EC8 E8 FF25FFFF 00436ECD 8B0D 707A4300 DS:[437A70] ; 00436ED3 8B03 00436ED5 8B15 C0274300 DS:[4327C0] ; 00436EDB E8 EC25FFFF 00436EE0 8B0D 047A4300 DS:[437A04] ; 00436EE6 8B03 MOV EBX,DWORD PTR ACopy.004386E8 MOV EAX,DWORD PTR DS:[EBX] CALL ACopy.004294B4 MOV ECX,DWORD PTR ACopy.00438774 MOV EAX,DWORD PTR DS:[EBX] MOV EDX,DWORD PTR ACopy.00433750 CALL ACopy.004294CC MOV ECX,DWORD PTR ACopy.00438750 MOV EAX,DWORD PTR DS:[EBX] MOV EDX,DWORD PTR ACopy.00432800 CALL ACopy.004294CC MOV ECX,DWORD PTR ACopy.00438764 MOV EAX,DWORD PTR DS:[EBX]

00436EE8 8B15 DC324300 MOV EDX,DWORD PTR DS:[4332DC] ; ACopy.0043331C 00436EEE E8 D925FFFF CALL ACopy.004294CC 00436EF3 8B0D BC7A4300 MOV ECX,DWORD PTR DS:[437ABC] ; ACopy.0043876C 00436EF9 8B03 MOV EAX,DWORD PTR DS:[EBX] 00436EFB 8B15 28354300 MOV EDX,DWORD PTR DS:[433528] ; ACopy.00433568 00436F01 E8 C625FFFF CALL ACopy.004294CC 00436F06 8B03 MOV EAX,DWORD PTR DS:[EBX] 00436F08 E8 4B26FFFF CALL ACopy.00429558 00436F0D 5B POP EBX 00436F0E E8 45C6FCFF CALL ACopy.00403558

ok this is the OEP without the Stolen Bytes : 00436EAD Write down this address as OEP for now (we will need it for later) STEP #3 - Fixing the Import API's Table (IAT) While our app is at the OEP (with out the Stolen Bytes) we can start now fixing the IAT With a Tool Called : ImpREC (Import RE-Constructor) Open ImpREC and choose from the top of the scroll bar our process And then press on "IAT Auto search" (sometimes u will need to enter the OEP that u found if ImpREC can find anything) and the u will see that the size is too small : only 84 ?! So Change it to at least : 1000 Then Press on : Get Import Then press on : Show Invalid Then press on the list that is shown with the right click of u'r mouse and choose : Trace Level 1 ***NOTE*******NOTE*******NOTE*******NOTE************* in my computer after tracing a while it got stuck ! so I read at the ReadMe file of MackT and it says there that if u want to cancel Tracing all u need to do is pressing : Ctrl + F12 so I did and then it continue the loading of the tracing results after the tracing results are done press again : Show Invalid now press on the invalid function with Right clicking on it with u'r mouse and choose from there : Plug-in Tracer -> ASProtect 1.22 now Press again : Show Invalid now we need to make sure that all the functions that are there are fakes and not a real ones to need to be fixed .. how we know witch one is real and witch one is fake ??

WAY #1 well remember when we looked for the OEP and then we had a JMP that returned to the ASPR code ?? that address was : 00A51C64 at u'r computer this address will be different then this .. look at ImpREC on the Invalid API's and look on the "ptr" look at this address foe example : 9412C8FB wow.. this is too big address for us .. our aspr code need to be (in my case) at around : 00A00000 00FFFFFF thats too much too it will still be in the same range of value of : 00A00000 00AFFFFF so every thing that will be bigger then this is a fake . WAY #2 Right click on an invalid api and choose : Disasmmble/HexView If Imprec will show u a message box that it got a read error then this is a fake If u can see a code there and didn't got any messages then this is a true api that need a fixing !! Well I love way #1 much more faster .. I scroll down till I saw one that looked in the GOOD range of aspr address range and choose on it HexView .

ImpREC shows this code :

00A51CF0 00A51CF1 00A51CF3 00A51CF9 00A51CFA push ebp mov ebp,esp mov eax,[A57E24] pop ebp retn 4

// DWORD value: 00141EE0

If you look at what is already in the Import REConstructor, only FreeResource is not present and it seems to fit very nicely alphabetically Double click on that invalid function and choose FreeResource Now press show invalid again and then right click with u'r mouse on one of them and choose : Cut Thunks Now press on Fix Dump and choose our Dump file from before..

STEP #4 Finding Stolen Bytes and re-insert them Well this is the main tut and the main protection of ASPR for those last versions .. I saw so many Q about this and I had a lot of Q of my own .. One day I wanted to try something and gess what ? ? IT FUCKING WORKED .. This lil technique that I will show u works on every ASPR version with Stolen and erased bytes What we need to do is this : We have still OllyDbg at the OEP (if not make it so) Now go to the menu and choose : View -> Run Trace This will show u all the code we traced to get to the OEP Go down with the scroll and then u will see that there is allot of this command : REP STOS BYTE PTR ES:[EDI] Just before getting to that JMP if u will press on it.. Olly Will show u in the main widow this :
00A64C48 00A64C4A 00A64C4B 00A64C4C 00A64C4D F3:AA 9D 5F 59 C3 REP STOS BYTE PTR ES:[EDI] POPFD POP EDI POP ECX RETN

the command : REP STOS BYTE PTR ES:[EDI] is doing the erasing of the bytes thats way u see at the "run trace" window so many of it .. so what can we do ? lets restart our debugging by pressing Ctrl+F2 and then kill the antiDebugging and get to the place that from there we done the Trace command . but now we will not set a trace command of conditional tracing but we will put a trace for command : REP STOS BYTE PTR ES:[EDI]

Like this :

now press ok and then press F11 To start tracing ***BOOM*** we will land here :
00A64C48 00A64C4A 00A64C4B 00A64C4C 00A64C4D F3:AA 9D 5F 59 C3 REP STOS BYTE PTR ES:[EDI] POPFD POP EDI POP ECX RETN

just before erasing the bytes.. if we will press F8 all the bytes will be erased and we can't really read all that code at the address that EDI is pointing at .. what can we do ??

we will make it show us what it does by changing the command from :

REP STOS BYTE PTR ES:[EDI]

To : JMP EDI Just press the Space key on u'r keyboard and write there : jmp edi Now we will start our tracing with F8 till Olly will stop us because of access violation.. This is my trace log from after the jmp edi:

00A64C7D Main MOV EBX,66F 00A64C82 Main OR EBX,EBX 00A64C84 Main JNZ SHORT 00A64C8D 00A64C8D Main CALL 00A64C92 00A64C92 Main POP EBP 00A64C93 Main SUB EBP,4BE14D 00A64C99 Main LEA EAX,DWORD PTR SS:[EBP+4BE0F2] 00A64C9F Main LEA ECX,DWORD PTR SS:[EBP+4BE194] 00A64CA5 Main ADD ECX,EBX 00A64CA7 Main MOV DWORD PTR DS:[ECX+1],EAX 00A64CAA Main LEA EAX,DWORD PTR SS:[EBP+4BE136] 00A64CB0 Main LEA ECX,DWORD PTR SS:[EBP+4BE0FA] 00A64CB6 Main MOV DWORD PTR DS:[ECX],EAX 00A64CB8 Main MOV EAX,145E 00A64CBD Main LEA ECX,DWORD PTR SS:[EBP+4BE0FF] 00A64CC3 Main MOV DWORD PTR DS:[ECX],EAX 00A64CC5 Main LEA ECX,DWORD PTR SS:[EBP+4BE194] 00A64CCB Main LEA EAX,DWORD PTR SS:[EBP+4BF394] 00A64CD1 Main PUSH ECX 00A64CD2 Main PUSH EAX 00A64CD3 Main CALL 00A64C4E 00A64CD8 Main POPAD 00A64CD9 Main PREFIX REP: 00A64CDE Main JMP SHORT 00A64CE3 00A64CE3 Main JMP SHORT 00A64CE6 00A64CE6 Main JMP SHORT 00A64CEA 00A64CEA Main PUSH DWORD PTR FS:[0] 00A64CF1 Main PUSH DWORD PTR SS:[ESP+B] 00A64CF5 Main MOV DWORD PTR SS:[ESP+4],EBP 00A64CF9 Main PREFIX REPNE: 00A64CFD Main ADD ESP,4 00A64D00 Main JMP SHORT 00A64D03 00A64D03 Main PREFIX REPNE: 00A64D07 Main LEA EBP,DWORD PTR SS:[EBP+EDI*2+5C] 00A64D0B Main JMP SHORT 00A64D0F 00A64D0F Main JMP SHORT 00A64D14 00A64D14 Main LEA EBP,DWORD PTR DS:[ESI*4+69FA7294] 00A64D1B Main JMP SHORT 00A64D1F 00A64D1F Main JMP SHORT 00A64D23 00A64D23 Main JMP SHORT 00A64D28 00A64D28 Main PUSH DWORD PTR FS:[0] 00A64D2F Main JMP SHORT 00A64D32 00A64D32 Main PUSH 14C99F1 00A64D37 Main JMP SHORT 00A64D3A 00A64D3A Main POP DWORD PTR SS:[ESP] 00A64D3E Main POP EBP Access violation when reading [014C9A20]

Well at this call we will get alert from Olly about access violation
A64D3F FF55 2F CALL DWORD PTR SS:[EBP+2F

all we are going to do is press space-bar and just nop this call we will have automatic 3 nop now continue trace after the nop and the next call will be the same prob and same solution just nop it and again trace with F8 , and again we have same prob same solution just nop it !

we will have this after the 3rd nop :

now continue to trace with F8 and u will be like this : we will make that jmp and then will be at the same prob with this line :
A64D57 66:8105 3A9A4C01>ADD WORD PTR DS:[14C9A3A],0AB25

well again same solution just nop it ! "Till when we will going to stop this ? " u must ask u'r self .. well we need to get to a simple command called : Push EBP This is one of the ways it could look like .. it also could look like : MOV DWORD PTR SS:[ESP+4],EBP same as Push EBP Well as soon as we will find one of those .. we found our Stolen bytes So lets continue .. press F8 again after the nop and we will have
A64D60 EB 01 JMP SHORT 00A64D63

after this jump we will be in this really nice code :

00A64D63 00A64D64 00A64D66 55 8BEC 81EC 0C000000 PUSH EBP MOV EBP,ESP SUB ESP,0C -- Stolen !! -- Stolen !! -- Stolen !!

00A64D6C 66:8105 4F9A4C01>ADD WORD PTR DS:[14C9A4F],0AB25 -> this line is invalid Access Violation ..

well now let continue tracing and nop that lil add word command and then we will be here after the trace :
A64D75 00A64D78 EB 01 53 JMP SHORT 00A64D78 we will jump PUSH EBX - another stolen bytes

00A64D79 66:8105 5C9A4C01>ADD WORD PTR DS:[14C9A5C],0AB25 this is invalid Access Violation .

now we will continue the trace and nop that : ADD Word and we will trace till here :
00A64D85 00A64D87 00A64D89 00A64D8C EB 02 83EC 2C 83C4 28 JMP SHORT 00A64D89 SUB ESP,2C ADD ESP,28

ok now after those two Sub and ADD we know that the Stolen Bytes are over .. If u will continue with this tracing u will see that its the same kind of code all over again and again and again . So.. what do we have ??
PUSH EBP MOV EBP,ESP SUB ESP,0C PUSH EBX

If u would look at the op codes of the command :

81EC 0C000000 SUB ESP,0C

we see that its a lot of bytes .. so we will change it from SUB command to an ADD like this :
ADD ESP, -0C

This will take only 3 Bytes !!! and not like before 6 bytes Now this is very important .. we need to reset our debugging (ctrl+F2) and retrace :
TC EIP<900000

And after the tracing we need to look where we landed .. We landed here :
00405214 -FF25 DC914300 JMP DWORD PTR DS:[4391DC]

this will jump to ASPR code :

00A51C64 55 PUSH EBP 00A51C65 8BEC MOV EBP,ESP 00A51C67 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00A51C6A 85C0 TEST EAX,EAX 00A51C6C 75 13 JNZ SHORT 00A51C81 00A51C6E 813D A47AA500 00>CMP DWORD PTR DS:[A57AA4],400000 ASCII "MZP"

00A51C78 75 07 JNZ SHORT 00A51C81 00A51C7A A1 A47AA500 MOV EAX,DWORD PTR DS:[A57AA4] 00A51C7F EB 06 JMP SHORT 00A51C87 00A51C81 50 PUSH EAX 00A51C82 E8 3135FFFF CALL 00A451B8 JMP to kernel32.GetModuleHandleA 00A51C87 5D POP EBP 00A51C88 C2 0400 RETN 4

if u will trace with F8 this code u will get to the last:

RET 4

This "ret 4" is not a plain "ret" this mean for us that before this Procedure was called there was a PUSH before we called this procedure . so trace after the "RET 4" And u will be here :
00405314 00405315 00405317 0040531C 00405321 00405322 00405328 0040532B 00405330 00405331 00405332 00405337 50 6A 00 E8 F8FEFFFF BA 9C704300 52 8905 B8844300 8942 04 E8 98FFFFFF 5A 58 E8 15E1FFFF C3 PUSH EAX PUSH 0 CALL ACopy.00405214 MOV EDX,ACopy.0043709C we ret to here! PUSH EDX MOV DWORD PTR DS:[4384B8],EAX MOV DWORD PTR DS:[EDX+4],EAX CALL ACopy.004052C8 POP EDX POP EAX CALL ACopy.0040344C RETN

if u will scroll a bit up u will see that there was a push to EAX value and a0 this means that the value of EAX is important to us when u will trace the command : POP EAX and execute it pleas Write down the value of EAX.. EAX= D9C .. we will need it later.. when ImpREC will fix the procedure of aspr code to an API we will need to push the right value to it .. or else it will crash after the "Ret" we will return to the main retina of the unpacked file
00436EAD 8B1D 907A4300 ACopy.004386E8 00436EB3 8B03 00436EB5 E8 FA25FFFF 00436EBA 8B0D 0C7B4300 ACopy.00438774 00436EC0 8B03 00436EC2 8B15 10374300 ACopy.00433750 00436EC8 E8 FF25FFFF 00436ECD 8B0D 707A4300 ACopy.00438750 00436ED3 8B03 00436ED5 8B15 C0274300 ACopy.00432800 MOV EBX,DWORD PTR DS:[437A90] MOV EAX,DWORD PTR DS:[EBX] CALL ACopy.004294B4 MOV ECX,DWORD PTR DS:[437B0C] MOV EAX,DWORD PTR DS:[EBX] MOV EDX,DWORD PTR DS:[433710] CALL ACopy.004294CC MOV ECX,DWORD PTR DS:[437A70] MOV EAX,DWORD PTR DS:[EBX] MOV EDX,DWORD PTR DS:[4327C0] ;

00436EDB E8 EC25FFFF 00436EE0 8B0D 047A4300 ACopy.00438764 00436EE6 8B03 00436EE8 8B15 DC324300 ACopy.0043331C 00436EEE E8 D925FFFF 00436EF3 8B0D BC7A4300 ACopy.0043876C 00436EF9 8B03 00436EFB 8B15 28354300 ACopy.00433568 00436F01 E8 C625FFFF 00436F06 8B03 00436F08 E8 4B26FFFF 00436F0D 5B 00436F0E E8 45C6FCFF

CALL ACopy.004294CC MOV ECX,DWORD PTR DS:[437A04] MOV EAX,DWORD PTR DS:[EBX] MOV EDX,DWORD PTR DS:[4332DC] CALL ACopy.004294CC MOV ECX,DWORD PTR DS:[437ABC] MOV EAX,DWORD PTR DS:[EBX] MOV EDX,DWORD PTR DS:[433528] CALL ACopy.004294CC MOV EAX,DWORD PTR DS:[EBX] CALL ACopy.00429558 POP EBX CALL ACopy.00403558

so lets try to make sense of all we got here we know that the main retina should look like this :
Code_OEP : PUSH EBP MOV EBP,ESP ADD ESP, -0C PUSH EBX CALL some_procedure PUSH PUSH CALL that

The procedure we called

EAX 0 ACopy.00405214 aspr code later will be fixed by ImpREC

---Ret Continue the main app code

We can see clearly that we cant just call the procedure without inserting a value to EAX ! because of that the stolen bytes will be like this :
PUSH EBP MOV EBP,ESP ADD ESP, -0C PUSH EBX MOV EAX , 55 8B EC 83 C4 F4 53 B8 9C 6D 43 00 1 2 3 1 5 byte byte byte byte byte

D9C

Sum of : 12(Dec) == C (Hex) stolen bytes

now its time to reinsert the stolen bytes to Dumped and ImpREC'ed fixed file open HView and go to the address that we wrote as OEP : 436EAD now u should see this :

now start tracing back by pressing with u'r left arrow until u will see many 00 00 00 like this :

so as we can see our Stolen bytes will ends at : 436EA8 (not 436EA7 !!!) so lets see where we should start writing our Stolen bytes : we have : C (Hex) stolen bytes so : 436EA8 C = 436E9C now go to : 436E9C and start writing down the stolen bytes we found :
PUSH EBP MOV EBP,ESP ADD ESP, -0C PUSH EBX MOV EAX , 55 8B EC 83 C4 F4 53 B8 9C 6D 43 00 1 2 3 1 5 byte byte byte byte byte

D9C

For the last part all we need to do is open an PE-Editor and Change the OEP of the file like this : OUR_OEP_RVA Image Base = EP 436EA8 400000 = 36EA8

Press OK and Exit .. Thats it .. We Are Done !! :D

ASPR Stolen Bytes Part II

This is the Second way of ASPR Stolen bytes that exists so .. I will just show what is done just for the Stolen Bytes and then will give only general info about the value of standard thing we need to find and found.. This time we are going to Unpack an app called : Proactive Windows Security Explorer v1.00b3(build 1225) Step #1 - Killing ASPR anti Debugging Apply the entire first tut about this part

Step #2 - Finding The OEP for Dumping Like the first tut : Press F9 and then Shift+F9 till u will be at the last one that u are able to Press F9 then set a Break Point on the Ret down then Press Shift+F9 and let it break there ..
003E3CAB 003E3CAD 003E3CB4 003E3CB5 003E3CBC 003E3CBE 003E3CC0 003E3CC5 003E3CC8 003E3CCD 003E3CD2 003E3CD5 003E3CD8 003E3CDB 003E3CDE 003E3CE0 003E3CE2 003E3CE5 003E3CE8 3100 64:8F05 00000000 58 833D BC7E3E00 00 74 14 6A 0C B9 BC7E3E00 8D45 F8 BA 04000000 E8 3ED3FFFF FF75 FC FF75 F8 8B45 F4 8338 00 74 02 FF30 FF75 F0 FF75 EC C3 XOR DWORD PTR DS:[EAX],EAX POP DWORD PTR FS:[0] POP EAX CMP DWORD PTR DS:[3E7EBC],0 JE SHORT 003E3CD2 PUSH 0C MOV ECX,3E7EBC LEA EAX,DWORD PTR SS:[EBP-8] MOV EDX,4 CALL 003E1010 PUSH DWORD PTR SS:[EBP-4] PUSH DWORD PTR SS:[EBP-8] MOV EAX,DWORD PTR SS:[EBP-C] CMP DWORD PTR DS:[EAX],0 JE SHORT 003E3CE2 PUSH DWORD PTR DS:[EAX] PUSH DWORD PTR SS:[EBP-10] PUSH DWORD PTR SS:[EBP-14] RETN -- SET BP HERE !!!

Now set a command line with pressing Alt+F1 to : TC EIP<900000 And press enter and let it trace.. the OEP after the Stolen Bytes is : 43396B (Write it down we will need it) u will be here :
0043396B 00433971 00433973 FF15 1C724500 33D2 8AD4 CALL DWORD PTR DS:[45721C] XOR EDX,EDX MOV DL,AH

00433975 0043397B 0043397D 00433983 00433989 0043398C 0043398E 00433994 00433997 0043399C

8915 A4435400 8BC8 81E1 FF000000 890D A0435400 C1E1 08 03CA 890D 9C435400 C1E8 10 A3 98435400 6A 01

MOV DWORD PTR MOV ECX,EAX AND ECX,0FF MOV DWORD PTR SHL ECX,8 ADD ECX,EDX MOV DWORD PTR SHR EAX,10 MOV DWORD PTR PUSH 1

DS:[5443A4],EDX

DS:[5443A0],ECX

DS:[54439C],ECX DS:[544398],EAX

this is a normal Call in the main procedure.. we will make our Dump of process now .. Open ProcDump/LordPE and dump fully the process . Step #3 - Fixing the Import API's Table (IAT) Open ImpREC while the app is paused at the OEP and Choose our running process .. Choose : IAT AutoSearch Now u will see that the Size if nice.. and big like it should be : 6D8 So this time we don't need to change it to : 1000 Now press Get Imports And do like the first tut : Trace Level 1 Then Plugin Asprotect 1.22 .. But this time there is none invalid Thunks like before .. so we are lucky.. Now fix the dump file .. Step #4 - Finding the Stolen bytes and re-insert them Like before We have still OllyDbg at the OEP (if not make it so) Now go to the menu and choose : View -> Run Trace This will show u all the code we traced to get to the OEP Go down with the scroll and then u will see that there is allot of this command : REP STOS BYTE PTR ES:[EDI] And again like before : lets restart our debugging by pressing Ctrl+F2 and then kill the antiDebugging and get to the place that from there we done the Trace command . but now we will not set a trace command of conditional tracing but we will put a trace for command (Ctrl+T): REP STOS BYTE PTR ES:[EDI] Now press F11 to start trace.. When we will break on this command we need to change it to : (By pressing space bar)

Jmp EDI Now we will start tracing the "jmp edi" with F8 till we will get to an access violation an we will be here :
00A75E1A EB 02 JMP SHORT 00A75E1E 00A75E1C CD 20 INT 20 00A75E1E 36:EB 02 JMP SHORT 00A75E23 ; Superfluous prefix 00A75E21 CD 20 INT 20 00A75E23 26:EB 02 JMP SHORT 00A75E28 ; Superfluous prefix 00A75E26 CD 20 INT 20 00A75E28 68 BE04336F PUSH 6F3304BE 00A75E2D 0E PUSH CS 00A75E2E 895424 04 MOV DWORD PTR SS:[ESP+4],EDX 00A75E32 66:8135 56BC4E01>XOR WORD PTR DS:[14EBC56],1BBD this is the access violation..

now we will nop all access violation we will get (space bar and : nop command like before) till we will get to a : PUSH EBP Or MOV DWORD PTR SS:[ESP+4],EBP same as Push ebp So if u traced and "nop" all access violation u should get to a "jmp short" and get here :
64:FF35 00000000 PUSH DWORD PTR FS:[0] 0E PUSH CS 896C24 04 MOV DWORD PTR SS:[ESP+4],EBP here !!! 66:8135 C9BC4E01>XOR WORD PTR DS:[14EBCC9],1BBD access violation F2: PREFIX REPNE:

Ok so .. our first stole byte was found ("Push Ebp") trace it and the nop the access violation at that :
XOR WORD PTR DS:[14EBCC9],1BBD"

Now after u will trace the command : " PREFIX

REPNE"

u will be here :

00A75EB2 8D6424 04 LEA ESP,DWORD PTR SS:[ESP+4] getting address ready for ESP so Stolen bytes can continue .. 00A75EB6 8BEC MOV EBP,ESP - Stolen 00A75EB8 6A FF PUSH -1 - Stolen 00A75EBA 68 C8C94500 PUSH 45C9C8 - Stolen 00A75EBF 68 C0744300 PUSH 4374C0 - Stolen 00A75EC4 64:A1 00000000 MOV EAX,DWORD PTR FS:[0] - Stolen 00A75ECA EB 02 JMP SHORT 00A75ECE - jmps to more stolen bytes 00A75ECC CD 20 INT 20

00A75ECE EB 02 JMP SHORT 00A75ED2 - we jmp to here 00A75ED0 CD 20 INT 20 00A75ED2 66:812D F6BC4E01>SUB WORD PTR DS:[14EBCF6],0D03E Access violation !!!

so if u traced this code we found that there are more stolen bytes and the jmps and get stuck at another access violation :
SUB WORD PTR DS:[14EBCF6],0D03E

So now "nop" this so we can continue :

A75EDB EB 01 JMP SHORT 00A75EDE

we will jmp to here : 00A75EDE 64:FF35 00000000 PUSH DWORD PTR FS:[0] 00A75EE5 0E PUSH CS 00A75EE6 894424 04 MOV DWORD PTR SS:[ESP+4],EAX 00A75EEA 66:8135 0EBD4E01>XOR WORD PTR DS:[14EBD0E],1BBD 00A75EF3 F2: PREFIX REPNE: Superfluous prefix 00A75EF4 EB 01 JMP SHORT 00A75EF7 00A75EF6 -0F8D 64240464 JGE 64AB8360 00A75EFC 8925 00000000 MOV DWORD PTR DS:[0],ESP 00A75F02 83EC 58 SUB ESP,58 00A75F05 EB 02 JMP SHORT 00A75F09 00A75F07 CD 20 INT 20 00A75F09 EB 02 JMP SHORT 00A75F0D 00A75F0B CD 20 INT 20 00A75F0D 66:812D 31BD4E01>SUB WORD PTR DS:[14EBD31],0D03E

as u can see :
00A75EDE 00A75EE5 00A75EE6 64:FF35 00000000 PUSH DWORD PTR FS:[0] 0E PUSH CS 894424 04 MOV DWORD PTR SS:[ESP+4],EAX push eax

like at "push ebp" we have the same thing . we have 2 commands that are preparing the address we need :
00A75EDE 00A75EE5 64:FF35 00000000 PUSH DWORD PTR FS:[0] 0E PUSH CS

and then come the stolen byte :

00A75EE6 894424 04 MOV DWORD PTR SS:[ESP+4],EAX push eax

so now we have another stolen byte.. lets continue tracing and we will get to the access violation :

XOR WORD PTR DS:[14EBD0E],1BBD

Just "nop" it so we can continue .. and after the command :

PREFIX REPNE

We will be here :
00A75EF7 8D6424 04 LEA 00A75EFB 64:8925 00000000 MOV 00A75F02 83EC 58 SUB 00A75F05 EB 02 JMP 00A75F07 CD 20 INT 00A75F09 EB 02 JMP 00A75F0B CD 20 INT 00A75F0D 66:812D 31BD4E01>SUB violation !!! 00A75F16 EB 01 JMP ESP,DWORD PTR SS:[ESP+4]- setting ESP DWORD PTR FS:[0],ESP - Stolen ESP,58 - Stolen SHORT 00A75F09 20 SHORT 00A75F0D 20 WORD PTR DS:[14EBD31],0D03E access SHORT 00A75F19

the command :
00A75EF7 8D6424 04 LEA ESP,DWORD PTR SS:[ESP+4]

is getting again a value for ESP so the stolen bytes can continue :
00A75EFB 00A75F02 64:8925 00000000 MOV DWORD PTR FS:[0],ESP 83EC 58 SUB ESP,58

now we have 2 more stolen bytes .. keep tracing till the access violation at command :
00A75F0D 66:812D 31BD4E01>SUB WORD PTR DS:[14EBD31],0D03E

just "nop" it so we could continue tracing

A75F16 EB 01 JMP SHORT 00A75F19

we will jmp to here :

00A75F19 00A75F20 00A75F21 00A75F25 00A75F2E 64:FF35 00000000 PUSH DWORD PTR FS:[0] getting ready 0E PUSH CS - getting ready 895C24 04 MOV DWORD PTR SS:[ESP+4],EBX Stolen 66:8135 49BD4E01>XOR WORD PTR DS:[14EBD49],1BBD -violation F2: PREFIX REPNE:

again as can see we have same code , 2 commands to set value for push and the push that is a stolen byte :
MOV DWORD PTR SS:[ESP+4],EBX

PUSH EBX

Now again we trace till access violation .. make it "nop" trace and get here :
00A75F32 00A75F36 00A75F38 00A75F3A A75F3E 8D6424 04 LEA EB 02 JMP CD 20 INT EB 02 JMP 66:812D 62BD4E01>SUB ESP,DWORD PTR SS:[ESP+4] getting ESP SHORT 00A75F3A jmps 20 SHORT 00A75F3E jmp again WORD PTR DS:[14EBD62],0D03E-violation

we will nop the access violation and continue here :

A75F47 EB 01 JMP SHORT 00A75F4A jmp

we will jump to here :

00A75F4A 00A75F51 00A75F52 00A75F56 00A75F5F 64:FF35 00000000 PUSH DWORD PTR FS:[0] getting ready 0E PUSH CS - getting ready 897424 04 MOV DWORD PTR SS:[ESP+4],ESI-Stolen 66:8135 7ABD4E01>XOR WORD PTR DS:[14EBD7A],1BBD-violation F2: PREFIX REPNE:

as u can see .. its the same.. 2 commands to get value and then a stolen byte of push :
MOV DWORD PTR SS:[ESP+4],ESI

PUSH ESI

After we will trace and nop the access violation we will get here :
00A75F63 00A75F67 00A75F69 00A75F6B 00A75F6D 8D6424 04 EB 02 CD 20 EB 02 CD 20 LEA JMP INT JMP INT ESP,DWORD PTR SS:[ESP+4] SHORT 00A75F6B 20 SHORT 00A75F6F 20

nothing is done in this code .. keep tracing and u will get to here : 00A75F7B 00A75F82 00A75F83 00A75F87 00A75F90 64:FF35 00000000 PUSH DWORD PTR FS:[0] getting ready 0E PUSH CS -getting ready 897C24 04 MOV DWORD PTR SS:[ESP+4],EDI Stolen ! 66:8135 ABBD4E01>XOR WORD PTR DS:[14EBDAB],1BBD-violation F2: PREFIX REPNE:

in this code we get more stolen byte :

MOV DWORD PTR SS:[ESP+4],EDI

PUSH EDI

Keep tracing (after "nop") and u will get here :

00A75F94 00A75F98 00A75F9B 00A75F9D 00A75F9F 00A75FA1 00A75FA3 00A75FA8 00A75FAD

8D6424 04 8965 E8 EB 02 CD 20 EB 02 CD 20 68 6B394300 68 7A5DA700 C3

LEA ESP,DWORD PTR SS:[ESP+4]getting ready MOV DWORD PTR SS:[EBP-18],ESP end JMP SHORT 00A75F9F INT 20 JMP SHORT 00A75FA3 INT 20 PUSH 43396B fake OEP PUSH 0A75D7A To return to RETN

well we see thats its all over .. it ends the stolen bytes and pushes 2 addresses :
00A75FA3 00A75FA8 68 6B394300 68 7A5DA700 PUSH 43396B fake OEP PUSH 0A75D7A To return to when ret

so our stolen bytes are :

896C24 04 MOV DWORD PTR SS:[ESP+4],EBP --- PUSH EBP 1 Byte ! (55) 8BEC MOV EBP,ESP 6A FF PUSH -1 68 C8C94500 PUSH 45C9C8 68 C0744300 PUSH 4374C0 64:A1 00000000 MOV EAX,DWORD PTR FS:[0] 894424 04 MOV DWORD PTR SS:[ESP+4],EAX --- PUSH EAX 1 byte ! (50) 64:8925 00000000 MOV DWORD PTR FS:[0],ESP 83EC 58 SUB ESP,58 895C24 04 MOV DWORD PTR SS:[ESP+4],EBX --- PUSH EBX 1 byte ! (53) 897424 04 MOV DWORD PTR SS:[ESP+4],ESI --- PUSH ESI 1 byte ! (56) 897C24 04 MOV DWORD PTR SS:[ESP+4],EDI --- PUSH EDI 1 byte ! (57)

so it would look like this :

PUSH EBP MOV EBP,ESP PUSH -1 PUSH 45C9C8 PUSH 4374C0 MOV EAX,DWORD PTR FS:[0] PUSH EAX MOV DWORD PTR FS:[0],ESP SUB ESP,58 PUSH EBX PUSH ESI PUSH EDI - 55 - 8B EC - 6A FF - 68 c8 c9 45 00 - 68 c0 74 43 00 - 64 a1 00 00 00 00 - 89 44 24 04 - 64 89 25 00 00 00 00 - 83 ec 58 - 53 - 56 - 57 -1 -2 -2 -5 -5 -6 -4 -7 -3 -1 -1 -1

so we have sum of : 38(Dec) = 26(hex) Stolen bytes so our real oep to put our stolen byte is : Fake_Oep StolenByte(hex) = 43396B -26 OEP = 433945 Open HView get to that address (OEP) and Write those in there and save Now fix the Entry Point of the file with PE-Editor to EP = Image_base OEP = 433945-400000 = 33945

Save and Thats all .. NOTE: I had to unpack many deferent targets to see this thing at the stolen bytes .. this will not allwes be like in this tut ! the "get ready" commands are changing from app to another .. So :
LEA ESP,DWORD PTR SS:[ESP+4]getting ready

And :
PUSH DWORD PTR FS:[0] getting ready PUSH CS - getting ready

Are only for this app!!! U need to find u'r self the pattern it will be used in other apps .. and trust me .. its really easy to see them .. :D Special Thanks Eternal Bliss- without u'r tut I would never learn how to unpack.. MackT Without u'r GR8 tool we would have worked allot harder .. Oleh Yuschuk tnx for the GR8 tool OllyDbg .. I hope that u will continue doing more upgrades to that tool.. #Unpacking Gods tnx for helping me when I was in the wrong way WoodMann.cjb.net all ppl at this board .. keep having fun.. And all other ppl that I probably forgot...