Hier poste ich ASM- und Reversing-Zeugs, das ich nicht in einen eigenen Thread packen kann, da es sich nicht lohnen würde.
ASProtect OEP - [MASM]
Da ich eigentlich vorhatte, einen ASProtect-Unpacker zu schreiben, und mir dann die Lust daran vergangen ist, packe ich hier mal meinen momentanen Source rein.
Was Fehlt:
Bei Fragen oder so bitte einfach melden 
Vielleicht werde ich das Programm noch vollenden (oder jemand anderes?), da ich eigentlich einen Ersatz für stripper brauche, weil dieser auf meinem PC nicht funktioniert, und DecomAS versagt sowieso bei jeder UnpackMe, die ich da reingejagt habe.
Was Fehlt:
- IAT-Fixer (Obfuscated Calls)
- Stolen Bytes
Code:
ifndef _UNPROTECT__ASPROTECT
_UNPROTECT__ASPROTECT equ<1>
include extension.asm
.const
;= Load types for aspr_load =;
ASPR_EXE equ 0 ; LoadType: start the target as a debuggee process (the only mode aspr_load handles)
ASPR_DLL equ 1 ; LoadType: declared, but aspr_load has no branch for it
ASPR_SCANSIZE equ 255 ; bytes copied out of the debuggee for one pattern scan
aspr_pattern_scan proto :DWORD, :DWORD, :DWORD, :DWORD, :DWORD ; forward decl: (ProcHandle, Address, ScanSize, Pattern, PatternSize)
.data?
ASPR_PI PROCESS_INFORMATION <?> ; debuggee handles/ids, filled in by CreateProcess in aspr_load
ASPR_CodeSection dd ? ; absolute address of the debuggee's first section (set by aspr_get_codesection)
ASPR_CodeSize dd ? ; VirtualSize of that section (set by aspr_get_codesection)
ASPR_FileHandle dd ? ; hFile from CREATE_PROCESS_DEBUG_EVENT; used to map the original image
.data
;= Pattern =;
; 9-byte signatures searched in the ASPR_SCANSIZE bytes after EIP on each access violation (see aspr_load)
ASPR_PATTERN db 31h, 00h, 64h, 8Fh, 05h, 00h, 00h, 00h, 00h ; xor dword ptr ds:[eax], eax,\ pop dword ptr fs:[0]
ASPR_PATTERN_RET db 0FFh, 030h, 0FFh, 075h, 0F0h, 0FFh, 075h, 0ECh, 0C3h ; push dword ptr ds:[eax],\ push dword ptr ss:[ebp-10h],\ push dword ptr ss:[ebp-14h],\ retn
ASPR_PATTERN_ZERO db 00h, 00h, 00h, 00h ; not referenced anywhere in this file
;= Patches =;
; written into the debuggee with WriteProcessMemory (see aspr_load)
ASPR_PATCH_INT3 db 0CCh, 90h, 90h ; int 3,\ nop,\ nop - replaces the 3-byte push at offset 5 of ASPR_PATTERN_RET
ASPR_PATCH_BACK db 0FFh, 75h, 0ECh ; push dword ptr ss:[ebp-14h] - the original bytes, restored once the int3 fires
ASPR_DBG_PATCH db 0C6h, 40h, 02h, 00h ; mov byte ptr ds:[eax+2], 00 - dropped into IsDebuggerPresent so it reports "no debugger"
.code
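;-----------------------------------------------------------------------
; aspr_dumpfile(DumpName, EntryPoint)
; Writes the debuggee's in-memory image (ASPR_PI.hProcess) to DumpName and
; rewrites the PE headers so the file loads as a flat memory image:
;   AddressOfEntryPoint = EntryPoint - ImageBase, SizeOfImage kept,
;   every section: PointerToRawData = VirtualAddress,
;                  SizeOfRawData = VirtualSize rounded up to SectionAlignment.
; In:    DumpName   = path of the dump file (ASCIIZ), created with CREATE_ALWAYS
;        EntryPoint = absolute OEP inside the debuggee
; Uses:  ASPR_FileHandle (original file; source of ImageBase/SizeOfImage)
;        ASPR_PI.hProcess (debuggee; the caller suspends it before calling)
; Out:   eax = 1 on success, 0 on failure (the reason is logged)
; Regs:  all preserved (pushad/popad)
; Changes vs. the previous version: every Win32 result is checked, all
; handles/buffers are released on one exit path (MEM_RELEASE instead of
; MEM_DECOMMIT), the per-section ReadProcessMemory that targeted MapView
; after it was unmapped is gone (the whole-image read already holds the
; bytes), and sections get READ|EXECUTE as well as WRITE.
; NOTE(review): SizeOfHeaders is forced to 1000h rather than derived from the
;               headers, and the whole image is switched to RWX for the read
;               and then "restored" to the first page's old protection - both
;               inherited from the original; confirm against real dumps.
;-----------------------------------------------------------------------
aspr_dumpfile proc DumpName:DWORD, EntryPoint:DWORD
LOCAL MapHandle:DWORD, MapView:DWORD, DmpFileHandle:DWORD, DmpMapHandle:DWORD, DmpMapView:DWORD, ImageBase:DWORD, ImageSize:DWORD, SecStart:DWORD, SecSize:DWORD, Buffer:DWORD, OldProtect:DWORD, Tmp:DWORD, rw:DWORD, Success:DWORD
    pushad
    mov rw, 0
    mov Success, 0
    ; zero every resource slot so dump_done can release only what was acquired
    mov Buffer, 0
    mov DmpFileHandle, 0
    mov DmpMapHandle, 0
    mov DmpMapView, 0

    ;--- ImageBase / SizeOfImage from the original file's headers ---
    invoke CreateFileMapping, ASPR_FileHandle, 0, PAGE_READONLY, 0, 0, 0
    .if eax == 0
        invoke GetLastError
        log _strfm('Failed to map file [0x%X]', eax)
        jmp dump_done
    .endif
    mov MapHandle, eax
    invoke MapViewOfFile, MapHandle, FILE_MAP_READ, 0, 0, 0
    .if eax == 0
        invoke GetLastError
        log _strfm('Failed to create map view [0x%X]', eax)
        invoke CloseHandle, MapHandle
        jmp dump_done
    .endif
    mov MapView, eax
    mov esi, eax
    assume esi:ptr IMAGE_DOS_HEADER
    add esi, [esi].e_lfanew                 ; esi = PE header
    assume esi:ptr IMAGE_NT_HEADERS
    m2m ImageBase, [esi].OptionalHeader.ImageBase
    m2m ImageSize, [esi].OptionalHeader.SizeOfImage
    assume esi:ptr NOTHING
    invoke UnmapViewOfFile, MapView
    invoke CloseHandle, MapHandle

    ; the OEP must lie above ImageBase, otherwise the RVA computed below wraps
    mov ebx, EntryPoint
    .if ebx < ImageBase
        log _strfm('Entry point 0x%X lies below ImageBase', ebx)
        jmp dump_done
    .endif

    ;--- copy the whole image out of the debuggee ---
    invoke VirtualAlloc, 0, ImageSize, MEM_COMMIT, PAGE_READWRITE
    .if eax == 0
        invoke GetLastError
        log _strfm('Failed to allocate dump buffer [0x%X]', eax)
        jmp dump_done
    .endif
    mov Buffer, eax
    ; make every page readable for the copy (a guard/no-access page would fail the read)
    invoke VirtualProtectEx, ASPR_PI.hProcess, ImageBase, ImageSize, PAGE_EXECUTE_READWRITE, addr OldProtect
    invoke ReadProcessMemory, ASPR_PI.hProcess, ImageBase, Buffer, ImageSize, addr rw
    push eax                                ; keep the read result across the restore
    ; VirtualProtectEx needs a real lpflOldProtect pointer; a NULL there makes it fail
    invoke VirtualProtectEx, ASPR_PI.hProcess, ImageBase, ImageSize, OldProtect, addr Tmp
    pop eax
    .if eax == 0
        invoke GetLastError
        log _strfm('Failed to read image from process [0x%X]', eax)
        jmp dump_done
    .endif

    ;--- write the raw image ---
    invoke CreateFile, DumpName, GENERIC_WRITE + GENERIC_READ, 0, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0
    .if eax == INVALID_HANDLE_VALUE
        invoke GetLastError
        log _strfm('Failed to create dump file [0x%X]', eax)
        jmp dump_done
    .endif
    mov DmpFileHandle, eax
    invoke WriteFile, DmpFileHandle, Buffer, ImageSize, addr rw, 0
    .if eax == 0
        invoke GetLastError
        log _strfm('Failed to write dump file [0x%X]', eax)
        jmp dump_done
    .endif
    log _str('Saved dump!')

    ;--- fix the headers in place through a writable mapping of the dump ---
    invoke CreateFileMapping, DmpFileHandle, 0, PAGE_READWRITE, 0, 0, 0
    .if eax == 0
        invoke GetLastError
        log _strfm('Failed to map dump file [0x%X]', eax)
        jmp dump_done
    .endif
    mov DmpMapHandle, eax
    invoke MapViewOfFile, DmpMapHandle, FILE_MAP_ALL_ACCESS, 0, 0, 0
    .if eax == 0
        invoke GetLastError
        log _strfm('Failed to create dump map view [0x%X]', eax)
        jmp dump_done
    .endif
    mov DmpMapView, eax
    mov esi, eax
    assume esi:ptr IMAGE_DOS_HEADER
    add esi, [esi].e_lfanew                 ; esi = PE header inside the dump
    assume esi:ptr IMAGE_NT_HEADERS
    mov edx, esi
    add edx, sizeof IMAGE_NT_HEADERS        ; edx = first section header (assumes a PE32 optional header)
    assume edx:ptr IMAGE_SECTION_HEADER

    ; entry point is stored as an RVA
    mov ebx, EntryPoint
    sub ebx, ImageBase
    m2m [esi].OptionalHeader.AddressOfEntryPoint, ebx
    m2m [esi].OptionalHeader.SizeOfImage, ImageSize
    mov [esi].OptionalHeader.SizeOfHeaders, 1000h  ; hard-coded, see NOTE above
    movzx ecx, [esi].FileHeader.NumberOfSections    ; ecx = sections left to fix
    log _str('Fixing sections...')
    .while ecx != 0
        pushad
        m2m SecStart, [edx].VirtualAddress
        m2m SecSize, [edx].Misc.VirtualSize
        ; round VirtualSize up to SectionAlignment (skipped if the alignment is 0)
        mov ebx, [esi].OptionalHeader.SectionAlignment
        .if ebx != 0
            mov eax, SecSize
            push edx                        ; edx still addresses the section header
            xor edx, edx                    ; edx:eax / ebx
            div ebx
            mov eax, edx                    ; eax = SecSize mod SectionAlignment
            pop edx
            .if eax != 0
                sub SecSize, eax
                add SecSize, ebx
            .endif
        .endif
        ; the file is a flat memory image: raw layout == virtual layout
        m2m [edx].PointerToRawData, SecStart
        m2m [edx].Misc.VirtualSize, SecSize
        m2m [edx].SizeOfRawData, SecSize
        ; unpacked code is read, written and executed in place; WRITE alone left
        ; the sections without READ/EXECUTE
        mov [edx].Characteristics, IMAGE_SCN_CNT_CODE or IMAGE_SCN_MEM_EXECUTE or IMAGE_SCN_MEM_READ or IMAGE_SCN_MEM_WRITE
        lea eax, [edx].Name1                ; 8 bytes, not guaranteed NUL-terminated
        log _strfm('Section "%s" fixed.', eax)
        popad
        add edx, sizeof IMAGE_SECTION_HEADER
        dec ecx
    .endw
    log _strfm('%X',[esi].OptionalHeader.AddressOfEntryPoint)
    assume esi:ptr NOTHING
    assume edx:ptr NOTHING
    ;invoke aspr_rebuild_imports, DumpName  ; IAT rebuild still to be written
    mov Success, 1
    log _str('Fixed !')

dump_done:
    ; single exit: release whatever was acquired, in reverse order
    .if DmpMapView != 0
        invoke UnmapViewOfFile, DmpMapView
    .endif
    .if DmpMapHandle != 0
        invoke CloseHandle, DmpMapHandle
    .endif
    .if DmpFileHandle != 0
        invoke CloseHandle, DmpFileHandle
    .endif
    .if Buffer != 0
        invoke VirtualFree, Buffer, 0, MEM_RELEASE
    .endif
    popad
    mov eax, Success
    ret
aspr_dumpfile endp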
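;-----------------------------------------------------------------------
; aspr_get_codesection()
; Reads the first section header of the original file (ASPR_FileHandle) and
; publishes that section's range inside the debuggee:
;   ASPR_CodeSection = ImageBase + VirtualAddress of section #1
;   ASPR_CodeSize    = VirtualSize of section #1
; Out:   eax = 1 on success, 0 on failure (logged); the globals are left
;        untouched on failure
; Regs:  all preserved (pushad/popad)
; Changes vs. the previous version: an image with NumberOfSections == 0 is
; rejected instead of reading past the headers, the mapping handle is closed
; when MapViewOfFile fails, and the error format is 0x%X throughout.
; NOTE(review): "code section == first section" is an assumption about the
;               ASProtect layout, not something the headers guarantee, and
;               sizeof IMAGE_NT_HEADERS assumes a PE32 optional header.
;-----------------------------------------------------------------------
aspr_get_codesection proc
LOCAL MapHandle:DWORD, MapView:DWORD, Success:DWORD
    pushad
    mov Success, 0
    invoke CreateFileMapping, ASPR_FileHandle, 0, PAGE_READONLY, 0, 0, 0
    .if eax == 0
        invoke GetLastError
        log _strfm('Failed to map file [0x%X]', eax)
        popad
        xor eax, eax
        ret
    .endif
    mov MapHandle, eax
    invoke MapViewOfFile, MapHandle, FILE_MAP_READ, 0, 0, 0
    .if eax == 0
        invoke GetLastError
        log _strfm('Failed to create map view [0x%X]', eax)
        invoke CloseHandle, MapHandle
        popad
        xor eax, eax
        ret
    .endif
    mov MapView, eax
    mov esi, eax
    assume esi:ptr IMAGE_DOS_HEADER
    add esi, [esi].e_lfanew                 ; esi = PE header
    assume esi:ptr IMAGE_NT_HEADERS
    .if [esi].FileHeader.NumberOfSections == 0
        log _str('Image has no sections')
    .else
        mov edi, esi
        add edi, sizeof IMAGE_NT_HEADERS    ; edi = first section header
        assume edi:ptr IMAGE_SECTION_HEADER
        mov ebx, [edi].VirtualAddress
        add ebx, [esi].OptionalHeader.ImageBase
        mov ASPR_CodeSection, ebx
        m2m ASPR_CodeSize, [edi].Misc.VirtualSize
        assume edi:ptr NOTHING
        mov Success, 1
    .endif
    assume esi:ptr NOTHING
    invoke UnmapViewOfFile, MapView
    invoke CloseHandle, MapHandle
    popad
    mov eax, Success
    ret
aspr_get_codesection endp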
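;-----------------------------------------------------------------------
; aspr_pattern_scan(ProcHandle, Address, ScanSize, Pattern, PatternSize)
; Copies ScanSize bytes from Address in the debuggee into a local buffer and
; searches them for the PatternSize-byte signature at Pattern.
; In:    ProcHandle  = debuggee handle usable with ReadProcessMemory
;        Address     = start of the window inside the debuggee
;        ScanSize    = window length in bytes
;        Pattern     = local pointer to the signature
;        PatternSize = signature length (must be > 0)
; Out:   eax = absolute debuggee address of the first match, or -1 when there
;        is no match, the read fails, or the window is shorter than the pattern
; Regs:  all preserved (pushad/popad); DF is cleared for the string compare
; Changes vs. the previous version: the buffer is ScanSize bytes (it was
; PatternSize bytes while ASPR_SCANSIZE bytes were read into it), the read
; honours ScanSize and the byte count actually read, no candidate runs past
; the end of the window, and the buffer is released rather than decommitted.
;-----------------------------------------------------------------------
aspr_pattern_scan proc ProcHandle:DWORD, Address:DWORD, ScanSize:DWORD, Pattern:DWORD, PatternSize:DWORD
LOCAL Buffer:DWORD, rw:DWORD, Result:DWORD
    pushad
    mov rw, 0
    mov Result, -1
    mov Buffer, 0
    ; an empty pattern, or one longer than the window, can never match
    mov eax, PatternSize
    .if eax == 0
        jmp scan_done
    .endif
    .if eax > ScanSize
        jmp scan_done
    .endif
    invoke VirtualAlloc, 0, ScanSize, MEM_COMMIT, PAGE_READWRITE
    .if eax == 0
        invoke GetLastError
        log _strfm('Failed to allocate scan buffer [0x%X]', eax)
        jmp scan_done
    .endif
    mov Buffer, eax
    invoke ReadProcessMemory, ProcHandle, Address, Buffer, ScanSize, addr rw
    .if eax == 0
        invoke GetLastError
        log _strfm('Failed to read from process [0x%X]', eax)
        jmp scan_done
    .endif
    ; candidates = bytes actually read - PatternSize + 1 (rw may be a short read)
    mov ecx, rw
    .if ecx < PatternSize
        jmp scan_done
    .endif
    sub ecx, PatternSize
    inc ecx                                 ; ecx = candidate offsets left
    cld
    mov ebx, Buffer                         ; ebx = current candidate in the local copy
    .while ecx != 0
        push ecx
        mov esi, Pattern
        mov edi, ebx
        mov ecx, PatternSize
        repe cmpsb                          ; ZF=1 only if every byte matched
        pop ecx
        .if ZERO?
            mov eax, ebx
            sub eax, Buffer                 ; offset inside the window
            add eax, Address                ; -> absolute address in the debuggee
            mov Result, eax
            .break
        .endif
        inc ebx
        dec ecx
    .endw
scan_done:
    .if Buffer != 0
        invoke VirtualFree, Buffer, 0, MEM_RELEASE
    .endif
    popad
    mov eax, Result
    ret
aspr_pattern_scan endp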
;Currently only supports .exe
;-----------------------------------------------------------------------
; aspr_load(FileName, LoadType)
; Starts FileName as a debuggee and drives it to the ASProtect OEP:
;  1) on every EXCEPTION_ACCESS_VIOLATION: scan ASPR_SCANSIZE bytes from EIP
;     for ASPR_PATTERN and, directly behind it, for ASPR_PATTERN_RET;
;  2) when both are found, overwrite the "push dword ptr [ebp-14h]" before the
;     retn (offset 5 of the second pattern) with ASPR_PATCH_INT3;
;  3) on that EXCEPTION_BREAKPOINT: restore the bytes, then PAGE_GUARD the
;     first section of the image (aspr_get_codesection);
;  4) on the resulting STATUS_GUARD_PAGE_VIOLATION: take the dword at [esp]
;     as the OEP and hand it to aspr_dumpfile.
; The first breakpoint event is also used to patch IsDebuggerPresent inside
; the debuggee (IsHidden).
; In:    FileName = path of the protected executable (ASCIIZ)
;        LoadType = ASPR_EXE; any other value skips straight to ret
; Out:   eax = 0 when CreateProcess or a ReadProcessMemory/WriteProcessMemory
;        call fails. The debug loop has no exit, so on the ASPR_EXE path the
;        function otherwise never returns; for LoadType != ASPR_EXE eax is
;        left unchanged.
; Regs:  not preserved (no pushad/popad in this routine)
; NOTE(review): the protected binary really runs under CreateProcess here;
;               this routine observes it, it does not contain it.
; NOTE(review): BP_Set, BP_Reached, tib, pib and dbg_i are never initialised;
;               BP_Set is read on the first breakpoint (".if BP_Set == 1")
;               before any access violation could have set it.
; NOTE(review): EXIT_PROCESS_DEBUG_EVENT is not handled and the result of
;               WaitForDebugEvent is not checked, so the loop may spin once
;               the debuggee is gone.
;-----------------------------------------------------------------------
aspr_load proc FileName:DWORD, LoadType:DWORD
LOCAL DbgStatus:DWORD, tib:DWORD, pib:DWORD, dbg_i:DWORD, IsHidden:DWORD, DbgAddr:DWORD, DbgRAddr:DWORD, BP_Addr:DWORD, OldProtect:DWORD, OEP:DWORD, rw:DWORD
LOCAL BP_Set:BYTE, BP_Reached:BYTE, PG_Hit:BYTE
LOCAL segsel:LDT_ENTRY
LOCAL sui:STARTUPINFO
LOCAL dbg:DEBUG_EVENT
LOCAL ctx:CONTEXT
mov rw, 0
.if LoadType == ASPR_EXE
invoke RtlZeroMemory, addr sui, sizeof(STARTUPINFO)
invoke RtlZeroMemory, addr ASPR_PI, sizeof(PROCESS_INFORMATION)
invoke RtlZeroMemory, addr ctx, sizeof(CONTEXT)
; state flags: IsHidden = IsDebuggerPresent patched, PG_Hit = guard page armed, OEP = value read at [esp]
mov IsHidden, 0
mov BP_Addr, 0
mov PG_Hit, 0
mov OldProtect, 0
mov OEP, 0
mov sui.cb, sizeof(STARTUPINFO)
invoke GetStartupInfo, addr sui
; debug this process only (DEBUG_ONLY_THIS_PROCESS overrides DEBUG_PROCESS for children), no console window
invoke CreateProcess, FileName, 0, 0, 0, 0, DEBUG_ONLY_THIS_PROCESS + DEBUG_PROCESS + CREATE_NO_WINDOW, 0, 0, addr sui, addr ASPR_PI
.if eax == 0
invoke GetLastError
log _strfm('Failed to create process [0x%X]', eax)
xor eax, eax
ret
.endif
log _strfm('Process Created: %d', ASPR_PI.dwProcessId)
.while 1 ; Debug Loop
invoke WaitForDebugEvent, addr dbg, 0FFFFFFFFh ; INFINITE; return value not checked
.if dbg.dwDebugEventCode == CREATE_PROCESS_DEBUG_EVENT
; DbgStatus is first assigned here; it is reused unchanged for events this loop does not handle
m2m DbgStatus, DBG_EXCEPTION_NOT_HANDLED
; keep the image file handle so the headers can be mapped later (aspr_get_codesection, aspr_dumpfile)
m2m ASPR_FileHandle, dbg.u.CreateProcessInfo.hFile
.elseif dbg.dwDebugEventCode == EXCEPTION_DEBUG_EVENT
.if dbg.u.Exception.pExceptionRecord.ExceptionCode == EXCEPTION_ACCESS_VIOLATION
;Step 1) Catch Access violations until the last one, we will find this with pattern scanning ( We could count the Access Violation and subtract 1 but this is faster in my opinion )
m2m DbgStatus, DBG_EXCEPTION_NOT_HANDLED
invoke SuspendThread, ASPR_PI.hThread
mov ctx.ContextFlags, CONTEXT_FULL
invoke GetThreadContext, ASPR_PI.hThread, addr ctx ; ctx.regEip = where the AV happened
;Step 2) Scan for the patterns
; Scan for the first pattern:
; -
; xor dword ptr ds:[eax], eax
; pop dword ptr fs:[0]
; pop eax
; -
invoke aspr_pattern_scan, ASPR_PI.hProcess, ctx.regEip, ASPR_SCANSIZE, addr ASPR_PATTERN, 9
.if eax != -1
; second scan starts right behind the 9-byte first pattern (relative to EIP, not to the match address)
mov ebx, ctx.regEip
add ebx, 9
; Scan for the other pattern:
; -
; push dword ptr ds:[eax]
; push dword ptr ss:[ebp-10]
; push dword ptr ss:[ebp-14]
; retn
; -
invoke aspr_pattern_scan, ASPR_PI.hProcess, ebx, ASPR_SCANSIZE, addr ASPR_PATTERN_RET, 9
.if eax != -1
; +5 = the "push dword ptr [ebp-14h]" just before the retn; that is where the int3 goes
add eax, 5
mov BP_Addr, eax
;Step 3) Set a SoftwareBreakpoint ( Int3 )
invoke WriteProcessMemory, ASPR_PI.hProcess, BP_Addr, addr ASPR_PATCH_INT3, 3, addr rw
.if eax == 0
invoke GetLastError
log _strfm('Failed to write to process [0x%X]', eax)
xor eax, eax
ret ; returns with the thread still suspended and the debuggee alive
.endif
mov BP_Set, 1
.endif
.endif
invoke ResumeThread, ASPR_PI.hThread
.elseif dbg.u.Exception.pExceptionRecord.ExceptionCode == EXCEPTION_BREAKPOINT
m2m DbgStatus, DBG_CONTINUE
.if IsHidden == 0
;Just an easy patching of IsDebuggerPresent
; -
; movzx eax, byte ptr ds:[eax+2]
; to
; mov byte ptr ds:[eax+2], 00
; -
; NOTE(review): this resolves IsDebuggerPresent in *our* kernel32, reads the dword at +2 from the
; debuggee (treated as a pointer to the real implementation) and patches at that pointer +6. That
; only works if the debuggee shares our kernel32 layout and the export is a 6-byte jmp-thunk; it is
; not verified here - confirm on the target OS.
mov DbgAddr, 0
mov DbgRAddr, 0
mov ebx, _call(GetModuleHandle, _str('kernel32.dll'))
mov ebx, _call(GetProcAddress, ebx, _str('IsDebuggerPresent'))
add ebx, 2
invoke ReadProcessMemory, ASPR_PI.hProcess, ebx, addr DbgAddr, 4, addr rw
.if eax == 0
invoke GetLastError
log _strfm('Failed to read from process [0x%d]', eax)
xor eax, eax
ret
.endif
invoke ReadProcessMemory, ASPR_PI.hProcess, DbgAddr, addr DbgRAddr, 4, addr rw
.if eax == 0
invoke GetLastError
log _strfm('Failed to read from process [0x%d]', eax)
xor eax, eax
ret
.endif
add DbgRAddr, 6
invoke WriteProcessMemory, ASPR_PI.hProcess, DbgRAddr, addr ASPR_DBG_PATCH, 4, addr rw
.if eax == 0
invoke GetLastError
log _strfm('Failed to write to process [0x%d]', eax)
xor eax, eax
ret
.endif
mov IsHidden, 1
log _str('I am a ninja now!')
.endif
; NOTE(review): BP_Set is uninitialised on the very first breakpoint (the initial debugger break)
.if BP_Set == 1
m2m DbgStatus, DBG_EXCEPTION_NOT_HANDLED
invoke SuspendThread, ASPR_PI.hThread
;Restore the bytes
invoke WriteProcessMemory, ASPR_PI.hProcess, BP_Addr, addr ASPR_PATCH_BACK, 3, addr rw
.if eax == 0
invoke GetLastError
log _strfm('Failed to write to process [0x%X]', eax)
xor eax, eax
ret
.endif
;Step 4) Protect the CodeSection
;=> Get the code section <=;
invoke aspr_get_codesection
.if eax == 1
; the first execution/access inside the section raises STATUS_GUARD_PAGE_VIOLATION (Step 5)
invoke VirtualProtectEx, ASPR_PI.hProcess, ASPR_CodeSection, ASPR_CodeSize, PAGE_READWRITE + PAGE_GUARD, addr OldProtect
mov PG_Hit, 1
mov BP_Set, 0
.endif
invoke ResumeThread, ASPR_PI.hThread
.endif
.elseif dbg.u.Exception.pExceptionRecord.ExceptionCode == STATUS_GUARD_PAGE_VIOLATION
m2m DbgStatus, DBG_CONTINUE
.if PG_Hit == 1
m2m DbgStatus, DBG_EXCEPTION_NOT_HANDLED
;Step 5) Read the OEP from the ESP register
invoke SuspendThread, ASPR_PI.hThread
; NOTE(review): lpflOldProtect is passed as 0; VirtualProtectEx requires a valid pointer there,
; so this restore most likely fails silently - the return value is not checked.
invoke VirtualProtectEx, ASPR_PI.hProcess, ASPR_CodeSection, ASPR_CodeSize, OldProtect, 0
invoke GetThreadContext, ASPR_PI.hThread, addr ctx ; ctx.ContextFlags still CONTEXT_FULL from Step 1
; the dword at [esp] is taken as the OEP (ctx.regEip itself is not used) - presumably what the
; ASProtect stub leaves on the stack at this point; confirm against the targeted version
invoke ReadProcessMemory, ASPR_PI.hProcess, ctx.regEsp, addr OEP, 4, addr rw
invoke aspr_dumpfile, _str('__DUMPPATH__'), OEP ; placeholder path; result not checked
mov PG_Hit, 0
invoke ResumeThread, ASPR_PI.hThread
.endif
.endif
.endif
invoke ContinueDebugEvent, ASPR_PI.dwProcessId, ASPR_PI.dwThreadId, DbgStatus
.endw
.endif
ret
aspr_load endp
endif
Vielleicht werde ich das Programm noch vollenden (oder jemand anderes?), da ich eigentlich einen Ersatz für stripper brauche, weil dieser auf meinem PC nicht funktioniert, und DecomAS versagt sowieso bei jeder UnpackMe, die ich da reingejagt habe.






