Register for your free account! | Forgot your password?

Go Back   elitepvpers > Blogs > Reversing mit Tension
You last visited: Today at 07:32

  • Please register to post and access all features, it's quick, easy and FREE!

Advertisement



Hier poste ich ASM und Reversing Zeugs welches ich nicht in einem Thread packen kann, da es sich nicht lohnen würde.
Rate this Entry

ASProtect OEP - [MASM]

Posted 04/15/2014 at 00:11 by ​Tension
Updated 04/15/2014 at 00:15 by ​Tension

Da ich eigentlich vor hatte einen ASProtect-Unpacker zu schreiben und mir dann die Lust dran vergangen ist, pack ich hier mal meinen momentanen Source rein.
Was Fehlt:
  • IAT-Fixer (Obfuscated Calls)
  • Stolen Bytes
hier ist jedenfalls mein bisheriger code:
Code:
ifndef	_UNPROTECT__ASPROTECT
_UNPROTECT__ASPROTECT equ<1>

include extension.asm

.const
ASPR_EXE			equ	0
ASPR_DLL			equ	1
ASPR_SCANSIZE		equ	255

aspr_pattern_scan		proto	:DWORD, :DWORD, :DWORD, :DWORD, :DWORD

.data?
ASPR_PI					PROCESS_INFORMATION <?>
ASPR_CodeSection		dd	?
ASPR_CodeSize			dd	?
ASPR_FileHandle			dd	?

.data
;= Pattern =;
ASPR_PATTERN			db	31h, 00h, 64h, 8Fh, 05h, 00h, 00h, 00h, 00h			 ; xor dword ptr ds:[eax], eax,\ pop dword ptr fs:[0]
ASPR_PATTERN_RET		db	0FFh, 030h, 0FFh, 075h, 0F0h, 0FFh, 075h, 0ECh, 0C3h ; push dword ptr ds:[eax],\ push dword ptr ss:[ebp-10],\ push dword ptr ss:[ebp-14],\ retn
ASPR_PATTERN_ZERO		db	00h, 00h, 00h, 00h

;= Patches =;
ASPR_PATCH_INT3			db	0CCh, 90h, 90h		; int 3,\ nop,\ nop
ASPR_PATCH_BACK			db	0FFh, 75h, 0ECh 	; push dword ptr ds:[ebp-14]
ASPR_DBG_PATCH			db	0C6h, 40h, 02h, 00h	; mov byte ptr ds:[eax+2], 00

.code

aspr_dumpfile			proc	DumpName:DWORD, EntryPoint:DWORD
	LOCAL MapHandle:DWORD, MapView:DWORD, DmpFileHandle:DWORD, DmpMapHandle:DWORD, DmpMapView:DWORD, ImageBase:DWORD, ImageSize:DWORD, OEP_Addr:DWORD, SecStart:DWORD, SecSize:DWORD, Buffer:DWORD, OldProtect:DWORD, rw:DWORD
	
	pushad
	mov rw, 0
	invoke CreateFileMapping, ASPR_FileHandle, 0, PAGE_READONLY, 0, 0, 0
	.if eax == 0
		invoke GetLastError
		log _strfm('Failed to map file [0x%d]', eax)
		popad
		xor eax, eax
		ret
	.endif
	mov MapHandle, eax
	invoke MapViewOfFile, MapHandle, FILE_MAP_READ, 0, 0, 0
	.if eax == 0
		invoke GetLastError
		log _strfm('Failed to create map view [0x%X]', eax)
		popad
		xor eax, eax
		ret
	.endif
	mov MapView, eax
	mov esi, eax
	assume esi:ptr IMAGE_DOS_HEADER
	add esi, [esi].e_lfanew
	assume esi:ptr IMAGE_NT_HEADERS
	m2m ImageBase, [esi].OptionalHeader.ImageBase
	m2m ImageSize, [esi].OptionalHeader.SizeOfImage
	invoke VirtualAlloc, 0, ImageSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE
	mov Buffer, eax
	invoke VirtualProtectEx, ASPR_PI.hProcess, ImageBase, ImageSize, PAGE_EXECUTE_READWRITE, addr OldProtect
	invoke ReadProcessMemory, ASPR_PI.hProcess, ImageBase, Buffer, ImageSize, addr rw
	invoke VirtualProtectEx, ASPR_PI.hProcess, ImageBase, ImageSize, OldProtect, 0
	invoke UnmapViewOfFile, MapView
	invoke CloseHandle, MapHandle
	;Create Dump File
	mov DmpFileHandle, _call(CreateFile, DumpName, GENERIC_WRITE + GENERIC_READ, 0, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0)
	invoke WriteFile, DmpFileHandle, Buffer, ImageSize, addr rw, 0
	log _str('Saved dump!')
	;Basic Dump done.
	;Fix Dump
	mov DmpMapHandle, _call(CreateFileMapping, DmpFileHandle, 0, PAGE_READWRITE, 0, 0, 0)
	mov DmpMapView, _call(MapViewOfFile, DmpMapHandle, FILE_MAP_ALL_ACCESS, 0, 0, 0)
	mov esi, DmpMapView
	assume esi:ptr IMAGE_DOS_HEADER
	add esi, [esi].e_lfanew
	assume esi:ptr IMAGE_NT_HEADERS
	mov edx, esi
	add edx, sizeof IMAGE_NT_HEADERS
	assume edx:ptr IMAGE_SECTION_HEADER
	;Fix EP
	mov ebx, EntryPoint
	sub ebx, ImageBase
	m2m [esi].OptionalHeader.AddressOfEntryPoint, ebx
	m2m [esi].OptionalHeader.SizeOfImage, ImageSize
	mov [esi].OptionalHeader.SizeOfHeaders, 1000h
	movzx ecx, [esi].FileHeader.NumberOfSections
	log _str('Fixing sections...')
	.while ecx > 0
		pushad
		m2m SecStart, [edx].VirtualAddress
		m2m SecSize, [edx].Misc.VirtualSize
		;Align size
		modulo SecSize, [esi].OptionalHeader.SectionAlignment
		.if eax != 0
			sub SecSize, eax
			addm SecSize, [esi].OptionalHeader.SectionAlignment
		.endif
		mov edi, MapView
		add edi, SecStart
		mov ebx, ImageBase
		add ebx, SecStart
		pinvoke ReadProcessMemory, ASPR_PI.hProcess, ebx, edi, SecSize, addr rw
		m2m [edx].VirtualAddress, SecStart
		m2m [edx].PointerToRawData, SecStart
		m2m [edx].Misc.VirtualSize, SecSize
		m2m [edx].SizeOfRawData, SecSize
		m2m [edx].Characteristics, IMAGE_SCN_MEM_WRITE
		lea eax, [edx].Name1
		log _strfm('Section "%s" fixed.', eax) 
		popad
		add edx, sizeof IMAGE_SECTION_HEADER
		dec ecx
	.endw
	log _strfm('%X',[esi].OptionalHeader.AddressOfEntryPoint)
	assume esi:ptr NOTHING
	assume edi:ptr NOTHING
	assume edx:ptr NOTHING
	invoke UnmapViewOfFile, DmpMapView
	invoke CloseHandle, DmpMapHandle
	invoke CloseHandle, DmpFileHandle
	invoke VirtualFree, Buffer, 0, MEM_DECOMMIT
	
	;invoke aspr_rebuild_imports, DumpName
	log _str('Fixed !')
	popad
	ret

aspr_dumpfile endp

aspr_get_codesection	proc
	LOCAL MapHandle:DWORD, MapView:DWORD
	pushad
	invoke CreateFileMapping, ASPR_FileHandle, 0, PAGE_READONLY,  0, 0, 0
	.if eax == 0
		invoke GetLastError
		log _strfm('Failed to map file [0x%d]', eax)
		popad
		xor eax, eax
		ret
	.endif
	mov MapHandle, eax
	invoke MapViewOfFile, MapHandle, FILE_MAP_READ, 0, 0, 0
	.if eax == 0
		invoke GetLastError
		log _strfm('Failed to create map view [0x%X]', eax)
		popad
		xor eax, eax
		ret
	.endif
	mov MapView, eax
	assume eax:ptr IMAGE_DOS_HEADER
	add eax, [eax].e_lfanew
	assume eax:ptr IMAGE_NT_HEADERS
	mov esi, eax
	add esi, sizeof IMAGE_NT_HEADERS
	assume esi:ptr IMAGE_SECTION_HEADER
	mov ebx, [esi].VirtualAddress
	add ebx, [eax].OptionalHeader.ImageBase
	mov ASPR_CodeSection, ebx
	m2m ASPR_CodeSize, [esi].Misc.VirtualSize
	assume esi:ptr NOTHING
	assume eax:ptr NOTHING
	invoke UnmapViewOfFile, MapView
	invoke CloseHandle, MapHandle
	popad
	mov eax, 1
	ret
	
aspr_get_codesection endp

aspr_pattern_scan		proc	ProcHandle:DWORD, Address:DWORD, ScanSize:DWORD, Pattern:DWORD, PatternSize:DWORD
	LOCAL found:DWORD, i:DWORD, j:DWORD, Buffer:DWORD, rw:DWORD
	pushad
	mov rw, 0
	mov i, 0
	mov j, 0
	invoke VirtualAlloc, 0, PatternSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE
	mov Buffer, eax
	invoke ReadProcessMemory, ProcHandle, Address, Buffer, ASPR_SCANSIZE, addr rw
	.if eax == 0
		invoke GetLastError
		log _strfm('Failed to read from process [0x%X]', eax)
		invoke VirtualFree, Buffer, 0, MEM_DECOMMIT
		popad
		mov eax, -1
		ret
	.endif
	mov edi, dword ptr ds:[Buffer]
	mov esi, dword ptr ds:[Pattern]
	mov ebx, ScanSize
	.while i < ebx
		pushad
		mov found, 1
		mov j, 0
		mov ecx, PatternSize
		.while j < ecx
			pushad
			mov ecx, i
			add ecx, j
			mov al, byte ptr ds:[edi+ecx]
			mov ecx, j
			mov ah, byte ptr ds:[esi+ecx]
			.if al != ah
				mov found, 0
				popad
				.break
			.endif
			popad
			inc j
		.endw
		.if found == 1
			popad
			.break
		.endif
		popad
		inc i
	.endw
	.if found == 1
		mov ebx, Address
		add i, ebx
	.else
		mov i, -1
	.endif
	invoke VirtualFree, Buffer, 0, MEM_DECOMMIT
	popad
	mov eax, i
	ret

aspr_pattern_scan endp

;Currently only supports .exe
aspr_load				proc	FileName:DWORD, LoadType:DWORD
	LOCAL DbgStatus:DWORD, tib:DWORD, pib:DWORD, dbg_i:DWORD, IsHidden:DWORD, DbgAddr:DWORD, DbgRAddr:DWORD, BP_Addr:DWORD, OldProtect:DWORD, OEP:DWORD, rw:DWORD
	LOCAL BP_Set:BYTE, BP_Reached:BYTE, PG_Hit:BYTE
	LOCAL segsel:LDT_ENTRY
	LOCAL sui:STARTUPINFO
	LOCAL dbg:DEBUG_EVENT
	LOCAL ctx:CONTEXT
	mov rw, 0
	.if LoadType == ASPR_EXE
		invoke RtlZeroMemory, addr sui, sizeof(STARTUPINFO)
		invoke RtlZeroMemory, addr ASPR_PI, sizeof(PROCESS_INFORMATION)
		invoke RtlZeroMemory, addr ctx, sizeof(CONTEXT)
		mov IsHidden, 0
		mov BP_Addr, 0
		mov PG_Hit, 0
		mov OldProtect, 0
		mov OEP, 0
		mov sui.cb, sizeof(STARTUPINFO)
		invoke GetStartupInfo, addr sui
		invoke CreateProcess, FileName, 0, 0, 0, 0, DEBUG_ONLY_THIS_PROCESS + DEBUG_PROCESS + CREATE_NO_WINDOW, 0, 0, addr sui, addr ASPR_PI
		.if eax == 0
			invoke GetLastError
			log _strfm('Failed to create process [0x%X]', eax)
			xor eax, eax
			ret
		.endif
		log _strfm('Process Created: %d', ASPR_PI.dwProcessId)
		.while 1 ; Debug Loop 
			invoke WaitForDebugEvent, addr dbg, 0FFFFFFFFh
			.if dbg.dwDebugEventCode == CREATE_PROCESS_DEBUG_EVENT
				m2m DbgStatus, DBG_EXCEPTION_NOT_HANDLED
				m2m ASPR_FileHandle, dbg.u.CreateProcessInfo.hFile
				
			.elseif dbg.dwDebugEventCode == EXCEPTION_DEBUG_EVENT
				.if dbg.u.Exception.pExceptionRecord.ExceptionCode == EXCEPTION_ACCESS_VIOLATION
					;Step 1) Catch Access violations until the last one, we will find this with pattern scanning ( We could count the Access Violation and subtract 1 but this is faster in my opinion )
					m2m DbgStatus, DBG_EXCEPTION_NOT_HANDLED
					invoke SuspendThread, ASPR_PI.hThread
					mov ctx.ContextFlags, CONTEXT_FULL
					invoke GetThreadContext, ASPR_PI.hThread, addr ctx
					;Step 2) Scan for the patterns 
					; Scan for the first pattern:
					; -
					; xor dword ptr ds:[eax], eax
					; pop dword ptr fs:[0]
					; pop eax
					; -
					invoke aspr_pattern_scan, ASPR_PI.hProcess, ctx.regEip, ASPR_SCANSIZE, addr ASPR_PATTERN, 9
					.if eax != -1
						mov ebx, ctx.regEip
						add ebx, 9 
						; Scan for the other pattern:
						; -
						; push dword ptr ds:[eax]
						; push dword ptr ss:[ebp-10]
						; push dword ptr ss:[ebp-14]
						; retn
						; -
						invoke aspr_pattern_scan, ASPR_PI.hProcess, ebx, ASPR_SCANSIZE, addr ASPR_PATTERN_RET, 9
						.if eax != -1
							add eax, 5
							mov BP_Addr, eax
							;Step 3) Set a SoftwareBreakpoint ( Int3 )
							invoke WriteProcessMemory, ASPR_PI.hProcess, BP_Addr, addr ASPR_PATCH_INT3, 3, addr rw
							.if eax == 0
								invoke GetLastError
								log _strfm('Failed to write to process [0x%X]', eax)
								xor eax, eax
								ret
							.endif
							mov BP_Set, 1
						.endif
					.endif
					invoke ResumeThread, ASPR_PI.hThread
				.elseif dbg.u.Exception.pExceptionRecord.ExceptionCode == EXCEPTION_BREAKPOINT
					m2m DbgStatus, DBG_CONTINUE
					.if IsHidden == 0
						;Just an easy patching of IsDebuggerPresent
						; -
						; movzx eax, byte ptr ds:[eax+2]
						; to
						; mov byte ptr ds:[eax+2], 00
						; -
						mov DbgAddr, 0
						mov DbgRAddr, 0
						mov ebx, _call(GetModuleHandle, _str('kernel32.dll'))
						mov ebx, _call(GetProcAddress, ebx, _str('IsDebuggerPresent'))
						add ebx, 2
						invoke ReadProcessMemory, ASPR_PI.hProcess, ebx, addr DbgAddr, 4, addr rw
						.if eax == 0
							invoke GetLastError
							log _strfm('Failed to read from process [0x%d]', eax)
							xor eax, eax
							ret
						.endif
						invoke ReadProcessMemory, ASPR_PI.hProcess, DbgAddr, addr DbgRAddr, 4, addr rw
						.if eax == 0
							invoke GetLastError
							log _strfm('Failed to read from process [0x%d]', eax)
							xor eax, eax
							ret
						.endif
						add DbgRAddr, 6
						invoke WriteProcessMemory, ASPR_PI.hProcess, DbgRAddr, addr ASPR_DBG_PATCH, 4, addr rw
						.if eax == 0
							invoke GetLastError
							log _strfm('Failed to write to process [0x%d]', eax)
							xor eax, eax
							ret
						.endif
						mov IsHidden, 1
						log _str('I am a ninja now!')
					.endif
					.if BP_Set == 1
						m2m DbgStatus, DBG_EXCEPTION_NOT_HANDLED
						invoke SuspendThread, ASPR_PI.hThread
						;Restore the bytes
						invoke WriteProcessMemory, ASPR_PI.hProcess, BP_Addr, addr ASPR_PATCH_BACK, 3, addr rw
						.if eax == 0
							invoke GetLastError
							log _strfm('Failed to write to process [0x%X]', eax)
							xor eax, eax
							ret
						.endif
						;Step 4) Protect the CodeSection
						;=> Get the code section <=;
						invoke aspr_get_codesection
						.if eax == 1
							invoke VirtualProtectEx, ASPR_PI.hProcess, ASPR_CodeSection, ASPR_CodeSize, PAGE_READWRITE + PAGE_GUARD, addr OldProtect
							mov PG_Hit, 1
							mov BP_Set, 0
						.endif
						invoke ResumeThread, ASPR_PI.hThread
					.endif
				.elseif dbg.u.Exception.pExceptionRecord.ExceptionCode == STATUS_GUARD_PAGE_VIOLATION
					m2m DbgStatus, DBG_CONTINUE
					.if PG_Hit == 1
						m2m DbgStatus, DBG_EXCEPTION_NOT_HANDLED
						;Step 5) Read the OEP from the ESP register
						invoke SuspendThread, ASPR_PI.hThread
						invoke VirtualProtectEx, ASPR_PI.hProcess, ASPR_CodeSection, ASPR_CodeSize, OldProtect, 0
						invoke GetThreadContext, ASPR_PI.hThread, addr ctx
						invoke ReadProcessMemory, ASPR_PI.hProcess, ctx.regEsp, addr OEP, 4, addr rw
						invoke aspr_dumpfile, _str('__DUMPPATH__'), OEP
						mov PG_Hit, 0
						invoke ResumeThread, ASPR_PI.hThread
					.endif
					
				.endif
			.endif
			invoke ContinueDebugEvent, ASPR_PI.dwProcessId, ASPR_PI.dwThreadId, DbgStatus
		.endw
	.endif
	ret

aspr_load endp



endif
Bei Fragen oder so bitte einfach melden

Vielleicht werde ich das Programm noch vollenden ( oder jemand anderes? ) da ich eigentlich einen Ersatz für stripper brauche da dieser auf meinem PC nicht funktioniert und DecomAS versagt sowieso bei jeder unpackme die ich darein gejagt habe.
Posted in Uncategorized
Views 920 Comments 0 Email Blog Entry
« Prev     Main     Next »
Total Comments 0

Comments

 

All times are GMT +2. The time now is 07:32.


Powered by vBulletin®
Copyright ©2000 - 2023, Jelsoft Enterprises Ltd.
SEO by vBSEO ©2011, Crawlability, Inc.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Support | Contact Us | FAQ | Advertising | Privacy Policy | Terms of Service | Abuse
Copyright ©2023 elitepvpers All Rights Reserved.