The purpose of this article is to show how to write an inline patch for ASProtect 2.0, a protector that is popular and powerful at present. The article is basically aimed at crackers of average level, since to beginners it will seem very bulky and unclear, and many small details I will not explain :). The patch was written during a full investigation of the protector's operation; I am not going to explain what every line of code does, I leave that to you :), so questions of the kind "and why does it have to be done this way?" need not be asked, understand :). I only show how I did it. I hope this gives a push towards further study of this protector.
Well, let's begin... The principle of the patch is to transfer control step by step from the protector's body to our code, so that at the end of all the tricks we can modify the code of the already unpacked program. ASProtect has a "multilayered" structure, i.e. part of its code is unpacked into an allocated area of memory and executed there. Therefore the first stage will be finding the entry point into the first "layer" :). We load our "victim" into a debugger, put a breakpoint on VirtualAlloc, and land in approximately such a place:
00BAF4E3 6A 40 PUSH 40
00BAF4E5 68 00100000 PUSH 1000
00BAF4EA FFB5 04040000 PUSH DWORD PTR [EBP+404]
00BAF4F0 6A 00 PUSH 0
00BAF4F2 FF95 F0030000 CALL DWORD PTR [EBP+3F0]; kernel32.VirtualAlloc
00BAF4F8 8985 CC010000 MOV DWORD PTR [EBP+1CC], EAX
Memory for the body code is allocated. There is one more memory allocation, and then the code is unpacked into the allocated area. All this ends with:
00BAF607 68 00000000 PUSH 0
00BAF60C C3 RETN
This is the transition to the code in allocated memory. The code at the address 00BAF607 is modified by the commands above, namely:
First our goal will be to intercept these commands. But here we run into perhaps the most painful part :). The bytes at the address we are interested in are decrypted by a multilevel self-modifying crypter full of junk code :). We have to sort all this out and try to write an encryptor based on the decryptor. We will need to change the commands
00BAF5D1 03C7 ADD EAX, EDI
00BAF5D3 8985 C7010000 MOV DWORD PTR [EBP+1C7], EAX
which occupy 8 bytes (conveniently, two dwords :)). We put a breakpoint on access to the address 00BAF5D1 and restart the program. The first breakpoint fires:
00BAF110 8B11 MOV EDX, DWORD PTR [ECX]
00BAF112 0F87 05000000 JA DropToCD.00BAF11D
00BAF118 56 PUSH ESI
00BAF119 0FBFDE MOVSX EBX, SI
00BAF11C 5E POP ESI
00BAF11D 81C2 955CCB48 ADD EDX, 48CB5C95
00BAF123 81C2 AA010A65 ADD EDX, 650A01AA
Further on there is code with junk; separating it from the junk, we look at which registers are used to read the bytes and update them. ECX points exactly at 00BAF5D1. Clearing the code of junk, we get:
Offset from our base address: 0
Then the loop decreases the address by 4. We look for the following blocks in the same way, and as a result we get the following data of interest:
00BAF17E FF3417 PUSH DWORD PTR [EDI+EDX]
00BAF181 59 POP ECX
00BAF185 81F1 3019EC7F XOR ECX, 7FEC1930
00BAF18B 81E9 A9895312 SUB ECX, 125389A9
00BAF196 81E9 2E4B3923 SUB ECX, 23394B2E
00BAF1A1 51 PUSH ECX
00BAF1A5 8F043A POP DWORD PTR [EDX+EDI]
Offset from our base address: -1
Well, that is all; there are no more blocks. Now we will make the encryptor based on the decryptor. Here one has to be very careful :). To begin with we make the decryptor; the main thing is that everything works, and only then the encryptor. We need initial data. We take them at the rate of 8 bytes + our 8 + 8. Why so? :) I did not dig into the algorithm much, but adjacent bytes are interconnected with each other. Therefore we allocate this:
The highlighted font indicates the bytes we will change (the base). Well, now we write all this out; I wrote it in Delphi, I don't know why :), for convenience probably.
var bytes: array[0..23] of byte =
($087, $014, $00D, $06C, $0FF, $0CE, $082, $0A7, $039, $093, $090, $024, $047, $059, $0C8, $0B0, $081,
$002, $0E2, $027, $085, $090, $0C8, $0B0);
procedure decr;
asm
push eax
push ebx
push ecx
lea ebx, bytes [20]
mov ecx, 5
@loop1: // dwords at [ebx], offset 0 from the base
mov eax, [ebx]
add eax, 48CB5C95h
add eax, 650A01AAh
xor eax, 540B19Bh
mov [ebx], eax
sub ebx, 4
dec ecx
jnz @loop1
////////// loop 2: dwords at [ebx-3]
add ebx, 20
mov ecx, 5
@loop2:
mov eax, [ebx-3]
xor eax, 7FEC1930h
sub eax, 125389A9h
sub eax, 23394B2Eh
mov [ebx-3], eax
sub ebx, 4
dec ecx
jnz @loop2
////////// loop 3: dwords at [ebx]
add ebx, 20
mov ecx, 5
@loop3:
mov eax, [ebx]
add eax, 37BDD94Fh
sub eax, 3625C8DCh
sub eax, 4771BDE5h
mov [ebx], eax
sub ebx, 4
dec ecx
jnz @loop3
////////// loop 4: dwords at [ebx-1]
add ebx, 20
mov ecx, 5
@loop4:
mov eax, [ebx-1]
add eax, 1AB8DCB3h
sub eax, 5966B270h
add eax, 4DB849E9h
mov [ebx-1], eax
sub ebx, 4
dec ecx
jnz @loop4
////////// loop 5: dwords at [ebx-1]
add ebx, 20
mov ecx, 5
@loop5:
mov eax, [ebx-1]
sub eax, 7DDD7DEh
xor eax, 44EEBDBFh
xor eax, 58312C8Ch
mov [ebx-1], eax
sub ebx, 4
dec ecx
jnz @loop5
pop ecx
pop ebx
pop eax
end;
We check the work of this code, and what do we see? It works :). At the output we get:
00BAF5C9 89 43 08 5F 5E 8B 46 04 03 C7 89 85 C7 01 00 00
00BAF5D9 8B 55 5B 8B 85 C7 01 00
Ready :). Now let's write the encryptor; everything is done the other way round:
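As an added example (not code from the article), here is a Python port of the five decryption loops of the Delphi procedure above, taken exactly as the listing prints them, together with the inverse transform the author describes (same loops in reverse order, each add/sub swapped), so the layer's transform can be studied and round-trip checked outside a debugger. BYTES is the article's own 24-byte array.

```python
import struct

# The article's own 24-byte input block (array "bytes" in the Delphi code).
BYTES = bytes([
    0x87, 0x14, 0x0D, 0x6C, 0xFF, 0xCE, 0x82, 0xA7, 0x39, 0x93, 0x90, 0x24,
    0x47, 0x59, 0xC8, 0xB0, 0x81, 0x02, 0xE2, 0x27, 0x85, 0x90, 0xC8, 0xB0,
])

# 32-bit arithmetic exactly as the add/sub/xor instructions behave.
OPS = {
    "add": lambda v, k: (v + k) & 0xFFFFFFFF,
    "sub": lambda v, k: (v - k) & 0xFFFFFFFF,
    "xor": lambda v, k: v ^ k,
}
INVERSE = {"add": "sub", "sub": "add", "xor": "xor"}

# One entry per loop: the dword offset relative to bytes[20] ([ebx], [ebx-3],
# [ebx-1]) and the three operations applied to each dword. Every loop visits
# five dwords, stepping back 4 bytes each time, so the windows of different
# loops overlap and the loop order matters.
LOOPS = [
    (0,  [("add", 0x48CB5C95), ("add", 0x650A01AA), ("xor", 0x0540B19B)]),
    (-3, [("xor", 0x7FEC1930), ("sub", 0x125389A9), ("sub", 0x23394B2E)]),
    (0,  [("add", 0x37BDD94F), ("sub", 0x3625C8DC), ("sub", 0x4771BDE5)]),
    (-1, [("add", 0x1AB8DCB3), ("sub", 0x5966B270), ("add", 0x4DB849E9)]),
    (-1, [("sub", 0x07DDD7DE), ("xor", 0x44EEBDBF), ("xor", 0x58312C8C)]),
]

def _run_loop(buf, delta, ops):
    for i in range(5):
        off = 20 + delta - 4 * i          # mirrors "sub ebx, 4" five times
        v = struct.unpack_from("<I", buf, off)[0]
        for op, k in ops:
            v = OPS[op](v, k)
        struct.pack_into("<I", buf, off, v)

def decrypt(data):
    """Apply the five loops in the order the asm runs them."""
    buf = bytearray(data)
    for delta, ops in LOOPS:
        _run_loop(buf, delta, ops)
    return bytes(buf)

def encrypt(data):
    """Inverse transform: loops in reverse order, each op inverted and reversed."""
    buf = bytearray(data)
    for delta, ops in reversed(LOOPS):
        _run_loop(buf, delta, [(INVERSE[op], k) for op, k in reversed(ops)])
    return bytes(buf)
```

Note that byte 0 of the array lies outside every loop's window, so only bytes 1..23 can change.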
Strange as it may seem, our creation works :). Now we need to find free space for our patch. Usually it is at the end of the file. It happened to me that there was not enough space, and I had to increase the file size, and accordingly adjust the values in the PE header, and then restore the previous values to keep the integrity of the original file. The beginning of the patch will be at offset 89668, RVA = 00BD2668. Now at this address we first write those commands which we will "overwrite":
00BD2668 03C7 ADD EAX, EDI
00BD266A 8985 C7010000 MOV DWORD PTR [EBP+1C7], EAX
To transfer control from the ASProtect body, we do the following:
00BAF5D1 BA 6826BD00 MOV EDX, 00BD2668
00BAF5D6 FFD2 CALL EDX
00BAF5D8 90 NOP
I chose the EDX register because it is free, since the command following these commands is:
00BAF5D9 8B55 5B MOV EDX, DWORD PTR [EBP+5B]
Now we insert into our encryptor the byte sequence BA 68 26 BD 00 FF D2 90, encrypt it, compare with the original bytes, and it turns out that we need to change the following byte sequence: 92 30 E6 4D 3A 9B 57 13 83. We fix this in the program:
00BAF5D1 92 30 E6 4D 3A 9B 57 13 83
We start, check, everything decrypted normally :). Let's go on. We proceed further along the code, again there is memory allocation for the next "layer", and, as it turned out for me, we will place the code at this address:
This code is at offset 0F3 from the base address (the address of the allocated memory of the first "layer"). This structure has been kept since earlier versions of ASProtect. We transfer control by replacing the commands:
A small comment: EDX contains the address of the beginning of our patch, EAX contains the address of the beginning of the first "layer"'s allocated memory. ADD EDX, 22 will point to the second piece of our patch. We add the changed commands and continue investigating the ASProtect code further. Code:
00BD268A 5B POP EBX
00BD268B 68 00800000 PUSH 8000
00BD2690 6A 00 PUSH 0
00BD2692 FFE3 JMP EBX
We go further. Similar code is found once more:
Now we need to move on, namely to find the place where the file's CRC is checked. This place is found as follows: we put a breakpoint on MapViewOfFileEx. The first time it fires not where we need (for me :)), this one can be skipped; the second time is where we need. We can convince ourselves of this:
7 at ALEX, 2005
The code calling this API looks as follows:
All that remains is to patch, but there is one catch: the next section of our code will be executed several times, because the code at the address 010D03D7 (see above) is executed several times, so we need to take this into account and record in some variable whether the code has already been executed before. All this looks like so:
The idea is this: we restore the overwritten commands, then there is a loop searching by signature for the call to MapViewOfFileEx, and the next trampoline along the way is the code of our patch. If we now also try to run such code (well, with a small amendment), then when MapViewOfFileEx is called we will notice that all the code of our patch has simply disappeared :). This is one more feature of uncle Solodovnikov's that appeared in the second version of his child: clearing bytes up to the section boundary :). We need to find the place where all this is cleared. We put a breakpoint on access to some address of our patch and land in such a place:
010A58D0 33C9 XOR ECX, ECX
010A58D2 E8 D9CEFFFF CALL 010A27B0
010A58D7 C3 RETN
And finally:
010B9FAE 8B15 F0870C01 MOV EDX, DWORD PTR [10C87F0]
010B9FB4 0302 ADD EAX, DWORD PTR [EDX]
010B9FB6 BA 00100000 MOV EDX, 1000
010B9FBB E8 10B9FEFF CALL 010A58D0
010B9FC0 EB 0A JMP SHORT 010B9FCC
We simply need CALL 010A58D0 not to be executed. We finish our piece of the patch:
00BD26DA 43 INC EBX
00BD26DB 813B 0302BA00 CMP DWORD PTR DS: [EBX], 00BA0203
00BD26E1 ^75 F7 JNZ SHORT DropToCD.00BD26DA
00BD26E3 66:C743 07 EB0F MOV WORD PTR DS: [EBX+7], 0FEB
00BD26E9 5B POP EBX
00BD26EA FFE3 JMP EBX
Now let's restore the CRC. Here we will use a small trick, namely emulate the work of MapViewOfFileEx. To begin with we must restore the bytes we changed, since further on there is a CRC check of this area:
Then we place the return address in a certain "variable" EDX-4; it will be useful to us. Now the emulation itself. The principle is this: we allocate a piece of memory the size of the EXE file, write the whole file there, correct the necessary bytes which we originally changed, and as the output parameter of MapViewOfFileEx we return the address of the allocated memory :). So, the size of our file is 563 712 bytes, or 89A00h. We allocate memory through VirtualAlloc, which we borrow from ASProtect itself :) (the very first code with which the article began). At the address 00BAF831 lies the address of the API. We finish the patch:
00BD2708 60 PUSHAD
00BD2709 BB 009A0800 MOV EBX, 89A00
00BD270E 6A 04 PUSH 4
00BD2710 68 00100000 PUSH 1000
00BD2715 53 PUSH EBX
00BD2716 6A 00 PUSH 0
00BD2718 B8 31F8BA00 MOV EAX, DropToCD.00BAF831
00BD271D FF10 CALL DWORD PTR DS: [EAX]
We copy the data from one allocated piece of memory into ours:
We need to restore the two bytes we changed, so that the procedure clearing the memory where our patch is located is not executed further on; otherwise the CRC will be calculated incorrectly and the program will simply crash:
00BD2745 8945 F0 MOV DWORD PTR SS: [EBP-10], EAX
00BD2748 61 POPAD
00BD2749 8B42 FC MOV EAX, DWORD PTR DS: [EDX-4]
00BD274C 40 INC EAX
00BD274D 8138 0302BA00 CMP DWORD PTR DS: [EAX], 00BA0203
00BD2753 ^75 F7 JNZ SHORT DropToCD.00BD274C
00BD2755 66:C740 07 E810 MOV WORD PTR DS: [EAX+7], 10E8
Now we can check whether we did the patch correctly so far; we finish it:
00BD275B FF62 FC JMP DWORD PTR DS: [EDX-4]
We release the program, and "oh, miracle!" it started :). Now we patch the program itself. The program's protection is built on the ASProtect API, well, so much the better for us :). There are several ways to find these API calls, but the best and most instructive is to go through all the ASProtect code, which is what I did; I will not describe it here. The call of the "needed" API goes here:
We need to pass as the parameter of this function the address of a string, like, to whom it is registered, and there will be happiness :). BUT we need to move the time forward, say, by 7 days, so that the trial has expired, and then a message appears like "the trial is over" and the program terminates. We need to find this and fix it. All this is checked here:
The highlighted part shows the call of the message. It is easy to guess that we need to change the conditional jump to address 010B5487 into an unconditional one and all will be well. So, we finish our patch:
00BD275B 48 DEC EAX
00BD275C 8138 0F858C00 CMP DWORD PTR DS: [EAX], 008C850F
00BD2762 ^75 F7 JNZ SHORT DropToCD.00BD275B
00BD2764 66:C700 90E9 MOV WORD PTR DS: [EAX], 0E990
Next we need to find code at whose moment of execution the program is already completely unpacked and the ASProtect API is called. Having investigated the ASProtect code, I found this remarkable, beautiful code:
010BBF5C 68 95190BC3 PUSH C30B1995
010BBF61 68 5C4A0000 PUSH 4A5C
010BBF66 68 FC740100 PUSH 174FC
010BBF6B 68 00D00200 PUSH 2D000
010BBF70 FF35 D4940C01 PUSH DWORD PTR DS: [10C94D4]
010BBF76 E8 01000000 CALL 010BBF7C
where C30B1995 is a certain constant which differs between different protected programs. We search for it and patch the code further:
00BD2769 40 INC EAX
00BD276A 8138 95190BC3 CMP DWORD PTR DS: [EAX], C30B1995
00BD2770 ^75 F7 JNZ SHORT DropToCD.00BD2769
00BD2772 C640 FF BA MOV BYTE PTR DS: [EAX-1], 0BA
00BD2776 8BDA MOV EBX, EDX
00BD2778 81C3 B7000000 ADD EBX, 0B7
00BD277E 8918 MOV DWORD PTR DS: [EAX], EBX
00BD2780 66:C740 04 FFD2 MOV WORD PTR DS: [EAX+4], 0D2FF
Everything is ready to start the program, but again we notice that our whole patch gets wiped (oh, this Solodovnikov :)), and this is done 2 times, in such places:
We go further. We need to restore the overwritten commands, restore the bytes we patched above so that the CRC is not broken, and make it so that the program is already registered: