S4R4H

    AikaSEA ASProtect manual unpacking

    • file name: AIKASM.exe
    • packer: ASProtect 1.23 RC4
    • tools:
      -OllyDbg with OllyDump, aadp4olly plugins
      -Import REConstructor @ ImpREC
      -LordPE
    • this tutorial was derived from site
    • credit: +Neffarion


    i. setting up OllyDbg

    ii. setting up aadp4olly plugin

    1a.
    -open OllyDbg and load AIKASM.exe
    -click 'No' to skip analyzing compressed code


    1b.
    -press [Shift]+[F9] 16 times until you reach the code shown in the picture below
    -toggle a Breakpoint (BP) on the first RETN at [0x2E43A29] and click 'Yes' in the warning box



    1c.
    -press [Shift]+[F9] once more to break on the BP



    1d.
    -press [Alt]+[M] to bring up the 'Memory map' window
    -right click on AIKASM-code line and select 'Set memory breakpoint on access'



    1e.
    -press [F9] and take note of the address where the run command landed; it is the 'Entry Point (EP)'



    1f.
    -scroll up the code a bit until you see recurrences of a single instruction, such as shown below




    -press [Ctrl]+[A] to analyze the code



    2a.
    -restart AIKASM.exe in OllyDbg or you can press [Ctrl]+[F2]
    -click 'No' to skip analyzing compressed code


    2b.
    -repeat the steps from 1b until 1d


    2c.
    -press [Ctrl]+[T] to bring up the 'Set Condition' dialog and configure it as shown below
    -click 'OK'




    -press [Ctrl]+[F11]



    2d.
    -go to 'View' and select 'Run trace'
    -right click anywhere within the 'Run trace' window and select 'Highlight register' and select 'EBP'




    -scroll down to the bottom of the 'Run trace' window until a highlighted 'EBP=[0x12FFC0]' is seen
    -take note of the address prior to the highlighted EBP register; it is the beginning of the stolen bytes



    2e.
    -write down the instructions from [0x2E5620D] to [0x2E5626C], leaving out all the 'JMP SHORTs' and red-marked instructions



    0x2E5620D PUSH EBP
    0x2E5620E MOV EBP,ESP
    0x2E56210 PUSH -1
    0x2E56212 PUSH 624710
    0x2E56217 PUSH 5EF718
    0x2E5621C MOV EAX,DWORD PTR FS:[0]

    0x2E5622F PUSH EAX
    0x2E56230 MOV DWORD PTR FS:[0],ESP
    0x2E56237 SUB ESP,58
    0x2E56247 PUSH EBX
    0x2E56255 PUSH ESI
    0x2E56263 PUSH EDI
    0x2E56264 MOV DWORD PTR SS:[EBP-18],ESP



    -observe the instructions in the above figure and you will notice that the stolen bytes stop before a 'PUSH (EP)'
    -(credit to fennes for verifying the correct stolen bytes)


    3a.
    -restart AIKASM.exe in OllyDbg or you can press [Ctrl]+[F2]
    -click 'No' to skip analyzing compressed code
    -repeat the steps from 1b until 1f
    -right click on the start of the CodeCave/OEP [0x5EE833] and select 'New origin here'



    3b.
    -go to 'Plugins' and select 'OllyDump' and select 'Dump debugged process'
    -configure the 'OllyDump' dialog as shown in the picture below




    -make certain that the 'Modify:' field is correct:

    = [EP - BaseAddress]
    = [0x5EE833] - [0x400000]
    = [0x1EE833]

    -click 'Dump'


    3c.
    -while 'OllyDbg' is still open, launch 'ImportREC'
    -select the 'AIKASM.exe' process from the drop-down list


    3d.
    -change the 'OEP' field to the one calculated previously
    -click 'IAT AutoSearch' and click 'OK' in the next dialog



    3f.
    -change the 'Size' field to [0x1000] and click 'Get Imports'



    3g.
    -click 'Show Invalid'
    -right-click on any of the highlighted invalid functions and select 'Trace Level1(Disasm)'



    3h.
    -click 'Show Invalid'
    -right-click on any of the highlighted invalid functions, select 'Plugin Tracers' and select 'ASProtect 1.23 rc4'



    3i.
    -click 'Show Invalid'
    -right-click on any of the highlighted invalid functions and select 'Delete thunk(s)'



    3j.
    -click 'Fix Dump'
    -select 'dump.exe' and click 'Open'




    -a new file named 'dump_.exe' should now be created in the AikaSEA folder
    -close 'ImpREC'



    4a.
    -close 'AIKASM.exe' process in 'OllyDbg' and open 'dump_.exe'


    4b.
    -select all the instructions from [0x5EE833] to [0x5EE857], which is the code cave, right-click on any of them and select 'Assemble'




    -replace all of them with the instructions copied in step 2e



    before replacements



    after replacements


    4c.
    -press [Ctrl]+[A]
    -right click anywhere within the 'CPU' window and select 'Copy to executable' and select 'All modifications'




    -click 'Copy All' in the next dialog




    -close the newly popped up window by clicking the 'X' icon at the top right corner




    -click 'Yes' to save the modified file to disk


    -in the 'Save file as' window, select 'dump_.exe' and click 'Save'
    -click 'Yes' to overwrite the file



    5a.
    -open 'LordPE' and click 'Rebuild PE'




    -select 'dump_.exe' and click 'Open'
    -click 'OK' in 'LordPE' window



    have fun..
    Last edited by S4R4H; 2012-02-05 at 08:29 PM. Reason: updated.for.AikaSEA.ver.140
    I like to make stupid theories and assumptions..
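The following is an added worked example, not code from the original post or from OllyDump, ImpREC or LordPE. It does on a raw PE file, with Python's struct module, the two edits the tutorial performs in the debugger: the OllyDump 'Modify' field and ImpREC 'OEP' field arithmetic from step 3b (EP - BaseAddress gives an RVA, here 0x5EE833 - 0x400000 = 0x1EE833), and the step 4b/4c write-back of the stolen bytes over the code cave at the OEP. The stolen-byte listing from step 2e is hand-encoded into 32-bit x86 machine code, which comes to 38 (0x26) bytes. The addresses 0x5EE833, 0x400000, 0x624710 and 0x5EF718 are those the post reports for AIKASM.exe; the one-section PE32 image built by build_stub_pe() is a constructed stand-in for dump_.exe, not real game data.

```python
# Added example (not from the original post): the 'Modify'/OEP arithmetic of
# step 3b and the stolen-bytes write-back of steps 4b/4c, applied to a raw PE
# file with struct instead of through OllyDump/OllyDbg.
import struct

IMAGE_BASE = 0x400000
OEP_VA = 0x5EE833  # start of the code cave / OEP found in steps 1e and 3a

# Stolen bytes from step 2e, hand-encoded as 32-bit x86 machine code. This is
# the ordinary MSVC CRT prologue; ASProtect ran it from its own memory and left
# a code cave at the OEP, which is why the dump needs it written back.
STOLEN_BYTES = b"".join([
    b"\x55",                                 # PUSH EBP
    b"\x8B\xEC",                             # MOV EBP,ESP
    b"\x6A\xFF",                             # PUSH -1
    b"\x68" + struct.pack("<I", 0x624710),   # PUSH 624710
    b"\x68" + struct.pack("<I", 0x5EF718),   # PUSH 5EF718
    b"\x64\xA1\x00\x00\x00\x00",             # MOV EAX,DWORD PTR FS:[0]
    b"\x50",                                 # PUSH EAX
    b"\x64\x89\x25\x00\x00\x00\x00",         # MOV DWORD PTR FS:[0],ESP
    b"\x83\xEC\x58",                         # SUB ESP,58
    b"\x53",                                 # PUSH EBX
    b"\x56",                                 # PUSH ESI
    b"\x57",                                 # PUSH EDI
    b"\x89\x65\xE8",                         # MOV DWORD PTR SS:[EBP-18],ESP
])

def entry_point_rva(ep_va, image_base=IMAGE_BASE):
    """Value for OllyDump's 'Modify' field and ImpREC's 'OEP' field: an RVA, not a VA."""
    if ep_va < image_base:
        raise ValueError("entry point %#x lies below image base %#x" % (ep_va, image_base))
    return ep_va - image_base

def _pe_layout(img):
    """Return (optional header offset, [(VirtualAddress, PointerToRawData, SizeOfRawData)])."""
    if img[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", img, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", img, coff + 16)[0]    # SizeOfOptionalHeader
    opt = coff + 20
    if struct.unpack_from("<H", img, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled; ASProtect 1.23 targets are 32-bit")
    sections = []
    for i in range(nsect):
        hdr = opt + opt_size + 40 * i
        va, raw_size, raw_ptr = struct.unpack_from("<III", img, hdr + 12)
        sections.append((va, raw_ptr, raw_size))
    return opt, sections

def rva_to_offset(rva, length, sections):
    """Map an RVA range onto file data; raise if the dump does not back all of it."""
    for va, raw_ptr, raw_size in sections:
        if va <= rva and rva + length <= va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError("RVA %#x..%#x is not backed by file data" % (rva, rva + length))

def read_entry_point(img):
    opt, _ = _pe_layout(img)
    return struct.unpack_from("<I", img, opt + 16)[0]         # AddressOfEntryPoint

def restore_dump(img, oep_va, stolen):
    """Steps 3b and 4b/4c by hand: point AddressOfEntryPoint at the OEP and
    overwrite the code cave there with the stolen bytes."""
    opt, sections = _pe_layout(img)
    image_base = struct.unpack_from("<I", img, opt + 28)[0]   # ImageBase
    rva = entry_point_rva(oep_va, image_base)
    off = rva_to_offset(rva, len(stolen), sections)
    out = bytearray(img)
    struct.pack_into("<I", out, opt + 16, rva)
    out[off:off + len(stolen)] = stolen
    return bytes(out)

def build_stub_pe():
    """Constructed one-section PE32 image standing in for dump_.exe (not AIKASM
    data). The section is placed so that RVA 0x1EE833 falls inside it."""
    hdr = bytearray(0x400)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                   # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x44, 0x14C, 1)              # i386, 1 section
    struct.pack_into("<H", hdr, 0x44 + 16, 0xE0)              # SizeOfOptionalHeader
    opt = 0x44 + 20
    struct.pack_into("<H", hdr, opt, 0x10B)                   # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x1F0000)           # EP still at the packer stub
    struct.pack_into("<I", hdr, opt + 28, IMAGE_BASE)
    # .text: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<8sIIII", hdr, opt + 0xE0, b".text", 0x1000, 0x1EE000, 0x1000, 0x400)
    return bytes(hdr) + b"\xCC" * 0x1000                      # cave filled with INT3 filler

if __name__ == "__main__":
    fixed = restore_dump(build_stub_pe(), OEP_VA, STOLEN_BYTES)
    print("Modify field : %#x" % entry_point_rva(OEP_VA))
    print("new EP (RVA) : %#x" % read_entry_point(fixed))
    print("stolen bytes : %d (%#x) bytes" % (len(STOLEN_BYTES), len(STOLEN_BYTES)))
```

rva_to_offset checks that the whole stolen-byte range is backed by file data, so an RVA computed against the wrong base, or a dump whose section table does not cover the OEP, fails loudly rather than writing the prologue into the wrong place. The script does not replace LordPE's 'Rebuild PE' in step 5a, which still fixes up section sizes and the checksum after the write.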