Exetools  

  #1  
Old 04-29-2004, 16:06
R@dier
 
Posts: n/a
Hi,
I unpacked this last night without any problems, except Olly 1.10c
kept crashing out, so I had to revert back to 1.10b to unpack it successfully.
All exceptions were well outside the 00400000 range, so I am not sure what's going on with yours, JMI.

I will run through it again tonight and post my notes.

Best Wishes

R@dier
  #2  
Old 04-29-2004, 17:14
JMI JMI is offline
Leader
 
Join Date: Jan 2002
Posts: 1,627
gabri3l:

Thanks for reminding me that it is ALWAYS a good idea to go back and read from the start of the thread. Had I done that, I would have discovered that you had reported your "last exception" occurred with the routine between 00A60019-00A6005C. I had noticed then that your code was nearly identical to that shown in the R@dier tut I described, except for the fact that his exceptions, as well as the ones I've seen in the few other ASPR targets I've tried in OllyDBG, were clearly "outside" the range of the ".code" section shown in the Memory Map. R@dier's were in the range of 00D0XXXX, while, at least your last one, was in the range 00A60019-00A6005C.

Now you are confusing me by your statement that:

Exceptions:
00A10671 <-- First exception
...25 exceptions later...
00A10019 <--Last exception

There is an obvious difference between a last exception routine which starts at 00A60019 and one that starts at 00A10019 is there not?????
And my first exception was also at 00A10671. How did you lose 50000 bytes between what you first posted and today??????


In my version of the target, the Memory Map shows the .code section to begin at Address=00401000, with Size=00098000 (622592). That suggests that any address within the range of 00401000 to 00499000 (which would include 00A60019-00A6005C and/or 00A10671 and 00A10019) where these exceptions are occurring is IN the code section shown in the Memory Map. I didn't hit any OUTSIDE that range and I have a file with the code addresses at each of the breaks on exception.

I am also running XP SP1 and I believe the same OllyDbg version R@dier just described reverting back to, although my "About" identifies it as OllyDbg v1.10(step 2), I believe that is version 1.10b.

I'm wondering if I have one of the settings wrong in Olly as I know I set several in attacking some of the other targets I finally had some time to play with, but I never got to the routine you posted in your first post, although I was watching for it.

I'm going to try your break point on 00A10053 and see if it breaks, because I'm not getting anywhere near. My last exception code is happening at:

00A111D3 58 POP EAX
00A111D4 33C0 XOR EAX,EAX
00A111D6 5A POP EDX
00A111D7 59 POP ECX
00A111D8 59 POP ECX
00A111D9 64:8910 MOV DWORD PTR FS:[EAX],EDX
00A111DC 68 0E12A100 PUSH 0A1120E
00A111E1 8D85 ACD7FFFF LEA EAX,DWORD PTR SS:[EBP-2854]
00A111E7 BA 02000000 MOV EDX,2
00A111EC E8 BF1FFFFF CALL 00A031B0
00A111F1 8D45 BC LEA EAX,DWORD PTR SS:[EBP-44]
00A111F4 E8 971FFFFF CALL 00A03190
00A111F9 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
00A111FC BA 02000000 MOV EDX,2
00A11201 E8 AA1FFFFF CALL 00A031B0
00A11206 C3 RETN

which sure doesn't look correct and leads to the error message I posted below.

R@dier:

Will be happy to see your notes and would appreciate it if you would include your settings in the Debugger options--->exceptions, because that may be the problem here. I will be especially interested if the phrase "well outside the 00400000 range" really means something "outside" what is listed for the .code section, such as something in the 00DXXXXX or 00CXXXXX range perhaps. That would be very strange, and gabri3l confirms my findings that they appear to be within the .code section.

I've just retried the program in OllyDbg and after the first exception, I can scroll up and see the routine at 00A10019 and if I put a breakpoint there, or at 00A10053 I'm not reaching it and still get to the routine I posted, which starts at 00A111D3 and ends in the error message.

One small further interesting point. When I ran PEiD on the file it said the OEP was at 47CB16 (although I never got there in the code) while gabri3l found 0047ED5F. So I'm suspecting more and more it is something in my settings.

Regards,
__________________
JMI
  #3  
Old 04-29-2004, 18:14
britedream britedream is offline
Friend
 
Join Date: Jun 2002
Posts: 436
Quote:
Originally Posted by JMI
In my version of the target, the Memory Map shows the .code section to begin at Address=00401000, with Size=00098000 (622592.) That suggests that any address within the range of 00401000 to 00499000 (which would include 00A60019-00A6005C and/or 00A10671 and 00A10019) where these exceptions are occurring is IN the code section shown in the Memory Map. I didn't hit any OUTSIDE that range and I have a file with the code addresses at each of the breaks on exception.
1- The A6XXXX range won't be in the code section range.

2- highmemory+0019 is the correct last exception, which on my PC is 00A20019.

you can find that out by using my last updated script "asplex-2" for last exception.

Regards.

Last edited by britedream; 05-01-2004 at 12:43.
  #4  
Old 04-29-2004, 18:43
R@dier
 
Posts: n/a
Hi,

Here are my notes.
@SvensK, I found Olly 1.10c crashed when I tried to undo my NOPs:
after I hit "-" and then highlighted the NOPs, as soon as I right-clicked Olly would fall over. I tried it several times and had no luck,
so I reverted back to the original 1.10b (step 2).

If you can test it on your machine using the method in my notes, it would be appreciated, to see if it is just my setup that's faulty.

@JMI my debugger settings are as they were when I unpacked this target; although some may be unnecessary, all you really need is
"Ignore memory access violations in KERNEL32" to be checked,
and all will work fine.

I was playing with Arma before doing this target ;p
thus the current settings


Best Wishes
R@dier
Attached Files
File Type: rar ASPR note RecAllPro + IAT.rar (22.3 KB, 35 views)

Last edited by R@dier; 04-29-2004 at 20:48. Reason: spelling and ollyversion info
  #5  
Old 04-29-2004, 19:09
britedream britedream is offline
Friend
 
Join Date: Jun 2002
Posts: 436
To Svensk:

I have a problem with OllyDbg 1.10c crashing. Are you using Windows XP?


Thanks.
  #6  
Old 04-29-2004, 19:10
SvensK
 
Posts: n/a
@R@dier: You are right, latest olly crashes as soon as I right-click that BP'ed call.

The reason I didn't encounter this earlier is coz I went straight for the OEP and dumped there, then fixed imports with ImpRec with the aspr2 plugin.

@britedream: Yup, I use WindowsXP and as you can see my Olly 1.10c crashed as well

Edit: Btw, size of IAT is actually 674.

Last edited by SvensK; 04-29-2004 at 19:40.
  #7  
Old 04-29-2004, 20:41
R@dier
 
Posts: n/a
Hi all
@britedream, I am using WinXP SP1 as well.

@SvensK oops, you are right, it is 674 and not 678, my bad.
Thanks.


Best Wishes

R@dier
  #8  
Old 04-29-2004, 23:36
JMI JMI is offline
Leader
 
Join Date: Jan 2002
Posts: 1,627
britedream and R@dier:

Man, one shouldn't try to write analysis of issues at 2:00 AM after getting very little sleep for a couple of days. Reading my last post after a few hours sleep, I wonder how I could have written "00A60019-00A6005C and/or 00A10671 and 00A10019" were within the code range of "00401000 to 00499000." Somehow, even though I typed 00A1 or 00A6, my tired brain read them as 0041 and 0046. (No excuse sir, hadn't even had anything to drink.)

That said, I've made sure my exceptions were set the same as yours, either with or without the other exceptions marked besides the "ignore" kernel32. I'd had the kernel32 box checked already. Using your "search," I easily located the two calls and BP'd on that location, continued pressing SHIFT+F9 until it broke there. Then, just for a test, I moved up in the display and put a BP on 00A10019 (recognizing, this time, it was actually an "A" and not a "4") and went back to pressing SHIFT+F9 (without NOPing the Call you indicated) just to see if the program would break in what we all knew should have been the "last" exception. I still never reached it.

For some reason, I'm still ending up at 00A111D3 and the routine which leads to the error message, even though I'm still using exactly the same method of attack which worked perfectly on a couple of other ASPR targets. In case it was something you didn't mention, the only plugins I have installed at the moment are the command line and bar, hide debugger, and Ollydump, although, at the moment I don't see why that would make a difference. As soon as I get a chance, I'll try Britedream's new script and/or single stepping from that Call to see if I can find where it goes "wrong".

As I said before, for me the "strange" thing here is that at the moment my tracing is getting misdirected by something I haven't figured out yet. I knew what the last exception was supposed to look like and can even find it in the code. I just haven't yet been able to make my Olly get there. But, after all, trying to solve these challenges is why we do this in the first place.

Thanks for the information. It confirms there is something "strange" going on in my setup that you all are not experiencing.

Regards,
__________________
JMI
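The question JMI and britedream go back and forth on above, whether an exception address such as 00A10019 or 00A60019 falls inside the .code section that OllyDbg's Memory Map lists at 00401000 with size 00098000, comes down to reading the PE section table and comparing page-rounded virtual ranges. The following script is an added example, not code posted by anyone in this thread: it builds a constructed PE32 header (only the .code address and size are taken from the thread; the .data and .idata entries are made up), parses the section table back out, and classifies the addresses quoted in the posts. Addresses that land in no section were not mapped from the image file, which is the usual sign that the protector's own code, allocated at run time, is raising the exception.

```python
import struct

# Section header layout from the PE/COFF spec (40 bytes each).
SECTION_FMT = "<8sIIIIIIHHI"
COFF_FMT = "<HHIIIHH"          # Machine .. Characteristics (20 bytes)
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def build_sample_pe(image_base, section_alignment, sections):
    """Build a minimal PE32 header with the given section table.
    Constructed sample for this example; it is not a dump of the thread's target."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224                                   # PE32 optional header size
    coff = struct.pack(COFF_FMT, 0x014C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # Magic: PE32
    struct.pack_into("<I", opt, 28, image_base)      # ImageBase
    struct.pack_into("<I", opt, 32, section_alignment)
    table = b"".join(
        struct.pack(SECTION_FMT, name.encode("ascii").ljust(8, b"\0"),
                    vsize, va, 0, 0, 0, 0, 0, 0, flags)
        for name, va, vsize, flags in sections)
    return dos_header + b"PE\0\0" + coff + bytes(opt) + table


def parse_sections(data):
    """Return (image_base, [section dicts]) with page-rounded virtual ranges."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff_off)
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                               # PE32
        image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    elif magic == 0x20B:                             # PE32+
        image_base = struct.unpack_from("<Q", data, opt_off + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    align = struct.unpack_from("<I", data, opt_off + 32)[0] or 0x1000
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsec):
        fields = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
        name, vsize, va, flags = fields[0], fields[1], fields[2], fields[9]
        # The loader maps whole pages, so VirtualSize is rounded up to
        # SectionAlignment; that rounded value is the "Size" OllyDbg's Memory Map shows.
        mapped = (vsize + align - 1) // align * align
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii"),
            "start": image_base + va,
            "end": image_base + va + mapped,
            "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
        })
    return image_base, sections


def locate(address, sections):
    """Name of the image section containing address, or None when the address
    lies in no file-backed section (headers, or memory allocated at run time)."""
    for s in sections:
        if s["start"] <= address < s["end"]:
            return s["name"]
    return None


# Constructed section table: .code matches the Memory Map values quoted in the
# thread (Address=00401000, Size=00098000); .data and .idata are made up.
SAMPLE_PE = build_sample_pe(0x00400000, 0x1000, [
    (".code", 0x00001000, 0x00098000, 0x60000020),
    (".data", 0x00099000, 0x00004000, 0xC0000040),
    (".idata", 0x0009D000, 0x00001000, 0xC0000040),
])


def classify(addresses, data=SAMPLE_PE):
    """Map each address to its section name or 'not in any section'."""
    _, sections = parse_sections(data)
    return {hex(a): (locate(a, sections) or "not in any section") for a in addresses}


if __name__ == "__main__":
    # Addresses quoted in the thread: the exception sites in 00A1xxxx/00A6xxxx
    # and the two OEP candidates 0047CB16 and 0047ED5F.
    for addr, where in classify([0x00A60019, 0x00A10671, 0x00A10019,
                                 0x00A111D3, 0x0047CB16, 0x0047ED5F]).items():
        print(f"{addr:>10}  {where}")
```

Run against a real file you would replace SAMPLE_PE with the bytes read from disk; the parser only needs the headers, so reading the first few kilobytes is enough. The rounding to SectionAlignment is the detail that makes the computed end (00499000) agree with the debugger's Memory Map rather than with the raw VirtualSize field.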
  #9  
Old 04-29-2004, 18:15
SvensK
 
Posts: n/a
Unpacks ok here as well with Olly 1.10c.
Made a small bytechange to be able to register with any name/serial.
Lemme know if you need cracking help later on.
All times are GMT +8.