______ __ ______ __
| |.----.---.-.----.| |--.--.--.--.---.-.----.-----. |__ | |--.
| ---|| _| _ | __|| <| | | | _ | _| -__| | __| <
|______||__| |___._|____||__|__|________|___._|__| |_____| |______|__|__|
proudly presents
Proactive System Password Recovery 4.0.9
how to use:
0. Download & install Proactive System Password Recovery 4.0.9 from:
http://www.elcomsoft.com/pspr.html
1. copy pspr.exe into 'Proactive System Password Recovery' dir
(and overwrite the original one)
2. Enjoy.
To provide standalone functionality I include awprhook.dll, esil.dll, awprserv.dll
inside that zip, which only makes it 88 KB bigger - but now ppa.exe will run without an
installation of Proactive System Password Recovery (PSPR).
However, PSPR includes a password dictionary and help file which aren't included.
Improvements:
The programmer left some backdoor key combos to get around the limitation.
Well, for this pspr.exe you don't need them anymore, but anyway it's good
to know the cheat keys. It's likely that they will still be there in the
next version, and if you don't have a crack they might come in handy.
Recovered hashes
SAM database editor -> OK button unlocked
(Hold Alt+Ctrl+Shift when clicking on the link or the OK button to override demo restrictions.)
Recovered hashes
Get SYSTEM privileges -> Link visible
(There are no keys to skip)
Domain cached credentials
When you right-click on an item -> 'Change Password' appears
(Hold Shift when right-clicking)
Revelation
Behind asterisks -> get HTML source in manual mode enable
(Hold Shift when dragging the icon onto a window)
You are allowed to run more than one instance of the program.
Contact: [email protected]
------------------------------------------------------------------------
Technotes
1. Get SYSTEM privileges QXdwckNoZWF0QWJvdXRNZQ//
2. get HTML source QXdwckNoZWF0RG9tYWluQ3JlZGVudGlhbHM/
3. SAM database editor QXdwckNoZWF0U2FtRWRpdG9y
4. Domain credentials QXdwckNoZWF0SHRtbFNvdXJjZQ//
5. Logo in aboutbox QXdwckNoZWF0SGFzaExpbms/
Proactive System Password Recovery (PSPR; formerly Advanced Windows Password Recovery)
Advanced Windows Password Recovery 3.5.1.390 WDPR-4URK-SV9Y-ETFW-QJDFE-ABKN-VFFRA
oep: IDT:
00139471 0015B000
00539471 0055B000...858
Security envelope: ASProtect SKE 2.11
ASPR Tricks:
0. Set breakpoints on LoadLibrary at the end (at the Ret) and not at the beginning,
or they will cause trouble, like getting an int3 when copied, detected or skipped.
1. Uses GetCurrentProcessId and hardcodes the PID into the polymorphic code it produces.
The PID is stored in the thread info block at the end of user memory (here 7FFDD000).
That's all GetCurrentProcessId does:
FS:Get 20 GetCurrentProcessId
00E50000 64:A1 18000000 MOV EAX, [FS:18]
00E50006 8B40 20 MOV EAX, [EAX+20]
The TIB (thread Info block)
7FFDD000 0012FFE0 (Pointer to SEH chain)
7FFDD004 00130000 (Top of thread's stack)
7FFDD008 0012D000 (Bottom of thread's stack)
7FFDD00C 00000000
7FFDD010 00001E00
7FFDD014 00000000
7FFDD018 7FFDD000 <- FS:18 pointer on self
7FFDD01C 00000000
7FFDD020 00000F0C <- EAX+20 = ProcessID (PID)
7FFDD024 000022E0 (Thread ID)
7FFDD028 00000000
7FFDD02C 00000000 (Pointer to Thread Local Storage)
7FFDD030 7FFDE000
7FFDD034 00000006 (Last error = ERROR_INVALID_HANDLE)
so you need to fix the PID,
for example like this (if the PID is 021f):
mov eax, 021f
Ret
before you can dump the exe together with the Aspr code from memory.
2. ASPR detects breakpoints on a range like bpmr 401000 15b000 via
kernel32.VirtualQuery. So if you've set a bpmr to easily find the OEP,
also set a breakpoint on VirtualQuery and keep an eye on the return values.
3. Self-checks inside the ASPR code: avoid normal CC breakpoints - use hardware bpx
instead. To disable those, copy the original aspr code to another memory location
and redirect the pointers to it. So it will not check the actual code
but still gets out the correct checksums.
4. To get around the file self-check after you've dumped it, let it check the
original instead of the real one: modify the return value of GetModuleFileName.
For example, if it's "\dumped.exe" change it to "\dumped.ex1" and copy
myapp.exe -> dumped.ex1
imports made by aspr
00C7B9D0 kernel32.GetProcAddress
00C7B9D4 kernel32.LoadLibraryA
00C7B9D8 kernel32.MapViewOfFile
00C7B9DC kernel32.FindResourceA
00C7B9E0 kernel32.IsBadReadPtr
00C7B9E4 kernel32.UnmapViewOfFile
00C7B9E8 kernel32.CloseHandle
00C7B9EC kernel32.CreateFileMappingA
00C7B9F0 kernel32.CreateFileA
00C7B9F4 kernel32.IsDebuggerPresent
00C7B9F8 kernel32.GetSystemTime
00C7B9FC kernel32.VirtualAlloc
00C7BA00 kernel32.VirtualFree
00C7BA04 kernel32.GetCurrentProcessId
API-Log
Log data
...
7C801D77 CALL to LoadLibraryA from 00C778C3
FileName = "OLEAUT32.dll"
7C801D77 CALL to LoadLibraryA from 00C778C3
FileName = "OLEAUT32.dll"
7C801D77 CALL to LoadLibraryA from 00C778C3
FileName = "OLEAUT32.dll"
00C6A0F5 Access violation when writing to [00000000]
7C80994E CALL to GetCurrentProcessId from 00C6A1F9
00C6A383 Access violation when writing to [00000000]
00C6A53B Access violation when writing to [00000000]
00C6A6F1 Access violation when writing to [00000000]
00C6A7CE Access violation when writing to [00000000]
00C6C8DE Access violation when writing to [00000000]
7C801A24 CALL to CreateFileA from 00C61607
FileName = "\\.\Scsi0:"
Access = GENERIC_READ|GENERIC_WRITE
ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
pSecurity = NULL
Mode = OPEN_EXISTING
Attributes = 0
hTemplateFile = NULL
00C6CA6A Access violation when writing to [00000000]
7C80994E CALL to GetCurrentProcessId from 00C6AC2B
00C6CC28 Access violation when writing to [00000000]
00C6D03A Access violation when writing to [00000000]
00C6D50F Access violation when writing to [00000000]
00C6D6E1 Access violation when writing to [00000000]
00C6956F Access violation when writing to [00000000]
00C6AF46 Access violation when writing to [00000000]
00539471 Hardware breakpoint 4 at
***************** Deobfuscation ************
In the polymorphic code creator there is some hard-coded flag,
something like mov dl,01, that enables/disables
junk code and obfuscation...
0
4 addr
8 ObjNewAdr
c
10 junk math
11 junk jmps
12
13
14 Objoldadr
18 ObjCounter
1c
1D
if 11,12,13=0 and 14=-1 then selfmod
eax+13 = 00
eax+11 = 00 -> no junk ! is normally 1
eax+12 = 00
eax+14 = dw -1
**** Finding OEP ***
bp on CreateFileA or VirtualQuery
bpr 401000 {a0000} <- BP on range of the .text section
(in OllyDbg open the memory window, select .text, press F2.)
*** rebuilding Imports ***
write a script:
1. inside the Aspr redirector call, set a bp when the API is resolved,
write the resolved API over the aspr call and return
2. scan the whole .text section for redirected API calls (Call ea0000) and execute it
*** my OllyScript's ***
Note: except for 'ASProtect 2.0 OEP-finder.txt', which runs well,
the others will need some manual adaptation.
After I downloaded some ASProtect 2.0 scripts I saw:
understanding a script is often harder and more time-consuming than
writing your own. So if you feel confused, I really advise you to write your own script.
Use the 'osc' command on the command line to run a script, which is faster than
starting it from the plugin menu every time.
ASProtect 2.0 OEP-finder.txt >>>
// Script for OllyScript plugin by CW2K - http://ollyscript.apsvans.com
/*
* =========================================================
* ASProtect 2.0 OEP-finder script
* Author: CW2K
*
* note: ignore all exceptions and clear all breakpoints
* This script depends on API's:
* -CreateFileA(\\SCSI) - ASPR calls to get HD identification
* -VirtualQuery - ASPR calls to detect Memory Breakpoint on Range
*  VirtualQuery is only called if OEP-Protection is enabled
*
* NOTE(review): the two scripts pulled in via #inc below both define the
* labels loop/continue/done/found1 and the vars reladr/bytedata/ASPRCall/
* oldIP; confirm how the plugin treats duplicate labels if both are run.
* =========================================================
*/
log "Storing CODEBASE & CODESIZE for use in 'Memory Breakpoint on Range' later"
var cbase
gmi eip, CODEBASE // cbase = base of the code section that holds eip
mov cbase, $RESULT
var csize
gmi eip, CODESIZE // csize = size of that section
mov csize, $RESULT
//---------------------------------------------------------
log "Set one-shot BPX on end(Ret 001c) of CreateFileA (used to get HD-serial)..."
gpa "CreateFileA","kernel32.dll"
find $RESULT,#C21C00# // C2 1C 00 = RET 1C, the function's exit
log $RESULT
go $RESULT
log "Setting Memory Breakpoint on Range"
log cbase
log csize
bprm cbase, csize
log "Set one-shot BPX VirtualQuery..."
gpa "VirtualQuery","kernel32.dll"
go $RESULT
// Decide which breakpoint hit: the bprm on the code range (OEP) or the VirtualQuery BPX
// NOTE(review): only eip < cbase+csize is tested; eip >= cbase is assumed
var tmp
mov tmp,cbase
add tmp,csize
cmp eip,tmp
jb OEP-Found
// it's VirtualQuery...
log "BPX VirtualQuery Triggered! Temporary disabling bpmr to aviod detection..."
bpmc
rtr // = Run Till Return
sto // exit VirtualQuery
rtr
sto // exit ASPR bprm-detect
rtr // exit ASPR pointer init call
sto
log "Restoring Memory Breakpoint on Range"
bprm cbase, csize
run
run // for some strange reason the second run is necessary
OEP-Found:
bpmc
cmt eip, "OEP found with CW2K's ASProtect 2.0 script"
msgyn "Continue and rebuild redirected API's?"
cmp $RESULT,1
jne Norebuild
// the included script is listed further down in this document
#inc "ASProtect 2.0 Rebuild.txt"
Norebuild:
msgyn "Continue and decrypt ASPR-chunk's?"
cmp $RESULT,1
jne Nodecrypt
msg "Execute code manually till filecheck to init Decryptionkey - then resume script."
pause
// the included script is listed further down in this document
#inc "ASProtect 2.0 decrypt.txt"
Nodecrypt:
ret
ASProtect 2.0 Rebuild.txt >>>
// find all redirected Calls ('call EA0000')
// NOTE(review): ASPRCall (EA0000), ImportStart/ImportEnd (55B000-55DA00) and the
// 'go' targets 00C76255 / 00C762B7 / 00C762C2 are hard-coded for this particular
// build and load address ("Fix Offset!!!" below); they will not match any other binary.
// NOTE(review): 'count' is first declared on the found1 path, so when no call
// matches at all, the eval at done: references a variable that was never declared -
// confirm how the plugin handles that. 'bytedata' is declared but never used.
//#log
var reladr
var bytedata
var ASPRCall
mov ASPRCall, EA0000
VAR ImportStart
mov ImportStart, 55B000
VAR ImportEnd
mov ImportEnd, 55DA00
var oldIP
mov oldIP,eip
var i
// reladr (computed in the loop) is the rel32 a 5-byte E8 call located at $RESULT
// would carry to reach ASPRCall; the -5 accounts for the call being relative to its end
sub ASPRCall,5
GMI eip, CODEBASE
loop:
find $RESULT, #E8??????00#
cmp $RESULT,0
je done
mov reladr,ASPRCall
sub reladr,$RESULT
// log adr
// log reladr
inc $RESULT
cmp [$RESULT], reladr
je found1
continue:
jmp loop
done:
eval "Done! - {count} API's fixed."
log $RESULT
mov eip,oldIP
jmp end2
// Recover Call
found1:
mov i,$RESULT
var count
inc count
dec i
// log i
mov eip,i
//----------------------------------------
// Break into Asprotect 2.0 Advance Import redirecting proc
// map
// MainExe
// ...
// call Ea000...
// callC7xxxx ....
// Call C76xxx
// Call Checksum
// Call 00C76255; getimportadr
go 00C76255 // Fix Offset!!!
// Show actual/found API start offset
//log eax
// find Offset in original IAT
var impadr
mov impadr,ImportStart
loop1:
cmp [impadr],eax
je found
add impadr,4
cmp impadr,ImportEnd
jb loop1
imp_not_found:
// NOTE(review): after the pause, execution falls through into found: with impadr == ImportEnd
log "imp_not_found"
pause
found:
// show found IAT Entry adress
//log impadr
//skip memchunk-part & get current call offset
//find eip, #8B45F8#
//mov eip, $RESULT
mov eip, 00C762B7
//8B45 F8 MOV EAX, [EBP-8]
//83E8 04 SUB EAX, 4
//8B55 F0 MOV EDX, [EBP-10]
//8910 MOV [EAX], EDX
//8B45 0C MOV EAX, [EBP+C]
//find eip, #8B450C#
//go $RESULT
go 00C762C2
var retvar
log edx
mov retvar,edx
// Fix import Call (edx: CALL [i])
// NOTE(review): FF15 + disp32 is 6 bytes but the matched E8 call is 5, so the
// byte after the original call is overwritten as well - confirm that is intended
mov [edx],#FF15#
add edx,2
mov [edx],impadr
go retvar
mov $RESULT,i
jmp continue
end2:
ret
ASProtect 2.0 decrypt.txt >>>
// find & decrypt all crypted codepart ('call 004FF370')
// NOTE(review): the call target 004FF370 and the key bytes in the search pattern
// (B9 50125A00 = MOV ECX,005A1250) are specific to this build; the snippet below
// says the key comes from the file-checksum proc, so it must be re-read per binary.
// NOTE(review): the labels loop/continue/done/found1 and vars reladr/bytedata/ASPRCall/
// oldIP duplicate those in 'ASProtect 2.0 Rebuild.txt'; 'i' and 'count' are declared
// only on the found1 path (and re-declared on every match), and bytedata is never used.
/*
Example code snippet
FF35 808C4000 PUSH [DWORD 408C80]
5A POP EDX
68 808C4000 PUSH 00408C80 <-Start of data
5A POP EDX
68 318D4000 PUSH 00408D31 <-End of data
58 POP EAX
8955 F4 MOV [EBP-C], EDX
2BC2 SUB EAX, EDX
8945 FC MOV [EBP-4], EAX
8B4D FC MOV ECX, [EBP-4]
51 PUSH ECX
8B55 F4 MOV EDX, [EBP-C]
52 PUSH EDX
B9 50125A00 MOV ECX, 005A1250 <- Decryptionkey - comes from filechecksumproc
E8 05670F00 CALL <004FF370>
8945 F0 MOV [EBP-10], EAX
837D F0 00 CMP [DWORD EBP-10], 0
7D 05 JGE SHORT 00408C79
E9 C3000000 JMP 00408D3C ;Skip enc data
B8 808C4000 MOV EAX, 00408C80 ;useless data start
EB 0B JMP SHORT 00408C8B
13FF ADC EDI, EDI
2A66 9E SUB AH, [ESI-62]
883D 99ACBFFF MOV [FFBFAC99], BH
2E:90 NOP ;useless data end
04 D2 ADD AL, 0D2 ;encrypted data...
51 PUSH ECX
*/
//#log
var reladr
var bytedata
var ASPRCall
mov ASPRCall, 004FF370
var oldIP
mov oldIP,eip
GMI eip, CODEBASE
// as in Rebuild.txt: reladr is the rel32 a 5-byte E8 call at $RESULT needs to reach ASPRCall
sub ASPRCall,5
loop:
//B9 50125A00 MOV ECX, 005A1250
find $RESULT, #B950125A00E8#
cmp $RESULT,0
je done
add $RESULT,5 // step over the 5-byte MOV ECX,imm32 to the E8 byte
mov reladr,ASPRCall
sub reladr,$RESULT
inc $RESULT
cmp [$RESULT], reladr
je found1
continue:
// sub $RESULT,5
jmp loop
done:
eval "Done! - {count} chunks fixed."
log $RESULT
mov eip,oldIP
jmp eof1
//------------------------
// Recover Call
found1:
var i
mov i,$RESULT
var count
inc count
var start
mov start,i
sub start,40
// FF35 0AD64100 PUSH [DWORD 41D60A]
// search forward from 40h bytes before the match for the PUSH [mem] / POP EDX that opens the snippet
find start, #FF35??????005a#
mov start,$RESULT
mov eip,start
var ende
mov ende, i
add ende, 4
// execute
sto
sto
sto
sto
var pre
mov pre,edx
sto
sto
var post
mov post,eax
go ende
var fixed
mov fixed,ende
log fixed
sub ende,start
fill start, ende, 90
mov [start],#33c040# // 33 C0 40 = XOR EAX,EAX / INC EAX
// NOTE(review): pre/post are edx/eax snapshots taken mid-snippet; the 7-byte back-off
// and the 12h-byte NOP fills are tuned to this exact code layout - TODO confirm per build
sub pre,7
fill pre, 12, 90
sub post,7
fill post, 12, 90
mov $RESULT,i
jmp continue
eof1: