Tutorial: How to unpack ASProtect 1.23 using VEH


MegaByte (Full Member, joined May 11, 2016):
A Win32 target executable is packed with ASProtect, identified by PEiD v0.95 as "ASProtect 1.23 RC4 - 1.3.08.24 -> Alexey Solodovnikov".

From reading Loaders.asprotect1.pdf by Shub-Nigurrath & ThunderPwr on making a loader, I managed to detect when the executable was unpacked in memory and ready for my hooks and patches.

There were problems just using Sleep(1000), as I wanted to hook / modify things early on, before the main init method of the target executable.
I needed to get right up in there ASAP.

If you have done any manual unpacking you might have noticed a common trend for some packers: count the number of exceptions fired and handled by the application upon initial startup.
That worked nicely to identify the one I wanted, but on some operating systems there were more or fewer exceptions. DOH.

But it turns out there was a common pattern to look for on the particular exception wanted.

A PUSH 0C after the exception.

Now, I used C / C++ for this, but you could use whatever language, as long as it can do VEH (Vectored Exception Handling) in the process's memory space.
I did that via a DLL.
The target process is started with arguments, but in a suspended state.
The DLL is then injected and the main thread resumed.

See MSDN or Google for more info on VEH (or check the forums).
Basically, your method gets fired whenever an unhandled exception is thrown.

C++:
#include "stdafx.h"              // pulls in <windows.h>, see the stdafx.h snippet at the end

PVOID hVEH = NULL;                       // AddVectoredExceptionHandler returns a PVOID, not a HANDLE
volatile bool isGameUnpacked = false;    // written on the game's thread, polled from the DLL's init thread

// Named to avoid clashing with the Win32 API function UnhandledExceptionFilter() declared in <winbase.h>.
LONG WINAPI AsprotectVectoredHandler(EXCEPTION_POINTERS *pExceptionInfo)
{
    // 32-bit target, so the faulting instruction pointer is Eip.
    BYTE* oData = (BYTE*)pExceptionInfo->ContextRecord->Eip;

    // We know the game is unpacked when the exception has a PUSH 0C (6A 0C) after it.
    // This just seems to be the way it is for ASProtect. See Tuts4You Loaders.asprotect1.pdf
    // Only peek at oData[19..20] if those bytes are committed and readable: a fault raised
    // inside a VEH re-enters the handler.
    MEMORY_BASIC_INFORMATION mbi;
    bool readable = VirtualQuery(oData, &mbi, sizeof(mbi)) != 0
                 && mbi.State == MEM_COMMIT
                 && !(mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD))
                 && (BYTE*)mbi.BaseAddress + mbi.RegionSize >= oData + 21;

    if (!isGameUnpacked && readable && oData[19] == 0x6A && oData[20] == 0x0C)
    {
        // Game is unpacked in memory and memory security check is done.
        // Apply any time critical detours here eg on Init Method.
        // .............

        isGameUnpacked = true;
    }

    // We are not the intended handler of this exception, so let ASProtect's own handler see it.
    return EXCEPTION_CONTINUE_SEARCH;
}

In the Initialize method of the DLL.

C++:
static HWND mainhWnd = NULL;   // owner window for the message boxes; NULL is fine if the DLL has none

// Registers our vectored exception handler which is going to catch the exceptions thrown.
// 1 = call it first, before any other vectored handler.
hVEH = AddVectoredExceptionHandler(1, &AsprotectVectoredHandler);
if (hVEH == NULL)
{
    MessageBoxA(mainhWnd, "CLIENT::Error with Adding VEH.", "DLL ERROR", MB_OK | MB_APPLMODAL);
    return 0;
}

// Wait roughly a minute. If the game is not unpacked in memory by this time then something
// else may be wrong and more debug would be required etc...
// The timeout is measured with GetTickCount64 rather than by counting Sleep(1) calls:
// Sleep(1) sleeps for at least one scheduler tick (often ~15 ms), so 60000 iterations
// would be far longer than a minute.
ULONGLONG startTick = GetTickCount64();
while (!isGameUnpacked)
{
    if (GetTickCount64() - startTick > 60000)
    {
        // Roughly 1 minute.
        // Unable to detect unpacked game code.
        // Remove our vectored exception handler, it has done its job.
        RemoveVectoredExceptionHandler(hVEH);
        MessageBoxA(mainhWnd, "CLIENT::TIMEOUT 1 ENCOUNTERED.", "DEBUG", MB_OK | MB_APPLMODAL);
        ExitProcess(1);
    }

    Sleep(1);
}

// Remove our vectored exception handler, it has done its job.
RemoveVectoredExceptionHandler(hVEH);

// Unpacked in memory finally.
If it is of interest, I used the following in my stdafx.h:

C++:
#define WIN32_LEAN_AND_MEAN             // Exclude rarely-used stuff from Windows headers
#define WIN32_EXTRA_LEAN                // New, reduced-fat recipe :D
#include <windows.h>
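An added example, not code from the post above or from Loaders.asprotect1.pdf, that separates the byte-pattern test from the Win32 plumbing so the detection logic can be unit-tested off the target. LooksLikeUnpackedEntry applies the post's signature (PUSH 0C, i.e. 6A 0C, at EIP+19) only inside a bounds-checked window; ExceptionTally records which exception codes the packer threw without allocating, which is what you want to dump when the one-minute timeout fires on an OS where the count differs; the _WIN32 part wires both into a vectored handler that signals an event so the DLL's init thread blocks instead of polling. The offset 19 and the 6A 0C bytes are the post's; the function and type names, the UnpackSignature parameterisation, the 16-entry tally limit, and the Rip fallback for 64-bit builds are mine.

```cpp
// Added example (not the post's code): portable detector + tally, Win32 VEH behind _WIN32.
#include <cstddef>
#include <cstdint>

// The post's signature: the wanted exception is followed, 19 bytes after the
// faulting EIP, by PUSH 0C (6A 0C). Parameterised so another offset/operand can
// be tried without touching the handler (assumption: that is all that changes).
struct UnpackSignature {
    std::size_t  offset;   // distance from the faulting EIP to the PUSH opcode
    std::uint8_t imm8;     // the PUSH imm8 operand expected after 0x6A
};
static const UnpackSignature kAsprotect123 = { 19, 0x0C };

// True only if both signature bytes lie inside the 'avail' readable bytes at
// 'code'. Reading past a mapped region from inside a VEH raises a nested
// exception that re-enters the handler, so this check is not optional.
bool LooksLikeUnpackedEntry(const std::uint8_t* code, std::size_t avail,
                            const UnpackSignature& sig = kAsprotect123)
{
    if (code == nullptr || avail < sig.offset + 2) return false;
    return code[sig.offset] == 0x6A && code[sig.offset + 1] == sig.imm8;
}

// Per-code count of what the packer threw. Allocation-free on purpose: a VEH
// may run while the faulting thread holds the heap lock. Diagnostics only; the
// post's point is that the raw count differs between Windows versions.
class ExceptionTally {
public:
    void Record(std::uint32_t code) {
        ++total_;
        for (std::size_t i = 0; i < used_; ++i)
            if (codes_[i] == code) { ++counts_[i]; return; }
        if (used_ < kMax) { codes_[used_] = code; counts_[used_] = 1; ++used_; }
    }
    std::size_t CountOf(std::uint32_t code) const {
        for (std::size_t i = 0; i < used_; ++i)
            if (codes_[i] == code) return counts_[i];
        return 0;
    }
    std::size_t Total() const { return total_; }
    std::size_t Distinct() const { return used_; }
private:
    static const std::size_t kMax = 16;   // distinct codes tracked; overflow still counts in Total()
    std::uint32_t codes_[kMax] = {};
    std::size_t   counts_[kMax] = {};
    std::size_t   used_ = 0;
    std::size_t   total_ = 0;
};

#ifdef _WIN32
#define WIN32_LEAN_AND_MEAN
#include <windows.h>

static volatile LONG  g_unpacked = 0;        // set once, on the game's thread
static HANDLE         g_unpackedEvent = NULL;
static ExceptionTally g_tally;

// Bytes readable from p without leaving the committed region p belongs to.
static std::size_t ReadableBytesFrom(const void* p)
{
    MEMORY_BASIC_INFORMATION mbi;
    if (VirtualQuery(p, &mbi, sizeof(mbi)) == 0 || mbi.State != MEM_COMMIT) return 0;
    if (mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD)) return 0;
    const std::uint8_t* end = static_cast<const std::uint8_t*>(mbi.BaseAddress) + mbi.RegionSize;
    return static_cast<std::size_t>(end - static_cast<const std::uint8_t*>(p));
}

static LONG WINAPI AsprotectUnpackHandler(EXCEPTION_POINTERS* info)
{
    g_tally.Record(info->ExceptionRecord->ExceptionCode);
#if defined(_M_IX86) || defined(__i386__)
    const std::uint8_t* ip = reinterpret_cast<const std::uint8_t*>(info->ContextRecord->Eip);
#else
    const std::uint8_t* ip = reinterpret_cast<const std::uint8_t*>(info->ContextRecord->Rip);
#endif
    if (g_unpacked == 0 && LooksLikeUnpackedEntry(ip, ReadableBytesFrom(ip))) {
        // Target is unpacked and has not reached its init yet: place detours here.
        InterlockedExchange(&g_unpacked, 1);
        SetEvent(g_unpackedEvent);
    }
    return EXCEPTION_CONTINUE_SEARCH;   // ASProtect's own handler still needs to see it
}

// Run from the DLL's init thread after injection: register, block until the
// signature is seen or timeoutMs elapses, then unregister. No Sleep(1) polling.
bool WaitForUnpack(DWORD timeoutMs)
{
    g_unpackedEvent = CreateEventA(NULL, TRUE, FALSE, NULL);
    if (g_unpackedEvent == NULL) return false;
    PVOID veh = AddVectoredExceptionHandler(1, AsprotectUnpackHandler);
    bool ok = veh != NULL && WaitForSingleObject(g_unpackedEvent, timeoutMs) == WAIT_OBJECT_0;
    if (veh != NULL) RemoveVectoredExceptionHandler(veh);
    CloseHandle(g_unpackedEvent);
    g_unpackedEvent = NULL;
    return ok;   // false: dump g_tally.Total()/CountOf(...) to see what this OS actually threw
}
#endif
```

On the target, call WaitForUnpack(60000) where the post spins on isGameUnpacked; when it returns false, the tally tells you which exception codes the packer raised on that machine, which is the information the post says varies by OS. The handler returns EXCEPTION_CONTINUE_SEARCH unconditionally, matching the post: it is an observer, not the owner of ASProtect's exceptions.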
 

Rake (Administrator, joined Jan 21, 2014):
This AsProtect unpacking tutorial was like a breath of fresh air when I read it
 

mambda (Escobar Tier VIP, joined Jun 25, 2014):
C++:
if (isGameUnpacked == false && oData[19] == 0x6A && oData[20] == 0x0C)
{
    // Game is unpacked in memory and memory security check is done.
    // Apply any time critical detours here eg on Init Method.
    // .............

    isGameUnpacked = true;
    return EXCEPTION_CONTINUE_SEARCH;
}
You shouldn't continue search after what you want to happen is over; at this point you should just allow it to continue execution, if all it's doing is pushing things for a function call immediately after. Other than that, neat stuff mate.
 

MegaByte (Full Member, joined May 11, 2016):
From memory, I had to let it continue searching because I was not the intended handler of the exception.

AddVectoredExceptionHandler( FirstHandler, VectoredHandler )

https://msdn.microsoft.com/en-us/library/windows/desktop/ms679274(v=vs.85).aspx

FirstHandler [in]
The order in which the handler should be called. If the parameter is nonzero, the handler is the first handler to be called. If the parameter is zero, the handler is the last handler to be called.
But I could be wrong :)

Cheers
 