
Thread: Aspr - Aspack double pack? :)

  1. #1
    kandinsky
    Guest

    Aspr - Aspack double pack? :)

    Hi Freaks,


    I'm trying to unpack an aspr target...

    The problem is, I cannot GET THE FUCKING OEP...

    The loader causes a runtime error and it's the first target where I cannot find the correct OEP.

    PEiD doesn't report the correct OEP and although it's a Delphi target I cannot even get the OEP with DeDe...

    It might be double packed with aspack or I am just too lame.

    See.ya

    ***.webextractor.com
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    There are about 5224 threads discussing this topic.
    Search the forum.

    Paste the code, show what you have done, make some effort.
    esther


    Reverse the code,Reverse Your Minds First

  3. #3
    kandinsky
    Guest
    Well,

    Anyway, I am not able to find the correct OEP.

    I tried IceDump too..

    Loader, IceDump, OEP finder, hm, searched for bytes in memory, bla bla bla...

    I cannot verify a correct OEP, because none of the OEP finders is working, and with IceDump I cannot achieve it either...

    Well, maybe it's just a fucking multi-dip software....

    I will buy the software.

    Congrats Alexey

  4. #4
    nofurs
    Guest
    Very good, support software authors.

  5. #5
    hobgoblin
    Registered User (Norway, joined Oct 2001, 138 posts)

    Don't give up.

    Hi there,
    Don't give up.
    This is actually fairly easy. This is how I did it:
    I only used SoftICE and IceDump.
    a) bpx getversion. When SICE breaks, disable the bpx, do a search for the byte sequence 5B,EB,CE,61 (this is at the end of a call where Aspr builds the import table, but that's not important here). Put a bpmb xxxxxxxx x on the location you find. When SICE breaks there, disable the breakpoint, and put a new one on the third ret instruction below the location you broke at. When SICE breaks, disable the breakpoint.
    b) Use the tracex function in IceDump. Tracex will break 3 times at dips, then it goes into a leeeengthy loop. (You may step over it using a breakpoint.) After that tracex breaks once more, and that's at the OEP.
    Now, this is the latest(?) version from Alexey, so the first few bytes are actually executed while still in the high memory area. Check the value stored in ecx. That's the location of the jump instruction in the high memory area to the OEP. If you look at what's stored in the ebx register, that's the number of bytes executed before the program jumps from the high memory to where you are right now. If you dump the number of bytes you see in ebx, from the instruction before the one pointed to by ecx, and upwards, you have the missing bytes you have to paste into your dumped program to make it work. Now all you have to do is to adjust the OEP.

    Hope this helps..

    regards,
    hobgoblin

  6. #6
    foxthree
    Guest

    Hob beat me to it :(

    Yo:

    Hob good one!

    Kandinsky:

    There is an easier method. Search the board for tips. This is the newest strain of ASPR started by Hob himself XXC2C8 == HINT!

    Signed,
    -- FoxThree

  7. #7
    TheSearcher
    Guest
    Hiya,

    The latest I think is ATC. Try it out, have fun.

    Additional information:
    Look at the post salsa dump problem
    Last edited by TheSearcher; November 5th, 2002 at 17:43.

  8. #8
    hobgoblin
    Registered User (Norway, joined Oct 2001, 138 posts)

    ATC??

    What is ATC??

    hobgoblin

    Forget it. Found it out...

  9. #9
    foxthree
    Guest

    Watch out :)

    Hiya Hob:

    The Infamous ATC.... You're going to have some phun indeed, Hob

    Signed,
    -- FoxThree

  10. #10
    **********************************************
    Hi Freaks,

    I'm trying to unpack an aspr target...

    The problem is, I cannot GET THE FUCKING OEP...

    The loader causes a runtime error and it's the first target where I cannot find the correct OEP.

    PEiD doesn't report the correct OEP and although it's a Delphi target I cannot even get the OEP with DeDe...

    It might be double packed with aspack or I am just too lame.
    **********************************************

    Hmm, what is "Freaks" supposed to mean?

    I do share Kayaker's sentiments from a few months ago, when he complained about excessive posts/threads concerning AsProtect discussing the same thing over and over again... No matter how well discussed the topic already is, there is always some newcomer who starts a new thread without searching the board...

    Resigned,
    crUsAdEr

  11. #11
    kandinsky
    Guest

    Thanks

    Hi dudes,

    Well, I found a breakpoint with a search for 30,90,90,90,90,90,90,90 in WinHex too...


    In my case it was 0047c2c8... I thought it was wrong because in all cases at this breakpoint there is a call function and I was quite confused...

    So I will try out the way Hob describes to rip the bytes and include them in the unpacked version....

    Thanks for everything...

    See.ya

    BTW.: I regged the software

  12. #12
    kandinsky
    Guest

    Still problems

    Well,

    I still have problems... I found the correct OEP; in Win98 it's 0047c310 for me and in XP it's 0047c2c8...

    Everything worked fine, but I still get a runtime error when I try to run the unpacked version...

    Please explain again how I copy the bytes and which bytes I have to copy... Sorry, I didn't understand it...

    The ebx register holds the number of bytes to copy.. In this case it's 0c, but then?

    Thanks in advance...

    Kandinsky

  13. #13

    maybe late

    -
    Last edited by Zilot; November 20th, 2002 at 11:05.

  14. #14
    Hi Kandinsky !!!

    Maybe I'm too late with this reply, but if you still haven't unpacked it (or, worse, bought it), this is how I did it.

    OK, let's see: the entry in real code is 47C2C8, but it is not the OEP. The OEP is 47C2BC. Why? Because you have to "rebuild" the first several bytes embedded in the unpacker's routine.

    In your hex editor start from 47C2BC and fill it with the following sequence until you reach 47C2C8:

    55,8b,ec,83,c4,f4,53,b8,1c,c1,47,00

    Don't touch the CALL at 47C2C8.

    There are three dips before the OEP; bypass the 1st and 3rd (don't touch the 2nd, it is about the key file).

    Then about the IAT: this is my IAT with ImpREC.

    There were 2 unresolved APIs (after using plug-ins):

    GetModuleHandleA (C91369)

    LockResource (C913F4)

    After dumpfixing everything should be OK, but only for running; this is not the END yet, because there is SIZE checking at 4747D4: replace the 'jl' at 4747D6 with a jump.

    And at the end there is one more thing: when you try to close the program there will be a screen about a runtime error. It is because of some pointer checking at 403764; just put two nops instead of the jz.

    OK, but this is not the end of this agony: you cannot save more than A (hex) extracted e-mails from the site. Try to do it by yourself, it shouldn't be complicated.

    Regards

    Soldat

    PS: There is one golden rule: don't buy something you can't touch, because all the most beautiful things in life are free and intangible.
    Last edited by Zilot; November 20th, 2002 at 12:36.
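    The stolen-bytes repair that hobgoblin describes in #5 and Soldat spells out in #14, as an added example (this is not code from the thread or from any poster): a Python script that maps the OEP virtual address to a file offset through the dumped PE's section table and writes the quoted 12-byte Delphi prologue there, checking that the byte count exactly fills the gap up to the CALL at 47C2C8 (the thread's ebx = 0C) so that instruction is left intact. The minimal one-section PE image it builds is constructed only so the script runs offline; the image base 0x400000, the section layout and the placeholder contents of the dump are assumptions.

```python
import struct

# Values quoted in the thread: the prologue ASProtect runs from its own memory
# before jumping to the CALL at 47C2C8 (push ebp / mov ebp,esp / add esp,-0C /
# push ebx / mov eax,0047C11C).
STOLEN_BYTES = bytes.fromhex("558bec83c4f453b81cc14700")
OEP_VA = 0x0047C2BC           # real OEP per post #14: where the rebuilt bytes start
FIRST_REAL_INSN_VA = 0x0047C2C8  # where the packer's jump lands (the CALL; keep intact)
IMAGE_BASE = 0x00400000       # assumption: default image base of the target


def parse_sections(pe):
    """Read the section table of a PE image into
    (name, virtual_address, virtual_size, raw_pointer, raw_size) tuples."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_hdr_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_hdr_size
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, va, vsize, rptr, rsize))
    return sections


def va_to_file_offset(sections, va, image_base=IMAGE_BASE):
    """Translate a virtual address into an offset inside the dumped file."""
    rva = va - image_base
    for _name, sva, vsize, rptr, rsize in sections:
        if sva <= rva < sva + max(vsize, rsize):
            return rptr + (rva - sva)
    raise ValueError("VA %#x is not inside any section" % va)


def patch_stolen_bytes(pe, oep_va, stolen, next_insn_va, image_base=IMAGE_BASE):
    """Write the stolen prologue at oep_va. The byte count must exactly fill
    the gap before next_insn_va, otherwise the real CALL would be clobbered."""
    gap = next_insn_va - oep_va
    if len(stolen) != gap:
        raise ValueError("have %d stolen bytes but the gap before %#x is %d"
                         % (len(stolen), next_insn_va, gap))
    off = va_to_file_offset(parse_sections(pe), oep_va, image_base)
    out = bytearray(pe)
    out[off:off + gap] = stolen
    return bytes(out)


def build_sample_dump():
    """Constructed minimal PE32 with one .text section covering the OEP, standing
    in for a dump taken after the unpacker finished. Not a real program."""
    sec_rva, raw_ptr, raw_size = 0x7C000, 0x400, 0x1000
    img = bytearray(raw_ptr + raw_size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                        # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    # COFF header: i386, 1 section, optional header size 0xE0
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x10F)
    struct.pack_into("<H", img, 0x98, 0x10B)                       # PE32 magic
    struct.pack_into("<I", img, 0x98 + 28, IMAGE_BASE)             # ImageBase
    sec = 0x98 + 0xE0                                              # section table
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, raw_size, sec_rva, raw_size, raw_ptr)
    # In the dump the 12 stolen bytes are junk (INT3 here); the CALL at 47C2C8 is real.
    oep_off = raw_ptr + (OEP_VA - IMAGE_BASE - sec_rva)
    img[oep_off:oep_off + 12] = b"\xCC" * 12
    img[oep_off + 12] = 0xE8                                       # CALL rel32 opcode
    return bytes(img)


if __name__ == "__main__":
    dump = build_sample_dump()
    fixed = patch_stolen_bytes(dump, OEP_VA, STOLEN_BYTES, FIRST_REAL_INSN_VA)
    off = va_to_file_offset(parse_sections(fixed), OEP_VA)
    print("patched %d bytes at file offset %#x; next opcode %02X"
          % (len(STOLEN_BYTES), off, fixed[off + len(STOLEN_BYTES)]))
```

    On a real dump you would read the file into `pe`, pass the OEP and the stolen bytes recovered in the debugger, write the result back out and then set the PE entry point to the OEP; the gap check is what tells you whether the byte count you dumped (ebx) really matches the distance to the instruction the packer jumps to.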

  15. #15
    Paul333
    Guest
    This is way above me!!... Does something like the above take you all night or 10 mins??... Is it hard work... sounds like it.

    paul333
