Thread: Great piece of Software, Great Protection

  1. #1

    Great piece of Software, Great Protection

    Hi everybody,

    Ya, just downloaded a small program that will reveal Network and dial-up passwords on the Win platform from rixler(dot)com. It's shareware, packed, can detect breakpoints and checks the checksum of the program. When I put a bpx on some point it will show a messagebox saying PROTECTION ERROR: 1.
    I have tried my best to find the OEP of that program but cannot, and I think it is protected and coded by a NOT LAZY programmer... .
    Need a small hint for manual unpacking of that program.

    Still Newbie

  2. #2
    To crash or not to crash
    Join Date
    Dec 2001
    It's just an asprotected program. Search the board for asprotect and you'll find more on finding the OEP.

  3. #3



    Seems they are using an older version of Aspr...
    Wonder if they got a discount?


  4. #4

    On a similar note...

    I didn't want to start a new thread just for a similar question, but I have been looking at an ftp client from Now it looks like it's packed but I can't identify what with, with the usual tools such as PEiD and pe-scan.

    It also has a .sig file (not sure what generates this and can't find any info on it) and whenever the prog is modified or even viewed in a PE section editor, next time I try and run it it just quits saying 'self signature check failed'.

    I've managed to bpx on GetLocalTime and find where it pops up its nag, but without being able to get past this signature check I'm not sure what I can actually achieve.

    Version I am working with is 1.0 build 974.39 from the forums/announcements/daily build section.

    GetLocalTime is called at 40B1C9 and the call to the nag is at 40B1C2. (Nag is only displayed sometimes, randomly between 8am and 5pm Monday to Friday.)

    I would just like some idea on what protection scheme is being used and ideas on how to start unpacking and find the OEP.



  5. #5
    Manko !

    Have you tried to get rid of <evaluation copy> ?
    Seems they put money on that, Alx stayed without salary in this case. Maybe they used cracked version of Aspr

  6. #6
    Ok, I thought I would take a look at the password target also. I found the OEP and unpacked, but I still haven't got past <evaluation copy> yet.

  7. #7
    Hi, Soldat!

    Nahh... I'm too lazy... when I get the urge I'll look at Chameleon clock again... still haven't cracked that old thing...


  8. #8
    to bedrock

    I would just like some idea on what protection scheme is being used and ideas on how to start unpacking and find OEP
    Ok quick tutorial about unpacking

    OEP----------> 4D39AE

    IATstart-----> 14BFF8 (IAT Rva) About that

    IATLength -> put 1000 hex and then cut invalid thunks

    there is after that a check on 4A86F3, put jmp instead of jz

    after that everything works

    to Manko

    Nahh... I'm too lazy...
    You lazy bum !!!!

  9. #9
    bedrock :

    Congratulations. You have adopted the correct attitude for becoming a reverse engineer. Learning how, not being given the answer, is the only way to go.

    [Edit: seems bedrock deleted his post while I was writing mine. He had said he wanted to learn how to find the OEP, not have someone give it to him. That is the proper attitude for learning.]

    Assuming you are using Softice, I extract an excerpt from asterix, posted over at the exetools Board which may help with that search. The thread is here:

    The discussion is about inline patching a dll, but, generally, unpacking is unpacking. Here are his comments:
    You can not find OEP?
    Try to make something such as it.

    -It is necessary to remember value ESP on EP in DLL.
    -Then to put "bpx GetProcAddress"
    or "bpx (GetProcAddress+3)"(on especially spiteful protectors)
    and press "F5".
    -When will stop do it "bc *"

    -Then to put "bpr esp-4 esp+4"(if you in win98) or
    bpm esp-4
    bpm esp-3
    bpm esp-2
    bpm esp-1 (if you in win2k/XP).
    [End Quote]

    Check out that thread.


  10. #10
    Thanks for the encouragement JMI,

    I was re-reading my post and, being only a newbie, I didn't want to appear arrogant after Soldat had given me the solution to my problem. That's why I deleted my post, but after your kind encouragement I will continue with my efforts.


  11. #11

    You were completely correct. No one is truly helped by being given the answer, at least not if they are not taught how to find it themselves. It is the teaching of how to find the answer which leads to the skills which help one become better at anything having to do with learning. The "correct answer" to the specific issue is only useful as a way to check whether one has learned how to solve the problem on one's own. You will then know if you are getting to that same place or conclusion by applying the proper method.

    Stick with learning how. It's very much more important. It's something Soldat learned before he could give you the specific locations.


  12. #12
    Hi again,

    I have been studying some tuts about asprotect apps. They actually are quite application oriented, i.e. they simply say go to address XXXXXX, then look for a certain pattern, especially

    CALL 00******
    RET 0004

    This doesn't mean they will be equally true for all applications. I want to know how I can learn about unpacking asprotected apps so that I can do it with any other app.

    Still Newbie

  13. #13
    To crash or not to crash
    Join Date
    Dec 2001
    The smartFTP program is indeed funnily protected. The loader doesn't look like any other I've seen. However, the protection it uses is lame. After you break on the OEP (which you can find by breaking on getversion and looking a few bytes up) you can dump it with lordpe to get a dump. If you then change the OEP in the header, the program should run. After that, fixing the signature messagebox should be easy. (Ps. You might wanna patch the isdebuggerpresent call the protector uses.)

    Does anyone know which protector this is?

  14. #14

    I've found the protector

    @ Iwarez,

    I have found that the protector used is Exe32Pak V1.40 (the latest eval version available from the website is 1.38, which is a couple of years old).

    If you take a look at the target with a PE editor and look just at the end of the .rsrc section you will find the string saying protected with exe32pak (c) 2003 or something similar.

    I have disabled the signature check fine and I found the OEP using the post mentioned by JMI, placing breakpoints around esp (thanks for the link).

    My unpacked exe is working fine now, but I have continued further and I am trying to create an inline patch, as the unpacked file is over 2.5MB. But it seems to me that the place in the code where it jumps to the OEP is part of what is decrypted by the protector, so I can't hijack that jump and jump into my own code.
    Last edited by bedrock; April 30th, 2003 at 10:05.
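    Bedrock's identification above (PEiD and pe-scan drew a blank, but a marker string sits at the end of .rsrc) is the kind of triage an analyst does before picking a packer tutorial. The script below is an added example, not code from the thread or from any of the tools named in it. It parses the PE section table by hand, scores each section by Shannon entropy, and flags the classic signs of a packed image (entry point inside a writable+executable stub, high-entropy entry section, a code section with zero bytes on disk) alongside a printable-string check on the tail of .rsrc. The sample image, the marker text "Protected with Exe32Pak (c) 2003" and the 7.0 entropy threshold are constructed for the demo; the thread only says the string reads "something similar" to that.

```python
import hashlib
import math
import struct

# Section characteristic bits from the PE specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(buf):
    """Bits per byte: near 8.0 for compressed or encrypted data, far lower for plain code or resources."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    """Return (entry_point_rva, [section dicts]) from a PE32 image. Headers only; no import parsing."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i                     # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name, "va": va, "vsize": vsize, "rawsize": rawsize,
                         "chars": chars, "entropy": shannon_entropy(raw), "raw": raw})
    return entry_rva, sections


def scan(data, marker_tail=64, entropy_threshold=7.0):
    """Packed-image heuristics plus a printable-string check on the end of .rsrc."""
    entry_rva, sections = parse_pe(data)
    findings = {"entry_section": None, "flags": [], "packer_marker": None}
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"]):
            findings["entry_section"] = s["name"]
            if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
                findings["flags"].append("entry_in_rwx_section")
            if s["entropy"] > entropy_threshold:
                findings["flags"].append("entry_section_high_entropy")
        if s["rawsize"] == 0 and s["vsize"] > 0:          # code lives only in memory after unpacking
            findings["flags"].append(f"{s['name']}_zero_raw_size")
        if s["name"] == ".rsrc":
            tail = s["raw"][-marker_tail:]
            printable = bytes(b for b in tail if 32 <= b < 127)
            if b"exe32pak" in printable.lower():
                findings["packer_marker"] = printable.decode()
    return findings


def build_sample_pe():
    """Constructed demo image (not a real binary): three sections laid out like a packed executable."""
    marker = b"Protected with Exe32Pak (c) 2003"   # constructed approximation of the string in the thread
    rsrc = b"\0" * 200 + marker
    stub, seed = b"", hashlib.sha256(b"constructed").digest()
    while len(stub) < 4096:                         # deterministic high-entropy stub bytes
        stub += seed
        seed = hashlib.sha256(seed).digest()
    # (name, virtual address, virtual size, raw bytes, characteristics)
    specs = [(b".text", 0x1000, 0x10000, b"", 0x60000020),      # original code, empty on disk
             (b".rsrc", 0x11000, len(rsrc), rsrc, 0x40000040),
             (b".adata", 0x12000, len(stub), stub, 0xE0000020)]  # RWX stub holding the entry point
    headers_len = 0x40 + 4 + 20 + 0xE0 + 40 * len(specs)
    entry_rva = 0x12000 + 0x10
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))
    hdr += b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    hdr += opt
    body, rawptr = b"", headers_len
    for name, va, vsize, raw, chars in specs:
        hdr += name.ljust(8, b"\0") + struct.pack("<IIII", vsize, va, len(raw), rawptr if raw else 0)
        hdr += struct.pack("<IIHHI", 0, 0, 0, 0, chars)
        body += raw
        rawptr += len(raw)
    return bytes(hdr) + body


if __name__ == "__main__":
    for key, value in scan(build_sample_pe()).items():
        print(f"{key}: {value}")
```

    Run against a real file by replacing `build_sample_pe()` with `open(path, "rb").read()`; the heuristics are deliberately generic, which is why they still say something when a signature database such as PEiD's has no entry for the packer.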

  15. #15
    To crash or not to crash
    Join Date
    Dec 2001
    What's in a filesize

    If you really care about the filesize then use upx or something alike to compress it back.
