Thread: Can't unpack ASPACK, even Aspack fails...

  1. #1

    Can't unpack ASPACK, even Aspack fails...

    Hi all, greetz,

    Recently I downloaded a program, DELETED for Windows v2.3, from Download Site Removed.

    PEiD shows this program is packed with Aspack 2.1, and when viewing the sections it has a pec section as well as an aspack section. (Is it packed using two packers or what?)

    I tried to manually unpack it and found its OEP at 42E9B8 (is that true?). I dumped it and, using ImpRec, I clicked on get import. ImpRec says: "original iat rva found at 362a5 in section RVA:36000 Size: 5000"

    Even after that, the dumped app doesn't work. I tried with ASPACK Die, but the application crashed. One interesting thing is that when it is unpacked with ASPACKDIE, PEditor shows it is not a valid PE file.

    Can someone help me with this? I will be learning new things from this discussion.

    Dipesh
    DONT UPLOAD ON EXETOOLS :boo: :boo: ... Upload anywhere else so that everyone can download it... :yay:

  2. #2
    Hey Dipesh:

    No download links to commercial software allowed and no target specific code may be posted if you identify a target.

    That aside, it is not unheard of for a software vendor to use both a packer and a protector. Here's another possibly shocking thought:

    Sometimes the protection system actually is programmed to, gasp, LIE about what method was actually used. Oh the shame of it. They would actually attempt to deceive us honest crackers.

    The identifier programs are fairly good, but sometimes the protectors write their programs to try to fool them into thinking some other protector has been used.

    I know it is not the easy solution, but if you really want to learn useful things, you need to be studying manual unpacking, which means searching for information and reading a lot. Have you already reviewed threads here on "Aspack"? It would be a good term for a search.

    Using "aspack sections" I got 13 threads which may have some information for your issue. When I used just "aspack" I got 103 threads, several of which have titles which should be of interest to your issue.

    You may also need to review information on what makes a valid PE Header and what happens when protectors mess with that information. There is always something more to study and it is through study that most learning occurs.

    You should do some of these things first and then ask a more specific question than "Can someone help me with this?"

    Regards,
    JMI
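
Added example, not part of the original thread: a minimal Python check of the PE header fields that decide whether a dump is structurally valid, reporting which section holds the entry point instead of trusting section names or an identifier's verdict. The sample file is constructed in memory, and its section names (`pec1`, `.aspack`) and entry point RVA are made up to mirror the mixed markers described in post #1.

```python
import struct

def entry_section(entry, sections):
    """Name of the section whose virtual range contains the entry point RVA."""
    for name, va, vsize, _, _ in sections:
        if va <= entry < va + vsize:
            return name
    return None

def parse_pe(data):
    """Return (entry_rva, sections, problems) for a PE32 file held in bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None, [], ["missing MZ signature"]
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 44 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None, [], ["e_lfanew does not point at a PE signature"]
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20
    nsec, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    opt = e_lfanew + 24
    (entry,) = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    sections, problems = [], []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        if off + 40 > len(data):
            problems.append(f"section header {i} lies past end of file")
            break
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        name = name.rstrip(b"\0").decode("latin-1")  # free-form label only
        sections.append((name, va, vsize, rptr, rsize))
        if rptr + rsize > len(data):
            problems.append(f"{name}: raw data runs past end of file")
    if entry_section(entry, sections) is None:
        problems.append("entry point is not inside any section")
    return entry, sections, problems

def build_sample(truncate=False):
    """Constructed PE32 header: three sections, entry point in the last one."""
    secs = [(b".text", 0x1000, 0x2000, 0x400, 0x200),    # name, VA, VSize,
            (b"pec1", 0x3000, 0x1000, 0x600, 0x200),     # raw ptr, raw size
            (b".aspack", 0x4000, 0x1000, 0x800, 0x200)]
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<HxxIIII", opt, 0, 0x10B, 0, 0, 0, 0x4001)  # entry RVA
    table = b"".join(struct.pack("<8sIIII16x", n, vs, va, rs, rp)
                     for n, va, vs, rp, rs in secs)
    image = (dos + coff + bytes(opt) + table).ljust(0xA00, b"\0")
    return image[:0x900] if truncate else image  # truncated = short dump
```

Calling `parse_pe(build_sample(truncate=True))` reports the section whose raw data no longer fits in the file, one structural reason a PE editor rejects a dump.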

  3. #3
    Quote Originally Posted by JMI
    Sometimes the protection system actually is programmed to, gasp, LIE about what method was actually used
    Hi JMI,
    Actually I have learned about manually unpacking Aspack, and I think I can unpack any Aspacked program. But my question is how to defeat a protection system that lies about what method was actually used. I rely extensively on PE identifier programs to know which packer was used to pack a program. How do I defeat the spoofing of the protection scheme?

    dipesh

  4. #4
    Panemuckl
    Guest
    Tried it myself... AsPackDie and manual unpacking fail.

    Keep an eye on the Import section. It seems to me as if there's a fake import section to fool ImpRec (original: 2832 imported functions, unpacked/ImpRec shows fewer).
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #5
    ryan
    Guest
    Quote Originally Posted by dipeshrestha
    But my question is how to defeat a protection system that lies about what method was actually used. I rely extensively on PE identifier programs to know which packer was used to pack a program. How do I defeat the spoofing of the protection scheme?
    You should not rely on PE identifier programs at all. Just keep practising on targets that you know FOR SURE are from one particular packer. Over time, your "zen" will tell you what a new target is packed with.

  6. #6
    cRk
    I tried this one before. It has encrypted parts of the code, and some import calls are encrypted as well. It has a CRC check: after the exe has been modified it won't decrypt the parts of the code needed to run fine. That's the reason why it crashes. You must defeat the CRC check after unpacking it. The CRC check has anti-loader tricks as well. You can check this by just modifying a byte in memory with a loader, or just modifying the last Aspack section where the 000 data is: write anything there and you'll note what I mean. If the program runs, it will later quit with an ExitProcess call, which is also encrypted.

    Regards

  7. #7
    MiKoRiZa
    Guest
    Hi! I also tried to unpack this app (version 3.6) but with no success. Did you manage to unpack it, or do you have some information on how to find the correct IAT and rebuild the dump? TNX

  8. #8
    MiKoRiZa:

    Obviously YOU also did not read the FAQ about Target references and paid no attention to the fact that this is a two year old Thread. NOT a good start for you. This Thread is now closed.

    Regards,
    JMI
