
[Question] How can you dump virtually allocated memory?


yorgi
August 23rd, 2009, 11:06
Hi,

I'm having trouble unpacking various versions of ASPROTECT 2.X. I believe most of the problems I speak of can be fixed once I'm able to dump the memory that ASPR allocates dynamically while unpacking, and add it at the right virtual address in my dump.

e.g.

I have a target, ASPR 2.X protected, with stolen bytes. I found the OEP, but instead of the normal "push ebp, ..." instructions, the VM of ASPR starts to execute trash code and the stolen bytes that are hidden in the trash code. I believe I could "fix" this problem by just dumping this memory, instead of figuring out what bytes got stolen. This would save me a lot of time.

The big problem with this idea (from my point of view here) is that this allocated memory is at a high memory address.

e.g.

When I look at the sections in my dumped file, I find info about the last section:

last section VA: 005A3000
last section size: 1000

and I know:

OEP: 003D0000

How can I get the memory at 003D0000 into my dump at the right place?

I've tried dumping this memory (Dump Region -> LordPE) and then adding it as a new section (Load new section -> LordPE), but it seems the PE header needs to have all sections lined up nicely after each other, so the VA of this new section would be 005A4000 (right behind the former last section), and not 003D0000 (which is necessary because of the hardcoded calls & jumps in this dynamically allocated memory). Increasing the size of the former last section drastically wouldn't help, because SizeOfImage would become too large, and the file won't get loaded by the PE loader anymore (not enough memory?).

I'd really like a solution for this, because I've read posts on this forum and others, where people say they just dump the VM instead of figuring out what bytes are stolen...

Thanks In Advance,

yorgi
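Added example (not from the post, and not LordPE's own logic): a small model of the section-table arithmetic the question runs into, i.e. where a dumped region can sit relative to the existing sections and what SizeOfImage that implies. It treats the post's section VAs as RVAs with an assumed 0x1000 SectionAlignment; the section list, names and region sizes are constructed.

```python
# Added example: models the PE section-table constraint described above.
# Sections are (name, rva, virtual_size) tuples as read from a dump.
SECTION_ALIGNMENT = 0x1000  # assumed SectionAlignment of the dumped image


def align_up(value, alignment=SECTION_ALIGNMENT):
    """Round value up to the next multiple of alignment (a power of two)."""
    return (value + alignment - 1) & ~(alignment - 1)


def image_end(sections):
    """RVA one past the last aligned section, i.e. the minimum SizeOfImage."""
    return max(align_up(rva + size) for _, rva, size in sections)


def plan_region(sections, region_rva, region_size):
    """Decide where a dumped memory region could live in the section table.

    Outcomes:
      'overlap': the region collides with an existing section;
      'insert':  it lies in an unmapped gap inside the image, so a section
                 must be inserted in RVA order (sections stay ascending);
      'append':  it lies past the image end; the gap to pad and the new
                 SizeOfImage are reported (this is the "too large" case).
    """
    region_end = region_rva + region_size
    hits = [name for name, rva, size in sections
            if rva < region_end and region_rva < align_up(rva + size)]
    if hits:
        return {"placement": "overlap", "sections": hits}
    end = image_end(sections)
    aligned = region_rva % SECTION_ALIGNMENT == 0  # loader needs aligned RVA
    if region_rva >= end:
        return {"placement": "append", "section_rva": region_rva,
                "aligned": aligned, "gap_before": region_rva - end,
                "size_of_image": align_up(region_end)}
    before = [name for name, rva, _ in sections if rva < region_rva]
    return {"placement": "insert", "section_rva": region_rva,
            "aligned": aligned, "after_section": before[-1] if before else None,
            "size_of_image": end}


# Constructed sample: the post's last section (RVA 005A3000, size 1000) plus
# an assumed .text section; the region sizes below are assumptions too.
DUMP_SECTIONS = [(".text", 0x1000, 0x3C0000), (".last", 0x5A3000, 0x1000)]

if __name__ == "__main__":
    print(plan_region(DUMP_SECTIONS, 0x3D0000, 0x2000))  # insert after .text
    print(plan_region(DUMP_SECTIONS, 0x5A8000, 0x2000))  # append, 0x5AA000
```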