Dear Community,

Today I started practicing various MUP methods for OllyDBG. However after my first tutorial (ASCrypt 0.1 by AORE) I tried replicating what they were doing. It went fine, I found what I had to find and tried dumping etc.

However when I ran the unpacked dumped program the error "The procedure entry point NtdllDefWindowProc_A could not be located in the dynamic link library USER32.dll." occured. I thought I did something wrong so this time I tried following allong with the tutorial step by step, still the same error. After this I thought it might be dll version mismatches so I tried completely reinstalling olly (this did not change anything besides that it was some other dll it crashed on, after experimenting some more it seems that the dbghelp.dll version decided in giving me a kernel32.dll or a user32.dll error).

Still, I don't seem to be able to get rid of this error.

I would appreciate it a ton if I could get some feedback on this problem.

Thanks in advance

Data:
OS Windows 7 x64 Ultimate
OllyDBG version 1.10
OllyDump version 3.00.110

does not logic says to you:
hey, lets look for NtdllDefWindowProc_A in other libraries!
??

i did search for & found this:
2b60fa43bedfe56c4b45a1ede71fb70b4827093d *UnPackMe_AsCrypt 0.1.exe

if you are playing with it, then it is ASPACK!
just little-simple crypt code is appended before aspack EIP.
so basically you should treat this as ASPACK unpacking.
proper dump should done at 46b1c2.. so on

Thanks for your feedback evaluator, it seems that I have some reading to do about manual import reconstructing

aha, so there is tutorial in flash;
then that tut shows "lame" way of unpacking.
so you will dump, where i said. search for original IAT & set. OEP should be set.
dump should be "dump-fixed" as LordPe does.

i will look more on this tut

Thanks a lot for your help evaluator

You're on x64. ImpREC doesn't handle a certain forwarding issue very well, try SuperCRacker's or TiGa's import reconstruction tool.