Help with ASProtect 1.23 RC4 unpacking


Changlii
August 10th, 2012, 13:28
Hello there,

I have a little issue unpacking ASProtect 1.23 RC4. I tried to step until the return in the last exception and then break into the code section.
In my case, 19 exceptions. I unchecked all but the mem access violation in kernel32 in the exceptions menu of the Olly Debugging options.

Like usual I got that code here

Code:

01A939EC 3100 XOR DWORD PTR DS:[EAX],EAX
01A939EE 64:8F05 0000000>POP DWORD PTR FS:[0]
01A939F5 58 POP EAX
01A939F6 833D B07EA901 0>CMP DWORD PTR DS:[1A97EB0],0
01A939FD 74 14 JE SHORT 01A93A13
01A939FF 6A 0C PUSH 0C
01A93A01 B9 B07EA901 MOV ECX,1A97EB0
01A93A06 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
01A93A09 BA 04000000 MOV EDX,4
01A93A0E E8 2DD1FFFF CALL 01A90B40
01A93A13 FF75 FC PUSH DWORD PTR SS:[EBP-4]
01A93A16 FF75 F8 PUSH DWORD PTR SS:[EBP-8]
01A93A19 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
01A93A1C 8338 00 CMP DWORD PTR DS:[EAX],0
01A93A1F 74 02 JE SHORT 01A93A23
01A93A21 FF30 PUSH DWORD PTR DS:[EAX]
01A93A23 FF75 F0 PUSH DWORD PTR SS:[EBP-10]
01A93A26 FF75 EC PUSH DWORD PTR SS:[EBP-14]
01A93A29 C3 RETN


>> bp 0x01A93A29
>> bp code section

break here, I think in the ASProtect code

Code:

01B2E419 61 POPAD
01B2E41A 50 PUSH EAX
01B2E41B C3 RETN


returned at 0x01B2E41B

Well here is the interesting part, I got here. I'll also get here if I trace till EIP<900000!

[Attachment 2630]

I think this should be the OEP

----------------------------------------------------------------------------------------------------------------------------------------------------

Additionally, the code after the jump

[Attachment 2631]

Also no stolen bytes above this code

I rebuilt the IAT and Rebuild PE but the program is not running.
Gameguard is included but the module and driver will load very late so this can't be the problem.

I have been trying to solve this problem for hours and this is my last resort. I also used scripts like ~Hellsp@wN~'s or SHaG's.

NikolayD
August 14th, 2012, 19:28
Use CodeDoctor or the VolX script. But there may be a check in the application. Trace to find where.

Changlii
August 16th, 2012, 13:54
First, thanks for answering.
I have solved this problem now.
This was actually the OEP; my problem was the failure in rebuilding the IAT.
I rebuilt with ImpREC in Windows XP (VM); the problem was I could only use Trace Level 1... and I thought it was enough.
After rebuilding on my host OS it worked fine!