After unpacking aspr it doesn't run ?!


Nio-shai
October 27th, 2001, 14:46
hi all

yes ASPR again...

i have unpacked an ASPR prog and after I try to run it, it just lives on the system but doesn't run..
i have found the OEP: 48fa10 and dumped it and fixed the sizes, then used ReVirgin and ImpREC and both progs automatically found and fixed all invalid sections (nothing for me to do...), then fixed the dumped file and tried to run it. all i got was a prog that lives in my system but the prog doesn't show itself, it's invisible...

is there a new trick in ASPR?? because i checked at UnpackingGods and talked to CAS and he told me to try the new version of CASPR v1.1000 and it gave the same result...

plz help me and others to learn....

esther
October 27th, 2001, 23:00
Hiya,
Did you change back the original codes ebfe to 558b?

kp_
October 29th, 2001, 10:23
I have the same problem.

I found a prog packed with aspr (fi says it's aspr 1.2), but none of the unpackers succeeded in unpacking it. So I dumped it, found the OEP, then found the import table in mem (because in this case RV failed to give the correct address). Then ReVirgin reconstructed and pasted it, I fixed the section characteristics, ran it, and no GPF, no error msg, everything else runs like before but the unpacked prog isn't doing anything.

What's the problem? Esther, could you explain what you wanted to say in your previous post?

Anyway, there are some strange(?) entries in the import table. Some of them have a 0000 address and there are 3 imports from kernel32.dll without a name, they have only ordinals (23, 24, 25).
I checked kernel32.dll but it doesn't contain entries with these ordinals. What are these? (some different version of kernel32.dll?)

kp
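The two symptoms raised above, esther's question about whether the ebfe (jmp $, the byte pair patched onto the entry point to freeze the process there) was changed back to the original 558b (the start of a normal push ebp / mov ebp,esp prologue), and kp_'s import table with zero addresses and name-less kernel32 entries that carry only an ordinal, can both be checked mechanically on the dumped file. The script below is an added example written for this thread, not code posted by anyone here and not part of ReVirgin or ImpREC. It builds a tiny PE32 "dump" in memory whose every value is constructed (the ordinals 23/24, the 0x77E7xxxx addresses, the GetVersion/GetModuleHandleA names and the section layout are all made up to mirror the posts), then walks the import directory the way the PE format defines it (IMAGE_IMPORT_DESCRIPTOR, IMAGE_ORDINAL_FLAG32) and looks at the bytes under AddressOfEntryPoint. Only the Python standard library is used.

```python
import struct
IMAGE_ORDINAL_FLAG32 = 0x80000000  # high bit set in a thunk => import by ordinal, not by name


def build_sample_pe():
    """Constructed PE32 'dump' (one .rdata section, RVA 0x1000 at file offset 0x200); every value is made up."""
    dos = b'MZ' + bytes(0x3A) + struct.pack('<I', 0x40)                 # e_lfanew = 0x40
    coff = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, 0xE0, 0x102)       # i386, 1 section, opt hdr 0xE0
    opt = bytearray(0xE0)
    struct.pack_into('<H', opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into('<I', opt, 16, 0x1100)                              # AddressOfEntryPoint
    struct.pack_into('<III', opt, 28, 0x400000, 0x1000, 0x200)           # ImageBase, SectionAlign, FileAlign
    struct.pack_into('<II', opt, 56, 0x2000, 0x200)                      # SizeOfImage, SizeOfHeaders
    struct.pack_into('<H', opt, 68, 2)                                   # Subsystem: Windows GUI
    struct.pack_into('<I', opt, 92, 16)                                  # NumberOfRvaAndSizes
    struct.pack_into('<II', opt, 104, 0x1000, 40)                        # DataDirectory[1]: import table RVA, size
    sec = struct.pack('<8sIIIIIIHHI', b'.rdata\0\0', 0x200, 0x1000, 0x200, 0x200,
                      0, 0, 0, 0, 0x40000040)
    body = bytearray(0x200)
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    struct.pack_into('<IIIII', body, 0x00, 0x1030, 0, 0, 0x1070, 0x1050)
    # Import Name Table: two by-name entries, then two ordinal-only ones (ordinals 23/24 are constructed)
    struct.pack_into('<IIII', body, 0x30, 0x1080, 0x10A0,
                     IMAGE_ORDINAL_FLAG32 | 23, IMAGE_ORDINAL_FLAG32 | 24)
    # IAT as left in the dump: two resolved-looking addresses and two slots still zero
    struct.pack_into('<IIII', body, 0x50, 0x77E70000, 0, 0x77E70100, 0)
    body[0x70:0x7D] = b'kernel32.dll\0'
    body[0x80:0x8D] = b'\0\0GetVersion\0'                                # IMAGE_IMPORT_BY_NAME: hint + name
    body[0xA0:0xB3] = b'\0\0GetModuleHandleA\0'
    body[0x100:0x102] = b'\xEB\xFE'                                      # jmp $ never reverted at the EP
    hdr = dos + b'PE\0\0' + coff + opt + sec
    return bytes(hdr + bytes(0x200 - len(hdr)) + body)


def parse_headers(data):
    """Return (entry_point_rva, import_dir_rva, [(va, size, raw_ptr), ...]) of a PE32 image."""
    e_lfanew, = struct.unpack_from('<I', data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('not a PE file')
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from('<HHIIIHH', data, coff)
    opt = coff + 20
    if struct.unpack_from('<H', data, opt)[0] != 0x10B:
        raise ValueError('only PE32 is handled here (PE32+ moves the data directory)')
    ep, = struct.unpack_from('<I', data, opt + 16)
    import_rva, = struct.unpack_from('<I', data, opt + 104)
    sections = []
    for i in range(nsec):
        _, vsize, va, rawsize, rawptr = struct.unpack_from('<8sIIII', data, opt + opt_size + 40 * i)
        sections.append((va, max(vsize, rawsize), rawptr))
    return ep, import_rva, sections


def rva_to_offset(rva, sections):
    for va, size, raw in sections:
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError(f'RVA {rva:#x} is outside every section')


def read_cstr(data, off):
    return data[off:data.index(b'\0', off)].decode('ascii', 'replace')


def entry_point_is_halted(data):
    """True if the bytes under AddressOfEntryPoint are still EB FE (jmp $), i.e. the patch was not reverted."""
    ep, _, sections = parse_headers(data)
    off = rva_to_offset(ep, sections)
    return data[off:off + 2] == b'\xEB\xFE'


def audit_imports(data):
    """Yield (dll, symbol, kind, iat_value) per import thunk; 'kind' flags ordinal-only imports and IAT slots left 0."""
    _, import_rva, sections = parse_headers(data)
    desc = rva_to_offset(import_rva, sections)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from('<IIIII', data, desc)
        if oft == 0 and name_rva == 0 and ft == 0:
            break                                    # all-zero descriptor terminates the directory
        dll = read_cstr(data, rva_to_offset(name_rva, sections))
        names = rva_to_offset(oft or ft, sections)   # no INT: the IAT itself held the names before load
        iat = rva_to_offset(ft, sections)
        for slot in range(0, 0x10000, 4):            # cap guards against a corrupt, unterminated table
            entry, = struct.unpack_from('<I', data, names + slot)
            if entry == 0:
                break
            value, = struct.unpack_from('<I', data, iat + slot)
            if entry & IMAGE_ORDINAL_FLAG32:
                symbol, kind = f'ordinal {entry & 0xFFFF}', 'ordinal-only'
            else:
                symbol, kind = read_cstr(data, rva_to_offset(entry, sections) + 2), 'by-name'
            yield dll, symbol, kind + (', IAT slot is 0 (unresolved)' if value == 0 else ''), value
        desc += 20


if __name__ == '__main__':
    pe = build_sample_pe()
    print('EP still EB FE:', entry_point_is_halted(pe), *audit_imports(pe), sep='\n')
```

To run it over a real dump, read the file into `bytes` and pass it to `entry_point_is_halted()` and `audit_imports()`; a report that shows EB FE at the entry point or IAT slots of zero next to names the INT still knows is exactly the state the two posts describe, and is worth checking before assuming a new protector trick. The tool only reads: it does not patch the entry point or fill the slots, since which bytes belong there is something the original program, not the tool, knows.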

Js
October 29th, 2001, 18:13
Hiya,
Would be better if you said what app it is that is causing you the problem.
kp_, "because the import table revirgin gave me from the OEP was crap", don't you think it would be more respectful to the author of this great tool if you re-phrased that to maybe "in this case RV failed to give the correct address"? Bad attitude==no help.
regards

kp_
October 29th, 2001, 19:26
Hi!

I didn't want to speak evil about ReVirgin. (and sorry for my really bad English, I can't feel the difference between the meanings of two synonyms - now I chose a bad word) I know it's great and a _really_ useful tool - that's why I use it. And I've seen several cases when it found the correct table. Now it didn't and I know I can't always expect that ReVirgin finds it. Sorry Tsehp if I insulted you with my prev post. I have an idea how much work you had with it and how much knowledge is behind it. I respect your work. I would be happy if I would ever be able to create such a gorgeous prog like ReVirgin. And sorry Js if I wrote something that made you so furious.

I regret I caused indignation with my really first post
Next time I'll check the dictionary before typing a word.

Bye,
kp

H3Xenoic
October 30th, 2001, 02:42
Hi

How did you get the OEP? Are you SURE it's correct! Some aspr targets have a dummy start that sets a few variables as an anti-dump trick.

The IAT's final few missing APIs should be traced again 'manually' in SI with a 'U xxxxxxxx' where xxxxxxxx is the memory address of the aspr code call given by RV. You should see what you need.

If you try RV with Win2K it can 'emulate' these missing APIs without a crash. Under Win98 'emulate' seems to fail (last 1.2 beta4).

Anyways there are LOTS of previous threads on unpacking aspr, just search.

H3Xenoic

kp_
October 30th, 2001, 08:26
Hi H3Xenoic!

Thank you very much for your reply.
I used ReVirgin's tracer to get the OEP. I'm not sure if this is the _real_ OEP, maybe I was misled by a dummy start like you mentioned. I will post a code snippet when I get home, it looks like a normal entry point to me but I can never know, I'm not that experienced (far from experienced)
btw how can I be sure about it? Is there any database of the code found at the entry points for different compilers? - I don't want to rip it out from a file info program...
Maybe it's a bad entry point and this misled ReVirgin when it tried to get the import table from the OEP (sorry again for my first post +Tsehp and Js). I think the import table I found manually is correct and will try under win2k to trace them.
I tried to get the entry point as read in r!sc's tutorials (bpx GetVersion or GetModuleHandleA or GetCommandLineA), I only found a "good-looking" entry point with ModuleHandle but that wasn't the one. I tried tracing and found the entry point I mentioned but it seems that one isn't good either. (maybe I should have traced further - I will try). Is there a third method? An "ultimate" method I don't know about?

Maybe I misunderstood you, but I mentioned entries with a 0000 address. I don't think U 0 will give me anything useful. I know the method you told, but what should I do with these? (or maybe I found a fake table?) Or are they unused entries?
And ReVirgin does this too when tracing an entry, doesn't it? Or am I wrong?
And yes, ReVirgin. Is there any documentation on how it is working, eg. what method it is using to get the good entries, how it fixes the missing APIs, etc... I read the doc in the package and read the essays I found about it but I'm interested in this more deeply and would need some more. - If possible of course.

Well I think it's enough of questions.
Thanks in advance to anyone who answers.

Bye,
kp

ps. sorry for my lameness and bad English..

H3Xenoic
October 31st, 2001, 02:46
Hi

Here is the old splaj tut on RV vs. ASPR on Awave Studio 7.3. It shows a good approach.

Of course maybe the programmer included his own anti-dump tricks like a size check and CRC etc etc.
This you have to find yourself, or name the target you have trouble with and probably the tricks are known already.

Note:-
Newer RV can 'emulate' those API clusters and also fix that dummy code 'ret004' with 'LockResource'.
(The original thread is still alive but any attachments from the old MB (ultrabord) are missing.)

H3Xenoic
October 31st, 2001, 02:47
attachment :-

kp_
October 31st, 2001, 06:41
Hi H3Xenoic!

Thanks for your help again. Now I'm going to dig myself into my prog again, and hope this time I'll have luck. I don't name my target advisedly because I don't want anyone to solve this problem for me. I wouldn't learn anything from it then...

Best regards,
kp

Nio-shai
November 1st, 2001, 11:47
tnx u guys ....

i found that there was a function that did a check if the packer is there, a simple jge to jmp and that's all....

btw: CASPR 1.1000 did the gr8 unpacking....

H3Xenoic
November 5th, 2001, 01:51
kp_

did you rebuild the CommView 3.1 aspr target successfully yet?

kp_
November 5th, 2001, 04:21
Hi H3Xenoic!

I didn't name it but you are right (3.0 btw, but I'm surprised anyway). No, I didn't succeed yet since I didn't have enough time (and because I'm lame). Did you? If yes, then please don't tell me the right OEP, just say yes

Best regards,
kp

H3Xenoic
November 5th, 2001, 04:40
cv 2.4/2.5/2.6/3.0/3.1 yes


actually I am on the update list of all aspr protected sw from Elcom, Tamo, G-lock etc etc so I immediately rebuild the latest releases when I get news

I can manually make an IAT with notepad cos I know these exes so well

If you want help with CV3.0/3.1 I can tell you there is a size check and a CRC/HASH calculation on the code, so any changes mean *crash*

If you want further *clues* then just ask.

+SplAj
November 8th, 2001, 02:21
hi newbs

I made a draft 'arrogant bastard version' unpacking tutorial. Could someone try it and give some feedback to me, don't be shy

I can then fine tune it into a 'technical reference' tutorial on aspr unpacking

it's attached :-

esther
November 8th, 2001, 07:49
Quote:
Originally posted by +SplAj
hi newbs

I made a draft 'arrogant bastard version' unpacking tutorial. Could someone try it and give some feed-back to me, don't be shy

I can then fine tune it into a 'technical reference' tutorial on aspr unpacking

it's attached :-


Hi SplaJ,
Your 'arrogant bastard version' unpacking tutorial is excellent, especially the Last Words
I got a request, about the tute on FlashFXP. I did ask someone to send it to me but he's more *arrogant* than you, he didn't reply to my mail. Could you upload it here please :PPPP

Thanks

best regards
ignorant esther