View Full Version : first real unpacking task


vbdisease
January 9th, 2002, 07:51
hi ho,

i need some hints for my first *real* unpacking task.
i followed many threads about aspr, most of them going
over my head, but i wanted to try it myself.
before today i used unpack-toolz (like caspr..) or
did it via trw (pnewsec, makepe...). Now i stumbled upon
this app:

h**p://208.38.138.151/icontoany/i2asetup.exe

peid said it's asprotected (v1.22x - v1.3). so i found
something to play and learn!

after reading many tutz about unpacking i started my quest
of searching the OEP. i traced till my fingers bled.
but, i found nothing really satisfying. till the trace,
i found out, that this app is a d5 app. hrmm.. i started
dede, attached it to active process and decompiled the b*tch.
the built-in pe-editor told me the OEP would be 4B1B75.
glad about my first victory i started procdump162 to dump the process.
then i launched rv 12b9 and attached it to running app.
it gave me the following message:
"image import deskriptor corrupted, enter the OEP..."!

Ha, i had the OEP! i thought...tried it and received a lot of garbage.
so, that wasn't the correct one.
i began to trace again, it took me many hours, and every time i thought
i found the real OEP, i tried it out in rv...with no result.
my "best" IT.txt is attached.

so, dudes, could someone give me a clue what i did wrong?
i begin to think that my starting point may be wrong.

someone out there who takes my hand and leads me through the
troubled streets of unpacking?

regards
vbdisease

ZaiRoN
January 9th, 2002, 10:14
hi,

i suggest you an easier unpacking session for the first time.
without offence, it's only a little advice

ZaiRoN

vbdisease
January 9th, 2002, 10:30
hi zairon,

sure, it's not the easiest (if it's really asprotect), but

a) easy things are easy to handle with the well known toolz, like
icedump, trw-makepe, etc.

b) why not learn walking on a rocky road?

i just wanted to know if i am not totally lost...
it would be great, if someone could also take a glance at the prob.

regards
vbdisease

ignatz
January 9th, 2002, 14:07
hmmm.

if you want to learn something, maybe you could first pack a program with asp 1.3 or something else, and then unpack it. like this you always know if you are on the right track.

hope it helps
farewell
-Ignatz

riPPadoGG
January 11th, 2002, 10:51
Hi there..
Read the tuts in Fravia+ page given along with Re-Virgin.
Do exactly as they say. Use Ice-Dump for dumping the app. Set the range outside the unwrapping segment (the one to which the EP is initially) and let it break... You will find your missing friend.
Now use Re-Virgin to create a virgin IT..
Search this forum as to how to use trace and api emulation.. U are gonna needem.
that should be it...
regards
doGG

vbdisease
January 11th, 2002, 16:12
i will...thx, dudes!

vbdisease

ps.: i managed to unpack aspack version by "hand", as described in some tut, but still it doesn't work for this g$§"§! app..can't find the oep... maybe someone tried it?