
View Full Version : Asprotect question


wbe
January 23rd, 2002, 17:36
For long I was waiting for a new version of the well renowned unpacker for this "super protector" (!), but no hope.

I developed a habit of taking a look at the sections of every new executable before running it for the first time. I use Get Type for this purpose. For newbies like me, seeing the "sections" part empty had the same effect as hitting a huge concrete block at high speed. Soon afterwards, I got the same response every time: "...Failed!...by an unknown version of ASpack/ASprotect."

I was sick and tired of getting this response after the unpacking attempt for new versions of almost every popular s/w title, and at that very time I decided to handle it MANUALLY. It took considerable reading, time and effort to completely de-asprotect an app (and, restoring imports was the most toilsome task).

Now, I am trying to find some solid references that will guide me in finding the OEP. Here is the question, and I am not sure about the answers:

Q: "OEP is the last stop of -tracex after which a hit of F12 starts the program."

a) Naturally
b) No, it was just a coincidence
c) Maybe, but not every time
d) ?

Any comments?

Thanks.

+SplAj
January 24th, 2002, 03:30
Hi

In this world DON'T ever wait for someone to make a specific tool just for you. The CASPR series is probably finished for those afraid to roll up their sleeves and delve into the codewoods.

If you search this MB you will find a *lot* of infos about manually unpacking ASprotect.

Back to your Q
The answer is d) .......

Now your specific OEiP problem can be addressed several ways. Here are some suggestions to QED :-


1) In Win98/ME use Icedump to /tracex 401000 <last but 1 section addy> and wait up to 1 hour. You are at a point in the original exe. STOP. This MAY be the real OEiP or a pre-entry to InitializeCriticalSections. So your code does a RET into hyperspace......

2) Manually trace the Int2E after setting 'bpx getmodulefilename' and pressing 21 times with F5 and then manually trace to the POPAD / JMP EAX another 15mins.....tricky for newbies.

3) Set a BPX GetVersion. Press F5 until you are in *real* code range. Then search for 61 FF E0 (POPAD JMP EAX) in SI type S 401000 L FFFFFFFF 61 FF E0. The memory address found is the last aspr code before real exe hand over. Close target, Restart it with BPX GetVersion still enabled. When pop'd into SI, BC* <ret>
BPR <memory_address_of_61FFE0> <same+3> rw if EIP==<memory_address_of_61FFE0> <ret>
Press F5 and wait up to 5 mins. You are at POPAD. Press F8 twice until at OEiP.

4) Same as above but use a memory editor like 'WinHex' to search for the 61 FF E0 first. Saves a few minutes.

Now, as I mentioned in 1), just be aware that *sometimes* API InitializeCriticalSection has been pre-called BEFORE OEiP and you get a crash. So there is some more work to do......use a Disassembler and note all such calls.... . In this case use 1) /tracex usually finds this trick, and then 3) to manually trace the POPAD to get to real OEiP and fix your dumped exe accordingly.

Give that a go and tell us more of your adventures into the codewoods of ASPR.....


Spl/\j
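
The search step in methods 3) and 4) above, as an added example that is not from this thread or from any tool it names: scan a PE32 image (a ProcDump-style dump with a header) or a flat memory dump for the POPAD / JMP EAX bytes 61 FF E0 and report each hit with the virtual address it maps to. The PE layout assumed is the standard PE32 one; the sample image is constructed for the test and is not a real program.

```python
import struct

POPAD_JMP_EAX = b"\x61\xff\xe0"   # popad ; jmp eax: the last ASPR stub before hand-over

def parse_sections(data):
    """Return (image_base, [(name, vaddr, raw_ptr, raw_size)]) from a PE32 image."""
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                      # optional header follows the 24-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")   # ImageBase sits at +24 (8 bytes) in PE32+
    image_base, = struct.unpack_from("<I", data, opt + 28)
    sections, off = [], opt + opt_size       # section table follows the optional header
    for _ in range(nsec):
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vaddr, rptr, rsize))
        off += 40                            # IMAGE_SECTION_HEADER is 40 bytes
    return image_base, sections

def file_offset_to_va(offset, image_base, sections):
    """Map a raw file offset to (VA, section name); (None, None) if no section covers it."""
    for name, vaddr, rptr, rsize in sections:
        if rptr <= offset < rptr + rsize:
            return image_base + vaddr + (offset - rptr), name
    return None, None

def find_popad_jmp_eax(data, flat_base=None):
    """[(offset, va, section)] for every 61 FF E0; pass flat_base for a headerless memory dump."""
    if flat_base is None:
        image_base, sections = parse_sections(data)
    hits, pos = [], data.find(POPAD_JMP_EAX)
    while pos != -1:
        va, name = (file_offset_to_va(pos, image_base, sections) if flat_base is None
                    else (flat_base + pos, "<flat dump>"))
        hits.append((pos, va, name))
        pos = data.find(POPAD_JMP_EAX, pos + 1)
    return hits

def build_sample_pe():
    """Constructed test image: one .text section, RVA 0x1000 / raw 0x200, stub at raw 0x210."""
    body = b"\x90" * 0x10 + POPAD_JMP_EAX + b"\x90" * 0x1ED
    opt = (struct.pack("<H", 0x10B) + b"\0" * 26 + struct.pack("<I", 0x400000)).ljust(0xE0, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    hdr = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + coff + opt + sec).ljust(0x200, b"\0")
    return hdr + body
```

Several hits are normal in a large image, so each reported VA is a candidate to confirm in the debugger, as step 3) does with the BPR.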

wbe
January 24th, 2002, 09:39
>>In this world DON'T ever wait for someone to make a specific tool just for you. The CASPR series is probably finished for those afraid to roll up their sleeves and delve into the codewoods.

Yes. I've already taken my lesson. And it's only after that I decided to do it manually.

>>If you search this MB you will find a *lot* of infos about manually unpacking ASprotect.

Only this MB? I've forgotten the exact number of tuts and other resources that I've archived just for this purpose.


>>Give that a go and tell us more of your adventures into the codewoods of ASPR.....

For the first time in my rather short reversing life I am not frightened of delving into the "codewoods" even if my attempts sometimes do "a RET into the hyperspace". This asprotect thing was about to cause a "mental illness" and I'm strictly following my doctor's advice: 5-10 deprotections a day. That's the only medication available.

Well, the number reached 5 now (all thoroughly sterilized, perfectly running). I will give your advice a go.

Thanks a lot and happy deprotecting for all.

wbe
January 24th, 2002, 15:43
Great news,

Method 3) works wonderfully. Killed another 3 which are
randomly picked from my pool of asprotected apps.

So far so good. My temperature is slowly returning to normal. Hope to recover in a couple of years or two!

Thanks again.

crUsAdEr
February 3rd, 2002, 06:29
Spl/\j, could u explain a bit further about the pre-loading "InitialiseCriticalSection" first before original OEP?

I have used tracex to find the jmp eax and follow it... but my asProtect dump crashes shortly after it calls "InitialiseCriticalSection" and "EnterCriticalSection"????

Just a hint on what is going on will do,
Thanx

+SplAj
February 4th, 2002, 02:36
He he.......

You know the Yanks (ooops Americans , sorry Woodmann) have a very good rule at cocktail parties, NO DOUBLE-DIPPING your snack in the dish.......cos you dip, take a bite, dip again, spread bugs.......Euros don't care, dip whatever you like in there

Alexey made a *naughty* version of ASprotect that did exactly that. Double dipped into original code, set some variables/workspace (usually with InitializeCriticalSection) then returned to aspr code, did its unpacking stuff and later JMP EAX to OEiP.

The result is that you followed to JMP EAX as OEiP, BUT when code needs to work with reserved space, BOOM. cos it's not reserved. The code that does so has not been called. So you have to do some head scratching. The easiest thing to do in Win98/ME is with IceDUMP. Just let it /Tracex 401000 500000 (whatever) and note down any regular code entries, follow it to the RET back to aspr. Keep doing that until you get to JMP EAX as OEiP.

In WinNT/2K/XP you have to rip yer hair out .........and get disassembling........

Now, I have *never* seen more than 1 dip before OEiP. Easy to change the code to call 'initialize' code and return to OEiP.

I'll find more examples for U? I must have one somewhere. I think the first time this was put on the MB was Chameleon Clock. Tsehp documented nicely the way round.

found it :-

http://www.woodmann.net/forum/showthread.php?threadid=1473&highlight=Chameleon+Clock

Thanks to Kayaker as well on that one. That's when I learned my lesson for using WinNT4 to unpack !

Spl/\j

crUsAdEr
February 4th, 2002, 03:11
Thanks Spl/\j for ur prompt reply..

Now I understand what is going on, so that means I have to inject code before OEP somewhere in my dumped files?

And I have 1 more question, when I do dumping, I realise that I can dump without the usual "jmp OEP", just simply let the prog run, fire up Procdump and dump process.. the same process can be done with winHex... but almost all tutorials I have read do the "jmp eip" before dumping... does it serve any purpose I am not aware of?

Thanx

P.S : By the way, I can't follow the link to Chameleon Clock u gave me.. it's dead for some reason :<

+SplAj
February 4th, 2002, 03:31
Hi

Just think about OEiP. Is there room to change code to 'call setstuff' and RET ? or just JMP to a new section, like the end of exe where new IAT is, call relevant code and JMP back.

eg Fake OEiP is 456789, real OEiP is 401000

at 401000 change code from
PUSH EBP
blah

to

CALL 456789

If there is no room do it at the end of exe......or in spare section with lots of 0000000 padding.

Dumping
======

Just think. What has occurred if you let proggy run ???? It has set its variables and workspace etc etc already. Maybe re-setting the OEiP and re-constructing the IAT will make target work..... BUT what if program CHECKS flags for variables already set (most do).... he uses the existing data if flag set...... and that's been 'stored' (hard coded) in ur late dump !!!

Result, the proggy won't run so good, maybe fux yer memory and cause exception, accessing memory that it has not reserved etc

RULE #1 :- DUMP at OEiP
==================

A simple analogy :-

You go to a restaurant (a real one with wine and real food- not MacShites) and ask the beauty waitress for the menu. You choose your meal. A fine steak, medium rare, flambed at your side with Shrimp+mushroom+whisky and brandy sauce. A fine French red wine to wash it down. That's the OEiP way.

Now go into same restaurant, sit at a table that's being used and eat what's there already. That's the other way.....no finesse, no style


BTW do a search for Chameleon Clock ..... see Tsehp thread from a year ago.

Spl/\j

EDIT----Found D-D target :-

h**p://www.chemtable.com/files/regon.zip

crUsAdEr
February 4th, 2002, 08:37
Thank you for ur reply...

You are really helpful :>... Yep my dump is running :>... when i practise with Notepad it seems to run fine anytime i dump it with Procdump.. but u r rite that I must dump most prog at OEP!!!

And yep.. found the link...
Thanx