Hi all
I have small prog. which is packed and I am not sure is it asprotect or else. I tried with PE identifier and response is 'asprotect 1.2 - 1.3 , but with PE-scan response is 'unknown packer'.
Fox3 OEP finder find signiture bytes 61 FF EO for asprotect 1.12 but also found sig. bytes for ASPack 2.12 but probably not part of protection ( I think).
Next I tried bpx getversion and search for 61 FF EO as Splaj wrote in tuts but no luck.
Any suggestion?

Use the address provided by OEPFinder and put a bpmb on that (bpx is also okay). ASPR uses SEH to clear DRx; so use SuperBPM or something like that to break on that bpmb.

Signed.
-- FoxThree

Hi foxtree, finally I found OEP with your tool. It's ASProtect 1.12
Nothing work either BPX, super BPM, or BPMB address X only BPR 1243BBO 1243BB0+1 R (IF EIP==1243BB0) work. After 10 min finally break at signiture bytes, and it is really OEP (push EBP...). Thanks foxtree and improve OEP finder.