aspack inline patching
salsa
June 10th, 2002, 08:54
Read a couple of tuts about inline patching Aspack 2.12 lately. Successfully patched all less one stubborn app.
This is what I do:
Search for the signature bytes with a hex editor. Set bpx GetProcAddress, break and trace down to the push before the ret. See the OEP at the push, dump and fix the app. All OK. Find the place to patch, on the unpacked one put a jump after popad and inject my patch bytes (e.g., mov byte ptr [0053A805], 75 or mov al, 01 and ret) at the jumped location, then push oep (e.g., B819654200FFE0).
This method worked fine for a couple of apps; however, one single Aspack 2.12 app refuses to work. I get an invalid page fault every time. Tried many places, correctly inserted the required number of extra bytes at the end, but to no avail. Got the fault at the very beginning of the jumped location each and every time. What am I missing?
Thx
nikolatesla20
June 10th, 2002, 14:26
I would say there could be two things to look for:
1. First off, this code mov byte ptr [0053A805] - make sure this is a global variable!!! or you are screwed. If it's a dynamic pointer you will hose yourself with a GPF for sure. If you saw this value in the dump, run the original program in SI a couple of times and make sure the value stays the same (the 0053A805). Just to be on the safe side.
2. The code you inject, where is it? Pay attention to the PE header information about sections and section size. You might be ending up in BETWEEN sections for all you know if you haven't made sure. Or in a section that is not even loaded. But my bigger bet is you aren't even in a valid section, hence the GPF. Just a guess.
The other trick that seems to work better sometimes is not using a jump. Rather, for your "jump" code you should just put a PUSH <address of your code> and then a RET. This ensures you don't get any screwy jump range limits or anything. It will be more reliable. You would need more room in your target at its start of course to do something like that.
Well anyway just a few ideas for you to check out.
-nt20
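nikolatesla20's second point (is the injected code actually inside a mapped, executable section, or in the gap between sections?) can be checked mechanically from the PE section table. The following is an added example written for this thread, not code from anyone in it. It builds only the headers of a constructed, hypothetical PE32 image (the layout in SAMPLE_SECTIONS is made up and has no relation to the app discussed), maps a virtual address to its section, file offset and protection flags, and returns None for addresses that fall between sections or outside the image. It also reports which section holds the entry point, which is where a packer stub (such as an .aspack section) normally shows up. Assumptions: PE32 only, the standard 224-byte optional header, and the sample layout below.

```python
import struct

# Section Characteristics bits from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Constructed sample layout (hypothetical, not the real app from the thread):
# (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
SAMPLE_SECTIONS = [
    (b".text", 0x2000, 0x1000, 0x2000, 0x400, 0x60000020),    # code, R+X
    (b".rdata", 0x1000, 0x3000, 0x1000, 0x2400, 0x40000040),  # read-only data, no X
    (b".data", 0x3000, 0x4000, 0x1000, 0x3400, 0xC0000040),   # R+W; last 0x2000 bytes exist only in memory
    (b".aspack", 0x1000, 0x8000, 0x1000, 0x4400, 0xE0000020), # packer stub, R+W+X, holds the entry point
]


def build_sample_pe():
    """Build just the headers of a PE32 image with the constructed layout above."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)            # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)           # e_lfanew -> PE signature at 0x40
    hdr += b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    hdr += struct.pack("<HHIIIHH", 0x14C, len(SAMPLE_SECTIONS), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                              # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)             # Magic = PE32
    struct.pack_into("<I", opt, 16, 0x8001)           # AddressOfEntryPoint (RVA) inside .aspack
    struct.pack_into("<I", opt, 28, 0x400000)         # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)           # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)            # FileAlignment
    hdr += opt
    for name, vsize, va, rawsize, rawptr, chars in SAMPLE_SECTIONS:
        # IMAGE_SECTION_HEADER: relocation/line-number fields left at zero
        hdr += struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
    return bytes(hdr)


def parse_pe(data):
    """Parse the DOS/COFF/optional headers and the section table of a PE32 file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):
        off = opt + size_opt + 40 * i
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii"),
            "va": va, "virtual_size": vsize,
            "raw_ptr": rawptr, "raw_size": rawsize,
            "chars": chars,
        })
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}


def locate(pe, va):
    """Map a virtual address to its section, file offset and protection, or return
    None if it falls outside every section (nothing is mapped there at run time)."""
    rva = va - pe["image_base"]
    for s in pe["sections"]:
        span = max(s["virtual_size"], s["raw_size"])
        if s["va"] <= rva < s["va"] + span:
            delta = rva - s["va"]
            # Bytes beyond SizeOfRawData exist only in memory (zero-filled by the
            # loader), so they have no offset reachable with a hex editor.
            in_file = delta < s["raw_size"]
            return {
                "section": s["name"],
                "rva": rva,
                "file_offset": s["raw_ptr"] + delta if in_file else None,
                "executable": bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE),
                "writable": bool(s["chars"] & IMAGE_SCN_MEM_WRITE),
            }
    return None


def entry_point_section(pe):
    """Name of the section holding AddressOfEntryPoint; an entry point outside the
    first code section is a common sign of a packer stub."""
    hit = locate(pe, pe["image_base"] + pe["entry_rva"])
    return hit["section"] if hit else None


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print("entry point lives in", entry_point_section(pe))
    for va in (0x401234, 0x403100, 0x405500, 0x407800):
        print(hex(va), locate(pe, va))
```

Run against a real file by replacing build_sample_pe() with the file's bytes. A result of None is the "between sections or not loaded" case from point 2; a hit whose file_offset is None is memory-only space you cannot reach with a hex editor; and a hit without the executable flag is data memory, which only runs code as long as the OS does not enforce the section protections.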
mEtAl
June 10th, 2002, 21:54
Hi!
You mean you put a jump after popad and inject "my patch bytes" in the PACKED exe?
You said unpacked... and that makes no sense, as then you don't need an inline patch for the unpacked exe.
Which was the program that refused to work ?
Regards
mEtAl
salsa
June 10th, 2002, 22:38
I mistyped. It is the "packed" one of course.
h**p://kazakov.info/medical.htm
It requires a total of 3 bytes patch. One for SICE, one for NTICE and one for registration. All are clear so, no need for posting offsets here.
Thx
mEtAl
June 11th, 2002, 19:58
Hi!
Ok Salsa, i cracked the proggie now.
I can tell you how to do it if you want; if you want me to explain, just send me a PM.
mEtAl
salsa
June 11th, 2002, 22:26
Thanks for your time and effort, but I am rather interested in the inline patching part of it. If "cracked" means "inline patched" go tell us, otherwise don't, because I already have an unpacked, patched and discarded exe.
If you have found a remedy (patching after the unpacking routine and before pushing the OEP without getting an invalid page fault) which is different from the methods posted by me and nikolatesla20 please share it, and if you do prefer keeping the details private, OK I can PM you.
Thanks again.
salsa
June 12th, 2002, 11:32
Used foxthree's OEPfinder. It found the signature bytes of Aspack in memory. On the unpacked and dumped executable they are there, but I can't see them on the packed one when I go to the offset given. On some packed executables sig bytes can be found with a hex editor, on some you cannot. All the tuts I read rely on this method (i.e. find sig bytes on the packed one -> jump and inject your code -> return). In fact, there aren't many aspack inline patching tuts; all focus on unpacking only. Searched threads in this forum and Krobar's site and I think I had all the available ones.
Now the story. Failed IP on an aspacked app. Found a crack (inline patch) for another app from the same company. I studied the difference between the original and the inline patched one. The cracked one takes a long jump from the .aspack section (E9xxxxxx - only xxxxxx is patched) to the .rdata section, injects patch code (plain) and does not push or call the OEP but jumps back. I am puzzled. On the packed one, if the code in the .aspack section is packed or encrypted, how can one find a plain jump code, and if not, why are the sig bytes not visible?
Thx
mEtAl
June 12th, 2002, 12:53
Hi!
Yes, I meant inline patched it.
The program you have is packed with ASPack v2.11; this version is a bit different from 2.12, but actually not...
And you won't find the signature bytes in version 2.11.
Signature bytes:
Push 00000000 ; will push the OEP
Ret ; Will go to the OEP
I think you patch this to a JMP or so for version 2.12 and then you insert your inline patch where the JMP jumps to in the exe, right?
OK, these bytes you won't find in the exe code of aspack 2.11.
I could write you a little tut, or else I could send you a program I coded together with a friend which is able to inline patch programs packed with ASPack.
PM me please
mEtAl
ThunderPwr
July 21st, 2004, 16:25
Hi mEtAl, I'm a newbie and to study manual unpacking I am actually working on DVR-Studio 0.99g. With PE_Stud I have the information about the packer, which is
ASProtect 1.2x [new strain].
I need some little help from you through the OEP finding process, could you please help me with this?
I've the major tools necessary to do it, but this is my first unpacking crack.
Thanks a lot... in advance
Byez
ThunderPwr
dELTA
July 21st, 2004, 17:09
For the love of god...
ThunderPwr:
* Don't crosspost.
* Don't reply to messages in "unrelated" threads with stupid unrelated tut/crack requests (the definition of "related threads" is not every thread that matches your search for "Aspack OEP", even though I do have to give you at least some credit for doing some searching, contrary to so many others).
* Don't reply to threads that are two years old, addressing users that are no longer members.
* Don't post the name of your app, especially not when asking questions that could lead to target related information.
* Read the FAQ, now.
ThunderPwr
July 21st, 2004, 18:03
Byez
ThunderPwr
cRk
July 21st, 2004, 21:14
I could write you a little tut, or else I could send you a program i coded togheter with a friend which is able to inlinepatch programs packed with ASPack.
Is this tool available to the public or just for the persons who ask you to share? In that case I would love to try it if possible...
BTW, does someone know if there's such a tool for inline patching Neolite 2.x packed apps? I've heard there's a tool but never could find anything about it.
Regards
Kayaker
July 21st, 2004, 21:30
Ahem?
06-12-2002, 01:53 PM
mEtAl
Guest
I could write you a little tut, ...
JMI
July 21st, 2004, 21:38
And cRk:
Not only is your request 2 years late, it also violates our Rules against asking for the Tools of the Trade.
You remember, where it states:
Do not ask where to get the Tools of our Trade. Do not even think about asking for them.
This Rule still applies, even after a couple of years delay, and even if it is hard to find.
Regards,
cRk
July 23rd, 2004, 05:13
Not only is your request 2 years late, it also violates our Rules against asking for the Tools of the Trade.
I know you're always trying to do the right thing and work for us,
but I DID search... I was concerned this tool is private and only maybe available for the one who asks for it. Even though I did a huge search all around, in fact there isn't any information related to such a tool available.
06-12-2002, 01:53 PM
I know for sure mEtAl is still around... maybe that was the reason for my reply to this OLD topic, and maybeee he would still be glad to share his mystery private tool.
Anyway, I'll stop being lazy sometimes and do my own inline patch... manual has always been the best method!