
a question to kayaker about OEP finding


r00t
August 27th, 2002, 14:06
I'm having problems in finding the OEP in an asprotect packed application WITHOUT using /tracex.
I've read a post from some guy regarding a Kayaker "essay" about unpacking G6 ftp server.
1st set a bpx on virtualalloc
then press f5 5 or 6 times
2nd set bpx on getprocaddress
then press f5 5 or 6 times, the first time sice pops up with getprocaddress, f12 4 times and we are in the IAT loop.
then set a bpm x on a call after the loop.
now trace the OEP from there (less time to wait). Anyways /tracex is too much time for a pentium I 200 Mhz.
How can I reach the OEP BY HAND from that location? I get lost and cannot reach it. Aspr makes a lot of SEH tricks.
btw, the signature trick (61,ff,e0) doesn't work.
I'm dealing with aspr 1.2[NewStrain], as PEid 0.8 says.

Greets and thanks.

foxthree
August 27th, 2002, 14:37
Hey r00t:

That "some guy" happens to be me. I remember that article by Kayaker very distinctly as I learnt from that initially. BTW, look for +SplAj guru's post on finding OEP (I think) in New Strain (rebased OEP Code).

Signed,
-- FoxThree

snaker
August 27th, 2002, 14:58
r00t, why not use the signature byte trick?

Well most of the times if an application is protected with ASPR, it is compiled in an HLL ... author is too damn lazy to code in ASM and make his own protector!

Well then read some tut for it,I think someone must have written it...
Better even the Generic OEP Finder included with PEiD uses this trick with some other tricks...so maybe it could give you the correct OEP...

In fact I am quite startled that maybe no one mentioned it... Either it doesn't work... or no one uses it!

Which one is it?
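
As an added illustration of the signature byte trick snaker refers to (not code from the thread or from PEiD), the following Python scans a raw code dump for the classic unpacking-stub epilogue, `popad` followed by a jump: `61 FF E0` (`popad; jmp eax`) or `61 E9 rel32` (`popad; jmp rel32`). For the `rel32` form it computes the jump target, and a second helper keeps only the candidates whose target lands inside the original code section, which is where an HLL-compiled program's entry point normally sits. The sample bytes, the base address 0x00401000 and the section range are constructed for the example; as r00t notes above, a stub may use a different epilogue, so the scan yields candidates to verify in the debugger, not an answer.

```python
"""Locate candidate unpacking-stub epilogues (popad; jmp ...) in a raw code dump.

Added example: the byte patterns are the well-known ones discussed in the
thread (61 FF E0 and 61 E9 rel32); the sample dump below is constructed.
"""
import struct

POPAD_JMP_EAX = b"\x61\xff\xe0"   # popad ; jmp eax
POPAD_JMP_REL = b"\x61\xe9"       # popad ; jmp rel32 (4-byte displacement follows)


def find_stub_candidates(code: bytes, base_va: int):
    """Return a list of (va, kind, target_va) for each epilogue pattern found.

    For 'popad; jmp rel32' the target is the address of the next instruction
    (va + 6) plus the signed 32-bit displacement.  For 'popad; jmp eax' the
    target depends on the register at run time, so it is reported as None.
    """
    hits = []
    i, n = 0, len(code)
    while i < n:
        if code.startswith(POPAD_JMP_EAX, i):
            hits.append((base_va + i, "popad; jmp eax", None))
            i += len(POPAD_JMP_EAX)
            continue
        if code.startswith(POPAD_JMP_REL, i) and i + 6 <= n:
            disp = struct.unpack_from("<i", code, i + 2)[0]
            target = (base_va + i + 6 + disp) & 0xFFFFFFFF
            hits.append((base_va + i, "popad; jmp rel32", target))
            i += 6
            continue
        i += 1
    return hits


def filter_targets_in_section(hits, sec_start: int, sec_end: int):
    """Keep only candidates whose statically known target falls in [sec_start, sec_end)."""
    return [h for h in hits if h[2] is not None and sec_start <= h[2] < sec_end]


# Constructed sample dump (not a real binary): NOP padding, a 'popad; jmp eax'
# stub at 0x00401010, and a 'popad; jmp rel32' stub at 0x00401020 whose target
# is 0x00412345 (displacement 0x1131F = 0x412345 - (0x401020 + 6)).
SAMPLE_BASE = 0x00401000
SAMPLE_TEXT_START, SAMPLE_TEXT_END = 0x00401000, 0x00420000   # assumed .text range
SAMPLE = (
    b"\x90" * 0x10
    + POPAD_JMP_EAX
    + b"\x90" * 0x0D
    + POPAD_JMP_REL + struct.pack("<i", 0x1131F)
    + b"\xcc" * 8
)


def demo():
    hits = find_stub_candidates(SAMPLE, SAMPLE_BASE)
    likely = filter_targets_in_section(hits, SAMPLE_TEXT_START, SAMPLE_TEXT_END)
    return hits, likely


if __name__ == "__main__":
    all_hits, in_text = demo()
    for va, kind, target in all_hits:
        shown = f"{target:08X}" if target is not None else "(runtime)"
        print(f"{va:08X}  {kind:18s} -> {shown}")
    print("candidates landing in .text:", [f"{t:08X}" for _, _, t in in_text])
```

The `jmp eax` form cannot be resolved statically; in practice one sets a breakpoint on that instruction and reads the register when it fires, which is what makes the trick fail when a protector uses a different epilogue or rebases the entry code.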

hobgoblin
August 27th, 2002, 16:29
Hi there,
Just out of curiosity: What program are you working on?

regards,
hobgoblin

egg
August 27th, 2002, 18:19
Does anyone have a URL for that essay/tute by Kayaker ?

JMI
August 27th, 2002, 20:15
egg:

You really need to learn how to search. It will help you find most of what you want. If you had gone to the "Search" button at the top of the Forum and entered "G6 ftp server" you would have found a thread by that title from 01-08-2002. Actually the thread has several long comments by Clandestiny, relaying information from Kayaker about asprotect.

You will find the thread here:

http://www.woodmann.net/forum/showthread.php?threadid=2482&highlight=G6+ftp+server

Learning to help yourself will make you a better reverse engineer.

Regards.

r00t
August 27th, 2002, 21:39
thanks for the reply, some g.., sorry foxthree.
I cannot find those posts from +splaj about new strain OEP finding.
I guess new strain doesn't have a new form of OEP hiding, but my main interest is some generic tip/technique to avoid those SEH tricks and trace through to reach the OEP by hand.

thanks and greets.

JMI
August 28th, 2002, 01:19
rOOt:

Let's go through the simple steps ONE MORE TIME. Go to the "Search" button. On the left side is a place to enter a topic. On the right is a place to enter a member's name. In the "right" button enter "+Splaj". When the window pops up, look down at the number 11 listing. It is of a thread titled "New/Latest ASProtect Strain." This is probably the one you want.

Now, another GOOD suggestion. Go back to the "Search" button and again type "+Splaj" in the "right" hand button. Now read and copy EVERY thread where +Splaj discusses how to attack Asprotect and/or SEH. An even BETTER suggestion would be to copy EVERY thread where he has made comments.

The easiest method of saving the thread in a condensed and readable format is to open each thread, one at a time, go to the bottom of the thread and click on the "Show Printable Version".

When the window opens, click on the button on the "right" hand side of the top of the page, which says "Show all (number) posts on one page." This will give you all of the thread, especially if it is more than one page.

Then go to the File menu in your browser and click on "Save As" and give it a title. The default title always starts with "Rce messageboards Regroupment" and then the title of the Thread. I usually just remove the "Rce messageboards Regroupment" part and keep the original title of the thread for reference.

The second step is to make some form of organization for your record keeping of these threads so that you can find them again. As one example, I have a "unpacking" directory and within that directory, I have a subdirectory titled "ASPROTECT" to organize all things I've downloaded about this protection. Then it's easy to go back and review.

Since the search with "+Splaj" won't give you ALL threads about Asprotect, you could go back and do another search with "asprotect" in the "left" button. Then you will get ALL threads discussing asprotect, even if our resident unpacking God didn't feel the need to post a reply.

Again you could save any of those threads which contain information that you deem useful and you will then have your own library of great stuff about the evolution of the tricks, and removing the tricks, in this protection over time.

The same process can be followed for other topics of interest. My own collection is approaching 10 GB and growing every day.

Regards.

evaluator
August 28th, 2002, 08:11
JMI!
you are a terrible flamer~
ONE idea for you:
Make some standard FORM for this kind of Q & copy+paste.
But I think, you should OPTIMIZE CODE SIZE

evaluator
August 28th, 2002, 08:29
Hello, r00t!

Softice for w9x already contains a Not-yet-defeated-Weapon: BPR
So use readonly-BPR for code section & enjoy.
For ASSpr, readonly-BPR will break when ASSpr checks code-section.
Disable temporarily & when checker routine will finish, enable again.
I assume, you know about so jumps in code section before OEP...


Hello, snake!

If I understand right, you are about searching OEP in dump according to compiler type.
Yes, it is a good old idea & last time I always use & test it successfully.
BUT IN FACT, unpacker must ANYWAY search for OEP in debugger..