an oldy ASpack


LaBBa
October 6th, 2002, 02:15
I already once asked about:
Examine32 v4.00
that both ImpREC and ReVirgin couldn't find the IAT and fix it...

I saw the two replies of nikolatesla20 and h8er and I thought
"ok, they did it again, they can unpack all",
but after a while I had some spare time and wanted to do it
by myself...

h8er posted this:

"dump the file, oep is 1000

load examine with symbol loader

bpr 442000 442000+948 rw

0187:0045017D C1F902 SAR ECX,02
0187:00450180 F3A5 REPZ MOVSD <- you pop here
0187:00450182 8BC8 MOV ECX,EAX
0187:00450184 83E103 AND ECX,03

at 450182 d 442000, this is your IT and down there's the complete IAT, so here dump 442000 948

IT Rva 42000 size f0
IAT Rva 420f0 size 948

fix the dump" (end of h8er's words)

I did all of that step by step... but still some things are not the same, like:

1) if I do a 'bpr 442000 442000+948 rw'
I will NOT pop here:
> 0187:00450180 F3A5 REPZ MOVSD <- you pop here

2) after the dumping and pasting it back, it still doesn't work...

If someone can please help me with that with better explanations, I will
be very thankful.

SpeKKeL
October 6th, 2002, 16:41
Howdy,

ASPack = dump and run!

No IAT pasting and so on!

Just dump the prog at its latest ret (you know, after the popad...)

Correct the OEP to the real OEP

Bypass the simple "msgbox blabla is corrupted"

One little note: dump with LordPE (it seems IceDump struggles with the import table when you use pedump).

Success,

SpeKK.

hobgoblin
October 6th, 2002, 19:46
Hi there,
Here is some input on this kind of target. (I do it this way everytime I reverse an Aspacked program). Make the program break at entry point. Then simply trace through the code using F8/F10 until you reach this point in code:
016F:0045015F 5B POP EBX 
016F:00450160 5E POP ESI 
016F:00450161 59 POP ECX
016F:00450162 58 POP EAX
016F:00450163 EB08 JMP 0045016D
016F:00450165 0000 ADD [EAX],AL
016F:00450167 42 INC EDX
016F:00450168 0100 ADD [EAX],EAX
016F:0045016A 004101 ADD [ECX+01],AL
016F:0045016D 8BC8 MOV ECX,EAX
016F:0045016F 8B3E MOV EDI,[ESI]
016F:00450171 03BD22040000 ADD EDI,[EBP+00000422]
016F:00450177 8BB552010000 MOV ESI,[EBP+00000152]
016F:0045017D C1F902 SAR ECX,02
016F:00450180 F3A5 REPZ MOVSD
016F:00450182 8BC8 MOV ECX,EAX
016F:00450184 83E103 AND ECX,03
016F:00450187 F3A4 REPZ MOVSB

It doesn't take long to get here. Put a breakpoint at 450177 and run the program. When it breaks, check the value stored in edi. When you see the starting address of the IAT, check out the value stored in ecx. The IAT address can be found by using LordPE or something similar. The value in ecx is the size of the import table. (The size you listed in your post is wrong, the correct one is 1E00.)

Now, before you can do a dump you have to get to address 450189, after the two REPZ instructions. Then you can dump it.
Now you have a fully working IAT that you can paste into the dump.

This method can be used on all ASPack'ed programs to get a virgin IAT.
Hope this helps a bit.

hobgoblin
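The two fix-up steps the replies above describe (SpeKKeL's "correct the OEP to the real OEP" and hobgoblin's "paste the IAT into the dump") are header and section-table arithmetic, which is where "pasting it back still doesn't work" usually goes wrong. The script below is an added example written for this thread, not code from any of the posters or from any unpacking tool: it reads a PE32 dump, maps an RVA to a file offset through the section table, rewrites AddressOfEntryPoint, pastes a captured IAT blob at its RVA, and points the IAT (and optionally the import) data directory at it. The dump it operates on is constructed in `build_constructed_dump()` (two sections, no real code) and the thunk values in `constructed_iat_blob()` are made up; the RVAs 1000, 42000/f0 and 420f0 are the ones quoted from h8er's post.

```python
"""Post-dump fix-up for an ASPack-style dump: set the real OEP and paste a
clean IAT captured from the running process.  Example code for this thread;
the sample dump and the IAT bytes below are constructed, not a real file."""
import struct

OPT_HDR = 24            # optional header starts 24 bytes after the "PE\0\0" signature
ENTRY_POINT_OFF = 16    # AddressOfEntryPoint within the PE32 optional header
DATA_DIR_OFF = 96       # first IMAGE_DATA_DIRECTORY within the PE32 optional header
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_IAT = 12


def nt_headers_offset(pe):
    """Return the file offset of the 'PE\\0\\0' signature after checking both magics."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew


def section_table(pe):
    """Yield (name, virtual_address, virtual_size, raw_pointer, raw_size) per section."""
    nt = nt_headers_offset(pe)
    nsec = struct.unpack_from("<H", pe, nt + 6)[0]        # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]   # FileHeader.SizeOfOptionalHeader
    base = nt + OPT_HDR + opt_size
    for i in range(nsec):
        off = base + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        yield name, va, vsize, rawptr, rawsize


def section_for_rva(pe, rva):
    """Return the section tuple that maps `rva`; raise if no section covers it."""
    for sec in section_table(pe):
        _name, va, vsize, _rawptr, rawsize = sec
        if va <= rva < va + max(vsize, rawsize):   # a dump has raw == virtual size
            return sec
    raise ValueError("RVA 0x%X is not inside any section" % rva)


def rva_to_offset(pe, rva):
    """Map an RVA to a file offset using the section table."""
    _name, va, _vsize, rawptr, _rawsize = section_for_rva(pe, rva)
    return rawptr + (rva - va)


def entry_point(pe):
    nt = nt_headers_offset(pe)
    return struct.unpack_from("<I", pe, nt + OPT_HDR + ENTRY_POINT_OFF)[0]


def data_directory(pe, index):
    """Return (VirtualAddress, Size) of data directory `index`."""
    nt = nt_headers_offset(pe)
    return struct.unpack_from("<II", pe, nt + OPT_HDR + DATA_DIR_OFF + 8 * index)


def iat_thunks(blob):
    """Split a raw IAT blob into per-DLL runs of thunks (a zero DWORD ends a run).
    Eyeballing these tells you whether the captured block holds API pointers."""
    words = struct.unpack("<%dI" % (len(blob) // 4), blob[:len(blob) // 4 * 4])
    runs, cur = [], []
    for w in words:
        if w == 0:
            if cur:
                runs.append(cur)
                cur = []
        else:
            cur.append(w)
    if cur:
        runs.append(cur)
    return runs


def fix_dump(pe, oep_rva, iat_rva, iat_blob, import_dir=None):
    """Return a copy of `pe` with the OEP set, `iat_blob` pasted at `iat_rva`, the IAT
    directory pointed at it and, if given, the import directory set to (rva, size)."""
    out = bytearray(pe)
    nt = nt_headers_offset(out)
    section_for_rva(out, oep_rva)                       # OEP must land in a section
    _name, _va, _vsize, rawptr, rawsize = section_for_rva(out, iat_rva)
    off = rva_to_offset(out, iat_rva)
    if off + len(iat_blob) > rawptr + rawsize:          # never write past the section's raw data
        raise ValueError("IAT of 0x%X bytes overruns the section" % len(iat_blob))
    out[off:off + len(iat_blob)] = iat_blob
    struct.pack_into("<I", out, nt + OPT_HDR + ENTRY_POINT_OFF, oep_rva)
    struct.pack_into("<II", out, nt + OPT_HDR + DATA_DIR_OFF + 8 * IMAGE_DIRECTORY_ENTRY_IAT,
                     iat_rva, len(iat_blob))
    if import_dir is not None:
        struct.pack_into("<II", out, nt + OPT_HDR + DATA_DIR_OFF + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT,
                         *import_dir)
    return out


def build_constructed_dump():
    """Constructed stand-in for a LordPE dump: PE32, two sections, no real code.
    Section RVAs mirror the thread (.text at 1000, import data at 42000)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, ENTRY_POINT_OFF, 0x50000)        # packer stub EP (made up)
    struct.pack_into("<IIII", opt, 28, 0x400000, 0x1000, 0x200, 0)  # ImageBase, alignments
    struct.pack_into("<II", opt, 56, 0x51000, 0x400)             # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes

    def sec(name, va, vsize, rawptr, rawsize, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, flags)

    secs = (sec(b".text", 0x1000, 0x1000, 0x400, 0x1000, 0x60000020)
            + sec(b".idata", 0x42000, 0x2000, 0x1400, 0x2000, 0xC0000040))
    pe = bytearray(0x3400)
    hdr = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + secs
    pe[:len(hdr)] = hdr
    return pe


def constructed_iat_blob():
    """Made-up thunk values standing in for what you'd copy at 450189 (two DLL runs)."""
    return b"".join(struct.pack("<I", v) for v in
                    (0x7C801D7B, 0x7C80AE40, 0x7C809AE4, 0, 0x77D507EA, 0x77D5072A, 0))


if __name__ == "__main__":
    dump = build_constructed_dump()
    fixed = fix_dump(dump, 0x1000, 0x420F0, constructed_iat_blob(), import_dir=(0x42000, 0xF0))
    print("OEP 0x%X -> 0x%X" % (entry_point(dump), entry_point(fixed)))
    print("IAT at file offset 0x%X, runs:" % rva_to_offset(fixed, 0x420F0),
          [[hex(t) for t in run] for run in iat_thunks(constructed_iat_blob())])
```

The bounds check in `fix_dump` is the part worth keeping even if the rest is replaced by ImpREC: pasting a 1E00-byte IAT into a dump whose section table only reserves 948 bytes for it silently corrupts whatever follows, which is one way "dumping and pasting it back" ends in the "corrupted" message box.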