about g6 and asprotect again...


backeyes
October 17th, 2002, 13:05
Sorry I'm late, but I've read the g6 ftp server tutorial, and I have a small question first: can you guys tell me which g6 version it was?
Because I downloaded the latest v2.1.0 build 40 and my oep is different: oep is 503A04 for me.
But that's not really a problem, certainly a different build...

Anyway, I read and understood the whole g6 tutorial but my unaspr app still doesn't work. Here's what I did:

- found oep with kayaker's way: 503A04
- dump: /dump 400000 170000 c:\dumped.exe
- made VA=RA and VS=RS, fixed oep and first section in dumped.exe
- resolved all api with revirgin (I tried with imprec too) and attached iat at offset 170000. I'm going to attach my resolved iat here...

And my unaspr exe doesn't crash but runs in the background. I know there are other asprotect tricks after that, but I don't think my problem comes from there; I certainly have another problem before that...

Tell me if you want more details about something I did.
Any help would be very appreciated.

best regards

esther
October 17th, 2002, 16:54
Hi,
>dump : /dump 400000 170000 c:\dumped.exe

170000 should be the size of image, not the iat offset

oep is 503A04 =503A04-40000=?

backeyes
October 17th, 2002, 23:15
Yep, you're right esther, but in this case the size of image and the offset where I put my new resolved iat are the same.
After dumping I attached the iat at offset 170000 with size 3000, so that my new size of image is 173000.

and for oep : 503A04 - 400000 = 00103A04

I think these two things are right for me
so wtf ?

regards
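
The header fix-ups discussed in the posts above (OEP stored as an RVA, VA=RA and VS=RS for every section, SizeOfImage covering the appended IAT), as an added example that is not part of the original thread. It checks a fixed-up dump's PE32 headers for those three conditions; the function names, section names and section layout are constructed for illustration, and only the values 400000, 503A04, 170000, 3000 and 173000 come from the thread.

```python
import struct

def parse_headers(data):
    """Read the PE32 header fields that a dump fix-up touches."""
    pe, = struct.unpack_from("<I", data, 0x3C)                 # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                              # optional header
    entry, = struct.unpack_from("<I", data, opt + 16)
    base, align = struct.unpack_from("<II", data, opt + 28)   # ImageBase, SectionAlignment
    image_size, = struct.unpack_from("<I", data, opt + 56)
    secs = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
            for i in range(nsec)]                              # (name, VS, VA, RS, RA)
    return entry, base, align, image_size, secs

def check_dump(data, oep_va):
    """Return a list of header inconsistencies for a fixed-up memory dump."""
    entry, base, align, image_size, secs = parse_headers(data)
    problems = []
    if entry != oep_va - base:
        problems.append(f"entry point {entry:#x} != OEP RVA {oep_va - base:#x}")
    if not any(va <= entry < va + vs for _, vs, va, _, _ in secs):
        problems.append("entry point lies outside every section")
    for name, vs, va, rs, ra in secs:
        if (vs, va) != (rs, ra):                               # dump needs VA=RA, VS=RS
            label = name.rstrip(b"\0").decode()
            problems.append(f"{label}: raw layout differs from virtual layout")
    end = max(va + vs for _, vs, va, _, _ in secs)
    expected = -(-end // align) * align                        # round up to alignment
    if image_size != expected:
        problems.append(f"SizeOfImage {image_size:#x} != {expected:#x}")
    return problems

def build_sample(entry, image_size, secs, base=0x400000):  # constructed header-only PE32
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    struct.pack_into("<H12xH", hdr, 0x46, len(secs), 0xE0)
    struct.pack_into("<I", hdr, 0x58 + 16, entry)
    struct.pack_into("<II", hdr, 0x58 + 28, base, 0x1000)
    struct.pack_into("<I", hdr, 0x58 + 56, image_size)
    for i, s in enumerate(secs):
        struct.pack_into("<8sIIII", hdr, 0x138 + 40 * i, *s)
    return bytes(hdr)

# Constructed layout: one code section plus the IAT appended at RVA 0x170000.
SECS = [(b".code", 0x16F000, 0x1000, 0x16F000, 0x1000),
        (b".iat", 0x3000, 0x170000, 0x3000, 0x170000)]
print(check_dump(build_sample(0x103A04, 0x173000, SECS), 0x503A04))
```

An empty list means the headers are self-consistent, which says nothing about whether the unpacked code itself is complete.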

backeyes
October 19th, 2002, 18:01
anyone ?

Kayaker
October 19th, 2002, 19:11
Hi

Forget the fact that it's G6 or whatever. Are you well familiar with what's been coined the Double Dip and the ways to deal with it? If not, then go back and search this to exhaustion in previous Asp threads. This should point you in the right direction.

Kayaker

backeyes
October 20th, 2002, 01:07
Yeah, you're right, all the asprotect texts I read didn't speak about Double Dip, certainly due to an older asprotect version.

Thanx Kayaker, I think it will point me in the right direction.
Let's fire up sice now.

thanx again
regards

TheSearcher
October 21st, 2002, 18:27
Hi Kayaker,
>what's been coined the Double Dip and the ways to deal with it?
I don't really understand the "term". Do you mean a double layer of encrypted code?

Regards

Kayaker
October 21st, 2002, 18:58
Hi TheSearcher,

That was Splaj's clever term for the behaviour of Asprotect to occasionally "dip" more than once into the regular program address range to run some code during unpacking from VirtualAllocated high memory.

The term is used pretty loosely, so pertinent threads will come up in a search for
Double Dip
DoubleDip
D-Dip
Dip + Asprotect
Dip + Splaj (relax, I didn't say Dip = Splaj)
...

Also check just about any thread in the Unpacking forum for Asprotect + Splaj, SV, Solomon, FoxThree, Crusader, Evaluator... who'd I miss?

This thread, out of many, is probably a good start I guess.

http://www.woodmann.net/forum/showthread.php?threadid=2799&highlight=dip+Asprotect


Kayaker

TheSearcher
October 23rd, 2002, 11:09
Hi Kayaker,
I have read about it 10 times. What +Splaj describes is weird about dipping and sources. Kinda funny anyway. New Aspr is more complicated, great improvement.


Regards