Aspr - Aspack double pack? :)
kandinsky
November 5th, 2002, 12:46
Hi Freaks,
I'm trying to unpack an aspr target...
The problem is, I cannot GET THE FUCKING OEP...
The loader causes a runtime error, and it's the first target where I cannot find the correct OEP.
PEiD doesn't report the correct OEP, and although it's a Delphi target I cannot even get the OEP with DeDe...
It might be double-packed with ASPack, or I am just too lame.
See.ya
***.webextractor.com
esther
November 5th, 2002, 12:58
There are about 5224 threads discussing this topic.
Search the forum.
Paste the code, show what you have done, make some effort.
kandinsky
November 5th, 2002, 14:33
Well,
anyway, I am not able to find the correct OEP.
I tried IceDump too..
Loader, IceDump, OEP finder, hm, searched for bytes in memory, bla bla bla...
I cannot verify a correct OEP, because none of the OEP finders is working, and with IceDump I cannot achieve it either...
Well, maybe it's just fucking multi-dip software....
I will buy the software
Congrats Alexey
nofurs
November 5th, 2002, 14:39
Very good support software authors

hobgoblin
November 5th, 2002, 16:43
Hi there,
Don't give up.
This is actually fairly easy. This is how I did it:
I only used SoftICE and IceDump.
a) bpx getversion. When SICE breaks, disable the bpx, do a search for the byte sequence 5B,EB,CE,61 (this is at the end of a call where Aspr builds the import table, but that's not important here). Put a bpmb xxxxxxxx x on the location you find. When SICE breaks there, disable the breakpoint, and put a new one on the third ret instruction below the location you broke at. When SICE breaks, disable the breakpoint.
b) Use the tracex function in IceDump. Tracex will break 3 times at dips, then it goes into a leeeengthy loop. (You may step over it using a breakpoint.) After that tracex breaks once more, and that's at the OEP.
Now, this is the latest(?) version from Alexey, so the first few bytes are actually executed while still in the high memory area. Check the value stored in ecx. That's the location of the jump instruction in the high memory area to the OEP. If you see what's stored in the ebx register, that's the number of bytes executed before the program jumps from the high memory to where you are right now. If you dump the number of bytes you see in ebx, from the instruction before the one pointed to by ecx, and upwards, you have the missing bytes you have to paste into your dumped program to make it work. Now all you have to do is to adjust the OEP.
Hope this helps..
regards,
hobgoblin
foxthree
November 5th, 2002, 16:47
Yo:
Hob, good one!
Kandinsky:
There is an easier method. Search the board for tips. This is the newest strain of ASPR, started by Hob himself.

XXC2C8 == HINT!
Signed,
-- FoxThree
TheSearcher
November 5th, 2002, 17:19
Hiya,
The latest, I think, is ATC. Try it out, have fun.
Additional information:
Look at the post "salsa dump problem".
hobgoblin
November 5th, 2002, 18:35
What is ATC??
hobgoblin
Forget it. Found it out...

foxthree
November 5th, 2002, 18:48
Hiya Hob:
The Infamous ATC.... You're going to have some phun indeed, Hob
Signed,
-- FoxThree
crUsAdEr
November 5th, 2002, 20:39
**********************************************
Hi Freaks,
I'm trying to unpack an aspr target...
The problem is, I cannot GET THE FUCKING OEP...
The loader causes a runtime error, and it's the first target where I cannot find the correct OEP.
PEiD doesn't report the correct OEP, and although it's a Delphi target I cannot even get the OEP with DeDe...
It might be double-packed with ASPack, or I am just too lame.
**********************************************
Hmm, what is "Freaks" supposed to mean?
I do share Kayaker's sentiments from a few months ago, when he complained about excessive posts/threads concerning AsProtect discussing the same thing over and over again... No matter how well discussed the topic already is, there is always some newcomer who starts a new thread again without searching the board

...
Resigned,
crUsAdEr
kandinsky
November 6th, 2002, 11:39
Hi dudes,
well, I found a breakpoint with a search for 30,90,90,90,90,90,90,90 in WinHex too...
In my case it was 0047c2c8... I thought it was wrong because in all cases there is a call at this breakpoint, and I was quite confused...
So I will try out the way Hob describes to rip the bytes and include them in the unpacked one....
Thanks for everything...
See.ya
BTW: I regged the software

kandinsky
November 6th, 2002, 13:23
Well,
I still have problems... I found the correct OEP; in Win98 it's 0047c310 for me and in XP it's 0047c2c8...
Everything worked fine, but I still get a runtime error when I try to run the unpacked version...
Please explain again how I copy the bytes and which bytes I have to copy... Sorry, I didn't understand it...
The ebx register holds the number of bytes to copy.. In this case it's 0c, but then?
Thanks in advance...
Kandinsky
Zilot
November 20th, 2002, 10:34
-
Zilot
November 20th, 2002, 10:55
Hi Kandinsky !!!
Maybe I'm too late with this reply, but if you still haven't unpacked (or, worse, bought) it, this is how I did it.
OK, let's see: the entry in real code is 47C2C8, but it is not the OEP. The OEP is 47C2BC. Why? Because you have to "rebuild" the first several bytes embedded in the unpacker's routine.
In your hex editor start from 47C2BC and fill it with the following sequence:
55,8b,ec,83,c4,f4,53,b8,1c,c1,47,00 until you reach 47C2C8.
Don't touch the CALL at 47C2C8.
There are three dips before the OEP; bypass the 1st and 3rd (don't touch the 2nd, it is about the key file).
Then about the IAT: this is my IAT with ImpRec.
There were 2 unresolved APIs (after using plug-ins):
GetModuleHandleA (C91369)
LockResource (C913F4)
After dump-fixing everything should be OK, but only for running; this is not the END yet, because there is SIZE checking at 4747D4: replace the 'jl' at 4747D6 with a jump.
And at the end there is one more thing: when you try to close the program there will be the screen about a run-time error. It is because of some pointer checking at 403764; just put two NOPs instead of the jz.
OK, but this is not the end of this agony: you cannot save more than A hex extracted e-mails from the site.
Try to do it by yourself; it shouldn't be complicated.
Regards
Soldat
PS: There is one golden rule: don't buy something you can't touch, because all the most beautiful things in life are free and intangible.
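The "stolen bytes" step that hobgoblin and Zilot both describe (the protector runs the first instructions of the program from its own memory, so a raw dump has a hole at the OEP that must be filled before the entry point is moved back) is the same fix-up a malware analyst applies to a dump of any packed sample. The following is an added example, not code from this thread or from any of the tools named in it. It builds a tiny constructed PE32 image that imitates such a dump (one section, entry point still at the real-code entry 47C2C8, zeros at 47C2BC), writes the twelve bytes Zilot lists back at the OEP, repoints AddressOfEntryPoint, and checks that the CALL at 47C2C8 was not overwritten. The twelve-byte length also matches the ebx value of 0c that kandinsky reports. The section layout and image base are assumptions made for the constructed image, not values from the thread.

```python
import struct

# Addresses and bytes quoted in the thread (Zilot's post). Image base 0x400000
# is an assumption for the constructed image.
IMAGE_BASE = 0x400000
REAL_CODE_ENTRY = 0x47C2C8      # where the protector jumps into real code
OEP = 0x47C2BC                  # true entry point, twelve bytes earlier
STOLEN_BYTES = bytes.fromhex("558bec83c4f453b81cc14700")


def _section_table(image):
    """Yield (VirtualAddress, size, PointerToRawData) for each section."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    nsect = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    start = e_lfanew + 24 + opt_size            # first IMAGE_SECTION_HEADER
    for i in range(nsect):
        _name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", image, start + 40 * i)
        yield va, max(vsize, rawsize), rawptr


def rva_to_offset(image, rva):
    """Map an RVA to a file offset through the section table."""
    for va, size, rawptr in _section_table(image):
        if va <= rva < va + size:
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def entry_point(image):
    """Return AddressOfEntryPoint (RVA) from the optional header."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return struct.unpack_from("<I", image, e_lfanew + 24 + 16)[0]


def bytes_at_va(image, va, n, image_base=IMAGE_BASE):
    off = rva_to_offset(image, va - image_base)
    return bytes(image[off:off + n])


def restore_stolen_bytes(image, oep_va, stolen, image_base=IMAGE_BASE):
    """Write the out-of-line bytes back at the OEP and point the header's
    AddressOfEntryPoint at it. Returns the new entry point RVA."""
    oep_rva = oep_va - image_base
    off = rva_to_offset(image, oep_rva)
    image[off:off + len(stolen)] = stolen
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    struct.pack_into("<I", image, e_lfanew + 24 + 16, oep_rva)
    return oep_rva


def is_plausible_delphi_prologue(code):
    """Sanity check: a Delphi routine starts with push ebp / mov ebp,esp."""
    return code[:3] == b"\x55\x8b\xec"


def build_constructed_dump():
    """Constructed, minimal PE32 image that mimics a raw dump: one section,
    entry point still at REAL_CODE_ENTRY, and the OEP bytes zeroed."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)
    # COFF header: i386, 1 section, optional header size 0xE0, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    opt[0:2] = struct.pack("<H", 0x10B)                          # PE32 magic
    opt[16:20] = struct.pack("<I", REAL_CODE_ENTRY - IMAGE_BASE)  # entry point
    opt[28:32] = struct.pack("<I", IMAGE_BASE)
    # One section "CODE": VA 0x7C000, raw data at 0x400, 0x1000 bytes (assumed)
    sect = struct.pack("<8sIIIIIIHHI", b"CODE", 0x1000, 0x7C000, 0x1000,
                       0x400, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + sect
    image = bytearray(headers) + bytearray(0x400 - len(headers)) + bytearray(0x1000)
    # A CALL opcode at the real-code entry, so the fix-up can be shown to leave it alone.
    image[rva_to_offset(image, REAL_CODE_ENTRY - IMAGE_BASE)] = 0xE8
    return image


if __name__ == "__main__":
    img = build_constructed_dump()
    print(f"before: EP RVA {entry_point(img):#x}, OEP bytes {bytes_at_va(img, OEP, 12).hex()}")
    restore_stolen_bytes(img, OEP, STOLEN_BYTES)
    print(f"after:  EP RVA {entry_point(img):#x}, OEP bytes {bytes_at_va(img, OEP, 12).hex()}")
    print("prologue looks like Delphi:", is_plausible_delphi_prologue(bytes_at_va(img, OEP, 3)))
```

On a real dump the section table comes from the dumped file rather than from `build_constructed_dump`, and `rva_to_offset` is the part that matters: writing at `OEP - IMAGE_BASE` directly as a file offset only works when the dumper has already aligned raw offsets to virtual addresses.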
Paul333
November 20th, 2002, 22:09
This is way above me!!.... Does something like the above take you all night or 10 mins??... Is it hard work.... sounds like it.
paul333
kandinsky
November 28th, 2002, 03:27
Hi Soldat,
the way you described worked...
I did everything, and now I've got a cracked & bought version, but at least a lot more knowledge....
Thanks for everything