Hi Freaks,


i m trying to unpack an aspr target...

The problem is, I cannot GET THE FUCKING OEP...

The Loader cause an runtime error and its the first target I cannot find the correct oep.

PeID doesnt report correct OeIP and although its a Delphi Target i cannot even get the OEP with Dede...

It might be double packed with aspack or I am just to lame.

See.ya

***.webextractor.com

There are about 5224 threads disscussing this topic.
Search the forum.

Paste the codes show what you have do some effort.

Well,

anyway i am not able to find the correct oep.

I tried icedump too..

Loader, Icedump, oepfinder, hm, searched for bytes in memory, bla bla bla...

I cannot verify a correct oep, because none of the Oep-Finders is working and with icedump cannot achieve neither...

Well maybe just a fucking multi-dip software....

I will buy the software

Gongrats Alexy

Very good support software authors

Hi there,
Don't give up.
This is actually fairly easy.This is how I did it:
I only used Softice and Icedump.
a) bpx getversion. When Sice breaks, disable bpx, do a search for the byte sequence 5B,EB,CE,61 (this is at the end of a call where Aspr builds the import table, but that's not important here). Put a bpmb xxxxxxxx x on the location you find. When Sice breaks there, disable breakpoint, and put a new one on the third ret instruction below of the location you broke at. When Sice breaks, disable breakpoint.
b) Use the tracex function in Icedump. Tracex will break 3 times at dips, then it goes into a leeeengthy loop. (You may step over it using a breakpoint). After that tracex breaks once more, and that's at the OEP.
Now, this is the latest(?) version form Alexey, so the first few bytes is actually executed while still in the high memory area. Check the value stored in ecx. That's the location for the jump instruction in the high memory area to the OEP. If you see what's stored in the ebx register, that's the number of bytes executed before the program jumps from the high memory to where you are right now. If you dump the number of bytes you see in ebx, from the instruction before the one pointed to by ecx, and upwards, you have the missing bytes you have to paste into your dumped program to make it work. Now all you have to do is to adjust the OEP.

Hope this helps..

regards,
hobgoblin

Yo:

Hob good one!

Kandinsky:

There is an easier method. Search the board for tips. This is the newest strain of ASPR started by Hob himself XXC2C8 == HINT!

Signed,
-- FoxThree

Hiya,

The latest I think is ATC.Try it out have fun

Additional information:
Look at the post salsa dump problem

What is ATC??

hobgoblin

Forget it. Found it out...

Hiya Hob:

The Infamous ATC.... You're going to have some phun indeed, Hob

Signed,
-- FoxThree

**********************************************
Hi Freaks,


i m trying to unpack an aspr target...

The problem is, I cannot GET THE FUCKING OEP...

The Loader cause an runtime error and its the first target I cannot find the correct oep.

PeID doesnt report correct OeIP and although its a Delphi Target i cannot even get the OEP with Dede...

It might be double packed with aspack or I am just to lame.
**********************************************

Hmm, what does "Freaks" supposed to mean?

I do share Kayaker sentiments few months ago now when he complained about excessive posts/threads concerning AsProtect discussing about the same thing over and over again... NO matter how well discussed the topic already is, there is always some newcomer who start a new thread again without searchign the board ...

Resigned,
crUsAdEr

Hi dudes,

well, i found a breakpoint with a search for 30,90,90,90,90,90,90,90 in winhex too...


For my case it was 0047c2c8... I thought its wrong because, in all case at this breakpoint is a call function and i was quit confused...

So i will try out the way hop describes to rip the byte and include it in the unpacked....

Thanks for everything...

See.ya

BTW.: I regged the software

Well,

i still have problems... I found the correct oep, in win98 its for me 0047c310 and in xp its 0047c2c8...

Everything worked fine, but still I get an runtime error when i try to run the unpacked version...

Please explain again, how i copy the bytes and with bytes i have to copy... Sorry, I didnt understand it...

The ebx register holds the number of bytes to copy.. In this case its 0c, but then?

Thanks in advance...

Kandinsky

-

Hi Kandinsky !!!

Maybe I'm too late with this replay , but if you still hasn't

unpacked ( or the worse, bought ) this is how I did it

Ok let see , the entry in real code is 47C2C8 but is not the OEP

the OEP is 47C2BC , why this , because you have to "rebuild"

first several bytes embedded in unpackers routine

And in your hex editor start from 47C2BC and fill it with next

sequence

55,8b,ec,83,c4,f4,53,b8,1c,c1,47,00 until you reach 47C2C8

CALL at 47C2C8 don't touch

There are three dips before OEP , bypass 1. and 3. ( dont touch

the 2 nd , it is about the key file )

Then about IAT , this is my IAT with ImpRec


There were 2 unresolved Apis ( after using plug- ins )

GetModuleHandleA (C91369)

Lock Resource (C913F4)

After dumpfixing everything should be OK but only with running

this is not the END yet because there is SIZE checking on

4747D4 , replace 'jl' on 4747D6 with jump

And at the end there is one more thing , when you try to close

the program there will be the screen about run time error

it is because some pointer checking on 403764 and just put

two nops instead jz

Ok But this is not the end with this Agony , you can not save

more then A hex extracted E-mails from the site

Try to do it by yourself , shouldn't be complicated

Regards

Soldat

PS: There is one golden rule , don't buy something you can't touch
because all the most beautiful things in life are free and intangible

This is way above me!!....Does something like above take you's all night or 10 mins??...is it hard work....sounds it

paul333

Hi Soldat,

the way you described worked...

I did everything and now i got a cracked & bought version, but at least a lot more knowledge....

Thanks for everything