Asprotect 1.2x [New Strain] ???


h8er
01-04-2003, 11:19 PM
Hi guys

I've tried to unpack Avisplitter 1.1 (h**p://w*w.brizsoft.com) under Win98 SE; PEiD and pe-scan tell me that the program is protected with Asprotect 1.2x [new strain]. I've found the IAT RVA and length (for me rva=71190 and length=720) and the OEP with the Tracex method (6587b or 61ec, I'm not sure), but the program has the Asprotect 1.3 IAT trick explained by +SplAj here: http://www.woodmann.net/forum/showthread.php?s=&threadid=3812&perpage=15&highlight=challenge&pagenumber=2
I've cut all the crap thunks but the aspr 1.3 alpha plugin fails to resolve the redirected imports...
How can I do the job without manually tracing every redirected import?? (I attach my partially solved ImpREC tree)
Please, someone tell me if I've made a mistake

Thx to all

esther
01-05-2003, 05:11 AM
>Please, someone tell me if I've made a mistake
First, you should not upload the IT.txt. Post the post which you do not understand.

>How can I do the job without manually tracing every redirected import??
Don't think there's an easy way

squidge
01-05-2003, 01:33 PM
Don't think you can, unless you can think of a way and write a program to do it for you.

Welcome to the world of reverse engineering! Where hours seem like days...

Quote:
Originally posted by h8er

How can I do the job without manually tracing every redirected import??

_Servil_
01-05-2003, 07:47 PM
It's the same issue as imagedupeless

I hadn't time to de-redirect redirected APIs and to make it work on all libraries, but you can then mostly see the correct API address in debugview's log somewhere near the end of the listing ;=)

Maybe if I stole some time I could tune it to work a little better.

regards

h8er
01-06-2003, 12:05 AM
Thx for the help guys!

SpeKKeL
01-07-2003, 08:59 PM
sjit,

Just when I finished my (old) plugin, I discovered this thread... "new strain".

Yep, this looks very new to me: lots of our redirected APIs are now re-redirected! And some other APIs were called via cxxxxxxxx.
Okay, I just unpacked this target with my new aspr-resolver (plugin) and all were resolved.

I shall look for some other targets to test it better.

Greets,

Spekk.

SpeKKeL
01-08-2003, 05:56 PM
Just made some little modifications and tested on avi-splitter 1.2; it seems all works, so hereby I attach my plugin so you can test a little further.
(Read the txt file before using...)

Ciao,


Spekk

h8er
01-11-2003, 05:42 PM
A great thanks to SpeKKeL and _Servil_ for the plugins; my IAT now seems to be correct. I have a problem with the OEP: I've tried with Tracex but I think that this method fails with this Asprotect version. Any help on how I can find the OEP is really appreciated..

Zilot
01-12-2003, 05:31 AM
OEP is

OEP=465C7F without stolen bytes (there are 11 of them)

crUsAdEr
01-12-2003, 10:31 AM
To find the OEP generally, watching the stack is a good trick... works on most packers I find...

If there is a pushad then there will probably be a popad :>... or some stack correction... the value of ESP should be preserved, I think :> bpm at the right place and you will find it... hope this is good enough a hint :>...

cheers
crUsAdEr

Zilot
01-12-2003, 12:08 PM
SpeKKeL, _Servil_ or anyone who found the IAT,

can you PM your IAT? I had to resolve about 15 APIs manually; your plugins work with some APIs and not with others, so I'm not sure if I found them as well, because when I start the dumped program I get a nag screen about the limitation, and when I press continue trial the program crashes. Registration and the button for key entering work fine, so I don't know whether it is because of the IAT or there is some trick with size checking or CRC, and that is why I'm asking for the IAT, just to compare. I'm working on Win2K

Soldat

SpeKKeL
01-12-2003, 05:22 PM
Hajo,

Well, I only tested my plugin on w98 so......
Are you talking about 1.1 or version 1.2?
Just trace your rebuilt prog to the place where the exception is raised and compare it with the original.
I didn't encounter any checks or whatever (maybe there are..).

Spekk.

Zilot
01-13-2003, 02:12 AM
Version is 1.2

But if you say that there are no similar things (checks), it is up to the IAT

Soldat

_Servil_
01-13-2003, 01:06 PM
Soldat,

This app has no callback check. If it crashes it's caused by a wrong IT or missing stolen bytes. I've fixed the plugin so it finds all calls under WinXP but fails mostly on Win98. It's caused by certain APIs working differently on the 9x and NT platforms.

And the import obfuscation has changed again

Zilot
01-14-2003, 05:19 AM
Finally I did it, but without plug-ins. I patched the redirect/encrypt procedure and there was no need for plug-ins (for newer). The usual 10 emulated APIs were unresolved, and older plug-ins, I think by Crusader, resolved them as well.
Now the proggie runs OK

Thanks to Jim

Soldat

h8er
01-15-2003, 06:20 PM
Hi Soldat


I've tried to break at your oep=465c7f but I've failed... how did you reach it??

hobgoblin
01-15-2003, 11:27 PM
Hi there,
I used tracex (I used WinME to crack this one), and found the OEP to be 46587B. (But after unpacking it you must set the OEP to be 465870 and add the "stolen" bytes stored in the high memory).

hobgoblin

Zilot
01-16-2003, 05:13 AM
Hi h8er!

When you started this thread there was version 1.1 of Avisplitter; in the meantime it is quit and there was version 1.2 when I tried to unpack, now maybe newer. Are you talking about 1.1 or 1.2 or maybe newer?

Soldat

h8er
01-18-2003, 05:48 PM
My version is 1.1 so it was a misunderstanding