hi all

i have tried again and again so many time to unpack
this new version of ASPR but no luck all the time it crashes

so i made this tut about the new aspr ..

this tut is yet not fully working so if anyone else wishes to
finish this tut and fix my errors..

yei, LaBBa!

Why you wrote this TRAGEDIE-tut?
ASS just waits for this, & then he will say:
"look here, what a stangest pucker i wrote.."

Ok, I will look at this..wait..

I just tried for DLD it, but it not exists!

seems, ASS sad:"why i make so bad puker, Labba very tired.."

hehe ... it's just i wroted this when i was tierd..
sorry about the bad english at this stupid tut..

i think there is somthing wrong at my dump still havn't got it yet..

no probs!

Lets wait for new release & together unpuk newest ..

have u took a look yet about the tut ?

i look only, but i not play with OLLY, so for me there is nothing

What kind of SADIST you use to be................

lol eval, ur engl is so weird that it takes dictionary to decode it
/me ment in a good way

seriously, if you can't decode my iNgLich
just re_ask me.

Don't worry LaBBa, we will..we will..

well all that i have found out more about the Crashes of the App
is this :

00402262 . 83C0 03 ADD EAX,3
00402265 > C1F8 02 SAR EAX,2
00402268 . 8B15 24E65600 MOV EDX,DWORD PTR DS:[56E624]
0040226E . 8B5482 F4 MOV EDX,DWORD PTR DS:[EDX+EAX*4-C]
00402272 . 85D2 TEST EDX,EDX
00402274 . 74 79 JE SHORT Dump_.004022EF
00402276 . 8BF2 MOV ESI,EDX
00402278 . 8BC6 MOV EAX,ESI

at : MOV EDX,DWORD PTR DS:[EDX+EAX*4-C]
with an error of Read Access Violation
and ther is more of those
some with an Error of Write Access Violation..

at the Packed file at Olly u can see that

DWORD PTR DS:[EDX+EAX*4-C] = 00000000

and at the unpacked file u can see that :

DWORD PTR DS:[EDX+EAX*4-C] = ?????????

realy wierd ! all other places are like that ..

well at ASPR Stripper i saw it doing somtimes those lines at some other unpacked apps : i.e :

ApiEntry RVA :0001e984 *esp = (00a738fd, 00a63861, 0012ffe0)
ApiEntry RVA :000181dc *esp = (00a739f1, 00000010, 00000010)
ApiEntry RVA :000012cc *esp = (00a73b2f, 004012c8, 0012ffe0)

what those lines are for ??? i think this could help to solve this thing...

why u double post onto exetools?

Anyway, sounds like the app is verifying registration status or something like that using structure from asprotect. Since asprotect is no more, structure is invalid, hence the read access violations.

well i post there because some other ppl over there could help too ...

about u'r answer abuot ASPR .. is there a way to fix that so it will work ?

Man please use

PUSH EBP
MOV EBP,ESP
ADD ESP,-10
PUSH EBX
MOV EAX, XXXXXXX

this structure thx you see oep ist 5C7F40 please use it and work with real structures thx.

OK, I DLD now setup.exe size 1080445 byte.
Is it, LaBBa?

hemm!

I'm little curious.
ass_dll's code now less then previous dll(uploaded by me).
it not conteins INT68 check.

Now I more debug this dll & found some crazy things,
like grand checking VMM space for service instructions
(this check is also in previous dll)...

Or ASS became crazy doing such shameless tricks,
Or this is experimental one.

So my opinion is:
Lets dedicate this strange SystemCleaner to ASS's experimental studio
& don't trush time on it.

Better find wellknown software,
which regularly uses updated ASSpr & reverse it..

later I will look more for LaBBa

yah, LaBBa, I look at it.
In DATA section(2nd) ASSpr puts pointer to ass_dll in memory.
then many times checks it.
then this pointer changes to point text "Unregistered Version"
for "About" dialog.

so you need somewhere in free space write "xregistered Version"
& correct that pointer.

tnx evaluator ...
can u add this part of fixing to the text file ? so we could all have a nice tut about F**king ASPR ?

seems my exe is newer then you have.
redownload it. then I will upload for you my unpacked.
so you can then compare & write new tup.

that would be great !! tnx..

i already done this quite time ago, check your PM.

Hi Labba
Please, recheck your IT, I have unpacked and it is running ,
except minor error on closing which can be corrected .
Britedream

Hi LaBBa !
now I have it runnig correctly.

well .. thats weird..
can u tell me all the info ?

RVA , IT , Size etc... ??

Here some of the info:

IatRVA=17221c
IATSIZE=1000
the actual size is slightly less than 1000

britedream