
ASPR \ ASprotect 1.23 Tut !


LaBBa
August 18th, 2003, 03:49
Hi all !!

As I told you all .. when I fixed my tut about the new ASPR I would publish it .. well, here we go ... I found what was wrong with
my unpacked file and why it crashed ..

So read the "Read Me First" and then enjoy another
"Step-By-Step" tut about ASPR.

evaluator
August 18th, 2003, 08:05
LaBBa,

sorry, but this tutorial shows:
1. you still know very little about PE structure (it is not so hard).
2. you have not read our discussions about Asspr.

I can also explain step by step why your tut is not informative..

but can you explain: why do you want so badly to write a tutorial?

***
"Tutor or Stupor - this is the Qvaschion!"
W. LaBBa. Shakespeare

LaBBa
August 18th, 2003, 09:23
Well, I'm sorry about my Lame Ass Tut ...
but to be true .. I'm the only one that did something so other ppl could learn .. so you can't tell me that it's not good enough .. because no one else has done anything like it ..
If you don't like it, don't use it ..
If you know better, teach us, including me ..
I know that I'm still lame in the whole PE thing ..
but I do my best to share all I know with others by
writing tuts..

Well, I just share what I have learned about unpacking this app

If more ppl like evaluator want to respond about this tut and
to add or reject some things about it, plz do! So we all can learn.

evaluator: tnx for being honest and commenting on my knowledge of the PE file .. I hope to make it better when I have time ..

LaBBa
August 18th, 2003, 14:15
hmm.. BTW ..

"2. you have not read our discussions about Asspr."

Which one? I try to read all I can about unpacking, not only aspr.
If you can show me exactly what you mean .. I think I have missed something..

Shoob
August 18th, 2003, 15:41
I think this tut is good for nothing; anyway, this thread is maybe meant to be where all is complained in details. After all, nothing great changed since 1.2, as evaluator said.. I remember there were also some (maybe) deleted posts where this new stuff got discussed. Use the search button.. At least, to make it look like I'm not just a flame asshole, I will give you some tips for future tuts. Btw, I see you are only half-knowledgeable about unpacking asprotect. If that's true, don't put your fingers on a tut please (e.g. "so it could be LockResource or FreeResource").

1.) Write about new techniques (don't compress other information)

2.) Use pictures (very important to raise the understanding of novices)

3.) Sometimes use other type styles, e.g. bold, italic.

4.) Use paragraphs, stand-offs

5.) Update your tut thread, don't make a new one

http://www.woodmann.net/forum/showthread.php?threadid=4936

dELTA
August 18th, 2003, 16:53
Ok, some people around here really need to tone down the arrogant and condescending comments and flames right now!

If someone writes a tut, it is completely ok to give constructive criticism about it, but for Christ's sake will everyone drop the "I'm a leeto and you suck" attitude (irrespective of throwing in a few constructive details at the end of the post or not)!?!

Anyone who wants to is more than welcome to write a tutorial and post it for others to read. There's always someone who will gain knowledge from it, even though there might already exist more advanced tutorials about it somewhere (if the tutorial writer greatly exaggerates his knowledge and skills about the topic, a scolding might of course be suitable, but that's another story and mostly not the case). When writing such a tutorial, the author should indeed be prepared for constructive criticism, and handle such gracefully (just like LaBBa does in this case) without starting any flamewars, but no one has the right to disrespect the tutorial writer just because they think they already know everything that's in the tutorial, and that they are better and more l33t!

Even though some of you might not mean any harm (yes, I'm talking to you eval), this kind of behavior still produces an overall bad atmosphere on the board, and it discourages people from contributing with their knowledge because they are afraid that some self-proclaimed leeto will flame them.

So if you'd like more threads where things are "explained in detail" rather than "complained in details" (and also fancy keeping your board accounts for that sake), stop this kind of behavior immediately, it will not be tolerated!


dELTA

esther
August 18th, 2003, 23:27
Hi LaBBa,

The only thing I would like to comment on is: brush up your English.
Keep up the good work.



>I think this tut is good for nothing anyway this thread is maybe meant where all is complained in details

You should write a tutorial and share your knowledge.

LaBBa
August 19th, 2003, 08:13
Well, just wanted to respond to all the responses ..

1) I will never write a tut with pictures!! I hate it .. I like plain txt

2) I know that my English is in need of improvement.. (nothing I can do)

3) I know that many experienced crackers/unpackers really don't
like "Step-By-Step" tuts .. but for some ppl they are needed

4) I just hope that more ppl will write step-by-step tuts so not
only an experienced cracker/unpacker can learn but also a
newbie can learn .. (like the ArmaDillo tuts...)

Well, I guess it's time to move on a lil .. so I will start working on
something other than ASPR .. I've done that for a long time now.. but I will now look for another nice packer/encrypter to learn and, yes, to explain about..

Any REQ ?

evaluator
August 19th, 2003, 16:15
LaBBa,
I disagree with you.
You have not collected enough knowledge about asspr & now you want to jump
to another protector.

I want to recommend that you collect more general knowledge about PE,
then re-arrange & update your approach to asspr..

..you decide..


PS.
I uploaded an unpacked EXE for you,
but you told me nothing..

LaBBa
August 19th, 2003, 19:35
Well, I didn't say I was going to leave and not learn or keep updated with new aspr versions. I just said that there is no more need for an aspr tut for now, and I will now try to do the same for some other packer..

Btw.. I didn't need that unpacked file you gave me, because if you had read my tut (the not-full one) you would have just told me that I dumped the file at the wrong place ... the new tut is just fixing that .. but tnx anyway..

evaluator
August 20th, 2003, 07:02
Yep, my fault..

Ok, for you I remember an asspr target which uses asspr features in a more interesting way.
Find the latest build of "ArtIcons Pro" & write a tut about it.
However, the asspr version there is not the latest, but anyway.

LaBBa
August 20th, 2003, 20:30
Well, I downloaded the latest version but didn't have much time to look at it ...

The stolen bytes are not being erased ... (don't know why)
the dump is crashing because of a call check of ASPR

Hope to have more time and find out more about it..

Manko
August 21st, 2003, 01:51
Hi!

As eval said, this is an earlier version of aspr.
At that time, he didn't use to erase stolen bytes.

/Manko

evaluator
August 21st, 2003, 03:04
Also I did a search for asspr'ed ones & found an interesting one:
"G-Lock EasyMail Professional".

This has the kiddie asspr.dll with error reporting to email.

bugs@aspack.com
168.144.78.112
From: some@user.com
To: support@aspack.com
BCC: vitaliy@aspack.com
Subject: Application error
Sender: some@user.com

I can't say how new this is, but it is quite new.

britedream
August 21st, 2003, 07:16
Thanks, it's very nice software you came up with, but as far as
unpacking goes, it is exactly the same as systemcleaner.

britedream

koderz
August 21st, 2003, 19:03
Hi all, I'm new to the forums. Ok well, due to an update I tried applying the same techniques to the new version [Target deleted]. Everything works as planned except I am confused about what to do with the stolen bytes on this update. Here's a look at what the new version looks like:

0057825B 0000 ADD BYTE PTR DS:[EAX],AL
0057825D E6 54 OUT 54,AL ; I/O command
0057825F 0074F7 54 ADD BYTE PTR DS:[EDI+ESI*8+54],DH
00578263 0044F7 54 ADD BYTE PTR DS:[EDI+ESI*8+54],AL
00578267 006450 53 ADD BYTE PTR DS:[EAX+EDX*2+53],AH
0057826B 003450 ADD BYTE PTR DS:[EAX+EDX*2],DH
0057826E 53 PUSH EBX
0057826F 009C3A 53006C3A ADD BYTE PTR DS:[EDX+EDI+3A6C0053],BL
00578276 53 PUSH EBX
00578277 0018 ADD BYTE PTR DS:[EAX],BL
00578279 3A53 00 CMP DL,BYTE PTR DS:[EBX]
0057827C E8 395300FC CALL FC57D5BA
00578281 6C INS BYTE PTR ES:[EDI],DX ; I/O command
00578282 57 PUSH EDI
00578283 00A0 6C5700C0 ADD BYTE PTR DS:[EAX+C000576C],AH
00578289 6F OUTS DX,DWORD PTR ES:[EDI] ; I/O command
0057828A 57 PUSH EDI
0057828B 0090 6F570054 ADD BYTE PTR DS:[EAX+5400576F],DL
00578291 74 57 JE SHORT xxx.005782EA
00578293 002474 ADD BYTE PTR SS:[ESP+ESI*2],AH
00578296 57 PUSH EDI
00578297 0000 ADD BYTE PTR DS:[EAX],AL
00578299 0000 ADD BYTE PTR DS:[EAX],AL
0057829B 0010 ADD BYTE PTR DS:[EAX],DL
0057829D 7B 57 JPO SHORT xxx.005782F6
0057829F 0000 ADD BYTE PTR DS:[EAX],AL
005782A1 0000 ADD BYTE PTR DS:[EAX],AL
005782A3 0000 ADD BYTE PTR DS:[EAX],AL
005782A5 0000 ADD BYTE PTR DS:[EAX],AL
005782A7 0000 ADD BYTE PTR DS:[EAX],AL
005782A9 0000 ADD BYTE PTR DS:[EAX],AL
005782AB E8 ACF1E8FF CALL xxx.0040745C
005782B0 FF15 3C385800 CALL DWORD PTR DS:[58383C] ; xxx.00577498
005782B6 E8 09CBE8FF CALL xxx.00404DC4
005782BB 90 NOP

I am not exactly sure where to start counting the bytes and where to end. Any clarification on this would be great. Btw, I broke on 005782B0 when I came into this section.

Thanks

LaBBa
August 21st, 2003, 19:44
hi

Well, I saw your Q and I will try to answer as well as I can ..

If you used my way of finding the OEP, then after you have done
TC EIP<900000

you should be here:

00407398 -FF25 40A35800 JMP DWORD PTR DS:[58A340]
0040739E 8BC0 MOV EAX,EAX

then trace one time with F8 and you will get back to packer code:

01031C64 55 PUSH EBP
01031C65 8BEC MOV EBP,ESP
01031C67 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
01031C6A 85C0 TEST EAX,EAX
01031C6C 75 13 JNZ SHORT 01031C81
01031C6E 813D A47A0301 00>CMP DWORD PTR DS:[1037AA4],400000 ; ASCII "MZP"

Well, set the trace command again (alt+f1) and when Olly breaks you should be here:

0040746D A3 68565800 MOV DWORD PTR DS:[585668],EAX ; 00400000
00407472 A1 68565800 MOV EAX,DWORD PTR DS:[585668]
00407477 A3 D8905700 MOV DWORD PTR DS:[5790D8],EAX
0040747C 33C0 XOR EAX,EAX
0040747E A3 DC905700 MOV DWORD PTR DS:[5790DC],EAX
00407483 33C0 XOR EAX,EAX
00407485 A3 E0905700 MOV DWORD PTR DS:[5790E0],EAX
0040748A E8 C1FFFFFF CALL 00407450
0040748F BA D4905700 MOV EDX,005790D4
00407494 8BC3 MOV EAX,EBX
00407496 E8 61D7FFFF CALL 00404BFC
0040749B 5B POP EBX
0040749C C3 RETN

Here you should make the dump of the process..

Continue tracing till you are at:
00407494 8BC3 MOV EAX,EBX

This value you will need for the stolen bytes, as the EAX value;
in this case: EAX = 00577B38

If you trace (with F8) after the RET you should be here:

005782B0 FF15 3C385800 CALL DWORD PTR DS:[58383C] ; 00577ACC
005782B6 E8 09CBE8FF CALL 00404DC4
005782BB 90 NOP

Now scroll up a lil and you will see all of this:

0057829D 7B 57 JPO SHORT 005782F6
0057829F 0000 ADD BYTE PTR DS:[EAX],AL
005782A1 0000 ADD BYTE PTR DS:[EAX],AL
005782A3 0000 ADD BYTE PTR DS:[EAX],AL
005782A5 0000 ADD BYTE PTR DS:[EAX],AL
005782A7 0000 ADD BYTE PTR DS:[EAX],AL
005782A9 0000 ADD BYTE PTR DS:[EAX],AL
005782AB E8 ACF1E8FF CALL 0040745C
005782B0 FF15 3C385800 CALL DWORD PTR DS:[58383C] ; 00577ACC
005782B6 E8 09CBE8FF CALL 00404DC4
005782BB 90 NOP

Well.. all of this :
0057829F 0000 ADD BYTE PTR DS:[EAX],AL
005782A1 0000 ADD BYTE PTR DS:[EAX],AL
005782A3 0000 ADD BYTE PTR DS:[EAX],AL
005782A5 0000 ADD BYTE PTR DS:[EAX],AL
005782A7 0000 ADD BYTE PTR DS:[EAX],AL
005782A9 0000 ADD BYTE PTR DS:[EAX],AL

are the stolen bytes, from address: 005782A0
this means that you have 11 stolen bytes:

PUSH EBP
MOV EBP,ESP
ADD ESP, -010
MOV EAX , 00577B38

that is, in bytes:
55,8B,EC,83,C4,F0,B8,38,7B,57,00

Write those over all of those "00" with a hex editor,
then fix the OEP to: 1782A0 with a PE editor
(that's because 5782A0-ImageBase = 5782A0-400000)

Fix the IAT with ImpRec and that's all .. it will work just fine..
well.. it does for me ..

Regards , LaBBa.

(PS - I just share what I know.. nothing more, nothing less)
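
The byte-counting and the OEP arithmetic in LaBBa's answer (and koderz's question about where the count starts and ends) as an added example; this is not code from the thread or from any of the tools named in it. It assembles the four-instruction prologue into the 11 bytes quoted above, computes the OEP RVA as VA minus the 400000 image base, and writes the bytes into a dump at the file offset a section table maps that RVA to. The section layout and the dump buffer are constructed stand-ins, and the mini-assembler only knows the instruction forms quoted in this thread; it also encodes the six-instruction Delphi variant britedream posts further down.

```python
"""Rebuild a stolen-bytes prologue and write it back into a dump.

Added example for this thread, not code posted by LaBBa or anyone else here.
Assumptions: the 400000 image base the thread subtracts, a constructed
one-section layout standing in for the real dump, and an assembler that
only knows the handful of instruction forms quoted in the thread.
"""
import re
import struct

IMAGE_BASE = 0x400000  # LaBBa: 5782A0 - ImageBase = 5782A0 - 400000

# Register numbers as they appear in ModRM and opcode+reg encodings.
REGS = {"EAX": 0, "ECX": 1, "EDX": 2, "EBX": 3, "ESP": 4, "EBP": 5, "ESI": 6, "EDI": 7}


def assemble(line):
    """Encode one prologue instruction written the way OllyDbg prints it."""
    mnem, _, rest = line.strip().upper().partition(" ")
    ops = rest.replace(" ", "").split(",") if rest else []
    regs = [op in REGS for op in ops]
    if mnem == "PUSH" and regs == [True]:                       # 50+r
        return bytes([0x50 + REGS[ops[0]]])
    if mnem in ("MOV", "XOR") and regs == [True, True]:         # 8B /r or 33 /r
        opcode = 0x8B if mnem == "MOV" else 0x33
        return bytes([opcode, 0xC0 | (REGS[ops[0]] << 3) | REGS[ops[1]]])
    if mnem == "ADD" and regs == [True, False]:                 # 83 /0 ib, sign-extended
        imm = int(ops[1], 16)                                   # "-10" and "-010" both work
        if not -128 <= imm <= 127:
            raise ValueError("only the imm8 form of ADD is supported")
        return bytes([0x83, 0xC0 | REGS[ops[0]]]) + struct.pack("<b", imm)
    if mnem == "MOV" and regs == [True, False]:                 # B8+r imm32
        return bytes([0xB8 + REGS[ops[0]]]) + struct.pack("<I", int(ops[1], 16))
    if mnem == "MOV" and regs == [False, True]:                 # 89 /r [EBP+disp8], r32
        mem = re.fullmatch(r"(?:DWORDPTR)?(?:SS:|DS:)?\[EBP([+-][0-9A-F]+)\]", ops[0])
        if mem:
            disp = struct.pack("<b", int(mem.group(1), 16))
            return bytes([0x89, 0x45 | (REGS[ops[1]] << 3)]) + disp
    raise ValueError(f"unsupported instruction: {line!r}")


def stolen_bytes(listing):
    """Assemble the whole prologue; this is what gets written over the 00s."""
    return b"".join(assemble(line) for line in listing)


def oep_rva(oep_va, image_base=IMAGE_BASE):
    """The value for the PE header: VA minus image base, e.g. 5782A0 -> 1782A0."""
    return oep_va - image_base


def rva_to_file_offset(rva, sections):
    """Map an RVA through (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)."""
    for va, vsize, raw, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def restore_stolen_bytes(dump, oep_va, listing, sections, image_base=IMAGE_BASE):
    """Write the rebuilt prologue into the dump and return the OEP RVA for the PE editor.

    Two checks encode what the thread says the dump must look like: the hole at
    the OEP still reads as 00s, and the rebuilt code ends exactly where the first
    surviving instruction (the E8 CALL) begins.
    """
    code = stolen_bytes(listing)
    off = rva_to_file_offset(oep_va - image_base, sections)
    if any(dump[off:off + len(code)]):
        raise ValueError("area at the OEP is not zero-filled: wrong OEP or dumped too early?")
    if dump[off + len(code)] != 0xE8:
        raise ValueError("rebuilt prologue does not end at the CALL: stolen-byte count is off")
    dump[off:off + len(code)] = code
    return oep_rva(oep_va, image_base)


# LaBBa's listing for the 005782A0 case, as posted in the thread.
LABBA_STOLEN = ["PUSH EBP", "MOV EBP,ESP", "ADD ESP, -010", "MOV EAX , 00577B38"]
# The six-instruction Delphi variant britedream posts later in the thread.
BRITEDREAM_STOLEN = ["push ebp", "mov ebp,esp", "add esp,-14", "xor eax,eax",
                     "mov dword ptr ss:[ebp-14],eax", "mov eax,00579590"]

# Constructed stand-in for the dump's section table: one section covering
# RVA 178000-179000 stored at raw offset 400, so RVA 1782A0 is file offset 6A0.
DEMO_SECTIONS = [(0x178000, 0x1000, 0x400, 0x1000)]


def build_demo_dump():
    """Constructed dump: the JPO, eleven zeroed stolen bytes, then LaBBa's CALLs and NOP."""
    dump = bytearray(0x1400)
    site = rva_to_file_offset(0x1782A0, DEMO_SECTIONS)
    dump[site - 2:site] = bytes.fromhex("7B57")            # JPO SHORT that precedes the hole
    dump[site:site + 11] = bytes(11)                         # the 00s where the prologue was
    dump[site + 11:site + 28] = bytes.fromhex("E8ACF1E8FF FF153C385800 E809CBE8FF 90")
    return dump


if __name__ == "__main__":
    demo = build_demo_dump()
    rva = restore_stolen_bytes(demo, 0x5782A0, LABBA_STOLEN, DEMO_SECTIONS)
    print(f"OEP RVA for the PE editor: {rva:X}")
    print("bytes written:", stolen_bytes(LABBA_STOLEN).hex(" ").upper())
```

If either check in restore_stolen_bytes fires, the problem is the OEP or the byte count rather than the IAT; a one-byte-early OEP such as 57829F is rejected because the slot before the hole is not 00. The constructed dump carries no PE header, so AddressOfEntryPoint is still set with a PE editor, as in the thread.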

Computer_Angel
August 22nd, 2003, 02:18
I tried to unpack the [Target deleted].
After tracing using your technique I land here

00577DA8 74715700 DD 00577174
00577DAC 0000 ADD BYTE PTR DS:[EAX],AL
00577DAE 0000 ADD BYTE PTR DS:[EAX],AL
00577DB0 24 76 AND AL,76
00577DB2 57 PUSH EDI
00577DB3 0000 ADD BYTE PTR DS:[EAX],AL
00577DB5 0000 ADD BYTE PTR DS:[EAX],AL
00577DB7 0000 ADD BYTE PTR DS:[EAX],AL
00577DB9 0000 ADD BYTE PTR DS:[EAX],AL
00577DBB 0000 ADD BYTE PTR DS:[EAX],AL
00577DBD 0000 ADD BYTE PTR DS:[EAX],AL
00577DBF E8 98F6E8FF CALL 0040745C
00577DC4 FF15 3C285800 CALL DWORD PTR DS:[58283C] ; 005771E8
00577DCA E8 F5CFE8FF CALL 00404DC4
00577DCF 90 NOP
00577DD0 00 DB 00
00577DD1 00 DB 00
00577DD2 00 DB 00
00577DD3 00 DB 00
00577DD4 00 DB 00
00577DD5 00 DB 00
00577DD6 00 DB 00
00577DD7 00 DB 00
00577DD8 00 DB 00
00577DD9 00 DB 00
00577DDA 00 DB 00

I figured out the OEP is 577DB4 (the stolen-bytes EAX value is 57764C)
so I use hview to edit the unpacked file:
Push ebp
mov ebp,esp
add esp,-10
mov eax,0057764c

and use the PE editor to change the current OEP of the dumped file to 577db4-400000=177db4
(I already fixed the unpacked file using ImpRec).
Now I run the unpacked file; it runs and nothing happens :-D
Can you tell me why it is not successful?

LaBBa
August 22nd, 2003, 04:55
Well, if you dumped the file where you should (look real closely at where you should dump the file) and fixed it like you said ... you probably have not fully fixed the IAT ... I know that because that has happened to me.
So look closer at the IAT; you might have cut 1 more wrong thunk or something like that..

I will attach the IAT file tree of ImpRec for the last version of their app: 4.92c

NO MORE IAT!!!

esther
August 22nd, 2003, 05:53
How many times have ppl got to tell you no full IATs can be uploaded here!!!!!!

LaBBa
August 22nd, 2003, 09:17
Sorry, forgot..

camcorder
September 29th, 2003, 08:21
First of all, thanks for such a tutorial; it's really one of the best recent tutorials I have ever seen. However, it is lacking in some cases. First of all, it does not include the *full* version of aspr 1.23 .. is it demo? registered? rc? beta... I swear I even saw beta 31 of that lame aspr. Secondly, it's not generic. Even though I use the same tools as you do, I didn't get the same jump points you got. For example:

After that trace 'tc eip<900000' thing, I'm on:
004065D1 . A3 68E65A00 MOV DWORD PTR DS:[5AE668],EAX

I trace w/ F8 and on
004065F8 . 8BC3 MOV EAX,EBX
I got the dump w/ LordPE .. I even tried OllyDump .. but the same things happened.
and I keep tracing .. on
00406600 . C3 RETN
I press F8 one last time and I'm on:
0059BC11 ? A1 DCD45A00 MOV EAX,DWORD PTR DS:[5AD4DC]
, however you said in your tut that I should have landed on:
00564BEC FF15 A4D15600 CALL DWORD PTR DS:[56D1A4]

or something like that .. but it's definitely not a call. Besides, when I look 'a lil upward' all I can see is some db blah, db blah ... lines.. despite my using the analyse option.

And the tool I'm looking at is also packed w/ aspr 1.23 demo ..

One other thing. I didn't care about that jump after the RET, and kept on getting the IAT ... your IAT-fixing explanation is really vague.. even though I fixed all the IAT entries and the list said 'valid' I couldn't make it run. Windows gave "Send error" messages. Can you plz explain how you fixed those unresolved entries? You did write something in the tut, but how do you trace? Where do you trace? How did you know those APIs are the ones we need? I think they need better explanation.

But whatever it is, it's a great step, and really, thanks for that contribution. I'll be waiting for your answer on the list.

Billy[23]
September 29th, 2003, 19:46
I also have a question for you LaBBa; it's a great tutorial, I am just wondering about this part:

(BTW I am using [a different version]) <-- No idea if I can put the real name

I get to:

Code:

004075D1 |. A3 68665800 MOV DWORD PTR DS:[586668],EAX ; XXX.00400000
004075D6 |. A1 68665800 MOV EAX,DWORD PTR DS:[586668]
004075DB |. A3 D8A05700 MOV DWORD PTR DS:[57A0D8],EAX
004075E0 |. 33C0 XOR EAX,EAX
004075E2 |. A3 DCA05700 MOV DWORD PTR DS:[57A0DC],EAX
004075E7 |. 33C0 XOR EAX,EAX
004075E9 |. A3 E0A05700 MOV DWORD PTR DS:[57A0E0],EAX
004075EE |. E8 C1FFFFFF CALL XXX.004075B4
004075F3 |. BA D4A05700 MOV EDX,XXX.0057A0D4
004075F8 |. 8BC3 MOV EAX,EBX
004075FA |. E8 61D7FFFF CALL XXX.00404D60
004075FF |. 5B POP EBX
00407600 \. C3 RETN


Now you say F8 over it, and F8 onto the Return, and I should see

CALL
CALL DWORD PTR DS:[X]
CALL
NOP

actually I see

Code:

00579D10 . E8 ABD8E8FF CALL XXX.004075C0
00579D15 . 33C0 XOR EAX,EAX ;EIP Here
00579D17 . 55 PUSH EBP
00579D18 . 68 769D5700 PUSH XXX.00579D76


Any ideas mate(s)?

Billy[23]
September 30th, 2003, 11:08
Never mind that last post; I'll leave it as a reference just in case somebody has the same problem. It's fine because I downloaded v4.91d and it's just the same, so I continue with the tut; now I work on fixing the IAT.

You say, start ImpREC and choose the process; now at this time should we still be PAUSED in Olly or should it be an active process?

Also you mention to click on IAT AutoSearch, and then change RVA to 1000. I did this and I am left with 2 thunks,

one of 46 dec, and 1 of 3 dec. Obviously this isn't correct, because they are all pointing to CreateFileA and SetPointer when I disasm them. Any ideas?

Thnx as Always

-Billy

LaBBa
September 30th, 2003, 12:55
Hi all, I'm happy that you are doing this ASPR target .. but if I answer you
you will never learn ...

So plz do try it more and more like I did.. I didn't have it easy either.. but I continued till I made it...

About the last tut I made.. just 1 thing that Billy said ...

After we have dumped the file and got the OEP, we need to EXIT the app and Olly.
Now run the app normally and let it load, and then open ImpRec and fix the rest.

I'm not going to do ASPR till it has more new features ..

I think that all that is on this board, in other tuts and in my own tuts has enough info to let you unpack ASPR in 2-3 min .. and I really do mean it .. it's too easy..

best regards , LaBBa.

Shoob
September 30th, 2003, 18:10
Hrm, I'm not going to understand what you are trying to tell us, Labba. Writing your half-a-tutorial playing the big guy was one thing, but giving no replies to questions from newbies afterwards is another. One thing is you are able to unpack it in 2 min, but you have no time to help some people on your own tut for 2 min? That's what is making me sick.

LaBBa
October 1st, 2003, 12:48
I'm really SAD that you really think that .. but if you ask those two ppl
(Billy and camcorder) you would know that I did help them as I could, maybe not on this board.. but in PM or on mIRC ..

So plz don't rush to conclusions..

I love to help other ppl to learn .. but as you know (if you know), sometimes when you try so hard to crack an app you forget to do the lil things .. and instead of finding the error you have made you go to the easy solution .. post a Q here and wait for an answer ..

In our case all the answers are already given .. and ppl missed that .. when reading tuts etc.. When I forgot to add an instruction in the tut and I knew it was important, I did post it..

So plz .. calm down with the "Make me Sick" thingy and get a lil perspective about this..

If I only could tell you how many ppl ask me the same Q many times on mIRC, and I DO answer all of them as best as I can \ know .. I would be amazed ...

So I hope you won't be so hard on me the next time....

best regards , LaBBa .

britedream
October 2nd, 2003, 11:15
To Billy
For the code you wrote above, I will not be able to help you; I don't follow
the tut you refer to. However, I will give you the info I have the [target deleted] running on,
as follows:
oep= 579d00
stolen bytes:
push ebp
mov ebp,esp
add esp,-14
xor eax,eax
mov dword ptr ss:[ebp-14],eax
mov eax,00579590

IatRVA=18b230 iatsize~a10
make sure that you correct the ImpRec finding at 18b540 to read FreeResource

This will help you to unpack the prog.
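
Billy's confusion over the RVA and size ImpRec asks for, and britedream's IatRVA=18b230 / iatsize~a10 answer, both come down to locating the import thunk table in the dump. As an added example (not ImpRec's code and not posted by anyone in this thread), here is a Python scan that finds the longest run of DWORD slots holding pointers into a DLL, reports that run's RVA and size, and flags slots that instead point back into the dumped image itself, which is what a protector-redirected thunk looks like (LaBBa's CALL DWORD PTR DS:[58383C] resolving to 00577ACC above) and the kind of entry britedream had to correct by hand. The image base, DLL address range and dump buffer are constructed for the demo; on a real dump the DLL ranges come from the debugger's module list and the file is laid out by RVA.

```python
"""Estimate the IAT RVA and size of a dumped image and flag suspect thunks.

Added example for this thread, not ImpRec's code or anything posted here.
Assumptions: the dump is laid out by RVA (file offset == RVA), the DLL
address ranges are known from the debugger's module list, and the sample
buffer and ranges below are constructed, not taken from any real target.
"""
import struct

IMAGE_BASE = 0x400000
# Constructed: pretend the one imported DLL is mapped at 77E40000-77F40000.
DLL_RANGES = [(0x77E40000, 0x77F40000)]


def classify(value, image_base, image_size, dll_ranges):
    """What one DWORD slot looks like from the IAT's point of view."""
    if value == 0:
        return "null"        # terminator between per-DLL groups
    if any(lo <= value < hi for lo, hi in dll_ranges):
        return "dll"         # resolved import: points into a DLL
    if image_base <= value < image_base + image_size:
        return "image"       # points back into the dump: redirected thunk
    return "other"           # not part of an import table


def find_iat(image, image_base, dll_ranges, min_thunks=4, max_gap=1):
    """Return the best run of import thunks as {"rva", "size", "resolved", "suspects"}.

    A run is consecutive DWORDs that are DLL pointers or image pointers, with
    at most max_gap null DWORDs in a row (one null separates the DLL groups).
    Runs are ranked by how many resolved DLL pointers they contain; None means
    nothing that looks like an IAT was found.
    """
    best = None
    run = None

    def close():
        nonlocal best, run
        if run and run["dll"] >= min_thunks and (best is None or run["dll"] > best["dll"]):
            best = run
        run = None

    for off in range(0, len(image) - 3, 4):
        value = struct.unpack_from("<I", image, off)[0]
        kind = classify(value, image_base, len(image), dll_ranges)
        if kind in ("dll", "image"):
            if run is None:
                run = {"start": off, "end": off, "dll": 0, "suspects": [], "gap": 0}
            run["end"] = off + 4
            run["gap"] = 0
            if kind == "dll":
                run["dll"] += 1
            else:
                run["suspects"].append(off)      # check this thunk by hand
        elif kind == "null" and run is not None and run["gap"] < max_gap:
            run["gap"] += 1                      # a single null stays inside the run
        else:
            close()
    close()
    if best is None:
        return None
    return {"rva": best["start"], "size": best["end"] - best["start"],
            "resolved": best["dll"], "suspects": best["suspects"]}


def build_sample_dump():
    """Constructed 8 KiB dump: a stray pointer at RVA 1000, the IAT at RVA 1230."""
    image = bytearray(0x2000)
    struct.pack_into("<I", image, 0x1000, 0x77E41000)   # lone pointer, not an IAT
    struct.pack_into("<I", image, 0x1004, 4)            # followed by a plain counter
    thunks = [0x77E41000, 0x77E41234, 0x77E4ABCD, 0x77E50000, 0,   # DLL group 1
              0x77E60010, 0x401500, 0x77E60020, 0]                   # group 2, one redirected
    for i, value in enumerate(thunks):
        struct.pack_into("<I", image, 0x1230 + 4 * i, value)
    return bytes(image)


if __name__ == "__main__":
    result = find_iat(build_sample_dump(), IMAGE_BASE, DLL_RANGES)
    print(f"IAT RVA={result['rva']:X} size={result['size']:X} resolved={result['resolved']}")
    print("thunks to check by hand:", [f"{rva:X}" for rva in result["suspects"]])
```

The RVA and size this returns are the two fields Billy mixed up; the size spans from the first to the last thunk of the run, and a single lone pointer (the one at RVA 1000 in the sample) is ignored because it never reaches min_thunks.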

Billy[23]
October 2nd, 2003, 12:18
britedream, I finally got it!!! Thanks, that's what confused me, that IAT part; I guess he meant change the Size to 1000, not the RVA. Anyway, I kept getting crashes, then I read that part about FreeResource. Thank you very much and thanks to all. Now I just gotta learn to dump it on Windows 98, seeing as the dump here on XP doesn't work there.

Thnx Again.

britedream
October 2nd, 2003, 12:32
The info I gave you is running on XP.

Billy[23]
October 9th, 2003, 11:09
Just got back from working out of state and tried it; works great. I even managed to fiddle with some of the APIs and get it working on Windows 9x also.

Very many thanks to all, especially britedream, for explaining that last part.

MEPHiST0
November 10th, 2003, 05:44
I must say..
People, you need to rape LaBBa's tute for what it can teach you about aspr.. LaBBa, I think your tutorial is excellent! Keep up the good work.. ;p

LOUZEW
December 23rd, 2003, 18:06
Hi, LaBBa
I have to say that you've done a good tutorial on this Aspr version; it's really helpful for some guys.
Used your approach on another app (target name deleted), some differences but unpacking done!

Please, don't listen to the sad comments at the top of this thread, and write tuts again if you like; I'm sure a lot of members like that!

Thanks again LaBBa

klumpi
May 20th, 2004, 17:27
actually I see

Code:

00579D10 . E8 ABD8E8FF CALL XXX.004075C0
00579D15 . 33C0 XOR EAX,EAX ;EIP Here
00579D17 . 55 PUSH EBP
00579D18 . 68 769D5700 PUSH XXX.00579D76



What did I do wrong?

greetings klumpi

jingjang
May 29th, 2004, 06:08
00564BE9 . 40 INC EAX
00564BEA ? 56 PUSH ESI
00564BEB . 0000 ADD BYTE PTR DS:[EAX],AL
00564BED . 0000 ADD BYTE PTR DS:[EAX],AL
00564BEF . 00BC44 5600000>ADD BYTE PTR SS:[ESP+EAX*2+56],BH
00564BF6 ? 0000 ADD BYTE PTR DS:[EAX],AL
00564BF8 ? 0000 ADD BYTE PTR DS:[EAX],AL
00564BFA ? 0000 ADD BYTE PTR DS:[EAX],AL
00564BFC ? 0000 ADD BYTE PTR DS:[EAX],AL
00564BFE ? 00E8 ADD AL,CH
00564C00 ? 3827 CMP BYTE PTR DS:[EDI],AH
00564C02 ? EA FFFF15A4 D1>JMP FAR 56D1:A415FFFF ; Far jump

This is where I'm stuck in your tutorial.. the addresses are different though.. in your tutorial you said the real OEP is 00564BDC. How do you get this? I'm really new at this, so can you guide me step by step as your tutorial does, except for this part.

You say that this part will tell us too..
0040734D ? A3 68E65600 MOV DWORD PTR DS:[56E668],EAX ; .00400000

How does it relate? I'm really confused at this part. :hmm:

%UNDEFINED%
May 29th, 2004, 07:35
Run the prog SHIFT+F9 through the exceptions, counting them.

When the prog loads, restart it.

Go to the last exception, the one before the prog loads.

Open the memory window,

http://d-jester1.tripod.com/image.gif

Select the code section, usually the second section.

Right Click->Set Break on Access

Then press SHIFT+F9

Boom, you're at the OEP

That's how you find the OEP; read LaBBa's tuts for finding the stolen bytes.

klumpi
May 29th, 2004, 08:41
Quote (Originally Posted by jingjang):
00564BE9 . 40 INC EAX
00564BEA ? 56 PUSH ESI
00564BEB . 0000 ADD BYTE PTR DS:[EAX],AL
00564BED . 0000 ADD BYTE PTR DS:[EAX],AL
00564BEF . 00BC44 5600000>ADD BYTE PTR SS:[ESP+EAX*2+56],BH
00564BF6 ? 0000 ADD BYTE PTR DS:[EAX],AL
00564BF8 ? 0000 ADD BYTE PTR DS:[EAX],AL
00564BFA ? 0000 ADD BYTE PTR DS:[EAX],AL
00564BFC ? 0000 ADD BYTE PTR DS:[EAX],AL
00564BFE ? 00E8 ADD AL,CH
00564C00 ? 3827 CMP BYTE PTR DS:[EDI],AH
00564C02 ? EA FFFF15A4 D1>JMP FAR 56D1:A415FFFF ; Far jump



The 00 code above the BP - that's the stolen bytes (now I understand this),
but attention! The 00 at 00564BDB is not the OEP.

00564BD8 A4 <- from here
00564BD9 44
00564BDA 56
00564BDB 00 -> to here it's an address from other code
00564BDC 00 <- here is the OEP

Now you must find the stolen bytes and paste them into the empty code.

greetz Klumpi

jingjang
May 29th, 2004, 09:58
Quote (Originally Posted by %UNDEFINED%):
Run the prog SHIFT+F9 through the exceptions, counting them.


Then press SHIFT+F9

Boom, you're at the OEP

That's how you find the OEP; read LaBBa's tuts for finding the stolen bytes.


I tried as you said... then Boom, I was here:

77F8E110 . 66:393E CMP WORD PTR DS:[ESI],DI
77F8E113 . 0F84 D2020000 JE ntdll.77F8E3EB
77F8E119 . EB 12 JMP SHORT ntdll.77F8E12D
77F8E11B > E8 D8B8FCFF CALL ntdll.RtlAcquirePebLock
77F8E120 . C645 E7 01 MOV BYTE PTR SS:[EBP-19],1
77F8E124 . 8B43 10 MOV EAX,DWORD PTR DS:[EBX+10]
77F8E127 . 8B70 48 MOV ESI,DWORD PTR DS:[EAX+48]
77F8E12A . 8975 D8 MOV DWORD PTR SS:[EBP-28],ESI
77F8E12D > 803D 784AFC77 >CMP BYTE PTR DS:[77FC4A78],0
77F8E134 . 74 7C JE SHORT ntdll.77F8E1B2


JMI
May 29th, 2004, 12:36
jingjang:

The major problem you seem to be having is with understanding written English. Look at these two sentences:

"Run the prog SHIFT+F9 through the exceptions, counting them.
Then press SHIFT+F9
Boom, you're at the OEP
That's how you find the OEP; read LaBBa's tuts for finding the stolen bytes."

and

"Run the prog SHIFT+F9 through the exceptions, counting them.
When the prog loads, restart it.
Go to the last exception, the one before the prog loads.
Open the memory window,
Select the code section, usually the second section.
Right Click->Set Break on Access
Then press SHIFT+F9
Boom, you're at the OEP"

What you said you did is not what you were told to do. Did you count the exceptions and then, after restarting the program, if the program had 25 exceptions (as an example) did you count 24 SHIFT+F9s and then

Open the memory window,
Select the code section, usually the second section.
Right Click->Set Break on Access
Then press SHIFT+F9
Boom, you're at the OEP???

If not it will NOT work. It also may not work if you are using a program which has a different version of the protector than LaBBa was talking about.

Regards,

jingjang
May 30th, 2004, 06:14
Yes, I think it's a different version or something coz... the address is a bit different. I tried Labba's way step by step and running the tc command... it worked but the address is slightly different.

By the way... I tried Labba's tutorial on another programme (prog X). When I used ImpRec and clicked the IAT autosearch button it says 'Nothing usefull found on this OEP'

I tried ImpRec on various other ASPR progs, and clicking the IAT search button works like a charm. Only with this prog X it doesn't work and gives me the error msg.
So I tried using the AHTeam tool just for checking programme X; it seems to analyze it.. I left it for 3 hours+, still the same. It runs perfectly on other progs protected with ASPR too; only with this prog X it seems to have a problem.
Double-checked and it says it is protected by ASPR 1.23 :hmm: