help in unpacking asprotect (almost completed but hanged in between)
thematrix
November 2nd, 2003, 12:39
I am using Asprotect Debugger v1b, stripper 2.03 and Import REConstructor v1.4.2+ to unpack a file packed with (ASProtect 1.23 RC4 Registered -> Alexey Solodovnikov).
1st, I started Asprotect Debugger v1b and ran target.exe in it. It showed the following messages, every one of which I OK'ed:
DO you wish to resolve/clean IAT?Yes
Undipped condition.(Dump?)Wish to some dips?Yes
Erase dip: 423A1C?Yes
Erase dip: 423A0C?Yes
Erase dip: 423A2C?Yes
After these messages the program loads and the debugger said "application paused!" twice, and then
2nd, I fired up Import REConstructor v1.4.2+ and chose target.exe, then clicked on IAT Autosearch, then Get Imports, and the Imported Functions were all valid. Then I clicked on Fix Dump and chose the dump.exe file which I created by stripper 2.03, and Import REConstructor v1.4.2+ said it successfully created dump_.exe.
I was overjoyed that the exe was unpacked, but on starting the dump_.exe file it did nothing on Win XP, and in Win98 it prompted the following error:
linked to missing export KERNEL32.DLL:RestoreLastError.
Is it fine if I give the program name and link which I am unpacking?
Here are some images of the exe in IR and the debugger to see the detailed info.
It will show a directory with images:
http://www.geocities.com/thematrixzone2002/asp/
thanks
diz
November 2nd, 2003, 18:47
Quote:
[Originally Posted by thematrix]
I was overjoyed that the exe was unpacked, but on starting the dump_.exe file it did nothing on Win XP, and in Win98 it prompted the following error:
linked to missing export KERNEL32.DLL:RestoreLastError.
I remember that when I was doing some target I replaced this function with SetLastError. This program is working well till now.
I searched then (when I was doing this target) for some info on RestoreLastError and found almost nothing. Like on MS site stands:
"RestoreLastError is an enigma. It's code is identical to SetLastError. It's unclear to me why it was made into a separate API."
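The import swap diz describes, as an added example (not code from the thread or from any tool named in it): the import's name is overwritten in place inside a hint/name record, which works because SetLastError is shorter than RestoreLastError. It assumes the edit is made on the raw bytes of the rebuilt dump; the function names and the sample buffer are constructed for illustration.

```python
import struct

def hint_name_entry(hint: int, name: bytes) -> bytes:
    """Build an IMAGE_IMPORT_BY_NAME record: WORD hint, NUL-terminated name, 2-byte aligned."""
    raw = struct.pack("<H", hint) + name + b"\x00"
    return raw + b"\x00" * (len(raw) % 2)

def rename_import(image: bytearray, old: bytes, new: bytes) -> int:
    """Overwrite import name `old` with `new` in place; return the record's offset."""
    if len(new) > len(old):
        # A longer name would overrun the next record; that needs a rebuilt table.
        raise ValueError("new name must fit inside the old record")
    pos = image.find(old + b"\x00", 2)
    if pos < 0:
        raise LookupError("import name not found")
    if image.find(old + b"\x00", pos + 1) != -1:
        raise LookupError("name occurs more than once; walk the thunk table instead")
    # Limitation (assumed acceptable here): a raw search cannot tell a full name
    # from the tail of a longer one; a real tool resolves records via the thunks.
    # The hint is only a lookup shortcut for the loader and belonged to the old
    # name, so zero it and let the loader fall back to the name search.
    image[pos - 2:pos] = b"\x00\x00"
    image[pos:pos + len(old)] = new.ljust(len(old), b"\x00")
    return pos - 2

def read_name(image: bytes, record_off: int) -> bytes:
    """Return the name stored in the hint/name record at `record_off`."""
    end = image.index(b"\x00", record_off + 2)
    return bytes(image[record_off + 2:end])

# Constructed fragment of a hint/name table (hint values are made up).
SAMPLE = bytearray(
    hint_name_entry(0x01A3, b"GetLastError")
    + hint_name_entry(0x02C1, b"RestoreLastError")
    + hint_name_entry(0x0311, b"VirtualAlloc")
)

if __name__ == "__main__":
    buf = bytearray(SAMPLE)
    off = rename_import(buf, b"RestoreLastError", b"SetLastError")
    print(hex(off), read_name(buf, off), len(buf) == len(SAMPLE))
```

The file size and every other record's offset stay unchanged, so the thunks that point at the record do not need to be touched.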
Manko
November 3rd, 2003, 00:53
Hi!
You should use the info given by asprdbgr in ImpREC:
IAT start: 57313c (RVA 17313c)
...
Length: 1060
When you autosearched it found too little... RVA=173358 Length=200.
Not good!
Hope this fixes it!
/Manko
Quote:
[Originally Posted by thematrix]
1st, I started Asprotect Debugger v1b and ran target.exe in it
2nd, I fired up Import REConstructor v1.4.2+ and chose target.exe, then clicked on IAT Autosearch, then Get Imports, and the Imported Functions were all valid...
thanks
Zilot
November 4th, 2003, 04:22
Thematrix !!
This program is terribly easy to unpack. There are no stolen bytes, and you don't need stripper at all to unpack it. OEP is inside low memory code. There is no OEP ripping.
Manko's debugger will resolve all APIs, you'll have only 2 invalid entries, and that's because Manko failed to include case with 77xxxxxx addresses where 77xxxxxx is not valid API address.
But if you still can't find solution mail me, will send you unpacked/fixed version.
thematrix
November 4th, 2003, 05:01
Actually I am confused, as this is my first unpacking of an exe (to learn unpacking by heart); before it I used tools to unpack files.
1st, I did it diz's way as it was the easy one, but that gave me this error:
DUMP_ caused an invalid page fault in
module KERNEL32.DLL at 0197:bff7b9a6.
Registers:
EAX=00000000 CS=0197 EIP=bff7b9a6 EFLGS=00000246
EBX=00000100 SS=019f ESP=0083fd84 EBP=0083fdb0
ECX=00000000 DS=019f ESI=0056d0c8 FS=48a7
EDX=005317a0 ES=019f EDI=00555000 GS=0000
Bytes at CS:EIP:
ff 76 04 e8 13 89 ff ff 5e c2 04 00 56 8b 74 24
Stack dump:
00000002 005312ec 0056d0c8 0083fe28 00531418 0083fdb0 00555000 00000002 00000100 81792b4c 00000000 0083fdc8 00535ab7 00555066 005312a4 0053142c
Here is the image of it:
http://www.geocities.com/thematrixzone2002/dz
Then I tried Manko's way.
That also did not solve my problem.
Here is the info:
http://www.geocities.com/thematrixzone2002/asp2/manko/
Zilot, I tried stripper to unpack but it prompted "unable to pack" (no files unpacked).
Manko
November 4th, 2003, 07:43
Hi, thematrix!
Actually my way would have been:
when you reach this:
Dip from pre-OEP: XXXXXX (Reached from: XXXXXX)
Don't push OK to let it run, but let it stay paused.
Now dump with LordPE and then rebuild with ImpREC.
It found some invalid addresses.
Those you could just erase, but just for you I have corrected the mistake in my app and now it erases those too.
Follow the link in my sig!
/Manko
Quote:
[Originally Posted by thematrix]
Then I tried Manko's way.
That also did not solve my problem.
Here is the info:
http://www.geocities.com/thematrixzone2002/asp2/manko/
Zilot, I tried stripper to unpack but it prompted "unable to pack" (no files unpacked).
thematrix
November 4th, 2003, 11:44
Thanks Manko, I will give it a try.
thematrix
November 5th, 2003, 05:23
Thanks Manko for modifying your cool debugger.
It's working perfectly with Win XP, but in Win 98 I have to change the function name from RestoreLastError to SetLastError, thanks to diz.
Thanks to all the guys who helped me with my first unpacking procedure.