
View Full Version : Aspr "Super tut"


LaBBa
December 26th, 2003, 07:50
First I would like to tnx u all ..

your responses to my tuts .. (good or bad) have been very helpful

Well I saw many different responses about my tuts...
many of the negative responses are correct .. I'm truly sorry about the way I write the tuts and I will try (when I have time) to write a new tut

For all the positive responses I would like to tnx for showing other ppl that:
u can learn from my tuts how to unpack other versions of aspr and more..

All I got to say now is that I will now try to find a good target that has good ASPR protections so I could write a "Super Tut" that will have as many
features as I can explain, so if u know a good target that has the following features plz share it with me (pm me):

1) anti debugger
2) New IAT unresolved APIs
3) New Nanomites for ASPR (I heard that there is one out there) (Uradox ??)
4) ASPR modified calls to aspr (or something like that..)
or any other features u saw ..

I will try my best to do a 100% (or at least 90%) understandable tut
so ppl won't need to ask Q like:

1) How did u do this
2) How Do i do that
3) How do i know where ......
etc..

This is for the Unpacking Master of this MessageBoard:
For getting a good tut I will need all your help with more responses when this tut is out .. so all of the ppl that have more answers to other Q that ppl will have, plz try to give a full explanation! and not just give a general answer like I saw many times ..

I will also try to make this Thread the main ASPR unpacking thread that will have all the answers to your Q about aspr..

and again tnx for all your support (good or bad).
best regards,
LaBBa.

peterg70
December 26th, 2003, 09:20
Labba

Keep up the good work and expand your knowledge but also remember to share it as well.

Catch Ya
Peterg70

dELTA
December 26th, 2003, 10:44
Quote:
...but also remember to share it as well.

Isn't that exactly what he's talking about doing, and also has been doing in the past?


Anyway, sounds like a really nice tut coming up LaBBa, keep up the good work!

JMI
December 26th, 2003, 14:16
And keep in mind that the best tuts are directed at the technique of defeating a particular aspect of the protection, rather than at defeating the protection of a particular target. The target is really only the example of how the protection was used. The technique of the protection is really what you want to address.

Too many people write/read tutes for a specific program and others attempt to follow it "exactly" on some newer (or older) version of the target or a different target altogether and then complain that it didn't work, which is not surprising, if what one is looking for is a specific piece of code at location "xxxxxx." It is substantially more helpful to discuss what the protection is doing with particular techniques and somewhat generic methods of attempting to then find out where it is doing that. Then the reader has learned "what" to look for, more than where, and should gain a better understanding of what the code is attempting to do, rather than, simply, where it did it in that target.

Keep up your efforts and don't be afraid to seek help from others at "polishing" your tut if you have problems with English. Most of us are not proficient in writing more than one language and that is just the "detail" part of the tut. The important part is the knowledge of the discoveries which are revealed. Keep up your good efforts.

Regards,

Uradox
December 27th, 2003, 11:45
Quote:
3) New Nanomites for ASPR (i heard that this is one out there) (Uradox ??)

:P almost finished exception rebuilder buuut I seem to think lately Alexey has abandoned these and realised it can be very unstable maybe. The idea is good but what if the app is multi threading Alexey
API emulation you're probably looking for isn't anything to worry about, it just emulates the first few instructions then jumps into the function just after them.
LaBBa I've also read internal aspr tutorials that basically are the same as yours :P so there isn't really any better tutorial out there, but if someone's gonna make a tutorial they need to do a better job than just say Trace till *** and set a bp on ****. As soon as a newer version comes out and all this has been totally changed, many people haven't learnt anything and relied on that tutorial too much - and are now stuck. Maybe u should cover relocation rebuilding as well as aspr can fiddle with this too.

LaBBa
December 28th, 2003, 20:38
hi all ..

just wanted to keep u all updated about my progress..

the tut is 70%-80% done...

I added a new explanation about the stolen bytes and a "how to" find them and all there is to know about them..

the other 30%-20% is for the redirected calls...
to tell the truth.. I'm kinda stuck with this.. so if I see that I can't find a good way about how to fix it I will leave this tut open to the other leet unpackers to finish it..
I hope this won't happen, and I will finish the tut....

the only tut I have found about fixing a redirected call

was of : +Spl/\j
target : Awave Studio 7.3

that's kinda weird that no one else has done it since then...

best regards,
LaBBa.

zee-bub-zee
December 30th, 2003, 23:17
Please, please, please consider working with someone to make the tutorial comply with English grammar and punctuation. It's just that I read over your tutorial several times, yet still had trouble understanding it the way it evidently was intended to be understood.

Now, if you have time to answer questions I have and to better explain yourself, I might have time to help you translate the tutorial into something anybody can read.

My email address is six(underscore)black(underscore)roses(at)hotmail(dot)com, but I prefer to be contacted through MSN Messenger if possible.

Six Black Roses
December 30th, 2003, 23:41
This is zee-bub-zee (test name) signing in as Six Black Roses (usual alias).

esther
December 31st, 2003, 00:16
The major thing, you can't cover everything in a tutorial, if ya emphasize the important parts of unpacking it is good enough. The most important thing is to try to explore it yourself.

JMI
December 31st, 2003, 02:22
LaBBa:

There are several of us here who would be glad to help with your English composition. You should not take this as any form of criticism. We know that English is not your native language and you do a credible job writing in a "foreign" language and do it better than most of us can write some "other" language besides our own. Working with someone on how it is written will make the language clearer for others and their questions might help you clarify areas where your intent or explanation is not clear. Keep up your efforts. We appreciate it and it's much easier to understand than some of what our Musician Friend writes.

Regards,

Uradox
December 31st, 2003, 07:28
Quote:
[Originally Posted by esther]The major thing, you can't cover everything in a tutorial, if ya emphasize the important parts of unpacking it is good enough. The most important thing is to try to explore it yourself.


That is precisely correct

LaBBa
January 6th, 2004, 13:01
Quote:
[Originally Posted by Uradox]That is precisely correct


you are both right.. when I try to explain the stolen bytes I couldn't use just one Target for explanation .. I had to do now 2-3 different apps and give explanation about those .. so .. this is taking me a lot of time..

but I will add a NOTE for the Readers that they should also learn how to analyze more aspr protection themselves .. and it's just not possible to know it all by reading a single tut ..

so I guess all my targets will be without redirected calls and I will later make a Part II tut for that ..

LaBBa

dELTA
January 6th, 2004, 13:35
Sounds great LaBBa, any chance we will get to see part one soon? Sounds like it has potential to be a very good tutorial anyway.

LaBBa
January 7th, 2004, 11:20
Quote:
[Originally Posted by dELTA]Sounds great LaBBa, any chance we will get to see part one soon? Sounds like it has potential to be a very good tutorial anyway.


well I hope that next week I will finish it ...

it's just that I have lil time to do this tut because of Uni school but I will finish it and send the tut first to ppl that I know can tell me if it's a good tut or not .. or if there is anything that needs to be changed or added .. then I will post this ..

cerb
January 7th, 2004, 17:23
Hi,

It's a great TUT LaBBa. I'm trying to unpack the new version of [Name removed because of the posting of target specific code]; after a lot of shift+F9 Olly will break at the following position:

012D39EE 64:8F05 00000000 POP DWORD PTR FS:[0] ; 0012FFE0
012D39F5 58 POP EAX
012D39F6 833D B07E2D01 00 CMP DWORD PTR DS:[12D7EB0],0
012D39FD 74 14 JE SHORT 012D3A13
012D39FF 6A 0C PUSH 0C
012D3A01 B9 B07E2D01 MOV ECX,12D7EB0
012D3A06 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
012D3A09 BA 04000000 MOV EDX,4
012D3A0E E8 2DD1FFFF CALL 012D0B40
012D3A13 FF75 FC PUSH DWORD PTR SS:[EBP-4]
012D3A16 FF75 F8 PUSH DWORD PTR SS:[EBP-8]
012D3A19 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
012D3A1C 8338 00 CMP DWORD PTR DS:[EAX],0
012D3A1F 74 02 JE SHORT 012D3A23
012D3A21 FF30 PUSH DWORD PTR DS:[EAX]
012D3A23 FF75 F0 PUSH DWORD PTR SS:[EBP-10]
012D3A26 FF75 EC PUSH DWORD PTR SS:[EBP-14]
012D3A29 C3 RETN

after the step 012D39EE 64:8F05 00000000 POP DWORD PTR FS:[0] I start the first trace with:
TC EIP < 900000

after this step I was here:

004073A8 FF DB FF
004073A9 25 DB 25 ; CHAR '%'
004073AA 40 DB 40 ; CHAR '@'
004073AB 13 DB 13
004073AC 59 DB 59 ; CHAR 'Y'
004073AD 00 DB 00
004073AE 8B DB 8B
004073AF C0 DB C0
004073B0 FF DB FF
004073B1 25 DB 25 ; CHAR '%'
004073B2 3C DB 3C ; CHAR '<'
004073B3 13 DB 13
004073B4 59 DB 59 ; CHAR 'Y'
004073B5 00 DB 00
004073B6 8B DB 8B
004073B7 C0 DB C0
004073B8 FF DB FF
004073B9 25 DB 25 ; CHAR '%'
004073BA 38 DB 38 ; CHAR '8'
004073BB 13 DB 13
004073BC 59 DB 59 ; CHAR 'Y'
004073BD 00 DB 00
004073BE 8B DB 8B
004073BF C0 DB C0
004073C0 FF DB FF
004073C1 25 DB 25 ; CHAR '%'
004073C2 34 DB 34 ; CHAR '4'
004073C3 13 DB 13
004073C4 59 DB 59 ; CHAR 'Y'
004073C5 00 DB 00
004073C6 8B DB 8B
004073C7 C0 DB C0
004073C8 50 DB 50 ; CHAR 'P'
004073C9 6A DB 6A ; CHAR 'j'
004073CA 40 DB 40 ; CHAR '@'
004073CB E8 DB E8
004073CC E0 DB E0
004073CD FF DB FF
004073CE FF DB FF
004073CF FF DB FF
004073D0 C3 DB C3
004073D1 8D DB 8D
004073D2 40 DB 40 ; CHAR '@'

after this I press F8 once and I see this:

012D1C64 55 PUSH EBP
012D1C65 8BEC MOV EBP,ESP
012D1C67 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
012D1C6A 85C0 TEST EAX,EAX
012D1C6C 75 13 JNZ SHORT 012D1C81
012D1C6E 813D A47A2D01 00>CMP DWORD PTR DS:[12D7AA4],400000 ; ASCII "MZP"
012D1C78 75 07 JNZ SHORT 012D1C81
012D1C7A A1 A47A2D01 MOV EAX,DWORD PTR DS:[12D7AA4]
012D1C7F EB 06 JMP SHORT 012D1C87
012D1C81 50 PUSH EAX
012D1C82 E8 3135FFFF CALL 012C51B8 ; JMP to kernel32.GetModuleHandleA
012D1C87 5D POP EBP
012D1C88 C2 0400 RETN 4

and now I don't know how to find the OEP and the stolen bytes

Sorry for my bad english :-)

LOUZEW
January 7th, 2004, 18:06
You have to read more efficiently the ASPR 1.23 LaBBa tut on [name removed because of the posting of target specific code], you have the same shame ! !

LaBBa
January 7th, 2004, 18:36
Quote:
[Originally Posted by LOUZEW]You have to read more efficiently the ASPR 1.23 LaBBa tut on [name removed because of the posting of target specific code], you have the same shame ! !


heheh .. yea I remember that... and trust me... there isn't going to be that kind of explanation in the final tut..

( lol... I don't know what I was thinking to myself in that tut.. )

cerb
January 8th, 2004, 07:40
Quote:
[Originally Posted by LOUZEW]You have to read more efficiently the ASPR 1.23 LaBBa tut on [name removed because of the posting of target specific code], you have the same shame ! !


Hi,

Ok, I'm a shame possibly. I will only try to explain my problems in unpacking asprotect. Possibly other people have the same problems.
Assistance would be better than such a remark.

LOUZEW
January 8th, 2004, 14:01
OK guys !

First of all, Cerb, it seems you don't read (or cannot understand maybe) this tut from Labba, so I explain:

After your last F8, when you are here :
012D1C82 E8 3135FFFF CALL 012C51B8 ; JMP to kernel32.GetModuleHandleA
012D1C87 5D POP EBP
012D1C88 C2 0400 RETN 4

You are in the ASPR code again, so run the trace command again and you'll fall into App code at the OEP (or near the real OEP, depending on stolen bytes or not).

Quote:

heheh .. yea I remember that... and trust me... there isn't going to be that kind of explanation in the final tut..

( lol... I don't know what I was thinking to myself in that tut.. )


He ! Labba Why ? ? ? it's a good start ! !

cerb
January 8th, 2004, 14:36
Thx for the short help. I ran the trace command again and now I'm at the following position:
0040747D A3 DB A3
0040747E 68 DB 68 ; CHAR 'h'
0040747F C6 DB C6
00407480 58 DB 58 ; CHAR 'X'
00407481 00 DB 00
00407482 A1 DB A1
00407483 68 DB 68 ; CHAR 'h'
00407484 C6 DB C6
00407485 58 DB 58 ; CHAR 'X'
00407486 00 DB 00
00407487 A3 DB A3
00407488 D8 DB D8
00407489 00 DB 00
0040748A 58 DB 58 ; CHAR 'X'
0040748B 00 DB 00
0040748C 33 DB 33 ; CHAR '3'
0040748D C0 DB C0
0040748E A3 DB A3
0040748F DC DB DC
00407490 00 DB 00
00407491 58 DB 58 ; CHAR 'X'

and now I don't know the next steps.

LOUZEW
January 8th, 2004, 16:40

Hi, cerb, follow THIS LINK (http://www.woodmann.com/forum/showthread.php?t=4958&highlight=ASPR+1.23), D/L the zip file and read the tut, I don't want to rewrite the same thing LaBBa does ! !

cerb
January 9th, 2004, 13:43
Hi,

thx LOUZEW, I tried it today but with no success. It's possibly the different versions of the software. I use a higher version.

AndreaGeddon
January 10th, 2004, 11:09
nice tut! solving aspr is not an easy task
I too made a tutorial on aspr, I was wondering for some feedback, I made my best to explain all the things I had to solve, the tutorial is quite long but I hope you will find it interesting. You can find it at www.reteam.org in the essays section. I was planning to write an unpacker, but actually I have not much time to spend on it
Greets!
AndreaGeddon

LaBBa
January 11th, 2004, 04:59
Wow !!
AndreaGeddon u R g00d !!

Here u go ppl .. u got the "ASPR Super Tut" that we all wanted so much
this tut has it all !!!

I guess that my tut will not be needed now .. but I will still post it later on...
after I check AndreaGeddon's Stolen Byte way ...

To: AndreaGeddon
really good work !
What took u so long to do this ?!
I hope (and I'm sure all others too) that u will continue doing more of those for other Packers that exist out there ..

Manko
January 11th, 2004, 11:27
Hi, LaBBa!

Yeah, he seems to be very good, but your tuts are still needed since he doesn't deal with much new aspr-trouble...

Anyway, if you need another GOOD summary of the old aspr look for Crusader's tutorial, or better yet he posted his commented disassembly of aspr here once. It's worth gold for anybody that's interested.

ps. To my good friend soldat: I'm writing a letter. Been off the net for a while. ds.

/Manko

Quote:
[Originally Posted by LaBBa]Wow !!
AndreaGeddon u R g00d !!

Here u go ppl .. u got the "ASPR Super Tut" that we all wanted so much
this tut has it all !!!

I guess that my tut will not be needed now .. but I will still post it later on...
after I check AndreaGeddon's Stolen Byte way ...

Zilot
January 12th, 2004, 04:23
Quote:
[Originally Posted by Manko]

ps. To my good friend zilot: I'm writing a letter. Been off the net for a while. ds.

/Manko





Was wondering, had white bears eaten you ???

Uradox
January 12th, 2004, 08:49
Quote:
[Originally Posted by Zilot]

Was wondering, had white bears eaten you ???


Pink Panthers!!!

LaBBa
January 12th, 2004, 16:48
Quote:
[Originally Posted by LaBBa]....I guess that my tut will not be needed now .. but I will still post it later on...
after I check AndreaGeddon's Stolen Byte way ...


hmm .. I read all the tut now.. and it is gr8 and all, but it doesn't explain how today we can find in new versions of aspr the stolen bytes that are deleted, like in the new version of the tut target 1.8.7 ..

so now I know that my tut is still needed.. I hope to finish it by the end of this week ..

LOUZEW
January 13th, 2004, 14:41
Hi, LabbA
I'm sure it will be very helpful.
Your first 2 tuts gave me some ideas and with them, like a guideline, I've been able to unpack many targets.
Be sure you have here some guys (including some advanced unpackers) still waiting for your work.

Quote:
[Originally Posted by LaBBa]hmm .. I read all the tut now.. and it is gr8 and all, but it doesn't explain how today we can find in new versions of aspr the stolen bytes that are deleted, like in the new version of the tut target 1.8.7 ..

so now I know that my tut is still needed.. I hope to finish it by the end of this week ..

JMI
January 14th, 2004, 01:33
And we might also point out that those who have never put themselves out there, by writing their own tuts, have very little room for criticism. Constructive comments should always be encouraged, because they help one improve their writing and analytical skills. Then you need to keep in mind the difference between the things you "understand" and the things you "write" and try to make sure that you have actually "written" the things you have learned in your adventures, and not simply passed over them because you already "understand" them yourself. Remember you are writing for an audience of different skill levels and you need to make a decision on the level of experience you want to address, and then make your discussion "speak" to that level of experience.

Regards,

LaBBa
January 14th, 2004, 20:42
This is it ..
the final tut..
I just hope that more ppl will start writing tuts in the good old: "Step by Step"

I just hope that ppl that won't appreciate this tut will at least appreciate the time it took me to write it..

Best Regards to all,

LaBBa

R@dier
January 15th, 2004, 00:03
Thanks LaBBa

I appreciate all your hard work that has gone into your tutes

Best Wishes

R@dier

cerb
January 15th, 2004, 05:16
Hello Labba,

great work!!!!!!!!!!!!!!!!!!!!!

Thanks

cerb

Quote:
[Originally Posted by LaBBa]This is it ..
the final tut..
I just hope that more ppl will start writing tuts in the good old: "Step by Step"

I just hope that ppl that won't appreciate this tut will at least appreciate the time it took me to write it..

Best Regards to all,

LaBBa

cerb
January 15th, 2004, 14:54
Hello LaBBa,

I tried the first App in your Tut, I found one difference in the OEP. My OEP is
437589
00437589 8B1D 908A4300 MOV EBX,DWORD PTR DS:[438A90] ; .004396E8
0043758F 8B03 MOV EAX,DWORD PTR DS:[EBX]
00437591 E8 1E1FFFFF CALL .004294B4
00437596 8B0D 0C8B4300 MOV ECX,DWORD PTR DS:[438B0C] ; .00439774
0043759C 8B03 MOV EAX,DWORD PTR DS:[EBX]
0043759E 8B15 10374300 MOV EDX,DWORD PTR DS:[433710] ; .00433750
004375A4 E8 231FFFFF CALL .004294CC
004375A9 8B0D 708A4300 MOV ECX,DWORD PTR DS:[438A70] ; .00439750
004375AF 8B03 MOV EAX,DWORD PTR DS:[EBX]
004375B1 8B15 C0274300 MOV EDX,DWORD PTR DS:[4327C0] ; .00432800
004375B7 E8 101FFFFF CALL .004294CC
004375BC 8B0D 048A4300 MOV ECX,DWORD PTR DS:[438A04] ; .00439764
004375C2 8B03 MOV EAX,DWORD PTR DS:[EBX]
004375C4 8B15 DC324300 MOV EDX,DWORD PTR DS:[4332DC] ; .0043331C
004375CA E8 FD1EFFFF CALL .004294CC
004375CF 8B0D BC8A4300 MOV ECX,DWORD PTR DS:[438ABC] ; .0043976C
004375D5 8B03 MOV EAX,DWORD PTR DS:[EBX]
004375D7 8B15 28354300 MOV EDX,DWORD PTR DS:[433528] ; .00433568
004375DD E8 EA1EFFFF CALL .004294CC
004375E2 8B03 MOV EAX,DWORD PTR DS:[EBX]
004375E4 E8 6F1FFFFF CALL .00429558
004375E9 5B POP EBX
004375EA E8 69BFFCFF CALL .00403558

Is the problem that I use win2k? Or is it another problem?

Thx for your help

cerb




Quote:
[Originally Posted by cerb]Hello Labba,

great work!!!!!!!!!!!!!!!!!!!!!

Thanks

cerb

Moonbaby
January 16th, 2004, 03:22
Thanx LaBBa,

Your tut is very clear. But when I apply it I have a problem:

At Step #4: Finding Stolen Bytes and re-insert them:

when I choose Debug ==> Set Condition ===> click Ok ===> I press F11 =============> but nothing happens ??????

Could you tell me why.

Thank you very much.

I love your tuts

cerb
January 16th, 2004, 05:25
Hi Moonbaby,

press ctrl+F11 for Trace into.

Best Regards
cerb



Quote:
[Originally Posted by Moonbaby]Thanx LaBBa,

Your tut is very clear. But when I apply it I have a problem:

At Step #4: Finding Stolen Bytes and re-insert them:

when I choose Debug ==> Set Condition ===> click Ok ===> I press F11 =============> but nothing happens ??????

Could you tell me why.

Thank you very much.

I love your tuts

LaBBa
January 16th, 2004, 06:27
Quote:
[Originally Posted by cerb]Hello LaBBa,
I tried the first App in your Tut, I found one difference in the OEP. My OEP is
437589
Is the problem that I use win2k? Or is it another problem?
Thx for your help
cerb


well if u are talking about the first app :
00436EAD MOV EBX,DWORD PTR DS:[437A90] ; - this is the Fake OEP
00436EB3 MOV EAX,DWORD PTR DS:[EBX]

but as u say .. u used Win2K ... I used WinXP (look at tools for this tut)
but the weird thing is .. I don't think there should be any difference between the addresses .. and the more weird thing is .. that u have got to the same code.. ???

So .. I don't really know how that happened.. but we got to the same code..

I don't have Win2K to test it myself.. sorry..

LaBBa
January 16th, 2004, 06:32
Quote:
[Originally Posted by Moonbaby]Thanx LaBBa,
At Step #4: Finding Stolen Bytes and re-insert them:
when I choose Debug ==> Set Condition ===> click Ok ===> I press F11 =============> but nothing happens ??????
I love your tuts


Check u'r steps again.. I think that u didn't do something right .. because I know that many ppl had no probs with it ..

Scarabee
January 16th, 2004, 13:24
first of all, Labba thanx for all the great work and effort you put into this protector.

I have a small question though...
following your tut I arrive at setting a breakpoint at IsDebuggerPresent. Olly however doesn't allow me. It gives the message: Unable to set breakpoint.
Any idea how to solve? thanx in advance!!

dELTA
January 16th, 2004, 15:31
Are you using Windows 9X/ME? In that case you cannot directly breakpoint APIs in Olly, it only works on Windows 2000/XP.

Scarabee
January 16th, 2004, 16:10
Thanx for the reply.

That'll be the problem I guess. At this moment I'm running win98se. Any alternative idea how to solve this problem perhaps?

Shoob
January 16th, 2004, 16:54
Quote:
[Originally Posted by Scarabee]Thanx for the reply.

That'll be the problem I guess. At this moment I'm running win98se. Any alternative idea how to solve this problem perhaps?


It's not a prob of win98se [hxxp://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/isdebuggerpresent.asp] but I think you are at some place where Olly doesn't know this command because it isn't yet in the import list of some code section; I sometimes have this problem. Or you just wrote isdebuggerpresent like "isdebuggerpresent"? Don't forget large and small letters, so write "IsDebuggerPresent". After all, for lazy guys you can also search for the Auto IsDebuggerPresent plugin by SV and hide it permanently.

Uradox
January 17th, 2004, 02:55
All that complicated isdebugger.. stuff at the start labba :P
Just CTRL+G and enter IsDebuggerPresent

Shoob
January 17th, 2004, 04:33
know your

LaBBa
January 17th, 2004, 11:56
Quote:
[Originally Posted by Uradox]All that complicated isdebugger.. stuff at the start labba :P
Just CTRL+G and enter IsDebuggerPresent


yea I know that Ura .. I just wanted that other ppl will know how to set a BP not only with that kind of approach .. but I forgot to put this also .. tnx for reminding us..

LaBBa
January 17th, 2004, 12:47
hi britedream
I saw many posts by u about u finding the Stolen bytes an easy way .. can u show us (an expanded explanation if u can ..) u'r method of finding the Stolen bytes ?

MaRKuS-DJM
January 17th, 2004, 14:31
Quote:
[Originally Posted by LaBBa]hi britedream
I saw many posts by u about u finding the Stolen bytes an easy way .. can u show us (an expanded explanation if u can ..) u'r method of finding the Stolen bytes ?


did you see his post @extools, LaBBa?

Quote:
[Originally Posted by britedream]
Hi Markus
asprotect doesn't need that long tut, even though we appreciate the effort now and always that labba is doing, I think long tuts tend to be hard to follow at least for me, here is the way that britedream might do it:
1- stack hard breakpoint on the first push, takes you to pushad, do the same for the pushad takes you to the stolen bytes.
2- memory breakpoint on code section, look at the stack for the oep.
3- fix your iat- done.


and it's working very well!

LOUZEW
January 17th, 2004, 14:38

Hi, LaBBa
First of all, thank you for writing this tut!, you know I appreciated the last ones.

Following your approach (the first App), I met the same thing as cerb.
I'm under Win XP SP1 and found that :

My OEP without stolen bytes is 437589

00437589 8B1D 908A4300 MOV EBX,DWORD PTR DS:[438A90] ; ACopy.004396E8
0043758F 8B03 MOV EAX,DWORD PTR DS:[EBX]

Well, not very important, let's go. Fixing IAT, some difference too but done now.
THE MOST IMPORTANT PROBLEM IS :

Finding Stolen Bytes (step #4), I have some difference in Addresses again (not important), but After the REP STOS BYTE PTR ES:[EDI], replaced by JMP EDI, tracing with F8, all is OK until :

PUSH ECX
PUSH EAX
CALL 00A63C0B
POPAD

After that it's different, I have a JMP and then all is different, a few lines after, a CALL drives me out of memory and nothing else is displayed under OLLY, the only way, restarting with CTRL+F2 !

MaRKuS-DJM
January 17th, 2004, 17:46
Quote:
[Originally Posted by LOUZEW]After that it's different, I have a JMP and then all is different, a few lines after, a CALL drives me out of memory and nothing else is displayed under OLLY, the only way, restarting with CTRL+F2 !


I know this problem, you have to nop this call. It isn't necessary for finding stolen bytes. Then you can go on with searching them.

LaBBa
January 17th, 2004, 20:54
Quote:
[Originally Posted by MaRKuS-DJM]to follow at least for me, here is the way that britedream might do it:
1- stack hard breakpoint on the first push, takes you to pushad, do the same for the pushad takes you to the stolen bytes.
2- memory breakpoint on code section, look at the stack for the oep.



Hmm.. but where ? when ? what will I see at the memory breakpoint ?
that's what I said earlier about not full explanation .. and just throwing an answer without really explaining to all ppl .. even I didn't understand this answer.. -> (yes this is a smile, now a cry)

LaBBa
January 17th, 2004, 21:00
Quote:
[Originally Posted by LOUZEW]
After that it's different, I have a JMP and then all is different, a few lines after, a CALL drives me out of memory and nothing else is displayed under OLLY, the only way, restarting with CTRL+F2 !


ok .. now that u got to that call .. look down left of the Olly Screen and it will say something like : "..Access Violation..."
this is what I mean ... when u get to an "..Access Violation..."
just nop it and continue tracing again and again till u get to a line that is : PUSH EBP or similar to that..
("MOV DWORD PTR SS:[ESP+4],EBP - same as Push EBP")
there it starts its stolen bytes.. and from there it's all the same.. (I guess)

MaRKuS-DJM
January 18th, 2004, 05:48
Quote:
[Originally Posted by LaBBa]ok .. now that u got to that call .. look down left of the Olly Screen and it will say something like : "..Access Violation..."
this is what I mean ... when u get to an "..Access Violation..."
just nop it and continue tracing again and again till u get to a line that is : PUSH EBP or similar to that..
("MOV DWORD PTR SS:[ESP+4],EBP - same as Push EBP")
there it starts its stolen bytes.. and from there it's all the same.. (I guess)


I hope this will clear the thing...
you execute the first push, follow the ESP value in dump, set a hardware breakpoint, on access > dword. Press F9. You will stop at a pushad command (Hardware Breakpoint).
execute this pushad, follow the ESP value again and set again a hardware breakpoint, on access > dword. Now skip all the exceptions as normal and at the last exception set a breakpoint (F2) @the ret. Now press F9 and you are at the beginning of the stolen bytes (I think you stop at the same place as you do with the trace till this command "REP STOS BYTE PTR ES:[EDI]". But the difference: aspr hasn't executed this code before like with your trace, it executes it now. This means there is no exception or access violation like with your method.

britedream
January 18th, 2004, 09:29
thanks markus for the clarifications
to dear labba:
I am glad that you saw my only post as too many, that means you must have read it many times (just teasing). If you have a point that you don't understand, please state it, I will be more than happy to clarify it. I only mentioned
the setting of two breakpoints, and my feeling that anyone who lacks the knowledge
of setting a breakpoint shouldn't try to unpack asprotect in the first place.

regards.
p.s.
it was to my surprise that you didn't post where you have read my explanation, you would have gotten the reply much sooner.

LOUZEW
January 18th, 2004, 10:56
Hi, guys
Many thanks for the time you took helping us.

LaBBa, I've now unpacked the first App. and it runs fine, thanks to MaRKuS-DJM and britedream for their explanation. I still have 1 or 2 questions :

1 - Searching for stolen bytes, tracing with F8 etc..., how did you determine when stolen bytes are OVER ? ? ? it's not so easy ! ! !

2 - I've tried to apply this method to another Asprotected target (PEiD gives me the same asprotect ver), but it's really different (I think). Are there many packing methods with the same Asprotect version ? ? if you are interested I can give you the App name !

Britedream, tried your method, OK too but a little more explanation will help those ppl who have been dealing with Aspr for a short time ! (thanks even though, it's a good thing to know many methods !).

LaBBa, I'll try your second App now ! and again many thanks for your effort, I know it's not so easy to write a tut that anybody can understand, especially if our mother languages are different !

Computer_Angel
January 18th, 2004, 13:15
I unpacked many asprotect progs, and I found that the stolen bytes for the prog depend on the type of compiler used. So just make it easy:

case 1:
38 bytes:

0066B131 55 PUSH EBP
0066B132 8BEC MOV EBP,ESP
0066B134 6A FF PUSH -1
0066B136 68 C0716C00 PUSH .006C71C0
0066B13B 68 D8B96600 PUSH .0066B9D8
0066B140 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0066B146 50 PUSH EAX
0066B147 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
0066B14E 83EC 58 SUB ESP,58
0066B151 53 PUSH EBX
0066B152 56 PUSH ESI
0066B153 57 PUSH EDI
0066B154 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP

so you just only have to find the real values of the 2 push commands in
0066B136 68 C0716C00 PUSH xxxxx
0066B13B 68 D8B96600 PUSH xxxxx

case 2:
11 bytes:

005008BC <Module> $ 55 PUSH EBP
005008BD . 8BEC MOV EBP,ESP
005008BF . B8 5C055000 MOV EAX,dumped_1.0050055C
005008C4 . 83C4 F4 ADD ESP,-0C

just need to know the EAX value

case 3:
22 bytes:

0057B0F8 <Module> $ 55 PUSH EBP
0057B0F9 . 8BEC MOV EBP,ESP
0057B0FB . 83EC 18 SUB ESP,18
0057B0FE . 53 PUSH EBX
0057B0FF . 56 PUSH ESI
0057B100 . 57 PUSH EDI
0057B101 . 33C0 XOR EAX,EAX
0057B103 . 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
0057B106 . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
0057B109 . B8 78A95700 MOV EAX,a.0057A978

just need to know the EAX value

case 4:
16 bytes:

004FF904 <Module>/$ 55 PUSH EBP
004FF905 |. 8BEC MOV EBP,ESP
004FF907 |. 83EC 14 SUB ESP,14
004FF90A |. 33C0 XOR EAX,EAX
004FF90C |. 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
004FF90F |. B8 54F34F00 MOV EAX,dumped_1.004FF354

just need to know the EAX value

case 5:
8 bytes:

005B8F74 <Module>/$ 55 PUSH EBP
005B8F75 |. 8BEC MOV EBP,ESP
005B8F77 |. B9 06000000 MOV ECX,6

You just need to know the ECX value.

case 6:
12 bytes:

004B38C0 > $ 55 PUSH EBP
004B38C1 . 8BEC MOV EBP,ESP
004B38C3 . 83C4 F4 ADD ESP,-0C
004B38C6 . 53 PUSH EBX
004B38C7 . B8 58334B00 MOV EAX,dumped_.004B3358

You just need to know the EAX value.

case 7:
00553710 00 DB 00
00553711 00 DB 00
00553712 00 DB 00
00553713 00 DB 00
00553714 00 DB 00
00553715 >/$ 55 PUSH EBP
00553716 |. 8BEC MOV EBP,ESP
00553718 |. 51 PUSH ECX
00553719 |. 52 PUSH EDX
0055371A |. 53 PUSH EBX
0055371B |. 50 PUSH EAX
0055371C |. 6A 00 PUSH 0
0055371E |. 53 PUSH EBX
0055371F |. B8 A0305500 MOV EAX,.005530A0

You need the EAX value. This is a special case; I have seen it only once.

case 8:
25 bytes:

005BC558 55 PUSH EBP
005BC559 8BEC MOV EBP,ESP
005BC55B 83C4 E4 ADD ESP,-1C
005BC55E 53 PUSH EBX
005BC55F 56 PUSH ESI
005BC560 57 PUSH EDI
005BC561 33C0 XOR EAX,EAX
005BC563 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
005BC566 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
005BC569 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
005BC56C B8 68BE5B00 MOV EAX,005BBE68

You just need the EAX value.

----------------------------------------------------------
So, if the stolen-bytes case only needs an EAX or ECX value, it's easy for us to find this value.
If the stolen bytes are case 1, you must use a conditional breakpoint
on the commands:
PUSH EBP
MOV EBP,ESP
PUSH -1

and press Ctrl-F11 until you find these stolen bytes; at that point you will see the two PUSH commands below with the values you need.

----------------------------------------------------------
About finding the real OEP: you can use Ricardo's technique; it is easier than the steps LaBBa has done (oops, sorry).
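
Computer_Angel's table above is mostly bookkeeping once the tracing is done: when you know which template you hit and have read the hidden immediate(s) off the registers or the stack, the prologue has to be re-encoded byte for byte and written back in front of the fake entry point. The script below is an added example, not code from this thread; it transcribes the eight listings above as templates with the hidden immediates as named placeholders, re-encodes a prologue from recovered values, and matches the opcode bytes seen while tracing against the templates. The lengths are the ones given in the post (no length is given for case 7; the template works out to 15 bytes). The real-OEP arithmetic assumes the usual layout where the fake entry point is the instruction right after the stolen bytes; that is an assumption, not something the post states.

```python
"""Rebuild an ASProtect stolen-bytes prologue from one of the compiler
templates in the post above. Added example, not code from the thread.
Which template applies, and the hidden immediates, still have to be
recovered by tracing; real_oep() assumes the fake entry point is the
first instruction after the stolen bytes (an assumption, not from the post).
"""
import struct
from typing import Dict, List, Union

# bytes = fixed opcode bytes; str = name of a hidden 32-bit immediate
Piece = Union[bytes, str]

# Each template is the stolen prologue's instruction stream, with the 32-bit
# immediates the protector hides replaced by named placeholders.
TEMPLATES: Dict[int, List[Piece]] = {
    # case 1 (38 bytes): SEH frame setup, two PUSH imm32 values to recover
    1: [b"\x55", b"\x8B\xEC", b"\x6A\xFF",
        b"\x68", "push1", b"\x68", "push2",
        b"\x64\xA1\x00\x00\x00\x00", b"\x50",
        b"\x64\x89\x25\x00\x00\x00\x00", b"\x83\xEC\x58",
        b"\x53", b"\x56", b"\x57", b"\x89\x65\xE8"],
    # case 2 (11 bytes)
    2: [b"\x55", b"\x8B\xEC", b"\xB8", "eax", b"\x83\xC4\xF4"],
    # case 3 (22 bytes)
    3: [b"\x55", b"\x8B\xEC", b"\x83\xEC\x18", b"\x53", b"\x56", b"\x57",
        b"\x33\xC0", b"\x89\x45\xE8", b"\x89\x45\xEC", b"\xB8", "eax"],
    # case 4 (16 bytes)
    4: [b"\x55", b"\x8B\xEC", b"\x83\xEC\x14", b"\x33\xC0",
        b"\x89\x45\xEC", b"\xB8", "eax"],
    # case 5 (8 bytes): MOV ECX,imm32
    5: [b"\x55", b"\x8B\xEC", b"\xB9", "ecx"],
    # case 6 (12 bytes)
    6: [b"\x55", b"\x8B\xEC", b"\x83\xC4\xF4", b"\x53", b"\xB8", "eax"],
    # case 7 (no length given in the post; 15 bytes by this template)
    7: [b"\x55", b"\x8B\xEC", b"\x51", b"\x52", b"\x53", b"\x50",
        b"\x6A\x00", b"\x53", b"\xB8", "eax"],
    # case 8 (25 bytes)
    8: [b"\x55", b"\x8B\xEC", b"\x83\xC4\xE4", b"\x53", b"\x56", b"\x57",
        b"\x33\xC0", b"\x89\x45\xE4", b"\x89\x45\xE8", b"\x89\x45\xEC",
        b"\xB8", "eax"],
}


def needed_values(case: int) -> List[str]:
    """Names of the immediates to read off the registers/stack while tracing."""
    return [p for p in TEMPLATES[case] if isinstance(p, str)]


def stolen_length(case: int) -> int:
    """Byte length of the prologue (how far the real OEP lies before the fake one)."""
    return sum(4 if isinstance(p, str) else len(p) for p in TEMPLATES[case])


def rebuild(case: int, values: Dict[str, int]) -> bytes:
    """Encode the prologue with the recovered immediates filled in (little-endian)."""
    missing = set(needed_values(case)) - set(values)
    if missing:
        raise ValueError(f"case {case} still needs {sorted(missing)}")
    out = bytearray()
    for p in TEMPLATES[case]:
        out += struct.pack("<I", values[p]) if isinstance(p, str) else p
    return bytes(out)


def real_oep(fake_ep: int, case: int) -> int:
    """Assumes the fake EP is the instruction right after the stolen bytes."""
    return fake_ep - stolen_length(case)


def identify(seen: bytes) -> List[int]:
    """Cases whose template agrees with the opcode bytes seen so far (immediates
    are wildcards). Trace further until only one case remains."""
    hits = []
    for case, pieces in TEMPLATES.items():
        pos, ok = 0, True
        for p in pieces:
            if pos >= len(seen):
                break
            if isinstance(p, str):
                pos += 4                       # any immediate value matches
                continue
            chunk = seen[pos:pos + len(p)]
            if chunk != p[:len(chunk)]:
                ok = False
                break
            pos += len(p)
        if ok and pos > 0:
            hits.append(case)
    return hits


def olly_hex(blob: bytes) -> str:
    """Format for OllyDbg's binary paste (Ctrl+E) or a hex editor."""
    return " ".join(f"{b:02X}" for b in blob)


if __name__ == "__main__":
    # Case 1 with the two PUSH values from the listing above.
    print(olly_hex(rebuild(1, {"push1": 0x006C71C0, "push2": 0x0066B9D8})))
    print(hex(real_oep(0x0066B131 + 38, 1)))
    print(identify(bytes.fromhex("55 8B EC 83 EC 14 33 C0 89 45 EC")))
```

For the case 1 listing above, rebuild(1, {"push1": 0x006C71C0, "push2": 0x0066B9D8}) returns exactly the 38 bytes shown, and identify() on the bytes 55 8B EC 83 EC 14 33 C0 89 45 EC narrows the match to case 4. All eight templates start with PUSH EBP / MOV EBP,ESP, so the first three bytes alone match every case; the SUB/ADD ESP or the first MOV/PUSH after them is what tells them apart.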

cRk
January 18th, 2004, 18:59
I personally don't see any knowledge in your comments, Computer_Angel. We want the good theory first, then to go and practice. What exactly do we have to do with the info you gave? How do we know the compiler used? How do we get the stolen bytes? You haven't answered at all. Also, there are some other Delphi apps whose OEP doesn't begin with 55 8BEC; which case do we have then?

Regards

LaBBa
January 24th, 2004, 19:09
Hi all,
I just finished reviewing all the posts here,
and I'm glad to see that most people got their answers, and most Aspr problems are now clear.

So I think that we have done all we can about this protection, and it's now time to move on to another protection.

I just hope I will have more spare time to do this kind of "Super Thread",
where most kinds of questions are in one thread
(like I saw for Xtreme Protector).

So people, please remember: when you give an answer to a question, please try to explain as much as you can about the problem (where? when? how? why?).

What will my next protection tut be?

Well, I don't even know. I'm thinking about something harder, like FlexLM or HASP things.

I haven't found even one tut about those for advanced newbies,
only the ones on this board and at CrackZ's page, which are both for advanced people who already know how to deal with those kinds of protection.

So I'm thinking those kinds should be next.

And even if I don't do it, I hope that someone will.

Again, thanks all.

Best regards,
LaBBa.

init
January 24th, 2004, 20:02
Hi, I'm having problems with the last section of step #2. After you dump the file with ProcDump, you press F8 and you say it should bring me to the fake OEP, but it isn't taking me to the same place you are after the RETN. I get this:

00437589 8B DB 8B
0043758A 1D DB 1D
0043758B 90 NOP
0043758C 8A DB 8A
0043758D 43 DB 43 ; CHAR 'C'
0043758E 00 DB 00
0043758F 8B DB 8B
00437590 03 DB 03
00437591 E8 DB E8
00437592 1E DB 1E
00437593 1F DB 1F
00437594 FF DB FF
00437595 FF DB FF
00437596 8B DB 8B
00437597 0D DB 0D
00437598 0C8B4300 DD .00438B0C
0043759C 8B DB 8B
0043759D 03 DB 03
0043759E 8B DB 8B
0043759F 15 DB 15
004375A0 10374300 DD .00433710 ; ASCII "P7C"
004375A4 E8 DB E8
004375A5 23 DB 23 ; CHAR '#'
004375A6 1F DB 1F
004375A7 FF DB FF
004375A8 FF DB FF
004375A9 8B DB 8B
004375AA 0D DB 0D
004375AB 708A4300 DD .00438A70
004375AF 8B DB 8B
004375B0 03 DB 03
004375B1 8B DB 8B
004375B2 15 DB 15
004375B3 C0274300 DD .004327C0
004375B7 E8 DB E8
004375B8 10 DB 10
004375B9 1F DB 1F
004375BA FF DB FF

and if I press Ctrl+A it does nothing.

R@dier
January 25th, 2004, 05:06
Quote:
[Originally Posted by init]Hi, I'm having problems with the last section of step #2. After you dump the file with ProcDump, you press F8 and you say it should bring me to the fake OEP, but it isn't taking me to the same place you are after the RETN. I get this:

00437589 8B DB 8B


This is the fake OEP of the version you are now dealing with.
I also had this version, as did a few others; if you read some of the posts in this thread you will see.

Use the tut as a method for dealing with the problem;
the steps are the same, just some of the addresses will be different.

Best Wishes

R@dier

Asmodeus
January 26th, 2004, 00:05
Quote:
After that it's different: I have a JMP and then all is different; a few lines after, a CALL drives me out of memory and nothing else is displayed under Olly. The only way out is restarting with CTRL+F2!


I'm having the same trouble, and I AM NOPing at every stop, just as the tut says.
Otherwise everything works like a charm, but this seems a little strange.
Anyway, I will try again tomorrow.
And thanks for the great tut! I'm actually in a bit over my head here, but with a little luck...

cerb
January 26th, 2004, 06:25
Hi Asmodeus and Init,

the fake OEP = 00437589 is right. At this step, right-click in the code section -> Analysis -> Remove Analysis, and you should now see the code.

Best regards
cerb


Quote:
[Originally Posted by Asmodeus]I'm having the same trouble, and I AM NOPing at every stop, just as the tut says.
Otherwise everything works like a charm, but this seems a little strange.
Anyway, I will try again tomorrow.
And thanks for the great tut! I'm actually in a bit over my head here, but with a little luck...

LOUZEW
January 26th, 2004, 07:43
Quote:
[Originally Posted by Asmodeus]I'm having the same trouble, and I AM NOPing at every stop, just as the tut says.
Otherwise everything works like a charm, but this seems a little strange.
Anyway, I will try again tomorrow.
And thanks for the great tut! I'm actually in a bit over my head here, but with a little luck...


OK, Asmodeus, I can help you!

The problem is the last CALL before you are left with a blank window under Olly and the only thing to do is CTRL+F2; you don't get any access violation message, but this call has to be NOPed.
So restart Olly (CTRL+F2), do all the work up to the line just above this call, then NOP it and follow the tut. (Except for this CALL, all is clear in the tut!)

Asmodeus
January 27th, 2004, 02:15
Hi, and thanks for your answers!
I will try this as soon as I can!
Louzew, you must be right. It's logical that it must be the "last-before" instruction that is throwing me into nowhere-land! If I NOP this, everything should probably work well.
Actually, my target is a slightly newer build than the one in the tut, but so far everything seems the same; just some of the actual addresses are different. But all the instructions are matching, so I think this will work well in the end.
Thanks again!

LOUZEW
January 27th, 2004, 11:07
Hi, LaBBa.
First of all, many thanks for this nice tut and the help you gave me (and all the others).
Following your tuts, I've now unpacked these two apps. I've been able to apply your method to another app too.

But now I'm dealing with some other apps, trying to see if your methods work there too. I chose some Elcomsoft apps (all their apps seem to be packed with ASProtect, different versions and different methods).

The first one I worked on was APDFPRP (Advanced PDF Password Recovery Pro), and it was a little bit different. I've now fully unpacked this target, but it was hard; I finished it with help from DGrojo (hard to translate Spanish for me), and I expect to write a little English tut for this type of protection (hope I can do it).

The second one is AOXPPRP (Advanced Office Password Recovery Pro). It seems very easy at first approach, but I'm not able to find how to resolve the problem: I've found an OEP at 401000 and no stolen bytes, but the app crashes!

(Oh yes, I've resolved some other apps from Elcomsoft, like Advanced Registry Tracer and Advanced Disk Catalog.)

Can you take a look at their apps (AOXPPRP particularly) and tell me if I'm an idiot or if it's really different?

You can find their site at http://www.elcomsoft.com

Many thanks, LaBBa!

LaBBa
January 27th, 2004, 14:42
Quote:
[Originally Posted by LOUZEW]Hi, LaBBa.

The second one is AOXPPRP (Advanced Office Password Recovery Pro). It seems very easy at first approach, but I'm not able to find how to resolve the problem: I've found an OEP at 401000 and no stolen bytes, but the app crashes!
...... and tell me if I'm an idiot or if it's really different?

AOXPPRP: well, I checked this app only really quickly.
It really looks like it's going to be easy, but some of the resources, after unpacking the app, started to give an access violation.

Well, yeah, it's different, like I said in my unpacking tut.

I can't explain the fixing of redirected calls,

and it could be a version with nanomites (Uradox told me there are some out there).

I don't have time to look at this to make sure which one it is, sorry.
But only one thing: you may have done the fixing of the IAT wrong, because my app doesn't crash after the unpacking; only a lame message box that can be bypassed, and then it runs OK (with some errors in the resources).

Again, sorry, I don't have much time to look into it.
I will be happy if you continue and update us all about what you find.

Best regards,
LaBBa

LOUZEW
January 27th, 2004, 16:12
Quote:
[Originally Posted by LaBBa]AOXPPRP: well, I checked this app only really quickly.
It really looks like it's going to be easy, but some of the resources, after unpacking the app, started to give an access violation.

Well, yeah, it's different, like I said in my unpacking tut.

I can't explain the fixing of redirected calls,

and it could be a version with nanomites (Uradox told me there are some out there).

I don't have time to look at this to make sure which one it is, sorry.
But only one thing: you may have done the fixing of the IAT wrong, because my app doesn't crash after the unpacking; only a lame message box that can be bypassed, and then it runs OK (with some errors in the resources).

Again, sorry, I don't have much time to look into it.
I will be happy if you continue and update us all about what you find.

Best regards,
LaBBa


OK, thanks.
I can understand you are busy; I'm in this state most of the time.
Your response is good enough for now; I know I've done something wrong resolving the IAT.
I'll try again in a few days!

cerb
January 27th, 2004, 16:13
[Post contents deleted by JMI for violation of the rule prohibiting posting "target specifically identified code."]


Best regards
cerb

LaBBa
January 27th, 2004, 16:33
Quote:
[Originally Posted by cerb]
At this position you can fix the IAT with ImpRec:
Size: 1000
OEP: 401000
and you can run the app.
cerb

Yeah, but now press the dialog to register and see what happens: an access violation.

cerb
January 27th, 2004, 17:10
hi LaBBa,

I didn't get an access violation.

cerb



Quote:
[Originally Posted by LaBBa]Yeah, but now press the dialog to register and see what happens: an access violation.

JMI
January 27th, 2004, 19:01
cerb:

I have deleted the contents of your previous post because you have several times violated our rule against posting code from a specifically identified target. If you want to post code, make sure that you do NOT specifically identify the target (do NOT state its name) and that you REMOVE the name of the target from all portions of the code you do post. If you want to discuss a specifically identified target, do so ONLY by PM or private email.

Regards,

nikolatesla20
January 27th, 2004, 20:09
JMI, I have a question: how can I write a tutorial without referring to any specific target? Along with that, all the tutorials on Fravia's site refer to specific files. Are tutorials allowed to do so, or what is the best option?

I have no problems with the board rules; I can understand removing links, but why so strict on target specifics? Of course we don't want to hold anyone's hand through a reversing session, but even to show a general reverse there almost has to be a target; otherwise the one going through the tutorial won't even know how to begin. So how do I balance these ideas?

-nt20

JMI
January 27th, 2004, 21:24
nikolatesla20:

You have raised a good question and I'll attempt to make a distinction between the contents of tutorials and the active posts here on the Forum.

Generally, whenever a tutorial is written the author is discussing the methods and techniques used by a particular version of some specific software, and that may appear to be in conflict with the rule against the posting of target-specific code on the Forum, but actually is not. Generally, by the time that any tutorial gets even moderate distribution and consideration, the software vendors get wind of the publication and, particularly with regard to protection software, make greater or lesser changes in their protection scheme and/or software to attempt to avoid the described methods of defeating their protection. In that sense one could argue that we are actually helping the protectionists improve their products and increase their revenue, by selling newer versions of their software to anyone who may not be entitled to free updates.

However, the general purpose of this Forum is the study of and analysis of the reverse engineering techniques, not the distribution of means and methods of the free use of commercial software. I believe you will find in the vast majority of the tutorials found on the +Fravia archive that the tutorials are for analysis purposes and study and they contain the direct statement that if one intends to continue using the specific product, one should actually purchase it.

This goes to the issue of why we had to enforce the end of people posting IATs and such. We are not interested in making this a place where one comes to find the specific code which could be pasted into someone else's dump and which would make a specific piece of software available for use without compensation to its author. If we permitted the posting of specific code with which one could "convert" a specific piece of software, software vendors would, and do, attack our server hosts, complaining we are distributing "crackz" and "warez", and that is not what we want to be happening here.

We want people to come here to learn how reverse code engineering works and the methods and techniques one uses to study and determine how various systems and components of operating systems attempt to do or attempt to prevent the doing of various things. It is the mental challenge of figuring out what is happening and how to defeat it that sustains those of us who have been at this for an extended period of time. While this may give those who study these techniques the ability to do things which may be argued by others to be infringing on their intellectual property rights, we do not advocate that they use them in such a manner or for such a purpose.

Therefore, a tutorial which merely described how to remove the protection of target x would not have very high value in the sense of "reverse engineering." However, a tutorial that simply uses a target as the basis for analysis of what a protection system is attempting to do is of much interest, not because it provides a solution for that specific piece of software, but because it provides a basis of analysis of a methodology of what one can do to attempt to protect software and what one can do to attempt to defeat those efforts.

In this sense, the specific software is essentially irrelevant, except it is the “vehicle” through which the analysis is presented. The object is hoped not to be the "solution" of that piece of software, but the analysis of whatever new technique is being discussed.

So if one posts here code which says do step one, two, and three and you will have a working version of software WWW, we can anticipate an attack on our ability to maintain this Forum on the net. Therefore, we cannot allow someone to post code for what is identified as software WWW and identify exactly where software WWW may be patched to make a "working" version.

So the difference is between a "generic" discussion, which maybe discusses stolen bytes or anti-debugger methods and might even include code which does not identify a specific target, and one which is "specific" to those issues in software WWW. In the former circumstance one may know how to reverse a protection, but they, themselves, have to go out and find a specific piece of software which uses that technique and reverse it themselves. Then what they decide to do with it is their problem, and not ours. I hope I have made the distinction more clear. As I stated in the post above, one can always post code which doesn't specifically identify a target and exchange more detailed information with those who feel the need to attempt to follow along by PM and/or private email.

Regards,

esther
January 27th, 2004, 21:59
Well, I think specifying a target when posting in the forum does not really affect anything. We are not gods; we can't guess what the target is, and it's "hard" to help them even if they post specific code here. Of course reversers here ONLY HELP them to analyse certain areas, but not to crack the whole thing.

My 2 cents

Regards

nikolatesla20
January 28th, 2004, 00:34
Thank you for the clarification, JMI. I agree with you completely on the fact that we want to preserve this place, and that posting target specifics turns it more into a "warez" type forum. I tend to think that this would also lower the quality of the community as well, since those coming here would only want the quick crack. Thank you for helping me re-realize that.

I still want to construct a tutorial on my latest project, however, which believe it or not, isn't about unpacking, but it's about attacking a VST instrument. It would be about unpacking, but this particular target wasn't packed. I got into the project simply because I wanted to know if I could find and remove the offensive code and how do I even find how to get to it, so I have come up with some cool info on how to get into these programs (VST plug-ins for audio apps) which can be used as a generic method of attack. But I'm still unsure how to really "publish" it....I'm also sure there are others out there that may have heavy experience in this realm already, but I haven't seen any real info on them and just thought it was a cool little project. (Remember Radium? where are they?...).

Anyway this discussion turns the theme of this thread in another direction. I should probably post in a new thread about any further concerns.

-nt20

JMI
January 28th, 2004, 03:57
To repeat an old phrase, "I know where you're coming from." I got into reversing when trying to learn how to remove PACE copy protection from early Mac music programs. I simply started in with MacNosy and began taking the programs apart without knowing anything about what I was doing or what to be looking for. That led to reading about assembly language programming and learning how to prevent the protection from blowing up the debugger. That taught me that if you can prevent them from removing the functionality of the debugger, with enough patience, you can eventually solve almost any reversing problem. You would not believe how many hours I would trace code in single-step mode before learning more about what was going on. The general rule was simple: "if the code was going to run, the code had to decrypt itself", and if you could watch it long enough, you could eventually see that happen.

Eventually I learned not only what they were doing, but how to circumvent what they had done. I wasn't interested in distributing cracks to software protected by their system, I was a legitimate purchaser of all of it. It was simply the challenge of learning how to understand what they had done and how to work around it and then waiting for the next version and refusing to let the damn machine get the better of me.

Eventually I even discussed some of the program's shortcomings, like using the same phrase to start their hash of the code sections (good old BEEFABAD), with company representatives at one of the local MacWorld Conventions. Boy, were they surprised I could tell them in detail how their program worked and what its weaknesses were. Then I waited for them to fix it again, and started again taking it apart.

Then I began moving into the windows world and had to start back at square one. There is always more to learn and read and that helps keep the mind active and gives one something to focus on besides the issues of real life. The only problem is that real life, as opposed to school life, leaves so little time for such hobbies and so many other responsibilities. But the mental challenge remains. Who's going to win tonight, the person in front of the machine or the person behind the software. It would all be just much less interesting, if they didn't also work hard to try to stay ahead of all of you.

And the games go on.

Regards,

cerb
January 28th, 2004, 04:49
Hi JMI,

no problem with the rules. Anyone who wants the code snippet should private message me to get it.

best regards
cerb

LOUZEW
January 28th, 2004, 06:54
Hi, JMI, Nikolatesla, cerb, esther and all others.
I agree totally with these rules; if somebody wants to write about specific target code, we can do that by PM or mail!
Cerb, thanks for your help, but what you wrote (and JMI deleted) was not necessary; this was well known since LaBBa wrote his Super tut! (and a little bit earlier).
I've done the job now; it was a mistake in resolving the IAT. As our friend LaBBa said, unpacking this target is now done, but there is some trouble with resources (a message box about a resource decryption error, and all displayed strings are quoted with "%").
I'll try to find something on this later, because I'm now busy on another job!

Thank's to you ALL !

LaBBa
January 28th, 2004, 07:08
Quote:
[Originally Posted by LOUZEW]
.....(and a little bit early).
.......but there is some trouble with resources (a msgbox about resource decryption error, and all displayed strings are quotes with "%"......


Hmm, sometimes I don't know if people really read the posts or just come here and write whatever they want.

LOUZEW, if you read some threads back you will see that this is exactly what I wrote about this.
About the IAT rebuilding, nothing has changed. Please recheck yourself, and please read the earlier posts that are here.


Quote:
[Originally Posted by LOUZEW]
.....(and a little bit early)...

I don't understand.


Quote:
[Originally Posted by LOUZEW]
..it was a mistake resolving IAT. Like said our friend LaBBa...

Hmm, so please share with us the info about your way. I already shared what I have found, so be kind and share the info you found with us.

Best regards ,
LaBBa

nikolatesla20
January 28th, 2004, 08:29
Well... that resource has to be loaded at some point in time, so why not try loading the actual resource in question and dumping the program again while it's loaded? Then find the resource code and re-paste the particular resource back into the original file.

-nt20

LaBBa
January 28th, 2004, 09:25
Quote:
[Originally Posted by nikolatesla20]Well...that resource has to be loaded at some point in time, why not try loading the actual resource in question and trying to dump the program again while it's loaded? Then find the resource code and re-paste the particular resource back into the original file..
-nt20


Yeah, I know it, but I didn't have time to look at whether this is really the problem or not.

I just unpacked it and rebuilt it and saw it running, and that's it.
I hope that someone else will show us all how it should be done
"step by step".

Manko
January 28th, 2004, 14:31
Hi!

I don't know why, but I couldn't get to their page, so I'll just speculate...

I think cerb got it right, and his steps are "necessary". (I guess there are numerous ways to get it done, but his way was probably the simplest and adequately effective.)
I am guessing that what he did was to dump it after the resources had been decrypted, and set the new EP directly after the decrypting routine. This place probably is the REAL "OEP" before the added crypting and aspr and decrypting...
Also, I am guessing that if you dump it at what WE THINK is the OEP, it will decrypt wrongly when aspr is not there...

Just speculation, but it might be true...

Furthermore, to LaBBa:

About LOUZEW: I don't think he meant there was anything wrong with your method of fixing the IAT; rather, he didn't apply your theory correctly, and that is what he is saying, plus he's acknowledging that you mentioned he might have got it wrong.

Blah, blah... Hope I guessed correctly!

/Manko

R@dier
January 29th, 2004, 06:57
Hi,

I tried this proggy and managed to unpack it successfully;
there was a problem with the way ImpRec had identified some of the imports.
I ended up correcting it by hand when I saw a couple of the imports had the same name.

All seems to be working fine.

Regards

R@dier

PM me if you need a working IAT (hope that's not against the rules, hehehe).

Uradox
January 30th, 2004, 23:50
Quote:
[Originally Posted by LaBBa]AOXPPRP: well, I checked this app only really quickly.
It really looks like it's going to be easy, but some of the resources, after unpacking the app, started to give an access violation.


This could possibly be another feature in aspr that redirects *Delphi* resources. Basically aspr handles some of them and the real pointers are redirected, and thus when you unpack, access violations occur. However, I've only ever seen this once in a target; mind you, I don't really look at aspr anymore. The solution is similar to the dead exception handling emulation idea: inject some code to scan for these redirected pointers, read the table and patch in the new ones.
But it may not be that, because I think when it's protected it does every possible resource it can redirect. Who knows :P I don't even know what app you guys are talking about; I check here about once a week, if that.

cRk
January 31st, 2004, 00:05
Elcomsoft apps aren't Delphi apps; as far as I know, aren't they Microsoft Visual C++ 6?

Regards

Uradox
January 31st, 2004, 06:48
Quote:
[Originally Posted by cRk]Elcomsoft apps aren't Delphi apps; as far as I know, aren't they Microsoft Visual C++ 6?

Regards

Sorry :P I didn't really pay any attention to whatever target you guys are looking at; I only skimmed through.
/me slaps himself around with a large trout

LOUZEW
January 31st, 2004, 06:53
Hi, cRk,
only for info:

Elcomsoft releases many apps; some are Delphi ones (like ART), some others are MSVC++, BC++ (AOXPPRP), Watcom C/C++ (APDFPRP), etc.

LOUZEW
January 31st, 2004, 07:01
Quote:
[Originally Posted by Manko]Hi!

About LOUZEW: I don't think he meant there was anything wrong with your method of fixing the IAT; rather, he didn't apply your theory correctly, and that is what he is saying, plus he's acknowledging that you mentioned he might have got it wrong.

bla, bla... Hope I guessed correctly!

/Manko


You're right, Manko, I'm not blaming LaBBa; he did a good job with his Super tut! I'm only reporting here what I've done and confirming LaBBa's tips on AOXPPRP resources!
I think he had trouble with my posts, due to my bad English.
Sorry!

hobferret
January 31st, 2004, 17:53
Hi guys,

I need a little help with LaBBa's Aspr tut and a weird proggie.

After tracing for stolen bytes, i.e. REP STOS BYTE PTR ES:[EDI],

I end up at an address which holds ADD EAX,EDX, POPs the fake EP address, then jumps through rubbish, eventually arriving at CALL DWORD PTR SS:[EBP+1C], which is an access violation.

The next instruction is a JMP 6A48C2FD, which obviously does not exist.

So I set a new origin on the next JMP just below and then come across this:

55 PUSH EBP
8BEC MOV EBP,ESP
83EC 14 SUB ESP,14
33C0 XOR EAX,EAX
8945 EC MOV DWORD PTR SS:[EBP-14],EAX

But nowhere can I find the next instruction, which should be MOV EAX,BLAH.

I would really appreciate some help on this, because I've been through it time and time again with no success.

/hobferret

LaBBa
January 31st, 2004, 18:48
Quote:
[Originally Posted by hobferret]Hi guys

I need a little help with LaBBa's Aspr tut and a weird proggie...
........
........
But nowhere can I find the next instruction, which should be MOV EAX,BLAH.
/hobferret


Well, dude, you need to read again how to find the EAX value; I don't think you understand it at all.

The EAX value you get:

00A51C64 55 PUSH EBP -> here look at the EAX value
00A51C65 8BEC MOV EBP,ESP
00A51C67 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00A51C6A 85C0 TEST EAX,EAX
00A51C6C 75 13 JNZ SHORT 00A51C81
00A51C6E 813D A47AA500 00> CMP DWORD PTR DS:[A57AA4],400000 ; ASCII "MZP"
00A51C78 75 07 JNZ SHORT 00A51C81
00A51C7A A1 A47AA500 MOV EAX,DWORD PTR DS:[A57AA4]
00A51C7F EB 06 JMP SHORT 00A51C87
00A51C81 50 PUSH EAX
00A51C82 E8 3135FFFF CALL 00A451B8 ; JMP to kernel32.GetModuleHandleA
00A51C87 5D POP EBP
00A51C88 C2 0400 RETN 4

or, before you dump, at this code:

0040531C BA 9C704300 MOV EDX,.0043709C
00405321 52 PUSH EDX
00405322 8905 B8844300 MOV DWORD PTR DS:[4384B8],EAX
00405328 8942 04 MOV DWORD PTR DS:[EDX+4],EAX
0040532B E8 98FFFFFF CALL .004052C8
00405330 5A POP EDX
00405331 58 POP EAX -> after the POP, the value of EAX will show...
00405332 E8 15E1FFFF CALL .0040344C
00405337 C3 RETN

Please read more carefully, and post those kinds of questions in the same thread; don't open a new one. I hope that the admins of this board will move this to where it should be.

[Edit by JMI: Threads merged, as they appear to belong together, as LaBBa suggested.]

Regards ,
LaBBa.

LaBBa
January 31st, 2004, 19:02
Hi all,

I saw some posts about my bad way of fixing the IAT with ImpRec.

Well, I know why they probably say that: ImpRec sometimes has a problem where it fixes the same API twice.

All I have to say is that I already wrote about that a long time ago in some old tut; just use the search and you will find about 3-4 more tuts I've done, which include the old tricks and, until now, the new ones.

There is no way that I can put all the tricks of aspr into one tut, sorry. Just

use the search for aspr, and I can tell you this:

YOU WILL FIND ALL THERE IS TO KNOW ABOUT ASPR'S LAME PROTECTION

Regards ,

LaBBa .

hobferret
February 1st, 2004, 08:52
LaBBa, I am not saying you are wrong, and I have read your VERY GOOD tut over and over; however, there is something weird about this prog. I am not going to mention its name or else JMI will flame me!

I do understand what you are saying and have tried it on other progs to try and clarify what is going on. The others have been completed with complete success, but not this one!

Sorry about posting a NEW thread, but I just thought that probably no one would read it if I stuck it on the end of your thread, and I needed someone to read it, OK.

THIS WEIRD PROG
First part

00A51C64 55 PUSH EBP -> EAX==0
............
............
RETN 4

To here:
004070F9 |. A3 68C64F00 MOV DWORD PTR DS:[4FC668],EAX ;
004070FE |. A1 68C64F00 MOV EAX,DWORD PTR DS:[4FC668]
00407103 |. A3 D8604F00 MOV DWORD PTR DS:[4F60D8],EAX
00407108 |. 33C0 XOR EAX,EAX
0040710A |. A3 DC604F00 MOV DWORD PTR DS:[4F60DC],EAX
0040710F |. 33C0 XOR EAX,EAX
00407111 |. A3 E0604F00 MOV DWORD PTR DS:[4F60E0],EAX
00407116 |. E8 C1FFFFFF CALL Prog.004070DC
0040711B |. BA D4604F00 MOV EDX,Prog.004F60D4
00407120 |. 8BC3 MOV EAX,EBX
00407122 |. E8 81D7FFFF CALL Prog.004048A8
00407127 |. 5B POP EBX
00407128 \. C3 RETN

Scrolling up I get this:
004070E8 /$ 53 PUSH EBX
004070E9 |. 8BD8 MOV EBX,EAX
004070EB |. 33C0 XOR EAX,EAX
004070ED |. A3 CC604F00 MOV DWORD PTR DS:[4F60CC],EAX
004070F2 |. 6A 00 PUSH 0
004070F4 |. E8 2BFFFFFF CALL Prog.00407024

So I am assuming that it must be EBX that holds the info not EAX as there is no instruction PUSH EAX - only PUSH EBX followed by MOV EBX,EAX - but when EBX is popped the value is 7FFDF000

So things just do not follow and like I said there is nothing like MOV EAX,XXXXXXXX [B8XXXXXXXX] in the stolen bytes area!

Following the RETN @ 00407128 we get to the fake entry point so somewhere we are at cross purposes mate else I am just THICK!

Help would be appreciated - thanx

/hobferret

LaBBa
February 1st, 2004, 12:46
Quote:
[Originally Posted by hobferret]LaBBa, I am not saying you are wrong .....
.....
......
So I am assuming that it must be EBX that holds the info not EAX as there is no instruction PUSH EAX - only PUSH EBX followed by MOV EBX,EAX - but when EBX is popped the value is 7FFDF000
.......
Help would be appreciated - thanx
/hobferret


the earlier post about fixing the IAT wasn't for u.. so ... i know u didn't say i was wrong... and even if i was.. it's ok..

the post i gave u was about the EAX value that was with POP EAX ..
U ARE Right !! .. but in the tut before this one i already said that some versions of aspr do it like u said here :

004070F9 |. A3 68C64F00 MOV DWORD PTR DS:[4FC668],EAX ;
004070FE |. A1 68C64F00 MOV EAX,DWORD PTR DS:[4FC668]
00407103 |. A3 D8604F00 MOV DWORD PTR DS:[4F60D8],EAX
00407108 |. 33C0 XOR EAX,EAX
0040710A |. A3 DC604F00 MOV DWORD PTR DS:[4F60DC],EAX
0040710F |. 33C0 XOR EAX,EAX
00407111 |. A3 E0604F00 MOV DWORD PTR DS:[4F60E0],EAX
00407116 |. E8 C1FFFFFF CALL Prog.004070DC
0040711B |. BA D4604F00 MOV EDX,Prog.004F60D4
00407120 |. 8BC3 MOV EAX,EBX -> HERE EAX GETS ITS VALUE BACK !!!
00407122 |. E8 81D7FFFF CALL Prog.004048A8
00407127 |. 5B POP EBX
00407128 \. C3 RETN

so :
00407120 |. 8BC3 MOV EAX,EBX -> HERE EAX GETS ITS VALUE BACK !!!

is the value..

and it was already talked about .. please.. just use the search and u will find some of my tuts here.. and all of the tricks are over there.. and if not in my tuts.. there are many more that other ppl also have done..

Regards ,

LaBBa .

D-Jester
February 1st, 2004, 15:50
I will not give a target name but while attempting to unpack this target Protected by Asprotect 1.2x, target crashes at this instruction, while being Debugged by Olly 1.9d

LEA ESP, DWORD PTR SS:[ESP+EBP+D] (I have no idea what 'D' is.)

Here is a screen dump of the crash...

hxxp://d-jester1.tripod.com/ThisError.png

I am guessing that Olly is crashing the target, but I am not sure.
Or that Olly has been detected, and the program is crashing itself.

I have ended up at this error a dozen times even when I 'TC EIP<900000'
as suggested by LaBBa.

My Kernel32.dll is patched so I know IsDebuggerPresent is not giving me away.

That still leaves FS:[20](Debug Context), I may have missed that instruction.

I make it to where LaBBa said to trace, and instead of tracing (which crashes) I single step, and I still crash...the prog runs fine without Olly.

Any suggestions?

LaBBa
February 1st, 2004, 17:06
Quote:
[Originally Posted by D-Jester]I will not give a target name ....
....
I single step, and I still crash...the prog runs fine without Olly.
Any suggestions?


Well.. it's going to be hard to help u like this.. so i will ask a few Q first..
1. What OS u use ?
i use winXP pro...

2. Olly and u'r computer are not always working well ... did u try restarting the computer and then try again ?
i found that very helpful somtimes..

if all u'r answers are still the same.. please.. PM me.. with app name..
and i will try to help..

Regards ,

LaBBa .

hobferret
February 1st, 2004, 20:00
Thanx LaBBa for your reply

Will give it a go b4 I go to the land of nod

BTW did not read your other tuts have been rather busy of late - good nite

/hobferret

cRk
February 2nd, 2004, 00:24
Quote:
I am not going to mention it's name or else JMI will flame me!.


does helping someone and guiding him through the right trails/steps mean flaming to you?

also you should think before that there exists what's called Private Message or Email to tell the target!

D-Jester
February 2nd, 2004, 01:53
Quote:
[Originally Posted by LaBBa]

1. What OS u use ?



Currently WinME
I was using Win2k, had to replace that install after a bad SICE install made it unbootable, so I reverted.
Thinking of Dual booting XP Pro/ ME

Quote:
[Originally Posted by LaBBa]

2. Olly and u'r computer are not alwes working well ... did u try restarting the computer and then try again ?



Yeah it's a Clean install. Less Than 2 months old.

Quote:
[Originally Posted by D-Jester]

(I have no idea what 'D' is.)



Sorry had a brain fart, too much caffeine not enough sleep.

I think I will try something different, my resume only has UPX and UPX Scrambler on it, thought I would try to ride with big dogs, but think I need to get back on the porch and bark for awhile.

JMI
February 2nd, 2004, 03:26
cRk remember that hobferret added a smilie face at the end of the comment which generally signals an attempt at humor. And I believe the difference between a "flame" and a "constructive criticism" is that a "flame" is directed at an individual on a personal level. A "constructive criticism" is aimed at a behavior.

I do not direct my comments as criticism of a person, but as an effort to teach what I view as a better approach to issues of learning and helping oneself. Failing to search or to help oneself does not make a person "bad" or "lesser" but it does tend to reduce the value of the lesson. It simply means they have settled for a way that provides less rewards and fewer chances of meaningful learning. I view my role as attempting to steer people back to a path not only called for by our rules, but one which is truly the path to greater learning.

hobferret clearly was demonstrating that he was following the rules, and for that no other "guidance" is really needed.

Regards,

R@dier
February 2nd, 2004, 06:27
@hobferret
when you execute
MOV EAX,EBX ; EAX = 004F57C0
this is the value you need to fix your stolen bytes


here are your stolen bytes
OEP :004F5DB8

004F5DB8 55 PUSH EBP
004F5DB9 8BEC MOV EBP,ESP
004F5DBB 83EC 14 SUB ESP,14
004F5DBE 33C0 XOR EAX,EAX
004F5DC0 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
004F5DC3 B8 C0574F00 MOV EAX,dumped_.004F57C0


Best Wishes

R@dier

program runs fine
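A way to double-check the fix R@dier describes (and the EAX/EBX confusion in hobferret's post), as an added example that is not part of this thread or of any tool mentioned in it: it parses the six-line Olly listing above, re-assembles the same prologue with the value seen at MOV EAX,EBX as the MOV EAX,imm32 immediate, and confirms the listing is contiguous from the OEP and that the immediate is little-endian. The listing text is copied from R@dier's post; the function names are my own.

```python
import struct

# Listing copied from R@dier's post; used here as constructed sample input.
STOLEN_LISTING = """\
004F5DB8 55 PUSH EBP
004F5DB9 8BEC MOV EBP,ESP
004F5DBB 83EC 14 SUB ESP,14
004F5DBE 33C0 XOR EAX,EAX
004F5DC0 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
004F5DC3 B8 C0574F00 MOV EAX,dumped_.004F57C0
"""

HEX_DIGITS = set("0123456789ABCDEFabcdef")


def parse_listing(text):
    """Return [(address, opcode_bytes)] from an OllyDbg-style listing.
    Heuristic: opcode columns are even-length hex tokens, and the first
    token that is not one starts the mnemonic (fine for this listing)."""
    rows = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        code = bytearray()
        for tok in toks[1:]:
            if len(tok) % 2 or any(c not in HEX_DIGITS for c in tok):
                break
            code += bytes.fromhex(tok)
        rows.append((int(toks[0], 16), bytes(code)))
    return rows


def encode_mov_eax_imm32(value):
    """B8 imm32: MOV EAX,imm32; the immediate is stored little-endian."""
    return b"\xb8" + struct.pack("<I", value)


def build_stolen_prologue(recovered_eax):
    """The prologue from the listing, with the immediate taken from the
    register value observed at MOV EAX,EBX (hypothetical helper)."""
    return (b"\x55" b"\x8b\xec" b"\x83\xec\x14" b"\x33\xc0" b"\x89\x45\xec"
            + encode_mov_eax_imm32(recovered_eax))


def check_stolen_bytes(listing_text, oep, recovered_eax):
    """Check addresses run contiguously from the OEP, the bytes match the
    rebuilt prologue and the last imm32 decodes to the recovered value.
    Returns (ok, total_bytes, decoded_immediate)."""
    rows = parse_listing(listing_text)
    expected = oep
    for addr, code in rows:
        if addr != expected:           # gap or wrong OEP: bytes would misalign
            return False, 0, None
        expected = addr + len(code)
    raw = b"".join(code for _, code in rows)
    imm = struct.unpack("<I", raw[-4:])[0]
    return raw == build_stolen_prologue(recovered_eax) and imm == recovered_eax, len(raw), imm
```

With the values from the thread (OEP 004F5DB8, EAX 004F57C0) the check passes and reports 16 stolen bytes, which is exactly the span from 004F5DB8 to the first instruction left in the dump.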

hobferret
February 2nd, 2004, 18:03
Cheers R@dier

Managed to smell the coffee last nite but still have a small prob, have sent a PM

Cheers and thanx for your help

/hobferret

Just tried to send you an email to yr address but it failed

R@dier
February 2nd, 2004, 20:12
@hobferret.
Hi,

email is up and running again

R@dier

PM sent

hobferret
February 3rd, 2004, 09:46
Quote:
[Originally Posted by R@dier]@hobferret.
Hi,

email is up and running again

R@dier

PM sent


Hi R@dier

Sorry about being a pain in the a**e but I just got up and decided to have a go at V2 of prog - and did the whole lot in a few minutes, running perfectly. So basically I am "stunned", god only knows what was going wrong with V1.5.

Off 2 work soon - thanks 4 your help - much appreciated

/hobferret

nikolatesla20
February 3rd, 2004, 12:43
hobferret all it is, is experience. You're just getting better.

-niko

hobferret
February 3rd, 2004, 13:27
Quote:
[Originally Posted by nikolatesla20]hobferret all it is, is experience. You're just getting better.

-niko


Hiya nt

I could not understand it, it's the first aspr'd prog I ever had trouble with although these are the first with the "stolen" bytes erased - all the oldies had them in high memory

It must have been something with the way it was being dumped because it was trying to move addresses that did not exist into registers

But you are right everything is experience one never stops learning

/hobferret