
Can't unpack ASPACK, even Aspack fails...


dipeshrestha
February 15th, 2004, 23:56
Hi all, greetz,

Recently I downloaded one program DELETED for Windows v2.3 from Download Site Removed.

PEiD shows this program is packed with Aspack 2.1, and while viewing sections it has a pec as well as an aspack section. (Is it packed using two packers or what?)

I tried to manually unpack it and found its OEP at 42E9B8 (is it true?). I dumped it and, using ImpREC, I clicked on Get Imports. ImpREC says: "original iat rva found at 362a5 in section RVA:36000 Size: 5000"

Even after that the dumped app doesn't work. I tried with ASPACK Die, but the application crashed. And one interesting thing is that when unpacked with ASPACKDIE, PEditor shows it is not a valid PE file.

Can someone help me with this? I will be learning new things from this discussion.

Dipesh

JMI
February 16th, 2004, 03:39
Hey Dipesh:

No download links to commercial software allowed and no target-specific code may be posted if you identify a target.

That aside, it is not unheard of for a software vendor to use both a packer and a protector. Here's another possibly shocking thought:

Sometimes the protection system actually is programmed to, gasp, LIE about what method was actually used. Oh the shame of it. They would actually attempt to deceive us honest crackers.

The identifier programs are fairly good, but sometimes the protectors write their programs to try to fool them into thinking some other protector has been used.

I know it is not the easy solution, but if you really want to learn things useful, you need to be studying manual unpacking, which means searching for information and reading a lot. Have you already reviewed threads here on "Aspack"? It would be a good term for a search.

Using "aspack sections" I got 13 threads which may have some information for your issue. When I used just "aspack" I got 103 threads, several of which have titles which should be of interest to your issue.

You may also need to review information on what makes a valid PE Header and what happens when protectors mess with that information. There is always something more to study and it is through study that most learning occurs.

You should do some of these things first and then ask a more specific question than "Can someone help me on this."

Regards,

dipeshrestha
February 23rd, 2004, 00:51
Quote:
[Originally Posted by JMI]
Sometimes the protection system actually is programmed to, gasp, LIE about what method was actually used


Hi JMI,
Actually I have learned about manually unpacking Aspack, and I think I can unpack any Aspacked program. But my question is how to defeat a protection system that lies about what method was actually used. I rely extensively on PE identifier programs to know which packer was used to pack a program. How do I defeat the spoofing of the protection scheme?

dipesh

Panemuckl
July 2nd, 2004, 16:49
Tried it myself... AsPackDie and manual unpacking fails.

Have an eye on the import section. It seems to me as if there's a fake import section to fool ImpREC (original: 2832 imported functions; unpacked/ImpREC shows fewer).

ryan
July 2nd, 2004, 21:53
Quote:
[Originally Posted by dipeshrestha]But my question is how to defeat a protection system that lies about what method was actually used. I rely extensively on PE identifier programs to know which packer was used to pack a program. How do I defeat the spoofing of the protection scheme?


You should not rely on PE identifier programs at all. Just keep practising on targets that you know FOR SURE are from one particular packer. Over time, your "zen" will tell you what a new target is packed with.
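The question above (how to deal with a packer that spoofs what identifier tools report) and the reply (don't trust the identifier) both come down to the fact that the signatures such tools key on, section names in particular, are just bytes in the section table that any packer can write. The following is an added example, not code posted by anyone in this thread: it parses the PE section table directly, reports per-section entropy and raw-versus-virtual size, and flags packer-style names only as hints. The sample image it builds is constructed in memory with section names chosen to match those discussed in the thread (.text, .aspack, .adata); it is not a real program and the names are assumptions.

```python
"""Added example (not from the thread): inspect a PE section table for
packer hints, and show why a section name alone proves nothing."""
from __future__ import annotations

import math
import random
import struct

# Section names that well-known packers emit. Any packer can rename its
# sections, so a match is only a triage hint (the point made in the thread).
PACKER_SECTION_NAMES = {b".aspack", b".adata", b"pec1", b"pec2", b"UPX0", b"UPX1"}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: ~8.0 for compressed/encrypted data, well below 6 for plain code."""
    if not buf:
        return 0.0
    n = len(buf)
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list[dict]:
    """Walk the COFF section table of a PE image; raises ValueError if the headers are malformed."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER starts here
    (nsections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size                         # first IMAGE_SECTION_HEADER (40 bytes each)
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        name = name.rstrip(b"\0")
        raw = image[rawptr:rawptr + rawsize] if rawsize else b""
        if len(raw) != rawsize:
            raise ValueError(f"section {name!r}: raw data runs past end of file")
        sections.append({"name": name, "virtual_size": vsize, "virtual_address": va,
                         "raw_size": rawsize, "entropy": shannon_entropy(raw)})
    return sections


def triage(image: bytes) -> list[str]:
    """Report packer indicators per section. None of these is proof of a specific packer."""
    findings = []
    for s in parse_sections(image):
        label = s["name"].decode("ascii", "replace")
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append(f"{label}: packer-style section name (trivially spoofable)")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"{label}: no raw data but {s['virtual_size']:#x} bytes virtual "
                            "(likely filled by an unpacking stub at runtime)")
        if s["entropy"] > 7.0:
            findings.append(f"{label}: entropy {s['entropy']:.2f} (compressed or encrypted payload)")
    return findings


def build_sample_image() -> bytes:
    """Constructed minimal PE32 with a packer-like layout. Not a real program; the
    section names are assumptions chosen to match the ones discussed in the thread."""
    rng = random.Random(0xA5)
    plain = b"\x90" * 512 + b"\xC3" * 512                       # two-symbol filler, entropy 1.0
    packed = bytes(rng.getrandbits(8) for _ in range(4096))     # high-entropy "compressed" blob
    opt_size = 224                                              # PE32 optional header size
    nsec = 3
    raw_base = (0x40 + 4 + 20 + opt_size + 40 * nsec + 0x1FF) & ~0x1FF   # file-align to 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)        # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)     # PE32 magic, rest zeroed

    def section_header(name, vsize, va, rawsize, rawptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0xE0000020)

    headers = (dos + b"PE\0\0" + coff + opt
               + section_header(b".text", 0x20000, 0x1000, 0, 0)     # empty on disk, filled at runtime
               + section_header(b".aspack", len(packed), 0x21000, len(packed), raw_base)
               + section_header(b".adata", len(plain), 0x22000, len(plain), raw_base + len(packed)))
    return headers.ljust(raw_base, b"\0") + packed + plain


if __name__ == "__main__":
    for line in triage(build_sample_image()):
        print(line)
```

Run as a script it lists the indicators for the constructed image; on a real file, read it into `image` and call `triage`. The name check is deliberately reported as "spoofable" while the entropy and raw-size checks describe properties of the data itself, which is what a practitioner should weigh when an identifier's verdict and the binary's behaviour disagree.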

cRk
July 3rd, 2004, 11:42
I tried this one before. It has encrypted parts of the code, and some import calls are encrypted as well. It has a CRC check: after the exe has been modified it won't decrypt the parts of the code needed to run fine, and that's the reason why it crashes. You must defeat the CRC check after unpacking it. The CRC check has anti-loader tricks as well. You can check this by just modifying a byte in memory with a loader, or just modifying the last Aspack section where the 000 data is: write anything there and you'll notice what I mean. If the program runs, later it will quit with an ExitProcess call, which is also encrypted.

Regards

MiKoRiZa
August 6th, 2006, 10:08
Hi! I also tried to unpack this app (version 3.6) but with no success. Did you manage to unpack it, or do you have some information on how to find the correct IAT and rebuild the dump? Thanks

JMI
August 6th, 2006, 12:46
MiKoRiZa:

Obviously YOU also did not read the FAQ about Target references and paid no attention to the fact that this is a two year old Thread. NOT a good start for you. This Thread is now closed.

Regards,