
asprotect closing door


klier
February 28th, 2004, 08:25
Forgive me, father, 'cause I have sinned.
It's been 3 years since my last unpacking.
PEiD said ASProtect 1.22-1.23.
Dumped it at OEP.
Fixed for stolen bytes.
Fixed IAT.
No go.
Trace...
Call unpacks more...
and shuts the door with int 3.
Dumped after call and...
fixed the int 3 and did the above.
Hallelujah, see the stars.
Q: is this standard or exceptional behaviour?

klier
February 28th, 2004, 12:42
first dump

004976B8 >/$ 55 PUSH EBP<<<<<<<<<<<from here....
004976B9 |. 8BEC MOV EBP,ESP
004976BB |. 6A FF PUSH -1
004976BD |. 68 90624C00 PUSH mod_van_.004C6290
004976C2 |. 68 B8794900 PUSH mod_van_.004979B8 ; SE handler installation
004976C7 |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
004976CD |. 50 PUSH EAX
004976CE |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP
004976D5 |. 83EC 58 SUB ESP,58
004976D8 |. 53 PUSH EBX
004976D9 |. 56 PUSH ESI
004976DA |. 57 PUSH EDI
004976DB |. 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP<<<<<<<<<till here,stolen bytes
004976DE |. FF15 38314C00 CALL DWORD PTR DS:[<&kernel32.GetVersion>; kernel32.GetVersion
004976E4 |. 33D2 XOR EDX,EDX
004976E6 |. 8AD4 MOV DL,AH
004976E8 |. 8915 70255500 MOV DWORD PTR DS:[552570],EDX
004976EE |. 8BC8 MOV ECX,EAX
004976F0 |. 81E1 FF000000 AND ECX,0FF
004976F6 |. 890D 6C255500 MOV DWORD PTR DS:[55256C],ECX
004976FC |. C1E1 08 SHL ECX,8
004976FF |. 03CA ADD ECX,EDX
00497701 |. 890D 68255500 MOV DWORD PTR DS:[552568],ECX
00497707 |. C1E8 10 SHR EAX,10
0049770A |. A3 64255500 MOV DWORD PTR DS:[552564],EAX
0049770F |. 33F6 XOR ESI,ESI
00497711 |. 56 PUSH ESI
00497712 |. E8 A4510000 CALL mod_van_.0049C8BB
00497717 |. 59 POP ECX
00497718 |. 85C0 TEST EAX,EAX
0049771A |. 75 08 JNZ SHORT mod_van_.00497724
0049771C |. 6A 1C PUSH 1C
0049771E |. E8 B0000000 CALL mod_van_.004977D3
00497723 |. 59 POP ECX
00497724 |> 8975 FC MOV DWORD PTR SS:[EBP-4],ESI
00497727 |. E8 6F4E0000 CALL mod_van_.0049C59B
0049772C |. FF15 B8314C00 CALL DWORD PTR DS:[<&kernel32.GetCommand>; [GetCommandLineA
00497732 |. A3 C42F6100 MOV DWORD PTR DS:[612FC4],EAX
00497737 |. E8 2D4D0000 CALL mod_van_.0049C469
0049773C |. A3 A4255500 MOV DWORD PTR DS:[5525A4],EAX
00497741 |. E8 D64A0000 CALL mod_van_.0049C21C
00497746 |. E8 184A0000 CALL mod_van_.0049C163
0049774B |. E8 12FAFFFF CALL mod_van_.00497162
00497750 |. 8975 D0 MOV DWORD PTR SS:[EBP-30],ESI
00497753 |. 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
00497756 |. 50 PUSH EAX ; /pStartupinfo
00497757 |. FF15 3C314C00 CALL DWORD PTR DS:[<&kernel32.GetStartup>; \GetStartupInfoA
0049775D |. E8 A9490000 CALL mod_van_.0049C10B
00497762 |. 8945 9C MOV DWORD PTR SS:[EBP-64],EAX
00497765 |. F645 D0 01 TEST BYTE PTR SS:[EBP-30],1
00497769 |. 74 06 JE SHORT mod_van_.00497771
0049776B |. 0FB745 D4 MOVZX EAX,WORD PTR SS:[EBP-2C]
0049776F |. EB 03 JMP SHORT mod_van_.00497774
00497771 |> 6A 0A PUSH 0A
00497773 |. 58 POP EAX
00497774 |> 50 PUSH EAX
00497775 |. FF75 9C PUSH DWORD PTR SS:[EBP-64]
00497778 |. 56 PUSH ESI
00497779 |. 56 PUSH ESI ; /pModule
0049777A |. FF15 84314C00 CALL DWORD PTR DS:[<&kernel32.GetModuleH>; \GetModuleHandleA
00497780 |. 50 PUSH EAX
00497781 |. E8 9A2FFCFF CALL mod_van_.0045A720<<<<<<<<<<<<<<<<<<trace into
00497786 |. 8945 A0 MOV DWORD PTR SS:[EBP-60],EAX
00497789 |. 50 PUSH EAX
0049778A |. E8 00FAFFFF CALL mod_van_.0049718F
0049778F |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00497792 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
00497794 |. 8B09 MOV ECX,DWORD PTR DS:[ECX]
00497796 |. 894D 98 MOV DWORD PTR SS:[EBP-68],ECX
00497799 |. 50 PUSH EAX
0049779A |. 51 PUSH ECX
0049779B |. E8 4D3A0000 CALL mod_van_.0049B1ED
004977A0 |. 59 POP ECX
004977A1 |. 59 POP ECX
004977A2 \. C3 RETN

call 00497781==
0045A720 $ 55 PUSH EBP
0045A721 . 8BEC MOV EBP,ESP
0045A723 . 81EC 0C010000 SUB ESP,10C
0045A729 . 897D F8 MOV DWORD PTR SS:[EBP-8],EDI
0045A72C . 8975 FC MOV DWORD PTR SS:[EBP-4],ESI
0045A72F . 895D F4 MOV DWORD PTR SS:[EBP-C],EBX
0045A732 . 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
0045A735 . 8935 C0315500 MOV DWORD PTR DS:[5531C0],ESI
0045A73B . 6A 00 PUSH 0
0045A73D . FF15 98334C00 CALL DWORD PTR DS:[<&ole32.CoInitialize>>; ole32.CoInitialize
0045A743 . FF15 1C304C00 CALL DWORD PTR DS:[<&comctl32.#17>] ; [InitCommonControls
0045A749 . B9 20186100 MOV ECX,_Prog.00611820
0045A74E . E8 8997FAFF CALL _Prog.00403EDC
0045A753 . 6A 40 PUSH 40
0045A755 . 50 PUSH EAX
0045A756 . FF15 94175500 CALL DWORD PTR DS:[551794]<<<<<<<unpacking routine
0045A75C . E9 1A010000 JMP _Prog.0045A87B<<<<<<<<<<<<place for second dump
0045A761 . C2 6C69 RETN 696C

.00497778: 56 push esi
.00497779: 56 push esi
.0049777A: FF1584314C00 call d,[0004C3184]
.00497780: 50 push eax
.00497781: CC int 3<<<<<<<<<<<<<<<<<closes door with int 3
.00497782: 9A2FFCFF8945A0 call 0A045:089FFFC2F
.00497789: 50 push eax
.0049778A: E800FAFFFF call .00049718F -------- (1)
.0049778F: 8B45EC mov eax,[ebp][-0014]


corrected==
004976B8 >/$ 55 PUSH EBP<<<<<<<<<<<from here....
004976B9 |. 8BEC MOV EBP,ESP
004976BB |. 6A FF PUSH -1
004976BD |. 68 90624C00 PUSH dulat.004C6290
004976C2 |. 68 B8794900 PUSH dulat.004979B8 ; SE handler installation
004976C7 |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
004976CD |. 50 PUSH EAX
004976CE |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP
004976D5 |. 83EC 58 SUB ESP,58
004976D8 |. 53 PUSH EBX
004976D9 |. 56 PUSH ESI
004976DA |. 57 PUSH EDI
004976DB |. 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP<<<<<<<<<till here,stolen bytes
004976DE |. FF15 38314C00 CALL DWORD PTR DS:[<&kernel32.GetVersion>; kernel32.GetVersion
004976E4 |. 33D2 XOR EDX,EDX
004976E6 |. 8AD4 MOV DL,AH
004976E8 |. 8915 70255500 MOV DWORD PTR DS:[552570],EDX
004976EE |. 8BC8 MOV ECX,EAX
004976F0 |. 81E1 FF000000 AND ECX,0FF
004976F6 |. 890D 6C255500 MOV DWORD PTR DS:[55256C],ECX
004976FC |. C1E1 08 SHL ECX,8
004976FF |. 03CA ADD ECX,EDX
00497701 |. 890D 68255500 MOV DWORD PTR DS:[552568],ECX
00497707 |. C1E8 10 SHR EAX,10
0049770A |. A3 64255500 MOV DWORD PTR DS:[552564],EAX
0049770F |. 33F6 XOR ESI,ESI
00497711 |. 56 PUSH ESI
00497712 |. E8 A4510000 CALL dulat.0049C8BB
00497717 |. 59 POP ECX
00497718 |. 85C0 TEST EAX,EAX
0049771A |. 75 08 JNZ SHORT dulat.00497724
0049771C |. 6A 1C PUSH 1C
0049771E |. E8 B0000000 CALL dulat.004977D3
00497723 |. 59 POP ECX
00497724 |> 8975 FC MOV DWORD PTR SS:[EBP-4],ESI
00497727 |. E8 6F4E0000 CALL dulat.0049C59B
0049772C |. FF15 B8314C00 CALL DWORD PTR DS:[<&kernel32.GetCommand>; [GetCommandLineA
00497732 |. A3 C42F6100 MOV DWORD PTR DS:[612FC4],EAX
00497737 |. E8 2D4D0000 CALL dulat.0049C469
0049773C |. A3 A4255500 MOV DWORD PTR DS:[5525A4],EAX
00497741 |. E8 D64A0000 CALL dulat.0049C21C
00497746 |. E8 184A0000 CALL dulat.0049C163
0049774B |. E8 12FAFFFF CALL dulat.00497162
00497750 |. 8975 D0 MOV DWORD PTR SS:[EBP-30],ESI
00497753 |. 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
00497756 |. 50 PUSH EAX ; /pStartupinfo
00497757 |. FF15 3C314C00 CALL DWORD PTR DS:[<&kernel32.GetStartup>; \GetStartupInfoA
0049775D |. E8 A9490000 CALL dulat.0049C10B
00497762 |. 8945 9C MOV DWORD PTR SS:[EBP-64],EAX
00497765 |. F645 D0 01 TEST BYTE PTR SS:[EBP-30],1
00497769 |. 74 06 JE SHORT dulat.00497771
0049776B |. 0FB745 D4 MOVZX EAX,WORD PTR SS:[EBP-2C]
0049776F |. EB 03 JMP SHORT dulat.00497774
00497771 |> 6A 0A PUSH 0A
00497773 |. 58 POP EAX
00497774 |> 50 PUSH EAX
00497775 |. FF75 9C PUSH DWORD PTR SS:[EBP-64]
00497778 |. 56 PUSH ESI
00497779 |. 56 PUSH ESI ; /pModule
0049777A |. FF15 84314C00 CALL DWORD PTR DS:[<&kernel32.GetModuleH>; \GetModuleHandleA
00497780 |. 50 PUSH EAX
00497781 |. E8 9A2FFCFF CALL dulat.0045A720 <<<<<<<<<removed int 3
00497786 |. 8945 A0 MOV DWORD PTR SS:[EBP-60],EAX
00497789 |. 50 PUSH EAX
0049778A |. E8 00FAFFFF CALL dulat.0049718F
0049778F |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00497792 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
00497794 |. 8B09 MOV ECX,DWORD PTR DS:[ECX]
00497796 |. 894D 98 MOV DWORD PTR SS:[EBP-68],ECX
00497799 |. 50 PUSH EAX
0049779A |. 51 PUSH ECX
0049779B |. E8 4D3A0000 CALL dulat.0049B1ED
004977A0 |. 59 POP ECX
004977A1 |. 59 POP ECX
004977A2 \. C3 RETN

trace into 00497781:
0045A720 $ 55 PUSH EBP
0045A721 . 8BEC MOV EBP,ESP
0045A723 . 81EC 0C010000 SUB ESP,10C
0045A729 . 897D F8 MOV DWORD PTR SS:[EBP-8],EDI
0045A72C . 8975 FC MOV DWORD PTR SS:[EBP-4],ESI
0045A72F . 895D F4 MOV DWORD PTR SS:[EBP-C],EBX
0045A732 . 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
0045A735 . 8935 C0315500 MOV DWORD PTR DS:[5531C0],ESI
0045A73B . 6A 00 PUSH 0
0045A73D . FF15 98334C00 CALL DWORD PTR DS:[<&ole32.CoInitialize>>; ole32.CoInitialize
0045A743 . FF15 1C304C00 CALL DWORD PTR DS:[<&comctl32.InitCommon>; [InitCommonControls
0045A749 . B9 20186100 MOV ECX,dulat.00611820
0045A74E . E8 8997FAFF CALL dulat.00403EDC
0045A753 . 6A 40 PUSH 40
0045A755 . 50 PUSH EAX
0045A756 . 90 NOP
0045A757 . 90 NOP
0045A758 . 90 NOP
0045A759 . 90 NOP
0045A75A . 90 NOP
0045A75B . 90 NOP<<<<<<<<<<<nopped out unpacking routine
0045A75C . E9 01000000 JMP dulat.0045A762
0045A761 1C DB 1C
0045A762 > E8 49FBFFFF CALL dulat.0045A2B0
0045A767 . 8BD8 MOV EBX,EAX
0045A769 . 0FB6D3 MOVZX EDX,BL
0045A76C . 85D2 TEST EDX,EDX
0045A76E . 75 28 JNZ SHORT dulat.0045A798
0045A770 . 33C0 XOR EAX,EAX
0045A772 . 50 PUSH EAX ; /lParam => NULL
0045A773 . 68 ACA34500 PUSH dulat.0045A3AC ; |DlgProc = dulat.0045A3AC
0045A778 . 50 PUSH EAX ; |hOwner => NULL
0045A779 . 68 2C010000 PUSH 12C ; |pTemplate = 12C
0045A77E . 56 PUSH ESI ; |hInst
0045A77F . FF15 A8324C00 CALL DWORD PTR DS:[<&user32.DialogBoxPar>; \DialogBoxParamA
0045A785 . 85C0 TEST EAX,EAX
0045A787 . 7D 08 JGE SHORT dulat.0045A791
0045A789 . 6A 00 PUSH 0 ; /ExitCode = 0
0045A78B . FF15 00324C00 CALL DWORD PTR DS:[<&kernel32.ExitProces>; \ExitProcess
0045A791 > E8 1AFBFFFF CALL dulat.0045A2B0

SpeKKeL
February 28th, 2004, 14:21
Hallelujah, see the stars.

Q: is this standard or exceptional behaviour?

Q: Did you write your post while drinking and smoking?

Q: Or got hit by lightning?

What TF is your question..

SpeKK.

D-Jester
February 28th, 2004, 14:36
I believe he is wanting to know if the int3 use is a commonplace anti-dbg?

klier
February 28th, 2004, 15:22
SpeKKeL :
reply Q1 = depends on the program; in this case it is a [Program Name Removed because target-specific code posted].

reply Q2 = is that a problem?

reply Q3 = For to rest both words and form
Seem lost in lightning and in storm,
While Saul, in wakeful trance,
See deep within that dazzling field
His persecuted Lord revealed
With keen yet pitying glance:
etc...

crUsAdEr
February 28th, 2004, 17:23
now now.. that is another level of reversing (perhaps admins need to move this thread to ADVANCED reversing)... are you trying to be the next +ORC with all these riddles ...

JMI
February 28th, 2004, 18:20
crUsAdEr:

It's not a riddle, it's part of a poem titled "The Conversion of St. Paul."

http://www.geocities.com/Heartland/Pines/7224/Rick/kbCnPaul.htm

Regards,

klier
February 29th, 2004, 06:33
Question is simple: the working dump is not at OEP but at the jump (0045A75C).
Is this an option from ASProtect?
Can't find something similar in the forum search and tuts.

regards,

crUsAdEr
February 29th, 2004, 13:50
yep it is a feature.. sometimes u need to dump before DIPs

klier
February 29th, 2004, 14:30
crUsAdEr :
The dump is, in my opinion, way after any DIP, and after OEP.
Excuse me if I'm wrong.

Greetings,

SpeKKeL
February 29th, 2004, 14:51
Quote:
[Originally Posted by klier]crUsAdEr :
The dump is, in my opinion, way after any DIP, and after OEP.
Excuse me if I'm wrong.

Greetings,


Well, after a good night's rest and thinking about poems...,

Just unpacked some CD copy clone prog (is it obvious..???)

OEP begins with a jmp! Maybe I missed those stolen bytes but that's not a problem... Look at the OEP (in the packed prog), at the stack and the values stored in the registers;
now you can see if you missed something important in your unpacked prog.
Dumping can take place before or after DIPs in my opinion, but I always dump as soon as I see the prog is loaded in memory.

BTW I gave the aspr debugger a try (version 1.06 is latest???) but it has cut some thunks and erased some imports...

BTW2, a good manner for reaching the OEP, or just before it in aspr code, is using BPMs on ESP!

Uhhhh.... To be or not to be (is the only one I know..sorry)


Spekk.

klier
March 1st, 2004, 11:13
Greetings

" One must do everything one can and then say 'God have Mercy!' "

First I made a dump at the fake OEP, fixed the dump for the stolen bytes, fixed the IAT and tried to run it.
The dump crashed, and after examining the dump I saw there was still some code packed and that the app crashed at line 0045A756 . FF15 94175500 CALL DWORD PTR DS:[551794].
So I made a second dump at 0045A75C . E9 01000000 JMP dulat.0045A762, just after the unpacking routine.
First I planned to cut and paste all the unpacked code into the half-unpacked dump, but I saw it was a big boring job, and you can easily overlook something.
So I treated the second dump the same as the first (stolen bytes, IAT), nopped out the unpacking call and tried to run it.
It crashed.
Examined the dump and found that the call that you should trace for getting at the unpacking routine and the rest of the code
(00497781 |. E8 9A2FFCFF CALL mod_van_.0045A720) was changed into .00497781: CC int 3.
By replacing the int3 byte with the original I got a working dump.

Question: is this ASProtect's or the programmer's doing?

JMI
March 1st, 2004, 13:43
klier:

Reversing your greeting, the answer is: G. I. Gurdjieff, "The Fourth Way."

Regards,

klier
March 1st, 2004, 13:56
JMI

you're right again

happy birthday,

JMI
March 1st, 2004, 14:05
Thanks, but I'm getting so old I can't remember what I'm thanking you for.

Regards,

klier
March 2nd, 2004, 12:34
JMI, you, being a musician, should find this without Google.

"The railings of the bridge
Were moving by the glass
The opportunity to leave
Was coming up fast

The situation passed across my
Mind once more,
And I decided that I needed
Less not more
Less not more
Less not more"

Bye,(thread closed)

JMI
March 2nd, 2004, 15:23
And the next stanza is:

I counted three fewer today
That is less
In any business the idea is not to get less
but to get more
And to sacrifice one's self
in the name of someone else
would be much more, not less, than you deserve
because it would be like dying
every single minute.

Regards,

cRk
March 3rd, 2004, 01:14
this is ASPR with xxx days trial???

your exe could crash due to ASPR checks/calls that look for places that maybe are no longer present.... check if your dump is OK..

ASPR usually writes a call that is somewhere near after the OEP; this call starts with FF15

and must be fixed.. also check if your stolen bytes are OK.. for Delphi apps these stolen bytes, most times, are important for the app to run properly

klier
March 3rd, 2004, 06:10
cRk :

Yes, it is a 30-day trial.
The call I nopped might indeed be that one.
Dump works perfectly.

Thanks for the info

Regards,

hobferret
March 3rd, 2004, 11:03
Quote:
[Originally Posted by klier]cRk :

Yes, it is a 30-day trial.
The call I nopped might indeed be that one.
Dump works perfectly.

Thanks for the info

Regards,


Hiya all

The thing most likely to cause INT3s in the dump is that you have "dumped" it with breakpoints still active.

Had this happen on a few occasions, then realized that if I cleared all the breakpoints before tracing into the final part prior to dumping, all was well.

Hope this helps. I'm going to take time off 'cause all I seem to be doing of late is reversing and life is just flying by.

But most likely will be back here B4 I know it!!!!!!

/hobferret 03/03/04
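Hobferret's diagnosis is mechanically checkable: a software breakpoint is a single 0xCC byte written over the first opcode byte, so a dump taken while it is set carries the 0xCC instead of the original byte, which is exactly the E8 -> CC change klier saw at 00497781. The Python below is an added example, not code from the thread; it uses a small constructed image mirroring the bytes at 00497780-00497788 from the listings, finds leftover INT3 bytes at recorded breakpoint addresses, restores them, and decodes the repaired E8 rel32 call to confirm it lands on 0045A720.

```python
import struct

# Constructed sample: a 9-byte slice of the dump, mapped at IMAGE_BASE, mirroring
# the listing: PUSH EAX; CALL 0045A720; MOV [EBP-60],EAX.
IMAGE_BASE = 0x00497780
CLEAN_BYTES = bytes.fromhex("50" "E89A2FFCFF" "8945A0")
# The same slice as dumped with a software breakpoint still set on the CALL:
# the debugger's INT3 (0xCC) sits where the E8 opcode should be.
DUMPED_BYTES = bytes.fromhex("50" "CC9A2FFCFF" "8945A0")

INT3 = 0xCC


def find_breakpoint_residue(dump, breakpoints, base=IMAGE_BASE):
    """Return the breakpoint addresses whose byte in `dump` is still 0xCC.

    `breakpoints` is the list (or dict keyed by address) of software breakpoints
    that were set in the debugger when the dump was taken.
    """
    residue = []
    for addr in breakpoints:
        off = addr - base
        if 0 <= off < len(dump) and dump[off] == INT3:
            residue.append(addr)
    return residue


def restore_breakpoint_bytes(dump, breakpoints, base=IMAGE_BASE):
    """Put the original opcode bytes back: `breakpoints` maps address -> byte
    saved when the breakpoint was set (here 0xE8 at 00497781)."""
    patched = bytearray(dump)
    for addr, orig in breakpoints.items():
        off = addr - base
        if 0 <= off < len(patched) and patched[off] == INT3:
            patched[off] = orig
    return bytes(patched)


def call_rel32_target(code, off, base=IMAGE_BASE):
    """Decode an E8 rel32 near call at `off` and return its absolute target,
    or None if the byte at `off` is not an E8 opcode (e.g. a leftover INT3)."""
    if code[off] != 0xE8:
        return None
    rel = struct.unpack_from("<i", code, off + 1)[0]  # signed, little-endian
    return (base + off + 5 + rel) & 0xFFFFFFFF  # target = next EIP + rel32


if __name__ == "__main__":
    bps = {0x00497781: 0xE8}
    print([hex(a) for a in find_breakpoint_residue(DUMPED_BYTES, bps)])
    fixed = restore_breakpoint_bytes(DUMPED_BYTES, bps)
    print(hex(call_rel32_target(fixed, 1)))  # 0x45a720, matching the listing
```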

klier
March 3rd, 2004, 19:35
mission accomplished.

hobferret:
"The thing most likely to cause INT3s in the dump is that you have "dumped" it with breakpoints still active."
I had indeed a breakpoint at that call.

Nice getting to know you all.

By the way JMI, you reversed it wrong.
On 'the commercial album' there's only one stanza.

Regards,

JMI
March 3rd, 2004, 19:43
By the way klier:

The commercial album "reversed it wrong".

Check out:

http://blather.newdream.net/l/less.html

Regards,

klier
March 3rd, 2004, 19:56
JMI

You used Google.

See you

JMI
March 3rd, 2004, 21:04
Why would you assume that just because I have an interest in music, I would know every lyric ever written without use of a reference? Consider how much of "today's" music you will remember 30 or more years from today. I'm not the least bit embarrassed to say I've never heard of "The Residents" or heard these lyrics performed, let alone on "The Residents Commercial Album."

It's not like this group made a big splash in America and certainly not among my demographic group.

Regards,

klier
March 4th, 2004, 05:37
JMI

apologies accepted

Regards