FEUERRADER
March 22nd, 2004, 00:03
ASPR Dumper v0.1 Readme
====================
Description
-----------
This tool was written as an auxiliary utility for unpacking ASProtect v1.23.
Designed for use with AsprDbgr v 1.06 or above.
Features
--------
- Dump active process (Asprotected target)
- Rebuild import table restored by AsprDbgr (uses ImpRec.dll)
- Dump polymorphic piece of code with OEP stolen bytes and save it to new section (idea is from AsprStripper, thx Syd)
Usage
-----
Run AsprDbgr and open your target. When asked about import, choose Yes if you want to rebuild import through ASPR Dumper; this will allow AsprDbgr to restore it. In case of unresolved entries, better use ImpRec for this job. Questions about DIP-Table you must solve by yourself.
Stop trace at the "Call + OEP-jump-setup at:" string. Just run ASPR Dumper and choose the target process from the list. At this point you can:
1) Dump victim - dump active process. Aspr sections are NOT truncated.
2) Add import - if AsprDbgr resolved the import table, you can fix the dump. Enter IAT Start from AsprDbgr and press "Add Import". The name of the fixed dump will be FileName_.exe
3) Get stolen bytes - restores polymorphic code. Enter the Call + OEP-jump-setup value from AsprDbgr. Press "Get stolen bytes". Choose the dump filename (it can be the one with restored IAT). ASPR Dumper will paste the stolen block into a new section .pseudo and correct the Entrypoint.
That's all.
..........
It's my new tool, designed for use with AsprDbgr. It can help u get mutated stolen bytes.
Today or tomorrow it will be available for download from the exetools.com forum ("Software Releases").
What do u think about this tool? What do u think, Manko?
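
Added example, not part of the post or of ASPR Dumper: a small check an analyst can run on a dump to see which section holds the PE entry point, for instance to confirm it was moved into an appended section such as .pseudo as step 3 describes. The function names and the two header-only sample images are constructed for illustration.

```python
import struct

def entry_section(pe: bytes):
    """Return (section_name, is_last_section) for AddressOfEntryPoint."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    nt, = struct.unpack_from("<I", pe, 0x3C)             # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", pe, nt + 6)         # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, nt + 20)    # SizeOfOptionalHeader
    entry, = struct.unpack_from("<I", pe, nt + 24 + 16)  # AddressOfEntryPoint
    table = nt + 24 + opt_size                           # first section header
    for i in range(nsec):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize = struct.unpack_from("<III", pe, off + 8)
        if vaddr <= entry < vaddr + max(vsize, rsize):
            return name, i == nsec - 1
    return None, False    # entry point outside every section

def build_headers(entry_rva, sections):
    """Constructed PE32 headers only (no code or data), for this demo."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections),
                                   0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva)
    body = dos + coff + opt.ljust(0xE0, b"\0")
    for name, vaddr, vsize in sections:
        body += struct.pack("<8sIIII", name.encode(), vsize, vaddr, vsize, 0)
        body += b"\0" * 16    # relocation/line-number fields, characteristics
    return body

# Constructed layouts: an ordinary image, and one shaped like a fixed dump.
ORDINARY = build_headers(0x1234, [(".text", 0x1000, 0x5000),
                                  (".data", 0x6000, 0x1000)])
FIXED_DUMP = build_headers(0x7000, [(".text", 0x1000, 0x5000),
                                    (".data", 0x6000, 0x1000),
                                    (".pseudo", 0x7000, 0x1000)])

if __name__ == "__main__":
    for label, image in (("ordinary", ORDINARY), ("fixed dump", FIXED_DUMP)):
        print(label, entry_section(image))
```

An entry point that resolves to the last section, or to no section at all, is also a common triage signal for packed or rebuilt executables.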