ASPR Dumper is an addition for ASPRDbgr!


FEUERRADER
March 22nd, 2004, 00:03
ASPR Dumper v0.1 Readme
====================

Description
-----------
This tool was written as an auxiliary utility for unpacking ASProtect v1.23.
Designed for use with AsprDbgr v1.06 or above.

Features
--------
- Dump the active process (ASProtected target)
- Rebuild the import table restored by AsprDbgr (uses ImpRec.dll)
- Dump the polymorphic piece of code with the OEP stolen bytes and save it to a new section (idea is from AsprStripper, thx Syd)

Usage
-----
Run AsprDbgr and open your target. On the question about import, choose Yes if you want to rebuild the import through ASPR Dumper; this will allow AsprDbgr to restore it. In case of unresolved
entries, better use ImpRec for this job. Questions about the DIP table you must solve by yourself.
Stop the trace at the "Call + OEP-jump-setup at:" string. Then run ASPR Dumper and choose the target process from the list. At this moment you can:

1) Dump victim - dumps the active process. ASPR sections are NOT truncated.

2) Add import - if AsprDbgr resolved the import table, you can fix the dump. Enter the IAT Start from AsprDbgr and press "Add Import". The name of the fixed dump will be FileName_.exe

3) Get stolen bytes - restores the polymorphic code. Enter the Call + OEP-jump-setup value from AsprDbgr. Press "Get stolen bytes". Choose the dump filename (it can be the one with the restored IAT). ASPR Dumper will paste the stolen block into a new section .pseudo and correct the Entrypoint.
That's all.
..........
It's my new tool, designed for use with AsprDbgr. It can help you get the mutated stolen bytes.

Today or tomorrow it will be available for download from the exetools.com forum ("Software Releases").

What do you think about this tool? What do you think, Manko?

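The "Get stolen bytes" step described in the readme above (stolen OEP prologue pasted into a new section named .pseudo, entry point redirected there), as an added Python example that is not ASPR Dumper's code or anything posted in this thread. It operates on a constructed minimal PE32 image standing in for a dump rather than on a real ASProtected target, assumes ASProtect removed the first 6 bytes at the OEP (a typical push ebp / mov ebp,esp / sub esp,10h prologue), and appends its own jmp rel32 back to the first instruction left in place; whether ASPR Dumper's dumped polymorphic block already ends in such a jump is not stated in the readme, so that jump is this example's assumption. All function names and the sample bytes are the example's own.

```python
import struct

FILE_ALIGN = 0x200
SECT_ALIGN = 0x1000
SCN_CODE_EXEC_READ = 0x60000020   # IMAGE_SCN_CNT_CODE | MEM_EXECUTE | MEM_READ
SECT_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes

def align_up(v, a):
    return (v + a - 1) // a * a

def _headers(pe):
    """File offsets of the COFF header, optional header and section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if bytes(pe[e_lfanew:e_lfanew + 4]) != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    return coff, coff + 20, coff + 20 + opt_size

def num_sections(pe):
    coff, _, _ = _headers(pe)
    return struct.unpack_from("<H", pe, coff + 2)[0]

def get_entrypoint(pe):
    _, opt, _ = _headers(pe)
    return struct.unpack_from("<I", pe, opt + 16)[0]   # AddressOfEntryPoint

def next_section_slot(pe):
    """(rva, raw_ptr) a new section gets: past the highest existing section, aligned."""
    _, opt, tbl = _headers(pe)
    sect_align, file_align = struct.unpack_from("<II", pe, opt + 32)
    rva_end = raw_end = 0
    for i in range(num_sections(pe)):
        _, vsize, va, rawsz, rawptr, *_ = struct.unpack_from(SECT_FMT, pe, tbl + 40 * i)
        rva_end = max(rva_end, align_up(va + max(vsize, rawsz), sect_align))
        raw_end = max(raw_end, rawptr + rawsz)
    return rva_end, align_up(max(raw_end, len(pe)), file_align)

def add_section(pe, name, data, chars=SCN_CODE_EXEC_READ):
    """Append a section holding `data`; returns (new_image, section_rva)."""
    pe = bytearray(pe)
    coff, opt, tbl = _headers(pe)
    nsec = num_sections(pe)
    sect_align, file_align = struct.unpack_from("<II", pe, opt + 32)
    hdr = tbl + 40 * nsec
    if hdr + 40 > struct.unpack_from("<I", pe, opt + 60)[0]:     # must fit in SizeOfHeaders
        raise ValueError("no free section header slot")
    rva, raw_ptr = next_section_slot(pe)
    raw_size = align_up(len(data), file_align)
    struct.pack_into(SECT_FMT, pe, hdr, name.ljust(8, b"\0")[:8], len(data), rva,
                     raw_size, raw_ptr, 0, 0, 0, 0, chars)
    struct.pack_into("<H", pe, coff + 2, nsec + 1)
    struct.pack_into("<I", pe, opt + 56, rva + align_up(len(data), sect_align))  # SizeOfImage
    return bytes(pe.ljust(raw_ptr, b"\0") + data.ljust(raw_size, b"\0")), rva

def section_bytes(pe, name):
    """Contents (VirtualSize long) of the named section, or None."""
    _, _, tbl = _headers(pe)
    for i in range(num_sections(pe)):
        n, vsize, _, _, rawptr, *_ = struct.unpack_from(SECT_FMT, pe, tbl + 40 * i)
        if n.rstrip(b"\0") == name:
            return bytes(pe[rawptr:rawptr + vsize])
    return None

def restore_stolen_bytes(pe, stolen, oep_rva, name=b".pseudo"):
    """Put the stolen OEP prologue in a new section and point the entry point at it.
    Assumption: the block does not already jump back, so a jmp rel32 to
    oep_rva + len(stolen), the first instruction left in place, is appended."""
    rva, _ = next_section_slot(pe)
    jmp_end = rva + len(stolen) + 5                   # rel32 is relative to the jmp's end
    rel = (oep_rva + len(stolen) - jmp_end) & 0xFFFFFFFF
    pe, got = add_section(pe, name, stolen + b"\xE9" + struct.pack("<I", rel))
    assert got == rva
    pe = bytearray(pe)
    struct.pack_into("<I", pe, _headers(pe)[1] + 16, rva)   # AddressOfEntryPoint -> .pseudo
    return bytes(pe)

def build_min_pe(text, entry_rva=0x1000):
    """Constructed stand-in for a dump: minimal PE32 with one .text section at RVA 0x1000."""
    size_headers = align_up(0x40 + 4 + 20 + 0xE0 + 40 * 4, FILE_ALIGN)   # room for 4 sections
    raw = align_up(len(text), FILE_ALIGN)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, 0x400000)                             # ImageBase
    struct.pack_into("<II", opt, 32, SECT_ALIGN, FILE_ALIGN)
    struct.pack_into("<HH", opt, 48, 4, 0)                                # subsystem version
    struct.pack_into("<II", opt, 56, 0x1000 + align_up(raw, SECT_ALIGN), size_headers)
    struct.pack_into("<H", opt, 68, 2)                                    # Windows GUI
    struct.pack_into("<I", opt, 92, 16)                                   # NumberOfRvaAndSizes
    sect = struct.pack(SECT_FMT, b".text", len(text), 0x1000, raw, size_headers,
                       0, 0, 0, 0, SCN_CODE_EXEC_READ)
    hdrs = (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(size_headers, b"\0")
    return hdrs + text.ljust(raw, b"\0")

if __name__ == "__main__":
    # constructed sample: the dump lost its OEP prologue  push ebp / mov ebp,esp / sub esp,10h
    STOLEN = bytes.fromhex("558BEC83EC10")
    fixed = restore_stolen_bytes(build_min_pe(b"\x90" * 0x40), STOLEN, oep_rva=0x1000)
    print(hex(get_entrypoint(fixed)), section_bytes(fixed, b".pseudo").hex())
```

The new section is placed past the highest existing section in both RVA and file space and SizeOfImage is grown accordingly, which matters for a dump where ASPR sections were not truncated: the .pseudo section must not overlap them. The header-slot check is the one real-world failure mode: a target whose section table already fills SizeOfHeaders has no room for another 40-byte header, and the function refuses rather than overwriting the first section's data.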
cRk
March 22nd, 2004, 04:47
What about making an all-in-one tool? I think you and Manko can work together... let's wait for Manko's opinion. Btw, if this is going to do the same work as Aspr. stripper and works only under Win2k/XP, I don't see anything special in your "new ideas"; so far as I know, Aspr. stripper gives the stolen bytes very well in the last section.

Regards

Manko
March 22nd, 2004, 15:53
Hi!

I'd gladly give out my sources to almost anyone, though they are in a terrible state...
Yes, cRk, AsprDbgr is W2k/XP only, so basing an unpacker on it might not do much good for you W9x guys... :P (And Syd's stripper does what most need anyway.)
I'm just too lazy to code for W9x, since I never use it.

/Manko


FEUERRADER
March 24th, 2004, 06:58
To Manko:
I have some questions for you:
1) What is the latest version of AsprDbgr? 1.06?
2) Where can I download the sources of the latest AsprDbgr version? Maybe you can send them to me - feuerrader(at)ahteam(dot)org.
3) What do you think about my ASPR Dumper?

Manko
March 28th, 2004, 18:09
Hi!


Yeah, I'm really lazy, so 1.06 is the latest. I ought to work on a few targets where the IAT still gets trashed... but...
I'll mail you the source, though it's awful... hrm...
I think your dumper is great!

/Manko