
another aspr question


Sturm
September 6th, 2004, 10:41
The version is ASProtect 1.23 RC4 - 1.3.08.24 -> Alexey Solodovnikov.
I've used the search engine many times to find info on different things here (which is why this is one of my first posts); however, there is a small problem I can't overcome with this program, and it happened to me before on another program, so I'm wondering if someone could help me...

Following Labba and R@ider's tut, I get lost after doing the trace eip<900000 (or the other technique used by R@ider).
In both their examples, they end up on a JMP that goes right back into the ASProtect code; mine, however, ends up on a RET that doesn't go back to the protection code (which seems to be in the 00C000 range) but instead goes on to what seems to be the normal program code (in the 400000 range).
It might be the OEP, but I doubt it'd be that easy.

Has anyone encountered a similar problem? If so, how did you bypass it?
My main interest is to learn how to unpack ASPr correctly, not really to unpack this specific target. However, it's really annoying me that I can't even find the OEP :|
Thanks

SvensK
September 7th, 2004, 03:06
PM me a link for the target.

Sturm
September 11th, 2004, 14:43
Haven't had any luck?

i_registered
October 1st, 2004, 18:39
I've got the same problem; the code starts with:

00401000 68 01506600 PUSH xxxx.00665001
00401005 E8 01000000 CALL xxxx.0040100B
0040100A C3 RETN
0040100B C3 RETN

After skipping all warnings and a trace over, I end up at:

00C663A3 50 PUSH EAX ; xxxx.<ModuleEntryPoint>
00C663A4 C3 RETN

The entry point is then set to where we originally started; it now looks like:

00401000 EB 10 JMP SHORT xxxx.00401012

I've created a loader (using dUP) that works, but wanted to do an inline patch (which I can't get to work).
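The stub quoted in the post above (PUSH imm32 / CALL next / RETN / RETN) and the later PUSH EAX / RETN are both "push an address, then RETN into it" transfers, so the destination can be worked out without single-stepping in the debugger. The script below is an added example, not code from the thread or from ASProtect: it decodes only the handful of opcodes that appear in the listings (68, 50, E8, C3, EB, E9), emulates the stack, and reports where control leaves the mapped bytes. The byte values are copied from the post; the value of EAX at 00C663A3 is an assumption, taken from the listing's own `<ModuleEntryPoint>` annotation, and the second region assumes the patched `EB 10` bytes the post describes.

```python
"""Added example (not from the thread): resolve where a push/call/ret
stub transfers control, using the bytes quoted in the post above."""
import struct

# Bytes copied from the listing in the post (00401000 .. 0040100B).
ORIGINAL_STUB = bytes.fromhex("68 01 50 66 00 E8 01 00 00 00 C3 C3")
# "PUSH EAX / RETN" at 00C663A3, as listed in the post.
PUSH_EAX_RET = bytes.fromhex("50 C3")
# "JMP SHORT 00401012" that the post says now sits at 00401000.
PATCHED_ENTRY = bytes.fromhex("EB 10")

# Assumption: EAX holds the module entry point (00401000) when the
# PUSH EAX / RETN at 00C663A3 runs, as the listing's annotation suggests.
ASSUMED_EAX = 0x401000


def decode(code, addr):
    """Decode one instruction from a tiny x86 subset.

    Returns (mnemonic, operand, length). Branch targets are resolved to
    absolute 32-bit addresses relative to the *next* instruction.
    """
    op = code[0]
    if op == 0x68:                                   # PUSH imm32
        return "push_imm", struct.unpack_from("<I", code, 1)[0], 5
    if op == 0x50:                                   # PUSH EAX
        return "push_eax", None, 1
    if op == 0xE8:                                   # CALL rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "call", (addr + 5 + rel) & 0xFFFFFFFF, 5
    if op == 0xC3:                                   # RETN
        return "ret", None, 1
    if op == 0xEB:                                   # JMP SHORT rel8
        rel = struct.unpack_from("<b", code, 1)[0]
        return "jmp", (addr + 2 + rel) & 0xFFFFFFFF, 2
    if op == 0xE9:                                   # JMP rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp", (addr + 5 + rel) & 0xFFFFFFFF, 5
    raise ValueError(f"unsupported opcode {op:#04x} at {addr:#010x}")


def fetch(regions, eip):
    """Return the bytes at eip from {base: bytes} regions, or None if unmapped."""
    for base, data in regions.items():
        if base <= eip < base + len(data):
            return data[eip - base:]
    return None


def trace(regions, eip, eax=0, max_steps=64):
    """Emulate push/call/ret/jmp until eip leaves the mapped regions.

    Returns (exit_eip, log); log is a list of (addr, mnemonic, operand).
    Leaving the mapped bytes is exactly the "RET goes somewhere else" event
    the thread is about, so that address is what we report.
    """
    stack, log = [], []
    for _ in range(max_steps):
        code = fetch(regions, eip)
        if code is None:
            return eip, log
        mnem, operand, size = decode(code, eip)
        log.append((eip, mnem, operand))
        if mnem == "push_imm":
            stack.append(operand)
            eip += size
        elif mnem == "push_eax":
            stack.append(eax)
            eip += size
        elif mnem == "call":
            stack.append(eip + size)      # return address
            eip = operand
        elif mnem == "ret":
            if not stack:
                raise RuntimeError(f"RETN with empty stack at {eip:#010x}")
            eip = stack.pop()
        elif mnem == "jmp":
            eip = operand
    raise RuntimeError("control never left the mapped bytes")


def resolve_entry_stub():
    """Where the PUSH/CALL/RETN/RETN stub at 00401000 hands control."""
    return trace({0x401000: ORIGINAL_STUB}, 0x401000)[0]


def resolve_oep_jump():
    """Where PUSH EAX / RETN at 00C663A3 ends up once 00401000 holds EB 10."""
    regions = {0xC663A3: PUSH_EAX_RET, 0x401000: PATCHED_ENTRY}
    return trace(regions, 0xC663A3, eax=ASSUMED_EAX)[0]


if __name__ == "__main__":
    for name, fn in (("entry stub", resolve_entry_stub), ("push eax/retn", resolve_oep_jump)):
        print(f"{name}: control leaves mapped code at {fn():#010x}")
```

With the bytes from the post, the stub at 00401000 resolves to 00665001 (the pushed address, i.e. back into the protector), and the PUSH EAX / RETN followed by the patched short jump resolves to 00401012; both match what the post describes, which is the check you would do before deciding that the RET you land on is the real transfer to the OEP rather than an intermediate hop.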

hobferret
October 11th, 2004, 15:33
You are in the right place; only the real EP is further down.

Keep tracing and you will find it.

No more clues; there are plenty of posts on this version of ASPR, so if you can't find the EP, get searching and you will get the info you need.

/hobferret

JMI
October 11th, 2004, 18:31
hobferret:

Always reply without quoting unless it is really needed because of intervening posts or to highlight a particular part of the post. It saves room on the server and in the archive.

Regards,