
Question about aspack


Eskimobob
January 26th, 2005, 02:01
Hello all,

Greetz to all you masters out there of unpacking as this is an art in my opinion.

As a general forum spider, I've already done research on this topic many times and have found that there are many articles out there. It's just that they fall a little short of explaining one thing that I can't seem to understand or grasp.

It may be though I'm doing something that hasn't been done or rather that is just a little different.

I'm trying to unpack a file that has been compressed with aspack 2.12 (as told to me by PEiD/PE_Tools) and it's not quite working. This file is like a dll.

The steps that I have taken so far are, generally speaking:

I've run the file, using both my own dll loading program and another program. Set it to break on access violations. Then when it does, I check the memory, find the code area, and place a breakpoint. After I do that I do a dump and I get this massively large version of the same dll, I assume. I can then repair the PE using LordPE but it returns the DLL to *about* the original thing. Of course the DLL knows that something has changed and fails when it is run. I assume something changed and the CRCs are different.

Back to a little before that, I am using Olly and have dumped successfully using OllyDump. I also have loaded the DLL using Olly's internal loader and have come to the same problem.

The part I don't understand is the part about getting the start address and the part about repairing the dump. I assume it needs to be repaired, although all the tutorials I have found have conflicting advice.

I've done a lot of research so please don't kill me for asking such an age old question. I'm a little confused and after many many many hours I have resorted to asking the masters here.

I have read many posts about this including:
hxxp://www.woodmann.net/forum/showthread.php?t=2707
hxxp://www.exetools.com/forum/showthread.php?t=4550

In both cases I must be too much of a noob to really follow or I may be dealing with something a bit different. Either way I can't seem to unpack this for the life of me. Would anyone mind helping?

[Edit - 2]

Quote:
The packed entry point is the instruction PUSHAD.
I then put a read breakpoint on the word pointed to by [ESP] and then run..
After the breakpoint, you step over about 5 lines and boom, you are at the entry. (Thanks for the Tutorial on this)


I did this, over and over again actually. After going and setting the breakpoint I hit a memory access error. [000...0] As shown below. Within 1 step from that I'm out of that module and in another. I return somewhere else. Doing this process over again leads me to more mem errors and nothing that looks like it's the OEP.

Using Lord_PE the OEP is: say 1084673 value. I notice that the start of the file, is indeed 1000000, so the Entry point was set at 84673, with the image base set at 10000000. The problem is after I hit: Rebuild PE, the file I rebuilt still has the protection on it.

Eskimobob
January 26th, 2005, 02:07
Ah I forgot to mention:
The logfile I have is:

File 'PATH TO: A.ax'
New process with ID 000003B8 created
00410070 Main thread with ID 000009AC created
00400000 Module Z:\Crack\odbg110\LOADDLL.EXE
77D40000 Module C:\WINDOWS\system32\USER32.DLL
77DD0000 Module C:\WINDOWS\system32\ADVAPI32.dll
77E60000 Module C:\WINDOWS\system32\kernel32.dll
77F50000 Module C:\WINDOWS\System32\ntdll.dll
78000000 Module C:\WINDOWS\system32\RPCRT4.dll
7E090000 Module C:\WINDOWS\system32\GDI32.dll
10000000 Module 'PATH TO: A.ax'
77120000 Module C:\WINDOWS\system32\oleaut32.dll
77C10000 Module C:\WINDOWS\system32\MSVCRT.DLL
771B0000 Module C:\WINDOWS\system32\OLE32.DLL
77C00000 Module C:\WINDOWS\system32\version.dll
71AD0000 Module C:\WINDOWS\System32\wsock32.dll
71AB0000 Module C:\WINDOWS\System32\WS2_32.dll
003AA8ED Access violation when writing to [00000000]
IsDebugPresent hidden
00400000 Unload Z:\Lost\odbg110\LOADDLL.EXE
10000000 Unload 'PATH TO: A.ax'
71AB0000 Unload C:\WINDOWS\System32\WS2_32.dll
71AD0000 Unload C:\WINDOWS\System32\wsock32.dll
77120000 Unload C:\WINDOWS\system32\oleaut32.dll
771B0000 Unload C:\WINDOWS\system32\OLE32.DLL
77C00000 Unload C:\WINDOWS\system32\version.dll
77C10000 Unload C:\WINDOWS\system32\MSVCRT.DLL
77D40000 Unload C:\WINDOWS\system32\USER32.DLL
77DD0000 Unload C:\WINDOWS\system32\ADVAPI32.dll
77E60000 Unload C:\WINDOWS\system32\kernel32.dll
77F50000 Unload C:\WINDOWS\System32\ntdll.dll
78000000 Unload C:\WINDOWS\system32\RPCRT4.dll
7E090000 Unload C:\WINDOWS\system32\GDI32.dll
Process terminated


Also when I use a program that uses this file generally when I execute the program I go through 9-10:
XXXXXXXX Access violation when writing to [00000000]
(shift - f9)
and then finally the program executes with no problems.

hobferret
January 26th, 2005, 06:38
Hi

You will always get a bigger file than the packed exe

The OEP should be around 3 to 5 instructions after you break on the word address. Dump it there, don't rebuild imports and don't forget you still have to fix the IAT

/hobferret

Eskimobob
January 26th, 2005, 16:52
hobferret,

If you don't mind allow me to run through the process that I have done. When I load the program in Olly, I'm presented with this code:

10186001 <ModuleEntryPoint> 60 PUSHAD
10186002 E8 03000000 CALL SOURCE.1018600A
10186007 -E9 EB045D45 JMP 557564F7

The PUSHAD is indicated as the program's entry. The # 10186001 is also the # in Lord_PE. I then take a look at the ESP register and that has: 0006F8E8. I then hit Follow in dump, choose the first two hex pairs and hit Breakpoint --> Hardware, On Access --> Word. Finally I hit Shift-F9.

After a few moments, the program stops moving. The memory address at the top of the screen is:
10001000 53 DB 53; CHAR 'S'

If I remove analysis:
10001000 53 PUSH EBX

The problem is that at the bottom it states: "Initialization of Debugged Dll Finished. " <---- Is that a problem?

Now, following what you said:
If I hit F8 only once, I'm taken straight back into the LOADDLL module, which isn't what I want. If I continue hitting F8, after 20 or so times it crashes.


Did I pass the OEP? Where was the OEP?



****************
I'd also like to say that this package is a little different in that there is no .aspack; there's a .apack. I assume that this = .aspack.

Woodmann
January 26th, 2005, 19:46
Howdy,

apack is not the same as aspack.

Woodmann

Eskimobob
January 26th, 2005, 22:22
Woodmann,
Thanks for your post.

[Edit]

Actually I was a moron and typed apack instead of .adata.
I'm still not able to locate the OEP as I think there's some sort of fake one placed in here. Any other ideas?

Eskimobob.

evaluator
January 27th, 2005, 04:42
at ASPACK2.12_section + 39Ah you will see the instruction:
MOV EAX, Some_Value
that is the OEP, which you need to set in LordPE;

at ASPACK2.12_section + 1C2h you will see the instruction:
OR EBX, EBX
at this address you must dump the target;

at ASPACK2.12_section + 278h you will see the instruction:
MOV ESI, Some_Value
that is the IT_address you need to set in LordPE;

RELOCS are at ASPACK2.12_section + 54Bh

What now? Did it help you? Did you learn something??
Instead, trace in the debugger..
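
An added example, not code from any of the posts above and not from LordPE, OllyDbg or any unpacker: plain Python that does by hand the two header-level steps this thread keeps tripping over. It expresses the entry point as "section + offset" (evaluator's `ASPACK2.12_section + 39Ah` notation, also what LordPE's section view shows), checks the bytes there against the PUSHAD/CALL/JMP stub quoted from the listing at 10186001, and then "repairs" a raw memory dump the way hobferret describes (dump, set the OEP, fix the section table, leave the IAT for a separate step). The PE32 image it works on is constructed in `build_sample_file()`; its section names, image base and stub bytes are taken from the thread's listings, but the addresses are made up to keep the sample small. `fix_dump` is my own rewrite of the section table (raw offset/size := virtual address/size, plus a new AddressOfEntryPoint), not LordPE's rebuild routine, and the hardware breakpoint on [ESP] itself needs a live debugger and is not reproduced here.

```python
# Added example for this thread (not code from the posts, LordPE, OllyDbg or any
# unpacker): walk a PE32 header, name the entry point as "section + offset",
# check for the stub bytes quoted in the thread, and repair a raw memory dump.
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")      # IMAGE_SECTION_HEADER, 40 bytes
# PUSHAD; CALL over the next instruction; JMP ... as listed at 10186001 in the
# thread: 60 E8 03 00 00 00 E9.  A heuristic from those lines, not a vendor signature.
STUB_PREFIX = bytes.fromhex("60E803000000E9")

def parse_pe32(img):
    """Return (image_base, entry_rva, sections) for a PE32 file image or memory dump."""
    pe = struct.unpack_from("<I", img, 0x3C)[0]                 # e_lfanew
    if bytes(img[pe:pe + 4]) != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", img, pe + 6)[0]
    opt_size = struct.unpack_from("<H", img, pe + 20)[0]
    opt = pe + 24                                               # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", img, opt)[0] != 0x10B:
        raise ValueError("PE32 only (32-bit, like the thread's .ax DLL)")
    entry_rva = struct.unpack_from("<I", img, opt + 16)[0]      # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", img, opt + 28)[0]     # ImageBase
    sections, off = [], opt + opt_size
    for _ in range(nsec):
        name, vsize, va, raw_size, raw_ptr = SECTION_HDR.unpack_from(img, off)[:5]
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_ptr": raw_ptr, "raw_size": raw_size, "hdr": off})
        off += SECTION_HDR.size
    return image_base, entry_rva, sections

def section_of(sections, rva):
    """Section whose virtual range contains rva, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s
    return None

def rva_to_offset(sections, rva):
    """Offset in the file/dump backing rva; None if it is only virtual (uninitialised) space."""
    s = section_of(sections, rva)
    if s is None or rva - s["va"] >= s["raw_size"]:
        return None
    return s["raw_ptr"] + (rva - s["va"])

def describe_entry(img):
    """(section name, offset into it, VA, stub-bytes-present) for the entry point."""
    base, ep, secs = parse_pe32(img)
    s = section_of(secs, ep)
    off = rva_to_offset(secs, ep)
    packed = off is not None and bytes(img[off:off + len(STUB_PREFIX)]) == STUB_PREFIX
    return (s["name"] if s else None, ep - s["va"] if s else None, base + ep, packed)

def section_plus(img, section_name, delta):
    """VA of <section> + delta, i.e. evaluator's 'ASPACK2.12_section + 39Ah' turned into an address."""
    base, _, secs = parse_pe32(img)
    return base + next(x for x in secs if x["name"] == section_name)["va"] + delta

def fix_dump(dump, oep_rva):
    """Repair a raw memory dump: it already has the in-memory layout, so each section's
    raw offset/size become its virtual address/size, and the entry point is moved to
    the real OEP.  The IAT is deliberately not touched (a separate step, as hobferret says)."""
    out = bytearray(dump)
    pe = struct.unpack_from("<I", out, 0x3C)[0]
    for s in parse_pe32(out)[2]:
        struct.pack_into("<II", out, s["hdr"] + 16, s["vsize"], s["va"])  # SizeOfRawData, PointerToRawData
    struct.pack_into("<I", out, pe + 24 + 16, oep_rva)                   # AddressOfEntryPoint
    return bytes(out)

def build_sample_file():
    """Constructed on-disk PE32 DLL (hypothetical): image base 10000000h as in the thread,
    entry point one byte into the packer section (mirrors 10186001 = .data + 1)."""
    secs = [(b".text", 0x1000, 0x400), (b".data", 0x2000, 0x600), (b".adata", 0x3000, 0x800)]
    img = bytearray(0xA00)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                                 # e_lfanew
    pe, opt = 0x80, 0x80 + 24
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, len(secs), 0, 0, 0, 0xE0, 0x2102)
    struct.pack_into("<H", img, opt, 0x10B)                                 # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x2001)                           # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, 0x10000000)                       # ImageBase
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)                   # section/file alignment
    for i, (name, va, raw_ptr) in enumerate(secs):                          # vsize 1000h, raw 200h each
        SECTION_HDR.pack_into(img, opt + 0xE0 + 40 * i, name, 0x1000, va, 0x200, raw_ptr,
                              0, 0, 0, 0, 0xE0000020)
    img[0x601:0x60C] = bytes.fromhex("60E803000000E9EB045D45")  # bytes from the thread's listing
    img[0x400] = 0x53                                           # PUSH EBX, the 10001000 byte
    return bytes(img)

def build_sample_dump(file_img):
    """Lay the file out as the loader would: what an OllyDump/LordPE dump contains,
    with section headers that still describe the on-disk layout."""
    _, _, secs = parse_pe32(file_img)
    dump = bytearray(0x4000)
    dump[:0x400] = file_img[:0x400]
    for s in secs:
        dump[s["va"]:s["va"] + s["raw_size"]] = file_img[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
    return bytes(dump)
```

On the sample file `describe_entry` reports the entry as `.data + 1` at VA 10002001h with the stub bytes present, and `section_plus(img, ".data", 0x39A)` gives the VA you would type into LordPE. Run on the unfixed dump, the same function looks in the wrong place, because the headers still point at on-disk offsets; after `fix_dump` the raw pointers equal the virtual addresses, the entry is the chosen OEP, and the stub bytes are found again at `.data + 1`. That is the whole point of "repairing" a dump: the bytes are right, the section table is not.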

Eskimobob
January 27th, 2005, 05:59
Evaluator,

Thanks for the reply. My goal with this is to learn, rather than rely on quick fixes and the knowledge of people who know everything. I.e. you :-) I thank you wholeheartedly -- but have to ask another question.

Below is a *modified* memory dump of my running program.

10000000 00001000 Source PE header Imag R RWE
10001000 000D1000 Source code Imag R RWE
100D2000 00001000 Source code Imag R RWE
100D3000 00071000 Source data,exports Imag R RWE
10144000 00018000 Source Imag R RWE
1015C000 0000F000 Source .rsrc resources Imag R RWE
1016B000 0001B000 Source Imag R RWE
10186000 0001D000 Source .data SFX,imports, Imag R RWE
101A3000 00001000 Source .adata Imag R RWE

Following the many tutorials, one section should be named: .aspack, that as shown above is not present. According to what you said, should I be going with the .data section or the .adata section.

The .adata is completely empty and after checking what you said, I can not find any MOV commands at (Section)+39A (I've tried them all.)

Furthermore, tracing in the debugger leads me to no real definition of raw code. The only time I get to a portion of memory that I think has unpacked code is at 1001000. This value isn't recognised as the OEP.

So I'm a bit lost...

evaluator
January 27th, 2005, 14:58
I did NOT say "Look in .adata". OK!?
So guess & look in the section where EIP is..

hobferret
January 27th, 2005, 15:36
Sorry late getting back to you

But agree with what our musical friend has said

Nothing more to add

/hobferret

Eskimobob
January 27th, 2005, 17:33
Gentleman,

My apologies for this complete mess.
Stud_PE was reporting to me that it was aspack. This isn't the case.

It's
ASProtect 2.0x Registered -> Alexey Solodovnikov

Now, does anyone know of the *existence* of any good tutorials on this?

I'm looking now myself but I just wanted to know if there was any favorites.

hobferret
January 28th, 2005, 06:20
Who's a stupid boy eh

Search for tutes by R@ider or Ferrari, both have done good tutes on this program

Don't run before you can walk

/hobferret

Eskimobob
January 28th, 2005, 07:14
Hey now ,
I have 2 versions of PEiD installed, and one version of Stud_PE. One version of PEiD reports the same thing as Stud_PE, which was Aspack 2.12. I wouldn't quite blame this all on me...

On the other hand, I agree. I should learn how to walk before I go running. I just think I chose a hard test subject to start with. You can be ambitious can't you?

Thanks for the heads up, hobferret. I will look for them. I found one in Spanish by DeAtH HaS cOMe I believe. Unfortunately, my version of Asprotect does not quite fall under that category.

I thank you, evaluator, and Woodmann for the help though. Maybe I'll come back when I know a little more on the test subject.

evaluator
January 28th, 2005, 07:38
well, in fact we gave quite a lot of info about aspack unpacking
& the thread's title is not wrong.

as for asprotect, it seems you will not be able to unpack it with
the current state of your knowledge. Better start working with aspack
& learn it thoroughly.. then other packers.. then protectors..
if you are really interested in unpacking as a hobby..

in fact, why do you need to unpack some .AX file!?
to steal codec code!?
if u are totally freeware-illegal, then you are welcome
if u are shareware-illegal, then you are not welcome

btw, SIZE of EIP-section?

Eskimobob
January 29th, 2005, 01:17
Quote:
in fact, why do you need to unpack some .AX file!?
to steal codec code!?


No, I'd rather not steal code.
In the sense for reproduction rights.
It's about learning. How do things work, how does this do what it does.


Quote:
if u are totally freeware-illegal, then you are welcome
if u are shareware-illegal, then you are not welcome


I'm sorry but I do not understand a thing you're saying here.
What is "totally freeware-illegal"? Are you asking if I am unpacking something freeware?

hobferret
January 29th, 2005, 06:30
Eskimobob

The majority of us on this board reverse targets for educational purposes

I can't speak for the rest but in the majority of cases I just make notes then delete the program. I only keep them active while someone else is asking sensible questions about the program

Aspr 2 is similar to its forerunners except for the redirected calls

As for evaluator, well, we have always had problems with his English. I don't know if English is his mother language and he does it deliberately, or if he is foreign

If we go back to the early days of tutorials they always stated "If you like the program then buy it!

Anyways, good luck with your project

/hobferret

Eskimobob
January 29th, 2005, 06:53
I can assure anyone here, I work for no software company, nor am I working for any commercial gain...

This project isn't to see how to break into the software security, hell, it's not even to crack; it's more to see what they did, how to improve it and maybe make something that could function as a replacement, of course *never* for any financial gain.

I, as a programmer, wouldn't want to copy code, as having my own code stolen is terrible. Even some of my freeware programs that I've made which include source have had the code stolen, and there all I ask for is due credit.

The reason I come here is because the community allows for questions. In a field like this there are few places that you can go that will help you start. Being a programmer does help but there are some aspects that really are underexplained, partly due to the apparent explanation that one gets from experience. Learning how to unpack is / will be a bonus to me learning how things work.

What can I say... I'm curious.

Oh and BTW... the program I am working on... is fully licensed on my machine. I support them heavily (as in always buying upgrades... etc) because I think their work is great. I'll always support them too, it's just when I see something amazing... I wonder why I can't think it up and try to figure out what they did... Something like a magic trick.

ps.
thank you hobferret & evaluator for your kind words.

evaluator
January 29th, 2005, 10:09
all points for start learning we gave you. (reread them)

thread done. unsubscribing..