About ASProtect 1.2x - 1.3x [Registered]
cqzcj
June 18th, 2005, 11:23
Hi, All.
I have a program packed with "ASProtect 1.2x - 1.3x [Registered]" (as reported by PEiD 0.92). With ~Hellsp@wN~'s script I can find the OEP, but I can't recover the stolen bytes or fix the IAT. Can anyone help me?
arjuns
June 18th, 2005, 11:40
I am having the same problem.
Ricardo Narvaja
June 18th, 2005, 12:18
There are a lot of tutorials on stolen bytes; read them first and then ask about your problems.
Ricardo Narvaja
cqzcj
June 18th, 2005, 15:07
I read a lot, but it's no use for me. Usually the program goes to the OEP by a retn, so by analyzing the code before the retn we can get the stolen bytes back. But ~Hellsp@wN~'s script finds the OEP with an Alt+M breakpoint, so I can't get to the retn.
Without the Alt+M breakpoint, after 34 times Shift+F9 and then F8 and F7, I go into a closed loop, and Ctrl+F8 for 2 hours doesn't get out of it. If I press F4 below the loop, it runs away at once. So I have no idea...
Ricardo Narvaja
June 18th, 2005, 16:07
Well, this is not the only method for stolen bytes, and it is very unstable (little changes make this method not work).
If you read Spanish, there are on my web site 40 or more tutorials on ASProtect by different authors, me included, with different methods.
I use the method of comparing the stack and registers with the initial ones and seeing the difference, or directly make an inject: this inject copies the stored stack to the stack and the stored registers to the registers, and next runs the program. It is automatic and works more quickly.
Ricardo Narvaja
cqzcj
June 18th, 2005, 23:31
Sorry, I can't read Spanish. Are there any tutorials written in English about the method you mentioned? Many of your articles were translated into our language, but not the ones above.
The method of comparing stack and registers is called the ESP rule in my country; that means the stack and registers may be equal at the EP and at the OEP. This method needs more experience, and I'm not really good at it. About the inject, do you mean writing code in memory or using a tool to attach to the process?
Could you show me a sample?
I'll put the code here for you:
Here is the EP:
00401000 u>/$ 68 01606200 push unpackme.00626001
00401005 |. E8 01000000 call unpackme.0040100B
0040100A \. C3 retn
0040100B $ C3 retn
Registers here:
EAX 00000000
ECX 0012FFB0
EDX 7C92EB94 ntdll.KiFastSystemCallRet
EBX 7FFDF000
ESP 0012FFC4
EBP 0012FFF0
ESI FFFFFFFF
EDI 7C930738 ntdll.7C930738
EIP 00401000 unpackme.<ModuleEntryPoint>
Stack here:
0012FFC4 7C816D4F RETURN to kernel32.7C816D4F
0012FFC8 7C930738 ntdll.7C930738
0012FFCC FFFFFFFF
0012FFD0 7FFDF000
0012FFD4 8054C038
0012FFD8 0012FFC8
Here is the OEP, found with the script via Alt+M:
004B7555 |. /73 0E jnb short unpackme.004B7565 ; :::[OEP ]:::
004B7557 |. |F7D8 neg eax
004B7559 |. |03C4 add eax,esp
004B755B |. |83C0 04 add eax,4
004B755E |. |8500 test dword ptr ds:[eax],eax
004B7560 |. |94 xchg eax,esp
004B7561 |. |8B00 mov eax,dword ptr ds:[eax]
004B7563 |. |50 push eax
004B7564 |. |C3 retn
004B7565 |> \51 push ecx
004B7566 |. 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
004B756A |> 81E9 00100000 sub ecx,1000
004B7570 |. 2D 00100000 sub eax,1000
004B7575 |. 8501 test dword ptr ds:[ecx],eax
004B7577 |. 3D 00100000 cmp eax,1000
004B757C |.^ 73 EC jnb short unpackme.004B756A
004B757E |. 2BC8 sub ecx,eax
004B7580 |. 8BC4 mov eax,esp
004B7582 |. 8501 test dword ptr ds:[ecx],eax
004B7584 |. 8BE1 mov esp,ecx
004B7586 |. 8B08 mov ecx,dword ptr ds:[eax]
004B7588 |. 8B40 04 mov eax,dword ptr ds:[eax+4]
004B758B |. 50 push eax
004B758C \. C3 retn
004B758D CC int3
004B758E CC int3
004B758F CC int3
Registers here:
EAX 00000094
ECX 0041F6F2 unpackme.0041F6F2
EDX 00F60285
EBX 3D83D8BF
ESP 0012FF14
EBP 0012FF94
ESI 00D95B28
EDI 00000094
EIP 004B7555 unpackme.004B7555
Stack here:
0012FF14 00F61AF3
0012FF18 00626889 unpackme.00626889
0012FF1C 00D95B28
0012FF20 3D83D8BF
0012FF24 0012FFE0
0012FF28 0012FF60
Part of memory here; I think this is the real IAT:
00588000 77DCC41B advapi32.RegOpenKeyA
00588004 77DBA7B1 advapi32.CryptDecrypt
00588008 77DB8546 advapi32.CryptReleaseContext
0058800C 77DBA254 advapi32.CryptDestroyHash
00588010 77DBA685 advapi32.CryptDeriveKey
00588014 77DBA122 advapi32.CryptHashData
00588018 77DBA2F9 advapi32.CryptCreateHash
......
I believe you can get something from the above.
If you need the packed program, I'll be glad to mail it to you.
cqzcj
June 18th, 2005, 23:35
I forgot to tell you, it's written in Delphi 6.0-7.0.
Ricardo Narvaja
June 20th, 2005, 06:33
Take the original stopped at the OEP, make a binary copy of the stack region and binary paste it into a section of memory injected by you into the dumped file.
Next change the EP of the dumped file to a blank part where you write the inject.
The inject does this:
1) copy all the stored stack to the stack of the dumped file
2) put the registers at the same values as the original
3) jmp to the OEP
Ricardo Narvaja
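The three inject steps above, turned into bytes. This is an added example and not Ricardo's own inject or any tool's code: a small Python generator that emits a position-independent x86 stub from the OEP register and stack dump quoted earlier in the thread, plus a helper that points AddressOfEntryPoint of the dumped PE at wherever that stub was placed. Assumptions (mine, not the thread's): the stub is pasted into a writable "blank part" of the dump whose RVA the reverser already knows, the six stack dwords from the post stand in for a full stack snapshot, and the last step uses push OEP / retn instead of a plain jmp so that [ESP-4] ends up equal to the OEP, as cqzcj observed it always is after the protector's own retn. Note that the snapshot still contains pointers into the protector's 00F6xxxx region (for example the return address 00F61AF3 at the top of the stack), so restoring the environment does not by itself solve the missing-section problem raised later in the thread.

```python
import struct

# Register numbers for the B8+r encoding of "mov r32, imm32" (x86).
REG32 = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3,
         "esp": 4, "ebp": 5, "esi": 6, "edi": 7}


def mov_mem_imm32(addr: int, value: int) -> bytes:
    """C7 05 <disp32> <imm32>  ->  mov dword ptr [addr], value"""
    return b"\xC7\x05" + struct.pack("<II", addr, value)


def mov_reg_imm32(reg: str, value: int) -> bytes:
    """B8+r <imm32>  ->  mov reg, value"""
    return bytes([0xB8 + REG32[reg]]) + struct.pack("<I", value)


def build_restore_stub(oep: int, regs: dict, stack_dwords: list) -> bytes:
    """Position-independent x86 stub that rebuilds the OEP environment.

    stack_dwords[0] is the dword at regs["esp"], the rest follow upward,
    exactly as OllyDbg's stack window shows them at the OEP.
      1) write the snapshot back, highest address first, so a large
         snapshot grows the stack through its guard page instead of
         skipping it
      2) load the general registers, ESP last
      3) push OEP / retn: lands on the OEP and leaves OEP at [ESP-4],
         which is what the protector's own retn leaves behind
    EFLAGS are not restored.
    """
    code = bytearray()
    base = regs["esp"]
    for i in reversed(range(len(stack_dwords))):
        code += mov_mem_imm32(base + 4 * i, stack_dwords[i])
    for r in ("eax", "ecx", "edx", "ebx", "ebp", "esi", "edi"):
        code += mov_reg_imm32(r, regs[r])
    code += mov_reg_imm32("esp", regs["esp"])            # ESP last: push/retn use it
    code += b"\x68" + struct.pack("<I", oep) + b"\xC3"   # push oep ; retn
    return bytes(code)


def set_entry_point(pe: bytearray, new_ep_rva: int) -> int:
    """Redirect AddressOfEntryPoint of a PE32/PE32+ header to the stub's RVA
    (the field sits at the same offset in both). Returns the old RVA."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    ep_off = e_lfanew + 0x28      # 4 (signature) + 20 (COFF) + 16 (optional header)
    old = struct.unpack_from("<I", pe, ep_off)[0]
    struct.pack_into("<I", pe, ep_off, new_ep_rva)
    return old


# Sample input: the register and stack dump quoted above for the OEP at
# 004B7555 (only the six stack dwords the post shows; a real stub should
# carry the whole used stack, from ESP at the OEP up to the initial stack top).
OEP = 0x004B7555
REGS = {"eax": 0x00000094, "ecx": 0x0041F6F2, "edx": 0x00F60285, "ebx": 0x3D83D8BF,
        "esp": 0x0012FF14, "ebp": 0x0012FF94, "esi": 0x00D95B28, "edi": 0x00000094}
STACK = [0x00F61AF3, 0x00626889, 0x00D95B28, 0x3D83D8BF, 0x0012FFE0, 0x0012FF60]

if __name__ == "__main__":
    stub = build_restore_stub(OEP, REGS, STACK)
    print(f"{len(stub)} bytes: {stub.hex(' ')}")
```

Paste the emitted bytes into the blank region of the dump with OllyDbg's binary paste, then call set_entry_point with that region's RVA (VA minus ImageBase). Each stack dword costs ten bytes of stub, so a snapshot of a few hundred dwords is a few kilobytes; if that does not fit in the chosen region, a rep movsd from an embedded copy of the snapshot is the alternative, at the price of the stub no longer being position-independent.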
cqzcj
June 20th, 2005, 10:52
I see, you mean simulating the same environment as the original run from the OEP. OK, I think it's feasible and realizable.
But another problem occurs; look here and above:
004B7555 |. /73 0E jnb short unpackme.004B7565 ; :::[OEP ]:::
......
......
004B7564 |. |C3 retn ; this retn will go to 00F61AF3
Here, with calls to GetVersionExA and GetModuleFileNameA, it proves the OEP is right:
00F61AF3 8965 E8 mov dword ptr ss:[ebp-18],esp
00F61AF6 F2: prefix repne:
00F61AF7 EB 01 jmp short 00F61AFA
00F61AF9 F0:BE DA364800 lock mov esi,4836DA
00F61AFF 337424 08 xor esi,dword ptr ss:[esp+8]
00F61B03 8BF4 mov esi,esp
00F61B05 893E mov dword ptr ds:[esi],edi
00F61B07 56 push esi
00F61B08 FF15 88805800 call dword ptr ds:[588088] ; this call is kernel32.GetVersionExA
00F61B0E 8B4E 10 mov ecx,dword ptr ds:[esi+10]
00F61B11 890D D4C56100 mov dword ptr ds:[61C5D4],ecx
00F61B17 8B46 04 mov eax,dword ptr ds:[esi+4]
00F61B1A A3 E0C56100 mov dword ptr ds:[61C5E0],eax
00F61B1F 8B56 08 mov edx,dword ptr ds:[esi+8]
00F61B22 8915 E4C56100 mov dword ptr ds:[61C5E4],edx
00F61B28 8B76 0C mov esi,dword ptr ds:[esi+C]
00F61B2B 81E6 FF7F0000 and esi,7FFF
00F61B31 8935 D8C56100 mov dword ptr ds:[61C5D8],esi
00F61B37 83F9 02 cmp ecx,2
00F61B3A E8 C1E40500 call 00FC0000
00F61B3F 5D pop ebp
00F61B40 E9 D70E0000 jmp 00F62A1C
00F61B45 85C0 test eax,eax
00F61B47 0F85 B0030000 jnz 00F61EFD
00F61B4D ^ E9 83F1FFFF jmp 00F60CD5
00F61B52 8975 FC mov dword ptr ss:[ebp-4],esi
00F61B55 68 032AF600 push 0F62A03
00F61B5A E8 A1E40500 call 00FC0000
00F61B5F 8365 FC 00 and dword ptr ss:[ebp-4],0
00F61B63 ^ E9 DAECFFFF jmp 00F60842
00F61B68 FF15 80805800 call dword ptr ds:[588080] ; this call is kernel32.GetModuleFileNameA
Of course, the section at 00F60000 is not one of the PE's sections, so it won't be dumped, and the dumped PE goes wrong here. What should I do?
cqzcj
June 20th, 2005, 11:20
On the other hand, I read some articles about the ESP balance rule and got it.
But for this case it doesn't work: the ESP value is different every time at the OEP. The only unaltered value is [ESP-4]; it's always equal to the OEP, because the shell retns from it to the OEP.
Ricardo Narvaja
June 20th, 2005, 11:25
You asked me about stolen bytes; those are tutorials for ASProtect 1.2. For ASProtect 1.3 or 2 the method is completely different, and there are no stolen bytes; it is stolen code, hehe.
Ricardo Narvaja
cqzcj
June 20th, 2005, 11:46
Oh, stolen code. So how do I get it back? What's the usual method?
Ricardo Narvaja
June 21st, 2005, 05:14
Well, you need to add all the missing sections to the exe; it's not so easy.
Ricardo Narvaja
cqzcj
June 22nd, 2005, 00:29
For stolen bytes, we dump the stack and restore it at the OEP, including getting the registers back.
For stolen code, we dump all the sections of the shell which are used by the program,
then reallocate them.
Is that right?
BTW, about OD:
1. How do I modify code by assembling and save it in OD?
2. Can we use something like "tc [ESP]==4b7550" in OD?
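Ricardo's "add all the missing sections to the exe" and the summary just above (dump the shell's sections the program uses, then put them back) come down to appending a section to the dumped PE at a fixed RVA. The function below is an added example, not code from the thread or from any unpacking tool; it is the part of that step a PE-aware script can do mechanically. Assumptions of mine: the image is PE32, there is still room in the header area for one more 40-byte section entry, and the caller supplies the dumped bytes of the protector's region together with the RVA it must be mapped at (the thread's region sits at VA 00F60000, so with ImageBase 00400000 that would be RVA 00B60000; stolen code is full of absolute jmp/call targets, so it cannot be moved). The minimal PE header inside the block is a constructed sample for running the function offline, not a real program.

```python
import struct

SECTION_HEADER = 40           # sizeof(IMAGE_SECTION_HEADER)
SECTION_FMT = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData,
                              # PointerToRawData, PtrRelocs, PtrLinenums,
                              # NumRelocs, NumLinenums, Characteristics
SCN_CODE_RWX = 0xE0000060     # CNT_CODE|CNT_INITIALIZED_DATA|EXECUTE|READ|WRITE


def align_up(value: int, alignment: int) -> int:
    return (value + alignment - 1) & ~(alignment - 1)


def add_section(pe: bytearray, name: bytes, data: bytes, rva: int,
                characteristics: int = SCN_CODE_RWX) -> dict:
    """Append `data` to a PE32 image as a new section mapped at `rva`.

    The caller picks the RVA: the dumped protector region has to land
    back where the protector had it (VA - ImageBase). The new entry goes
    after the last existing one, raw bytes go at the file-aligned end of
    the file, and SizeOfImage is grown to cover the new section.
    Returns the new section's header fields.
    """
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    sec_align, file_align = struct.unpack_from("<II", pe, opt + 32)
    size_of_headers, = struct.unpack_from("<I", pe, opt + 60)

    table = opt + opt_size
    new_hdr = table + nsec * SECTION_HEADER
    if new_hdr + SECTION_HEADER > size_of_headers:
        raise ValueError("no room in the headers for another section entry")
    if rva % sec_align:
        raise ValueError("RVA is not section-aligned")
    if nsec:  # the loader wants ascending, non-overlapping section RVAs
        last = table + (nsec - 1) * SECTION_HEADER
        last_vs, last_va = struct.unpack_from("<II", pe, last + 8)
        if rva < align_up(last_va + last_vs, sec_align):
            raise ValueError("RVA overlaps or precedes the last section")

    raw_ptr = align_up(len(pe), file_align)
    raw_size = align_up(len(data), file_align)
    pe.extend(b"\0" * (raw_ptr - len(pe)))
    pe.extend(data)
    pe.extend(b"\0" * (raw_size - len(data)))

    new_size_of_image = align_up(rva + len(data), sec_align)
    struct.pack_into(SECTION_FMT, pe, new_hdr, name[:8].ljust(8, b"\0"),
                     len(data), rva, raw_size, raw_ptr, 0, 0, 0, 0, characteristics)
    struct.pack_into("<H", pe, coff + 2, nsec + 1)
    struct.pack_into("<I", pe, opt + 56, new_size_of_image)
    return {"rva": rva, "virtual_size": len(data), "raw_ptr": raw_ptr,
            "raw_size": raw_size, "size_of_image": new_size_of_image}


def build_minimal_pe32() -> bytearray:
    """Constructed sample: a bare PE32 header with one .text section
    (ImageBase 0x400000, SizeOfImage 0x2000). Not a runnable program."""
    pe = bytearray(0x400)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)
    pe[0x40:0x44] = b"PE\0\0"
    coff, opt = 0x44, 0x58
    struct.pack_into("<HHIIIHH", pe, coff, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    struct.pack_into("<H", pe, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<I", pe, opt + 16, 0x1000)           # AddressOfEntryPoint
    struct.pack_into("<I", pe, opt + 28, 0x400000)         # ImageBase
    struct.pack_into("<II", pe, opt + 32, 0x1000, 0x200)   # Section/File alignment
    struct.pack_into("<II", pe, opt + 56, 0x2000, 0x200)   # SizeOfImage, SizeOfHeaders
    struct.pack_into(SECTION_FMT, pe, opt + 0xE0, b".text",
                     0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return pe


if __name__ == "__main__":
    image = build_minimal_pe32()
    # A real run would pass the dumped 00F60000 region and rva 0x00F60000 - 0x400000;
    # the sample just appends 0x300 bytes of int3 at the next free RVA.
    print(add_section(image, b".aspr", b"\xCC" * 0x300, 0x2000))
```

Adding the bytes back is the mechanical part. What the function cannot do is the rest of the thread's problem: anything the protector set up at run time inside that region (decrypted code, fixed-up pointers, the IAT entries it filled) has to be dumped after it is initialised, and the environment at the OEP still has to be restored as in Ricardo's inject.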
hosiminh
June 22nd, 2005, 03:33
stolen bytes == stolen code
tc ESP==4b7550
Ricardo Narvaja
June 22nd, 2005, 04:43
For me, stolen bytes are 10 or 15 bytes executed outside the original address, and stolen code (ASProtect 2) is sections of 2000 or 3000 bytes outside the original address.
Ricardo Narvaja
cqzcj
June 22nd, 2005, 09:59
Every time I break at the OEP via Alt+M, the ESP value is different, but the [ESP-4] value is the same, because it goes to the OEP by a retn. So I want to break on the retn; of course "tc ESP==4b7550" is wrong, so is "tc [ESP]==4b7550" right?
Ricardo Narvaja
June 23rd, 2005, 06:54
Well, each particular case needs to be looked at, but the general method is to provide the program with all the missing sections and the environment of the start. If you have problems at this point, look for another start a little before (it can be in another section, no problem, as long as the program is unpacked and RUNS and lets you make changes in the code).
Ricardo Narvaja
homersux
June 23rd, 2005, 16:04
I'm having problems too with an ASProtect-protected target. In my case, Hellspawn's script cannot find the OEP at all. I've posted some details on Woodmann's forum, and the thread itself has some great Olly material, as I am learning to use Olly too. If anyone is interested in said target, please PM me and I'll send the link to download the target. It's written by a hacker and has proven to be very tough to crack.
blabberer
June 24th, 2005, 01:01
For your information, there is no PM facility on this board.
And please, no off-topic crack requests; there are a lot of boards that deal with them explicitly, so let's keep this board for OllyDbg, its usage and its quirks and whims.
Actually, if you look around you can find sHaG, the author of this plugin, and I don't think even he likes to have this forum polluted with requests.
Also, his site contains a lot of other scripts; maybe you could spend some time and find a combination of them.
Reversing and debugging is an art, not some double-click thingy.
Hope I have wrapped my words in a nice chocolate wrapper.
Thanks and regards
TBD
June 25th, 2005, 13:42
Thanks, oh me anon. Topic closed.