
View Full Version : ASProtect v1.3x


trnc
January 22nd, 2006, 02:22
Hi all. I downloaded AD Pic Viewer; it's packed with ASProtect 1.3x. PEiD tells me this:

ASProtect 1.2x - 1.3x [Registered] -> Alexey Solodovnikov

My problem is that I can't find the OEP with the exceptions method, the way Ricardo Narvaja did in a tutorial. So my question is: does anybody know how to unpack this ASProtect version?

Ricardo Narvaja
January 22nd, 2006, 05:43
In the new versions, some ASProtect builds hide the OEP inside the ASProtect code itself, to defeat the exceptions trick.

Ricardo Narvaja

miniC
January 22nd, 2006, 17:48
Try this one!!
http://intechhosting.com/~access/ARTeam/tutorials/file_info/download1.php?file=Unpacking_And_Dumping_ExeCryptor_and_Coding_Loader_by_deroko.rar

In that tutorial you have OEP FINDER by deroko!!! Veeeeeeeeeeery good progy!!!

scherzo
February 6th, 2006, 13:53
I don't know, but the link is broken!
The exceptions method for finding the OEP doesn't work in new versions of ASProtect if there is stolen code.
Anyway, this script is perfect and very simple!!! (It does not work for ASProtect 2.2 SKE, nor for 1.35.)

// ASProtect 1.32 and greater (except ASProtect 2.0 alpha) OEP finder by sanniassin::REVENGE Crew

// Ignore all exceptions

// Clear all breakpoints

// Tested on WinXP only
//
// Purpose: OllyDbg script (OllyScript) that drives the debugger through the
// protector's startup code and stops either at the original entry point (OEP)
// or at the point where it decides the OEP code has been "stolen".
// The three comment lines above are the author's preconditions for the
// debugger session before the script is started.
//
// Notes for the reader:
//  - OllyScript numeric literals are hexadecimal (48 = 0x48, 10 = 0x10).
//  - x and y are scratch variables that are reused for unrelated values.
//  - Every `run`/`go`/`sto`/`sti`/`rtr` really executes the debugged target,
//    so an untrusted sample belongs in an isolated analysis VM.
//  - NOTE(review): neither `find` result is checked; if a pattern is missing
//    the script goes on to set a breakpoint at a meaningless address.
//  - NOTE(review): the `zzz`, `findcall` and `label_9` loops have no exit
//    condition other than the expected bytes being seen.
var x

var y

// NOTE(review): is_DLL is only ever assigned 1; the later `cmp is_DLL,1`
// tests rely on a declared-but-unassigned variable not comparing equal to 1.
var is_DLL
// Hardware read breakpoint on the stack slot 0x48 bytes below the initial esp.
// Why this slot: presumably one the protector reads later - TODO confirm.
mov x,esp

sub x,48

bphws x,"r"

// Look at the first byte at the entry point: 0x60 is PUSHAD.
// The script takes a PUSHAD there as the sign of a DLL (author's heuristic).
mov y,[eip]

and y,000000FF

cmp y,60

jne zzz

mov is_DLL,1
// Resume until the dword at eip is 0x01B80875, i.e. the bytes 75 08 B8 01
// (jnz short +8 followed by the start of a mov eax,imm32).
zzz:

run

mov y,[eip]

cmp y,01B80875

jne zzz

bphwc x

// Search forward from edi for 83 C4 04 / 01 04 24 / C3
// (add esp,4 ; add [esp],eax ; ret). $RESULT holds the match address.
find edi,#83C404010424C3#

mov x,$RESULT

// +6 is the offset of the C3 (ret) byte inside the 7-byte pattern.
add x,6

bp x

run

bc x

// Step over the ret so eip lands on its return target.
sto

// Walk backwards one byte at a time from eip until the dword 0x5B5E5F5D is
// found, i.e. the bytes 5D 5F 5E 5B (pop ebp ; pop edi ; pop esi ; pop ebx).
// NOTE(review): no lower bound - the scan can run into unreadable memory.
mov x,eip
findcall:

dec x

mov y,[x]

cmp y,5B5E5F5D

jne findcall

// Run to the address 8 bytes before that pop sequence, step into it,
// run to the return of the routine entered, then step over the return.
// What sits at that address is not visible here - presumably a call.
sub x,8

go x

sti

rtr

sto

// Decide by the low 16 bits of eip: zero -> continue on the "not stolen"
// path, anything else -> report a stolen OEP and stop.
// Presumably a 64 KB-aligned eip means execution is at the start of a
// separately allocated block - TODO confirm.
mov x,eip

and x,0000FFFF

cmp x,0

je no_VM_on_OEP
VM_on_OEP:

msg "OEP found! OEP stolen."

jmp pause
no_VM_on_OEP:

// Hardware read breakpoint on a stack slot above esp:
// esp+0x10 on the DLL path, esp+8 otherwise.
mov x,esp

cmp is_DLL,1

jne is_exe

add x,10

jmp label_9

is_exe:

add x,8

// Loop: (re)arm the breakpoint and resume until the byte just before eip is
// 0x5C (pop esp), i.e. the break happened right after a pop esp.
label_9:

bphws x,"r"

run

mov y,eip

dec y

mov y,[y]

and y,000000FF

cmp y,5C

jne label_9

bphwc x

cmp is_DLL,1

jne is_exe2

// DLL path: search forward from eip for 89 44 24 1C / 61 / FF E0
// (mov [esp+1C],eax ; popad ; jmp eax). +5 is the offset of the jmp eax;
// break there and step over it to arrive at its target.
find eip,#8944241C61FFE0#

add $RESULT,5

bp $RESULT

run

bc $RESULT

sto

jmp msg

// EXE path: eax is used as the destination address; run straight to it.
is_exe2:

mov x,eax

go x

// The labels `msg` and `pause` share their names with the commands below.
msg:

msg "OEP found! OEP not stolen."
pause:

pause


scherzo

miniC
February 7th, 2006, 10:25
http://omega.intechhosting.com/~access/ARTeam/tutorials/file_info/download1.php?file=Unpacking_And_Dumping_ExeCryptor_and_Coding_Loader_by_deroko.rar

Try now!!
miniC