Posted November 12, 200618 yr hello all, this is my first post about this unpackme it's aspr i found oep by put membp on access on last exception and i fix iat but when i run it bug report appear can someone help me? Edited November 19, 200618 yr by SuCkEr
November 12, 200618 yr Author http://www.4shared.com/file/5796488/8da5b7...rotect_133.htmlthis a link for filescontain dump filei hope to solve them!! NO LIVE LINKS PLEASE !! Edited November 12, 200618 yr by Teddy Rogers
November 12, 200618 yr The answer is easy, take a look at 0042A232... The VM call isn?t fixed. (ASProtect repaces API-Calls with its own calls to high-mem sections). Open another C++ 6.0 app and search for the same place to see which API it sould be and then fix it.greetz
November 13, 200618 yr Author somebody have a tutorial about that coz i try more times and i didn't find anything to help me
November 13, 200618 yr Author Try here, there are plenty of ASProtect tutorials: http//:www.tuts4you.com Ted. i read all tuts that talk about asprotect before and i reapet the action and nothing new is there any idea
November 13, 200618 yr As i told you:Open your dump in Olly and go to all the places where call like CALL 0EF00000 is. Then open another app in olly that is coded in the same language (like C++ or Delphi) and for example binary search for the same place. then look which API call should be instead of this CALL 0EF00000. Click Ctrl+N, sort APIs by name and remember the VA of the API that you will patch. Then Edit the CALL 0EF00000 to, for example, CALL GetCurrentThreadID. There will most probably remain some nops after the call. Mark them and click "Undo Selection" and everything will be fine. Do this with all emulated calls (could be up to 60) and you?re done.greetz
November 14, 200618 yr Author As i told you:Open your dump in Olly and go to all the places where call like CALL 0EF00000 is. Then open another app in olly that is coded in the same language (like C++ or Delphi) and for example binary search for the same place. then look which API call should be instead of this CALL 0EF00000. Click Ctrl+N, sort APIs by name and remember the VA of the API that you will patch. Then Edit the CALL 0EF00000 to, for example, CALL GetCurrentThreadID. There will most probably remain some nops after the call. Mark them and click "Undo Selection" and everything will be fine. Do this with all emulated calls (could be up to 60) and you?re done. greetz excuse me Sonny27, because i'm still begginer i use search binary string for this 0EF00000 and olly say item not found
November 14, 200618 yr Not binary search Since Calls do not use absolute Offsets (Call 0ef00000) but relative ones, every Call 0ef00000 looks different. Not sure if you got that, however binary search wont help here. Also it's not always 0ef00000, it can be a different offset, but mainly its an address with lots of zeros at the end (0c100000, 0c800000, ...), you'll easily recognize them. Simply jump around in the code a little, follow some calls until you see one of these.
November 14, 200618 yr With binary search I didn?t meant that you search for the call but for the above and ahead code or only the code-region Try KillBoy?s tips or move ASPr to later reversing exercises greetz
November 14, 200618 yr I would say that you should use F8 to trace until u reach call that causes error then bp on that (restart) and f7 to go into that call then continue process until you find the exact place where it crashs. This usually helps in a lot of other situations as well..
November 14, 200618 yr You also open the original target and your unpacked target, and use the original target to trace what goes and fix it in your unpacked target in the other olly... real time saver here if you catch my drift Same idea as everyone else says, start tracing with f8 and find your broken calls, go into your original project and look what these calls do. If it's API redirection, it will be preety obvious
November 15, 200618 yr Author i use f8 & f7 and i get where is bad calls i found what you mean Sonny27 more calls likes 0040110F /75 32 JNZ SHORT dump_8.0040114300401111 |53 PUSH EBX00401112 |E8 E9EE9F00 CALL 00E0000000401117 |4C DEC ESP00401118 |8945 F8 MOV DWORD PTR SS:[EBP-8],EAX ; RICHED32.732E3000 and i fix them and working prefect thanks all Edited November 15, 200618 yr by SuCkEr
November 15, 200618 yr Author hello all, after i fix last file i go to unpack another file but this time all protection enabled i open it in olly then i use genral way to unpack it that count exception and at last exception set bp on code section after that press shift+f9 once i think i'll land to oep but this time noway oops...! what is that? 004293A0 6A 00 PUSH 0004293A2 68 00100000 PUSH 1000004293A7 6A 00 PUSH 0004293A9 FF15 A0094600 CALL DWORD PTR DS:[4609A0] ; kernel32.HeapCreate004293AF 85C0 TEST EAX,EAX004293B1 A3 C4EB4500 MOV DWORD PTR DS:[45EBC4],EAX004293B6 75 01 JNZ SHORT UnPackMe.004293B9004293B8 C3 RETN004293B9 E8 22000000 CALL UnPackMe.004293E0004293BE 85C0 TEST EAX,EAX004293C0 75 0F JNZ SHORT UnPackMe.004293D1004293C2 A1 C4EB4500 MOV EAX,DWORD PTR DS:[45EBC4]004293C7 50 PUSH EAX004293C8 FF15 9C094600 CALL DWORD PTR DS:[46099C] ; kernel32.HeapDestroy004293CE 33C0 XOR EAX,EAX004293D0 C3 RETN004293D1 B8 01000000 MOV EAX,1004293D6 C3 RETN someone have any idea where is oep? and how i can get it? UnPackMe_ASProtect1.33.f.zip Edited November 19, 200618 yr by SuCkEr
November 20, 200618 yr If ALL protection options are enabled there should be Stolen OEP and because you?ve already had problems with fixing VM the first time you should take off xour fingers of it. Besides that there is also Advanced Import Protection which edits the IAT itself, so no easy task...Keep it up for later or try some ASProtect unpacking on common apps.greetz
Create an account or sign in to comment