Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Featured Replies

Posted

hello all,

this is my first post about this UnPackMe.

It's ASPr. I found the OEP by putting a memory BP on access at the last exception,

and I fixed the IAT,

but when I run it a bug report appears :(

Can someone help me?

:help

Edited by SuCkEr

If you upload your files somewhere it's easier to see where you went wrong :^

The answer is easy, take a look at 0042A232... The VM call isn't fixed. (ASProtect replaces API calls with its own calls to high-mem sections.) Open another C++ 6.0 app and search for the same place to see which API it should be and then fix it.

greetz

  • Author

Does somebody have a tutorial about that? Because I tried many times and I didn't find anything to help me.

Try here, there are plenty of ASProtect tutorials:

http://www.tuts4you.com

Ted.

  • Author

I read all the tuts that talk about ASProtect before,

and I repeated the steps, and nothing new.

Is there any idea? :dunno:

As i told you:

Open your dump in Olly and go to all the places where a call like CALL 0EF00000 is. Then open another app in Olly that is coded in the same language (like C++ or Delphi) and, for example, binary search for the same place. Then look which API call should be there instead of this CALL 0EF00000. Press Ctrl+N, sort the APIs by name and remember the VA of the API that you will patch. Then edit the CALL 0EF00000 to, for example, CALL GetCurrentThreadID. There will most probably remain some NOPs after the call. Mark them and click "Undo Selection" and everything will be fine. Do this with all emulated calls (could be up to 60) and you're done.

greetz

  • Author

:( Excuse me Sonny27,

because I'm still a beginner:

I used "Search for binary string" for this 0EF00000 and Olly says item not found :dunno:

Not binary search ;)

Since calls do not use absolute offsets (CALL 0EF00000) but relative ones, every CALL 0EF00000 looks different. Not sure if you got that, however binary search won't help here.

Also it's not always 0EF00000, it can be a different offset, but mainly it's an address with lots of zeros at the end (0C100000, 0C800000, ...), you'll easily recognize them.

Simply jump around in the code a little, follow some calls until you see one of these.

With binary search I didn't mean that you search for the call but for the code above and ahead of it, or only the code region :)

Try KillBoy's tips or move ASPr to later reversing exercises.

greetz

I would say that you should use F8 to trace until you reach the call that causes the error, then BP on that (restart) and F7 to go into that call, then continue the process until you find the exact place where it crashes. This usually helps in a lot of other situations as well.. :D

You also open the original target and your unpacked target, and use the original target to trace what goes on and fix it in your unpacked target in the other Olly... a real time saver here if you catch my drift :)

Same idea as everyone else says: start tracing with F8 and find your broken calls, go into your original project and look at what these calls do. If it's API redirection, it will be pretty obvious :)

  • Author

I used F8 & F7 and I got to where the bad calls are. I found what you mean, Sonny27, more calls like:

0040110F  75 32              JNZ SHORT dump_8.00401143
00401111  53                 PUSH EBX
00401112  E8 E9EE9F00        CALL 00E00000
00401117  4C                 DEC ESP
00401118  8945 F8            MOV DWORD PTR SS:[EBP-8],EAX     ; RICHED32.732E3000

and I fixed them and it's working perfectly.

thanks all :yahoo:

Edited by SuCkEr
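The two points made above (KillBoy: a relative CALL to the same stub has different bytes at every site, so a binary search for 0EF00000 finds nothing; Sonny27: each emulated call must be rewritten as a call to the real API) can be shown with a small script. This is an added example, not code from the thread or from any ASProtect tool. It assumes the dump covers 0x00400000-0x00460000, that each emulated call is a 5-byte E8 call plus one leftover byte where the compiler's 6-byte CALL DWORD PTR [IAT slot] used to be, and the IAT slot address 0x00460A10 is a placeholder; the sample bytes are constructed from the listing posted above.

```python
# Added example (not from the thread): find ASProtect-style emulated API calls
# in a dumped code section and rewrite them as import-table calls.
#
# Why a byte search fails: CALL rel32 (opcode E8) stores the distance from the
# *next* instruction to the target, so two calls to the same stub placed at
# different addresses have different bytes. The scanner below decodes every
# candidate E8 and compares the resolved target instead.
import struct

IMAGE_BASE = 0x00400000
IMAGE_SIZE = 0x00060000   # assumption: the dump spans 0x00400000-0x00460000

# Constructed sample, taken from the listing posted above (VA 0x0040110F):
#   75 32            JNZ SHORT 00401143
#   53               PUSH EBX
#   E8 E9EE9F00      CALL 00E00000        <- emulated call into ASProtect's stub
#   4C               leftover byte of the original 6-byte call (assumption)
#   89 45 F8         MOV [EBP-8], EAX
SAMPLE_VA = 0x0040110F
SAMPLE = bytes.fromhex("753253E8E9EE9F004C8945F8")


def encode_rel_call(from_va, target_va):
    """Bytes of `CALL target_va` placed at from_va (E8 + 32-bit delta)."""
    rel = (target_va - (from_va + 5)) & 0xFFFFFFFF
    return b"\xE8" + struct.pack("<I", rel)


def find_emulated_calls(code, code_va, image_base=IMAGE_BASE,
                        image_size=IMAGE_SIZE, round_targets_only=True):
    """
    Return [(call_va, target_va)] for each E8 rel32 in `code` whose target lies
    outside the dumped image. ASProtect's stubs sit at round high addresses
    (0EF00000, 0C100000, ...), so by default the target's low 20 bits must be
    clear. This is a linear byte scan, not a disassembly: confirm each hit in
    the debugger before patching it.
    """
    hits = []
    for off in range(len(code) - 4):
        if code[off] != 0xE8:
            continue
        rel = struct.unpack_from("<i", code, off + 1)[0]
        call_va = code_va + off
        target = (call_va + 5 + rel) & 0xFFFFFFFF
        if image_base <= target < image_base + image_size:
            continue                      # ordinary call inside the module
        if round_targets_only and target & 0xFFFFF:
            continue
        hits.append((call_va, target))
    return hits


def restore_import_call(code, code_va, call_va, iat_slot_va):
    """
    Replace the 5-byte E8 call at call_va plus its one leftover byte with the
    6-byte `CALL DWORD PTR [iat_slot_va]` (FF 15 imm32) that a compiler emits
    for an imported API. iat_slot_va is the IAT entry holding that API's
    address (Olly: Ctrl+N on the dump, sort by name). Returns the new bytes.
    """
    off = call_va - code_va
    if code[off] != 0xE8:
        raise ValueError("no E8 call at %08X" % call_va)
    code[off:off + 6] = b"\xFF\x15" + struct.pack("<I", iat_slot_va)
    return bytes(code[off:off + 6])


def repair_sample(iat_slot_va=0x00460A10):
    """
    Scan the constructed sample and patch every hit to point at iat_slot_va.
    The slot is a placeholder: which API each call really is has to be read
    off an unprotected binary built with the same compiler, as the thread says.
    """
    code = bytearray(SAMPLE)
    hits = find_emulated_calls(code, SAMPLE_VA)
    for call_va, _target in hits:
        restore_import_call(code, SAMPLE_VA, call_va, iat_slot_va)
    return hits, bytes(code)


if __name__ == "__main__":
    hits, fixed = repair_sample()
    for call_va, target in hits:
        print("emulated call at %08X -> %08X" % (call_va, target))
    print("same target, different bytes:",
          encode_rel_call(0x00401112, 0x00E00000).hex(),
          encode_rel_call(0x00402000, 0x00E00000).hex())
    print("patched bytes:", fixed.hex())
```

Writing FF 15 [slot] rather than a direct E8 call to the API's address keeps the fixed dump independent of where kernel32 happens to load; the one leftover byte after each E8 call is exactly the room the 6-byte form needs, which is also why there is nothing left to NOP out afterwards.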

  • Author

hello all,

After I fixed the last file I went to unpack another file, but this time all protection options are enabled.

I opened it in Olly, then I used the general way to unpack it: count the exceptions and at the last exception set a BP on the code section.

After that I pressed Shift+F9 once, thinking I'd land on the OEP, but this time no way.

oops...!

what is that?

004293A0  6A 00              PUSH 0
004293A2  68 00100000        PUSH 1000
004293A7  6A 00              PUSH 0
004293A9  FF15 A0094600      CALL DWORD PTR DS:[4609A0]      ; kernel32.HeapCreate
004293AF  85C0               TEST EAX,EAX
004293B1  A3 C4EB4500        MOV DWORD PTR DS:[45EBC4],EAX
004293B6  75 01              JNZ SHORT UnPackMe.004293B9
004293B8  C3                 RETN
004293B9  E8 22000000        CALL UnPackMe.004293E0
004293BE  85C0               TEST EAX,EAX
004293C0  75 0F              JNZ SHORT UnPackMe.004293D1
004293C2  A1 C4EB4500        MOV EAX,DWORD PTR DS:[45EBC4]
004293C7  50                 PUSH EAX
004293C8  FF15 9C094600      CALL DWORD PTR DS:[46099C]      ; kernel32.HeapDestroy
004293CE  33C0               XOR EAX,EAX
004293D0  C3                 RETN
004293D1  B8 01000000        MOV EAX,1
004293D6  C3                 RETN

Does someone have any idea where the OEP is? :dunno:

And how can I get to it? :(

UnPackMe_ASProtect1.33.f.zip

Edited by SuCkEr

  • Author

Why does no one reply to me?!!

If ALL protection options are enabled there should be a stolen OEP, and because you've already had problems with fixing the VM the first time you should keep your fingers off it. Besides that there is also Advanced Import Protection, which edits the IAT itself, so no easy task...

Keep it up for later or try some ASProtect unpacking on common apps.

greetz
