Tuts 4 You

Unpackme_asprotect1.33.f

SuCkEr

Hello all,

This is my first post about this unpackme.

It's ASPr. I found the OEP by putting a memory breakpoint on access at the last exception,

and I fixed the IAT,

but when I run it a bug report appears :(

Can someone help me?

:help


The answer is easy, take a look at 0042A232... The VM call isn't fixed. (ASProtect replaces API calls with its own calls to high-mem sections.) Open another C++ 6.0 app and search for the same place to see which API it should be, and then fix it.

greetz


Try here, there are plenty of ASProtect tutorials:
http://www.tuts4you.com

Ted.

I read all the tuts that talk about ASProtect before,

and I repeated the steps, and nothing new.

Is there any idea? :dunno:


As I told you:

Open your dump in Olly and go to all the places where a call like CALL 0EF00000 is. Then open another app in Olly that is coded in the same language (like C++ or Delphi) and, for example, binary search for the same place. Then look which API call should be there instead of this CALL 0EF00000. Click Ctrl+N, sort the APIs by name and remember the VA of the API that you will patch. Then edit the CALL 0EF00000 to, for example, CALL GetCurrentThreadID. There will most probably remain some NOPs after the call. Mark them and click "Undo Selection" and everything will be fine. Do this with all emulated calls (could be up to 60) and you're done.

greetz


:( Excuse me Sonny27,

because I'm still a beginner.

I used "search binary string" for this 0EF00000 and Olly says "item not found" :dunno:


Not binary search ;)

Since calls do not use absolute offsets (CALL 0EF00000) but relative ones, every CALL 0EF00000 looks different. Not sure if you got that, however binary search won't help here.

Also it's not always 0EF00000, it can be a different offset, but mainly it's an address with lots of zeros at the end (0C100000, 0C800000, ...); you'll easily recognize them.

Simply jump around in the code a little, follow some calls until you see one of these.

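The two replies above describe one procedure (find every emulated CALL to a high-memory stub, work out which import it stands for in an unprotected reference binary, then rewrite it as a normal IAT call) and one pitfall (the E8 form is relative, so a byte search for the absolute address finds nothing). The script below is an added example, not code from this thread or from any of its posters, that does the mechanical part of that in Python over a dumped section: it decodes each E8 rel32 to its target, keeps only targets outside the image that look like ASProtect stubs (round addresses such as 0EF00000 or 00E00000), and rewrites a chosen site as the 6-byte FF15 [iat_slot] form, which exactly covers the 5-byte E8 plus the junk byte the protector leaves behind. The image base and size, the section VA, the sample bytes (built from the listing posted later in the thread) and the IAT slot 004609A4 are assumptions made for the demonstration; the mapping from call site to IAT slot still comes from the manual comparison the replies describe.

```python
"""
Added example (not code from the thread): locate ASProtect's emulated API
calls in a dumped code section and rewrite them as normal IAT calls.

ASProtect replaces the 6-byte indirect form  FF 15 <iat_slot>  (CALL DWORD PTR
[slot]) with the 5-byte relative form  E8 <rel32>  (CALL rel32) into a stub in
its own high-memory region, leaving one junk byte behind.  Because rel32 is
relative to the next instruction, two calls to the same stub have different
bytes, which is why a binary search for "0EF00000" finds nothing.  This
scanner decodes the targets instead.  Image base, size, VAs and the IAT slot
used below are assumptions for the demonstration.
"""
import struct

IMAGE_BASE = 0x00400000   # assumption: unpackme's base (thread shows 004xxxxx addresses)
IMAGE_SIZE = 0x00070000   # assumption: large enough to cover the 0046xxxx IAT in the thread


def find_emulated_calls(code, section_va, image_base=IMAGE_BASE, image_size=IMAGE_SIZE):
    """Return [(va, target, junk_byte)] for every E8 rel32 whose target lies
    outside the image and looks like an ASProtect stub (low 16 bits zero,
    e.g. 0EF00000, 0C100000, 00E00000).  This is a byte-level heuristic, so an
    E8 inside another instruction's operand can show up; confirm each hit in
    the debugger before patching."""
    hits = []
    for off in range(len(code) - 5):        # need opcode + rel32 + junk byte
        if code[off] != 0xE8:
            continue
        rel = struct.unpack_from("<i", code, off + 1)[0]
        va = section_va + off
        target = (va + 5 + rel) & 0xFFFFFFFF
        if image_base <= target < image_base + image_size:
            continue                        # ordinary intra-image call
        if target & 0xFFFF:
            continue                        # not a round stub address
        hits.append((va, target, code[off + 5]))
    return hits


def patch_calls(code, section_va, fixes):
    """fixes maps call-site VA -> IAT slot VA (identified by hand in the
    unprotected reference binary).  Each E8 rel32 + junk byte (6 bytes) is
    overwritten with FF 15 <slot>, also 6 bytes, so nothing is left over.
    Returns the number of sites patched."""
    patched = 0
    for va, slot in fixes.items():
        off = va - section_va
        if code[off] != 0xE8:
            raise ValueError(f"no E8 call at {va:08X}")
        code[off:off + 6] = b"\xFF\x15" + struct.pack("<I", slot)
        patched += 1
    return patched


def build_sample_section():
    """Constructed sample: a .text fragment at 00401100 containing the call
    from the thread's listing at 00401112, a second call to the same stub
    with different rel32 bytes at 00401130, and a normal in-image call at
    00401140.  Everything else is NOP filler."""
    section_va = 0x00401100
    code = bytearray(b"\x90" * 0x50)
    code[0x0F:0x11] = b"\x75\x32"                  # JNZ SHORT 00401143
    code[0x11] = 0x53                              # PUSH EBX
    code[0x12:0x17] = b"\xE8\xE9\xEE\x9F\x00"      # CALL 00E00000 (emulated API)
    code[0x17] = 0x4C                              # junk byte (shown as DEC ESP in Olly)
    code[0x18:0x1B] = b"\x89\x45\xF8"              # MOV DWORD PTR [EBP-8],EAX
    code[0x30:0x35] = b"\xE8\xCB\xEE\x9F\x00"      # CALL 00E00000 again, other bytes
    code[0x35] = 0x4C                              # junk byte
    code[0x40:0x45] = b"\xE8\x22\x00\x00\x00"      # CALL 00401167 (ordinary call)
    return code, section_va


if __name__ == "__main__":
    code, base = build_sample_section()
    for va, target, junk in find_emulated_calls(code, base):
        print(f"{va:08X}: CALL {target:08X}  junk byte {junk:02X}")
    # Hypothetical IAT slot for the API this site should call, as found in
    # the unprotected reference binary.
    patch_calls(code, base, {0x00401112: 0x004609A4})
    print("remaining:", find_emulated_calls(code, base))
```

Run against a real dump, read the section with the VA Olly shows for it, walk the hits in the debugger to name each API, and feed the resulting site-to-slot map to patch_calls before rebuilding the IAT. The heuristic deliberately only keys on "E8 to a round address outside the image", so it also matches stubs at other bases such as 0C100000 or 0C800000 mentioned above.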

With binary search I didn't mean that you search for the call, but for the code before and after it, or only the code region :)

Try KillBoy's tips or move ASPr to later reversing exercises.

greetz


I would say that you should use F8 to trace until you reach the call that causes the error, then bp on that (restart) and F7 to go into that call, then continue the process until you find the exact place where it crashes. This usually helps in a lot of other situations as well.. :D


You can also open the original target and your unpacked target, and use the original target to trace what goes on and fix it in your unpacked target in the other Olly... a real time saver here if you catch my drift :)

Same idea as everyone else says: start tracing with F8 and find your broken calls, go into your original project and look at what these calls do. If it's API redirection, it will be pretty obvious :)


I used F8 & F7 and I got to where the bad calls are. I found what you mean, Sonny27, more calls like:

0040110F  /75 32          JNZ SHORT dump_8.00401143
00401111  |53             PUSH EBX
00401112  |E8 E9EE9F00    CALL 00E00000
00401117  |4C             DEC ESP
00401118  |8945 F8        MOV DWORD PTR SS:[EBP-8],EAX   ; RICHED32.732E3000

and I fixed them and it's working perfectly.

Thanks all :yahoo:


Hello all,

After I fixed the last file I went to unpack another file, but this time with all protections enabled.

I opened it in Olly and then used the general way to unpack it: count the exceptions, and at the last exception set a bp on the code section.

After that I pressed Shift+F9 once and thought I'd land on the OEP, but this time no way.

Oops...!

What is that?

004293A0   6A 00            PUSH 0
004293A2   68 00100000      PUSH 1000
004293A7   6A 00            PUSH 0
004293A9   FF15 A0094600    CALL DWORD PTR DS:[4609A0]   ; kernel32.HeapCreate
004293AF   85C0             TEST EAX,EAX
004293B1   A3 C4EB4500      MOV DWORD PTR DS:[45EBC4],EAX
004293B6   75 01            JNZ SHORT UnPackMe.004293B9
004293B8   C3               RETN
004293B9   E8 22000000      CALL UnPackMe.004293E0
004293BE   85C0             TEST EAX,EAX
004293C0   75 0F            JNZ SHORT UnPackMe.004293D1
004293C2   A1 C4EB4500      MOV EAX,DWORD PTR DS:[45EBC4]
004293C7   50               PUSH EAX
004293C8   FF15 9C094600    CALL DWORD PTR DS:[46099C]   ; kernel32.HeapDestroy
004293CE   33C0             XOR EAX,EAX
004293D0   C3               RETN
004293D1   B8 01000000      MOV EAX,1
004293D6   C3               RETN

Does someone have any idea where the OEP is? :dunno:

And how can I get to it? :(

UnPackMe_ASProtect1.33.f.zip


If ALL protection options are enabled there should be a stolen OEP, and because you've already had problems with fixing the VM the first time, you should keep your fingers off it. Besides that there is also Advanced Import Protection, which edits the IAT itself, so no easy task...

Keep it for later, or try some ASProtect unpacking on common apps.

greetz
