Jump to content
Tuts 4 You

Unpackme_asprotect1.33.f


SuCkEr

Recommended Posts

hello all,

this is my first post about this unpackme

it's aspr i found oep by put membp on access on last exception

and i fix iat

but when i run it bug report appear :(

can someone help me?

:help

Edited by SuCkEr
Link to comment

The answer is easy, take a look at 0042A232... The VM call isn?t fixed. (ASProtect repaces API-Calls with its own calls to high-mem sections). Open another C++ 6.0 app and search for the same place to see which API it sould be and then fix it.

greetz

Link to comment
Try here, there are plenty of ASProtect tutorials:
http//:www.tuts4you.com

Ted.

i read all tuts that talk about asprotect before

and i reapet the action and nothing new

is there any idea :dunno:

Link to comment

As i told you:

Open your dump in Olly and go to all the places where call like CALL 0EF00000 is. Then open another app in olly that is coded in the same language (like C++ or Delphi) and for example binary search for the same place. then look which API call should be instead of this CALL 0EF00000. Click Ctrl+N, sort APIs by name and remember the VA of the API that you will patch. Then Edit the CALL 0EF00000 to, for example, CALL GetCurrentThreadID. There will most probably remain some nops after the call. Mark them and click "Undo Selection" and everything will be fine. Do this with all emulated calls (could be up to 60) and you?re done.

greetz

Link to comment
As i told you:

Open your dump in Olly and go to all the places where call like CALL 0EF00000 is. Then open another app in olly that is coded in the same language (like C++ or Delphi) and for example binary search for the same place. then look which API call should be instead of this CALL 0EF00000. Click Ctrl+N, sort APIs by name and remember the VA of the API that you will patch. Then Edit the CALL 0EF00000 to, for example, CALL GetCurrentThreadID. There will most probably remain some nops after the call. Mark them and click "Undo Selection" and everything will be fine. Do this with all emulated calls (could be up to 60) and you?re done.

greetz

:( excuse me Sonny27,

because i'm still begginer

i use search binary string for this 0EF00000 and olly say item not found :dunno:

Link to comment

Not binary search ;)

Since Calls do not use absolute Offsets (Call 0ef00000) but relative ones, every Call 0ef00000 looks different. Not sure if you got that, however binary search wont help here.

Also it's not always 0ef00000, it can be a different offset, but mainly its an address with lots of zeros at the end (0c100000, 0c800000, ...), you'll easily recognize them.

Simply jump around in the code a little, follow some calls until you see one of these.

Link to comment

With binary search I didn?t meant that you search for the call but for the above and ahead code or only the code-region :)

Try KillBoy?s tips or move ASPr to later reversing exercises

greetz

Link to comment

I would say that you should use F8 to trace until u reach call that causes error then bp on that (restart) and f7 to go into that call then continue process until you find the exact place where it crashs. This usually helps in a lot of other situations as well.. :D

Link to comment

You also open the original target and your unpacked target, and use the original target to trace what goes and fix it in your unpacked target in the other olly... real time saver here if you catch my drift :)

Same idea as everyone else says, start tracing with f8 and find your broken calls, go into your original project and look what these calls do. If it's API redirection, it will be preety obvious :)

Link to comment

i use f8 & f7 and i get where is bad calls i found what you mean Sonny27 more calls likes

0040110F	/75 32				 JNZ SHORT dump_8.00401143
00401111 |53 PUSH EBX
00401112 |E8 E9EE9F00 CALL 00E00000
00401117 |4C DEC ESP
00401118 |8945 F8 MOV DWORD PTR SS:[EBP-8],EAX ; RICHED32.732E3000

and i fix them and working prefect

thanks all :yahoo:

Edited by SuCkEr
Link to comment

hello all,

after i fix last file i go to unpack another file but this time all protection enabled

i open it in olly then i use genral way to unpack it that count exception and at last exception set bp on code section

after that press shift+f9 once i think i'll land to oep but this time noway

oops...!

what is that?

004293A0	 6A 00				  PUSH 0
004293A2 68 00100000 PUSH 1000
004293A7 6A 00 PUSH 0
004293A9 FF15 A0094600 CALL DWORD PTR DS:[4609A0] ; kernel32.HeapCreate
004293AF 85C0 TEST EAX,EAX
004293B1 A3 C4EB4500 MOV DWORD PTR DS:[45EBC4],EAX
004293B6 75 01 JNZ SHORT UnPackMe.004293B9
004293B8 C3 RETN
004293B9 E8 22000000 CALL UnPackMe.004293E0
004293BE 85C0 TEST EAX,EAX
004293C0 75 0F JNZ SHORT UnPackMe.004293D1
004293C2 A1 C4EB4500 MOV EAX,DWORD PTR DS:[45EBC4]
004293C7 50 PUSH EAX
004293C8 FF15 9C094600 CALL DWORD PTR DS:[46099C] ; kernel32.HeapDestroy
004293CE 33C0 XOR EAX,EAX
004293D0 C3 RETN
004293D1 B8 01000000 MOV EAX,1
004293D6 C3 RETN

someone have any idea where is oep? :dunno:

and how i can get it? :(

UnPackMe_ASProtect1.33.f.zip

Edited by SuCkEr
Link to comment

If ALL protection options are enabled there should be Stolen OEP and because you?ve already had problems with fixing VM the first time you should take off xour fingers of it. Besides that there is also Advanced Import Protection which edits the IAT itself, so no easy task...

Keep it up for later or try some ASProtect unpacking on common apps.

greetz

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...