Teddy Rogers - Posted October 19, 2007
ASProtect SKE 2.4 (Build 09.11)
http://tuts4you.com/download.php?view.1990
Ted.
Keyvanriko0 - Posted October 19, 2007
Unpacked: http://rapidshare.com/files/63722790/ASProtect_SKE_2.4_Build_09.11_Unpacked_By_Keyvanriko0.rar.html
SunBeam - Posted November 16, 2007
No, but there are scripts. That's why I don't bother. He prolly used one too. Hehe..
Apakekdah - Posted November 16, 2007
I just want to know how to unpack this step by step manually.
vinnie - Posted November 18, 2007 (edited)
> I just want to know how to unpack this step by step manually.
You're not the only one, my friend. Call me dumb, but I have been reading up on this packer for the last 2 weeks and still I have not got a clear understanding of it, because most of the tuts use scripts, like SunBeam said. That's why I have been single-stepping through the Volx script to learn from.
Edited November 18, 2007 by vinnie
Apakekdah - Posted November 21, 2007
> I just want to know how to unpack this step by step manually.
> You're not the only one, my friend. Call me dumb, but I have been reading up on this packer for the last 2 weeks and still I have not got a clear understanding of it, because most of the tuts use scripts, like SunBeam said. That's why I have been single-stepping through the Volx script to learn from.
I have never succeeded in unpacking ASPR SKE even though I have read all the tutorials. I got lost in the middle of the tuts.
zako - Posted November 21, 2007
> I got lost in the middle of the tuts.
Well, there you have your answer: you can't actually reverse a protection by tutorial.
metr0 - Posted November 21, 2007
Nevertheless I'm thinking of writing a tutorial. Let's see when I'll find the time.
zako - Posted November 21, 2007
> Nevertheless I'm thinking of writing a tutorial. Let's see when I'll find the time.
What is your point? There's a difference between reversing a protection and writing a tutorial on it, and reading a tutorial and believing you are reversing.
metr0 - Posted November 21, 2007
I know there's a difference, but a tutorial may motivate people to play around with the protection on their own. A tutorial in my opinion teaches how a reverser could handle a particular situation, and after having read several tutorials, the reader may be able to find his own ways to break a protection (with some methods he learned in mind). Just my opinion, I don't blame you for having another one.
Pimp.exe - Posted November 21, 2007
I always have trouble with ASProtect. I rely on scripts for it myself, which I know is kinda n00bish, but me and ASProtect just don't get along. Like vinnie, I'm studying the scripts and trying to see how they do it. It's working actually. metr0 man, tuts are always appreciated on my end.
GioTiN - Posted November 26, 2007
With a script you can unpack this packer easily.
Thanks - GioTiN
antrobs - Posted December 5, 2007
@metr0 Looking forward to that tutorial!
AnTrObS
Apakekdah - Posted December 21, 2007
@GioTiN Can a script unpack this version of ASPR? Version: ASProtect 2.3 SKE build 06.26 Beta [Extract]. I don't think so... That's why I'm looking for tuts about completely unpacking manually from the beginning.
@zako Most tuts are written as if the author already has the clue, without knowing how we find it and why. That's why I got lost.
metr0 - Posted December 21, 2007
Released the tutor finally; wanted to re-do it, anyway, here it is. It's about 2.3 and no AIP yet, but just await version 2.
What - Posted December 23, 2007
I want to try and write a tutorial, but I have a lot of other things to do so it could be a while, so I will just write some quick notes. First off, as far as repairing the APIs, I have been using LoadLibraryA as a marker; I think it uses stolen GetProcAddress, so you can't breakpoint it. After you exit LoadLibraryA, you want to get 2 run-till-returns; you will see it as one return, then you step and it only goes a few opcodes down, then go through that ret. From there, depending on whether it has advanced API protection or not: without it, it's only a couple of steps; watch the register, I think eax, the right API will show up after 4 or 5 steps. If it is advanced, there are a couple of ways it can go; there are a couple of different code paths it can go through, not hard, you just have to watch the jumps: there will be a bunch of push eax, followed by a mov eax to something; just watch eax, it will show up. Remember it's not always the same spot on advanced protection. For easy repair I suggest writing a script and setting a bp on where eax shows the right API; takes a little, but works fine. Use find e8??????01 or something of the sort to find the bad calls. The stolen code isn't too bad either. If you want to repair it I suggest getting a template of the type of compiler so you know what code you will be looking for. The first couple of bytes are completely stolen, so watch the stack; the others will show up in bunches, just copy them and keep stepping. The next area is the way it returns to the code: it calls a section and returns to its code. I suggest setting a memory breakpoint on a section and just clicking run. It sucks if you have a lot of sections, but for this unpackme it will work fine. I don't think I have ever typed so much.
I don't have a generic way of finding the OEP, well I do, but it's dumb. Here is the easiest way I have found in 2.4 unpackmes: set a hardware breakpoint on GetModuleFileNameA and run till the address is in the module, then set a breakpoint on the section where the OEP would be located. Either it will land right there or you have stolen code. That was just some quick analysis.
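As an added example (not code from the post above, nor from any of the scripts mentioned in the thread), the following Python does the "find e8??????01" triage on a raw code section: it decodes every E8 rel32 call and reports those whose target lies outside the module image, which is what the byte search approximates. The image base, image size and the sample bytes are constructed assumptions for the demo; the target check also catches redirected calls whose displacement high byte is not 01.

```python
"""Triage redirected API calls in a dumped code section (constructed example)."""
import struct

IMAGE_BASE = 0x00400000   # assumed image base of the protected module
IMAGE_SIZE = 0x00100000   # assumed image size (1 MiB)


def find_redirected_calls(code: bytes, code_va: int,
                          image_base: int = IMAGE_BASE,
                          image_size: int = IMAGE_SIZE):
    """Return (call_va, target_va) for each E8 rel32 call in `code`
    (mapped at `code_va`) whose target falls outside the image.

    Every byte offset is tried, so a stray 0xE8 inside operand data can
    produce a false candidate; the list is meant as a worklist for the
    debugger, not as an authoritative decode."""
    hits = []
    for off in range(len(code) - 4):
        if code[off] != 0xE8:
            continue
        rel = struct.unpack_from("<i", code, off + 1)[0]
        target = (code_va + off + 5 + rel) & 0xFFFFFFFF   # next IP + rel32
        if not (image_base <= target < image_base + image_size):
            hits.append((code_va + off, target))
    return hits


def _call(from_va: int, to_va: int) -> bytes:
    """Encode `call to_va` as E8 rel32 for an instruction placed at from_va."""
    return b"\xE8" + struct.pack("<i", to_va - (from_va + 5))


# Constructed sample section at 0x00401000: a normal in-image call followed
# by one redirected into protector-allocated memory (0x01A00000 is made up).
CODE_VA = 0x00401000
SAMPLE = (b"\x55\x8B\xEC"                    # push ebp; mov ebp, esp
          + _call(CODE_VA + 3, 0x00401100)   # call inside the image: ignored
          + _call(CODE_VA + 8, 0x01A00000)   # call outside the image: flagged
          + b"\xC3")                         # ret

if __name__ == "__main__":
    for call_va, target in find_redirected_calls(SAMPLE, CODE_VA):
        print(f"redirected call at {call_va:08X} -> {target:08X}")
```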
Apakekdah - Posted December 24, 2007 (edited)
> Released the tutor finally; wanted to re-do it, anyway, here it is. It's about 2.3 and no AIP yet, but just await version 2.
I'll wait for the next tuts...
@What When should I do that thing? After I found the OEP or before? Thx
Edited December 24, 2007 by Apakekdah
What - Posted December 26, 2007 (edited)
> @What When should I do that thing? After I found the OEP or before?
Everything is after the OEP, or the start of the stolen code. Here is more info on stolen code. When in the stolen code there are three types of stolen code.
1.) The first one is the calls that go to module code.
2.) Calls to different parts of code, simple version; they are like hidden jumps.
3.) Hidden cmps followed by hidden jumps.
They are easy to see because the code will return to a call. Actually they are easy to analyse too. All info can be found at a certain part of code. I wish I could show you, but I'm not at home, so no pictures. It is close to when it returns to its start of stolen code; well, let's say you have code that goes to 021c0000, then there is a call ecx, or edx, which takes you to something like 00b9000; it will be right before it exits this area of code, a little before a jump esp-4. The code is a lot easier if you do some hardcore analysis.
Edited December 26, 2007 by What
GioTiN - Posted January 16, 2008
Script for version 2.4 found in REAOnline Team.