Tuts 4 You

[unpackme] Asprotect Ske 2.4 (build 09.11)


Teddy Rogers

I just want to know how to unpack this step-by-step manually.

You're not the only one my friend. Call me dumb but I have been reading up on this packer for 2 weeks and still I have not got a clear understanding of it because most of the tuts use scripts like Sunbeam said. That's why I have been single-stepping through the Volx script to learn from. ;)

Edited by vinnie
:D

I never succeeded in unpacking ASPR SKE even though I read all the tutorials.

I got lost in the middle of the tuts.

:wacko:

Nevertheless I'm thinking of writing a tutorial. Let's see when I'll find the time. :)

What is your point? There's a difference between reversing a protection and writing a tutorial on it, and reading a tutorial and believing you are reversing.


I know there's a difference, but a tutorial may motivate the people to play around with the protection on their own. A tutorial in my opinion teaches how a reverser could handle a particular situation and after having read several tutorials, the reader may be able to find his own ways to break a protection (with some methods he learned in mind).

Just my opinion, I don't blame you for having another one. :)


I always have trouble with ASProtect. I rely on scripts for it myself, which I know is kinda n00bish, but me and ASProtect just don't get along. Like vinnie, I'm studying the scripts and trying to see how they do it. It's working actually.

metr0 man, tuts are always appreciated on my end. :)


@GioTiN

Can a script unpack this version of ASPR?

Version: ASProtect 2.3 SKE build 06.26 Beta [Extract]

I don't think so... :D

That's why I'm looking for tuts about completely unpacking it manually from the beginning. :D

@zako

Most tuts are written as though the author already has the clue, without explaining how we find it and why.

That's why I got lost.


I want to try and write a tutorial, but I have a lot of other things to do so it could be a while, so, I will just write some quick notes.

First off, as far as repairing the APIs, I have been using LoadLibraryA as a marker. I think it uses stolen GetProcAddress, so you can't breakpoint it. After you exit LoadLibraryA, you want to get 2 run till returns: you will see it as one return, then you step and it only goes a few opcodes down, then go through that ret. From there, depending on whether it has advanced API protection or not: without it, it's only a couple of steps, watch the register, I think eax, the right API will show up after 4 or 5 steps. If it is advanced there are a couple of ways it can go, there are a couple of different codes it can go through, not hard, you just have to watch the jumps. There will be a bunch of push eax, followed by a mov eax to something, just watch the eax, it will show up. Remember it's not always the same spot on advanced protection. For easy repair I suggest writing a script and setting a bp on where the eax shows the right API, takes a little but works fine. Use find e8??????01 or something of the sort to find the bad calls.

The stolen code isn't too bad either. If you want to repair it I suggest getting a template of the type of compiler so you know what code you will be looking for. The first couple of bytes are completely stolen, so watch the stack; the others will show up in bunches, just copy them and keep stepping.

The next area is the way it returns to the code: it calls a section and returns to its code. I suggest setting a memory breakpoint on a section and just clicking run. It sucks if you have a lot of sections, but for this unpackme it will work fine. I don't think I have ever typed so much.

I don't have a generic way of finding the OEP, well I do, but it's dumb. Here is the easiest way I have found in 2.4 unpackmes: set a hardware breakpoint on GetModuleFileNameA and run till the address on the module, then set a breakpoint on the section where the OEP would be located. Either it will land right there or you have stolen code. That was just some quick analysis.

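The "find e8??????01" idea in the post above, as an added Python example that is not from the thread or any of its posters: it sweeps a constructed code section for E8 rel32 calls and flags those whose computed target lies outside the image, which is how an analyst lists the calls the protector redirected into its own allocated memory. The image base, section address, target address and sample bytes are all constructed for illustration, not taken from the unpackme.

```python
import struct

# Constructed layout (hypothetical, not the unpackme's real values): image mapped at
# 0x00400000-0x00410000, code section starting at 0x00401000.
IMAGE_BASE = 0x00400000
IMAGE_END = 0x00410000
SECTION_VA = 0x00401000


def rel32(call_va, target):
    """Little-endian rel32 displacement for an E8 call located at call_va."""
    return struct.pack("<i", target - (call_va + 5))


def build_sample():
    """Constructed code bytes: one normal call and one call redirected to 0x01xxxxxx memory."""
    code = bytearray(b"\x55\x8b\xec")                            # push ebp; mov ebp, esp
    code += b"\xe8" + rel32(SECTION_VA + 3, SECTION_VA + 0x40)   # call to a function inside the image
    code += b"\x90\x90"                                          # nop; nop
    code += b"\xe8" + rel32(SECTION_VA + 10, 0x01A3C000)         # call redirected outside the image
    code += b"\x33\xc0\xc3"                                      # xor eax, eax; ret
    return bytes(code)


def find_redirected_calls(code, section_va, image_base, image_end):
    """Return [(call_va, target_va)] for each E8 whose rel32 target lies outside the image.

    This is a byte-pattern sweep like Olly's 'find e8 ?? ?? ?? ??', not a disassembly,
    so an E8 byte inside data or in the middle of another instruction is a false
    positive that still has to be checked by hand in the debugger.
    """
    hits = []
    for off in range(len(code) - 4):
        if code[off] != 0xE8:
            continue
        disp = struct.unpack_from("<i", code, off + 1)[0]
        call_va = section_va + off
        target = (call_va + 5 + disp) & 0xFFFFFFFF
        if not (image_base <= target < image_end):
            hits.append((call_va, target))
    return hits


if __name__ == "__main__":
    for call_va, target in find_redirected_calls(build_sample(), SECTION_VA, IMAGE_BASE, IMAGE_END):
        print(f"call at {call_va:08X} -> {target:08X} (outside image, needs repair)")
```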
Released the tutor finally, wanted to re-do it, anyway, here it is. It's about 2.3 and no AIP yet, but just await version 2. :P
I'll wait for the next tuts... :wub:

@What

When should I do that thing?

After I found the OEP or before?

thx

Edited by Apakekdah
Everything is after OEP, or the start of stolen code. Here is more info on stolen code. When in the stolen code there are three types of stolen code: 1.) the first one is the calls that go to module code, 2.) calls to different parts of code, simple version, they are like hidden jumps, 3.) hidden cmps followed by hidden jumps. They are easy to see because the code will return to a call. Actually they are easy to analyse too. All info can be found at a certain part of code. I wish I could show you but I'm not at home so no pictures. It is close to when it returns to its start of stolen code, well let's say you have code that goes to 021c0000, then there is a call ecx, or edx, which takes you to something like 00b9000, it will be right before it exits this area of code, a little before a jump esp-4. The code is a lot easier if you do some hardcore analysis.

Edited by What