Tuts 4 You

[unpackme] ASmbc


by:70


Ok so I thought this was the OEP.

66003575 FF15 98100066 CALL DWORD PTR DS:[66001098] ; ntdll.RtlLeaveCriticalSection
6600357B C3 RETN
6600357C 55 PUSH EBP ; unpakme.00405013 - OEP
6600357D 8BEC MOV EBP,ESP
6600357F 6A FF PUSH -1

When I dump the file I get an error when opening it. Am I missing something?


Ok well, I've unpacked it. I sort of cheated and had a look at pavka's unpacked .exe. I don't understand why the starting address has to be placed there.

Also, how do we remove extra sections that aren't needed to minimise the file size?

http://rapidshare.com/files/171648398/dump.rar

When you reach the moleboxed OEP (ESP trick and go inside call eax), run the program and search for intermodular calls. You'll see one call:

msvbvm60.ThunRTMain <==== It's always placed before the OEP in VB programs

The OEP is this:

00401128 68 4C1B4000 PUSH 00401B4C ; ASCII "VB5!6&vb6chs.dll"
0040112D E8 F0FFFFFF CALL 00401122 ; JMP to msvbvm60.ThunRTMain

Fixing the IAT is easy.... To remove the extra section I used DIE because it scans the sections...

Example (section a: code, section b: imports, section c: resource, section d: none... maybe it is an "extra section"....). Then you can wipe those sections and rebuild the exe with LordPE.

Regards

NoScONf

Edited by nosconf
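
The OEP pattern described in the reply above (a PUSH of the "VB5!" header address followed by a CALL to the ThunRTMain jump thunk) can be searched for in a dumped image. This is an added example, not part of the original thread; the function names, the flat image mapped at base 00400000 and the IAT slot value are assumptions, and the sample bytes are constructed from the addresses quoted in the post.

```python
import struct

def find_vb6_oep(image: bytes, base: int) -> list[int]:
    """Return VAs of 'PUSH <VB5! header>; CALL <jmp thunk>' stubs in a flat image."""
    hits = []
    pos = image.find(b"VB5!")
    while pos != -1:
        # The stub pushes the VA of the VB header, so build that exact PUSH imm32.
        push = b"\x68" + struct.pack("<I", base + pos)
        at = image.find(push)
        while at != -1:
            call = at + 5
            if image[call:call + 1] == b"\xE8" and call + 5 <= len(image):
                rel = struct.unpack_from("<i", image, call + 1)[0]
                target = call + 5 + rel  # image offset of the CALL destination
                # ThunRTMain is reached through an import thunk: JMP DWORD PTR [iat]
                if target >= 0 and image[target:target + 2] == b"\xFF\x25":
                    hits.append(base + at)
            at = image.find(push, at + 1)
        pos = image.find(b"VB5!", pos + 1)
    return hits

def build_sample() -> tuple[bytes, int]:
    """Constructed image reproducing the layout quoted in the post."""
    base = 0x00400000
    img = bytearray(0x2000)
    # 00401122: JMP DWORD PTR [IAT slot]; the slot address is a placeholder
    img[0x1122:0x1128] = b"\xFF\x25" + struct.pack("<I", 0x00401000)
    img[0x1128:0x112D] = b"\x68\x4C\x1B\x40\x00"  # PUSH 00401B4C
    img[0x112D:0x1132] = b"\xE8\xF0\xFF\xFF\xFF"  # CALL 00401122
    img[0x1B4C:0x1B50] = b"VB5!"                  # start of the VB header
    # Decoy: same PUSH, but the CALL target is not a jump thunk
    img[0x1200:0x1205] = b"\x68\x4C\x1B\x40\x00"
    img[0x1205:0x120A] = b"\xE8\x00\x00\x00\x00"
    return bytes(img), base

if __name__ == "__main__":
    image, base = build_sample()
    for va in find_vb6_oep(image, base):
        print(f"candidate OEP: {va:08X}")
```
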