Exetools

Manually unpacking Asprotect (https://forum.exetools.com/showthread.php?t=3517)

Pompeyfan 03-02-2004 09:17

I can't get the program to run with either value of EAX, 0043809C or 00437478, something is still wrong :( I think we might need to see your whole tut, to backtrack where we have gone wrong. I've come up with the exact same problems as Ferrari all the way along. :confused:

R@dier 03-02-2004 12:43

you may want to check you have dumped in the correct place,
or that your IAT is correct.

another quick thing is have you reset the oep point to
00437578

the stolen bytes are
00437578 > $ 55             PUSH EBP                      ; real OEP
00437579   . 8BEC           MOV EBP,ESP
0043757B   . 83C4 F4        ADD ESP,-0C
0043757E   . 53             PUSH EBX
0043757F   . B8 78744300    MOV EAX,dumped_.00437478

if your IAT is correct and you have dumped in the right place
all should be working

Best Wishes

R@dier

ferrari 03-02-2004 16:13

Quote:

Originally posted by R@dier
you may want to check you have dumped in the correct place,
or that your IAT is correct.

another quick thing is have you reset the oep point to
00437578

the stolen bytes are
00437578 > $ 55             PUSH EBP                      ; real OEP
00437579   . 8BEC           MOV EBP,ESP
0043757B   . 83C4 F4        ADD ESP,-0C
0043757E   . 53             PUSH EBX
0043757F   . B8 78744300    MOV EAX,dumped_.00437478

if your IAT is correct and you have dumped in the right place
all should be working

Best Wishes

R@dier

R@dier i think u r right ...i'l do the imprec part again and check...i'l be back ;)

ferrari 03-02-2004 21:00

hurray!!! R@dier success...i wrongly fixed the IAT. Now it's unpacked successfully. Thank you very very much. Thank you LaBBA for a nice tut. Thank u pompeyfan for starting this topic. Thank u Markus-Djm, and my old friend...oops...Sir JMI and everyone else ;)


now i'l try practicing some more apps. :D

Nilrem 03-02-2004 21:43

I eagerly await your tutorial release R@dier, I suspect you have used LaBBa's method #1 for the stolen bytes or a modification of it.

Pompeyfan 03-03-2004 03:44

Okay, I'll do the dumping again later today too, thanks for that.:)

R@dier 03-03-2004 06:27

@Nilrem
Hi,
No I don't really use LaBBa Method for stolen bytes
the tut will be posted tomorrow after a couple of changes tonight


@ ferrari

Well done :-)


Best Wishes
R@dier

ferrari 03-03-2004 12:28

Pompeyfan if you are unable to do it...then i'l upload some screenshots on the IAT part.
And also i think there is a mistake in the last part of LaBBa's tut....PE Editor

EP = OEP - BASE = 437578 - 400000 = 37578 <--- correct

EP = 437589 - 400000 = 37589 <--- wrong (fake OEP)

If u have done this right then most probably u've done wrong in the Imprec part like i did. I wud like to help u. Another tut by Labba...see the link... In this he has explained the IAT part. His English is a bit poor :( but anywayz thank u LaBBa...at least u have shared ur knowledge....u have tried to explain it in best possible way...Everyone is a noob at some stage. :D

Anyways even LaBBA has received criticism for his tuts ;)

http://www.woodmann.net/forum/showthread.php?t=4958

R@dier i m eagerly waiting for ur tut :) ...i wanna know that easy way of finding the Stolen bytes.

btw i got some Aspr targets
--> AIMPR 2.20- http://www.elcomsoft.com/

--> SIGuardian 1.71- http://www.siguardian.com <-- ASProtect 1.23 RC4 - 1.3.08.24 -> Alexey Solodovnikov
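
Added example (not part of any post in this thread): a Python check of the EP = OEP - BASE arithmetic in the post above, reading ImageBase and AddressOfEntryPoint from a PE32 header and comparing them with the expected OEP. The header bytes are constructed for the demo (not a real dump), and the function names are hypothetical.

```python
import struct

def build_sample_pe(image_base, entry_rva):
    """Constructed minimal PE32 header for the demo (not a real dump)."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)   # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)            # ImageBase
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x40000, 0x1000,
                       0x40000, 0x400, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\x00\x00" + coff + bytes(opt) + text

def read_entry(pe):
    """Return (ImageBase, AddressOfEntryPoint, [(name, rva, vsize)])."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (nt,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[nt:nt + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    (nsect,) = struct.unpack_from("<H", pe, nt + 6)
    (opt_size,) = struct.unpack_from("<H", pe, nt + 20)
    opt = nt + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    (entry_rva,) = struct.unpack_from("<I", pe, opt + 16)
    (image_base,) = struct.unpack_from("<I", pe, opt + 28)
    sections = []
    for i in range(nsect):
        name, vsize, rva = struct.unpack_from("<8sII", pe, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\x00").decode("ascii", "replace"), rva, vsize))
    return image_base, entry_rva, sections

def check_entry(pe, expected_oep_va):
    """Compare the header's EP with EP = OEP - BASE for the expected OEP."""
    image_base, entry_rva, sections = read_entry(pe)
    expected_rva = expected_oep_va - image_base
    owner = next((n for n, rva, vs in sections if rva <= entry_rva < rva + vs), None)
    return {"entry_rva": entry_rva, "expected_rva": expected_rva,
            "match": entry_rva == expected_rva, "section": owner}

if __name__ == "__main__":
    for ep in (0x37578, 0x37589):          # values quoted in the post above
        print(check_entry(build_sample_pe(0x400000, ep), 0x437578))
```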

Pompeyfan 03-03-2004 18:46

Thanks mate, actually I did manage to successfully complete the unpacking today, not sure what I did wrong last time, I thought I did it the way you said last time, anyway the main thing is I did it right this time, the problem was certainly with the dumping and fixing of the IAT table.
I'll have to try a couple more now, just to make sure I have fully learned this new skill, I'm pretty happy to have finished my first anyway. ;) :)

Don Killah 03-05-2004 18:14

Hum, i'm eagerly waiting for this tut since i get an error while performing the tc eip<900000 trick. Anytime i do it on Asprotect last versions (1.23RC4) i get an
<target_exe> made a crash in "unknown" error...

Am i the only one having this bug or what, i'm using ollydebug 1.10 step2 on WinME... Plus i can't get the IsDebuggerPresent plugin to work, i use a tool called OllyGhost by Syn (Fool IsDebuggerPresent and can enable Kernel32 bps).

Anyone got a clue how to defeat this bug... or i just can't unpack the latest version of Aspr anymore. Thx

Nilrem 03-05-2004 23:09

I don't get that error, I suggest reporting it to Oleh directly or indirectly on the OllyDbg forums, have you tried using OllyDbg v1.10 step 1? That's what I'm currently using and it is working fine for aspr and isdebuggerpresent dll.

hxxp://www.grinders.withernsea.com/tools/odbg110b1.rar

Phantom 03-06-2004 07:24

Where is your tutorial R@dier, any news?
I like your other tutorials very much, sry
my english sucks :D BTW this is my first
post in this Forum, hi to all who
read this ;)

R@dier 03-06-2004 16:41

Hi Phantom,

It's available here



http://www.exetools.com/forum/showthread.php?s=&threadid=3594

Don Killah 03-11-2004 22:11

i used both v1.10step1 and step2... it didn't work so i switched back to version 1.09d and i still get the same stuff... quite strange...


All times are GMT +8.