Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   need help unpacking ASProtect (https://forum.exetools.com/showthread.php?t=10261)

Fade 10-11-2006 06:16

need help unpacking ASProtect
 
I am having problems unpacking a program again. The protected program I am trying to unpack is AATools (AATools v5.92 Build 1610).
Homepage: http://www.glocksoft.com/aatools.htm

The protector it uses is ASProtect, but the problem is I am not sure which version. I used PEiD and then based on what it told me, I went looking for a MUP tut or an auto unpacker. I spent a while playing around and following different guides. After messing around for a while I tried using the older version of PEiD just to make sure it is really ASProtect, but when I checked it, it was recognised as a different version.

So I checked it with some other tools as well, and this is what I saw:

Quote:

PEiD v0.93
ASProtect 1.2x - 1.3x [Registered] -> Alexey Solodovnikov

PEiD v0.94
ASProtect 2.1x SKE -> Alexey Solodovnikov

pe-scan 3.31 (3.13 the writing is messed up)
no recognised packer/encryptor found

ProtectionID5.1f
ASProtect v2.2 detected

RDG Packer Detector v0.6.4 Beta R-1
ASProtect v2.xx

STUD_PE v2.3.0.1 (detects the same as v2.2.5.0)
ASProtect 1.2x [New Strain] -> Alexey Solodovnikov

Exeinfo PE version 0.0.1.4 a
ASprotect 2.1 ( www.aspack.com/asprotect.htm )

GT2 0.35
Not processed/created with any known program

PFS beta 0.11
ASProtect v1.2x (New Strain)

aPE.public.version_0.1.0beta_release
ASProtect 1.x - 2.x /SKE/

PE Tools v1.5 Build 400 (xmas edition)
ASProtect v1.2x (New Strain)

I also checked it with a few others, which either recognised it incorrectly or couldn't recognise it at all. I don't know the exact version, so it is hard to find a guide to unpack it.

The closest I have got is using a guide written in Vietnamese. I can't remember where I got this guide originally. It might even have been from this forum, but I will upload it to this thread so that if anybody can help me, they don't have to go looking for it.

--------------------------
I think I have explained enough so far to let you know my situation; now I'll tell you where I currently am.

I open AATools in Olly with the 2 plugins and scripts in the same directory as Olly. I also have my exceptions configured like they are configured in the picture. I run the IAT fixer script and, when that is finished and it tells me the import tables are fixed, I press ALT + M, set a breakpoint on memory access on the line underneath "PE Header", press F9 and dump the file.
(Little note: you need to run the IAT fixing script with ODbgScript, not OllyScript, otherwise it will give an error about BPHWCALL.)

I open the file in ImpREC, click "IAT autosearch", then "Get Imports". It finds that most of them are correct, but 2 are wrong. So I choose "Show Invalid", and on the invalid thunks I right-click and choose "Plugin Tracers" -> "ASPR2", which is the ASPR2 plugin that comes with the tutorial.

It says they are fixed, but when I click "Fix Dump" and it saves the file, I run the file and it doesn't work :P

So I don't know what to do, or what I am doing wrong :(

Please help me, if you want any more information just ask.
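The detectors listed above disagree because each matches a byte signature against the protector's stub, and those signatures drift between ASProtect builds. For triage on the defensive side (deciding whether a sample is runtime-packed at all before anything is executed) it is more robust to look at structural traits that every runtime unpacker leaves behind: a large section with no data on disk that gets filled in at run time, sections that are both writable and executable, and near-random (high-entropy) section contents. The following is an added example, not code from this thread or from any of the tools it names; it parses the PE section table by hand, scores each section, and runs against a minimal PE image that is constructed inside the script (the entropy threshold and the reason codes are assumptions of the example).

```python
"""Version-agnostic packer triage over PE section headers (added example).

The sample PE is constructed in-script; it is not a real binary.
"""
import math
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

HIGH_ENTROPY = 7.0  # bits per byte; assumed triage threshold for "compressed/encrypted"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        (chars,) = struct.unpack_from("<I", pe, off + 36)
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name, "virtual_size": vsize, "raw_size": raw_size,
            "characteristics": chars, "entropy": shannon_entropy(data),
        })
    return sections


def triage_pe(pe: bytes) -> dict:
    """Map section name -> list of packer indicators found in that section."""
    findings = {}
    rwx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    for s in parse_sections(pe):
        reasons = []
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            reasons.append("no-raw-data")    # space reserved for code unpacked at run time
        if s["characteristics"] & rwx == rwx:
            reasons.append("rwx")            # section that can rewrite its own code
        if s["entropy"] > HIGH_ENTROPY:
            reasons.append("high-entropy")   # compressed or encrypted payload
        if reasons:
            findings[s["name"]] = reasons
    return findings


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 with three sections showing the three indicators."""
    e_lfanew, opt_size = 0x40, 0xE0
    specs = [  # name, vsize, vaddr, raw_size, raw_ptr, characteristics, payload
        (b".text", 0x10000, 0x1000, 0, 0,
         IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, b""),
        (b".data", 0x1000, 0x11000, 0x1000, 0x200, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE,
         bytes((i * 131 + 7) % 256 for i in range(0x1000))),  # each byte value 16x: entropy 8.0
        (b".rsrc", 0x200, 0x12000, 0x200, 0x1200, IMAGE_SCN_MEM_READ, b"A" * 0x200),
    ]
    img = bytearray(0x1400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    struct.pack_into("<HH", img, coff, 0x14C, len(specs))  # i386 machine, section count
    struct.pack_into("<H", img, coff + 16, opt_size)
    struct.pack_into("<H", img, coff + 20, 0x10B)          # PE32 optional-header magic
    table = coff + 20 + opt_size
    for i, (name, vsize, vaddr, raw_size, raw_ptr, chars, payload) in enumerate(specs):
        off = table + i * 40
        img[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", img, off + 8, vsize, vaddr, raw_size, raw_ptr)
        struct.pack_into("<I", img, off + 36, chars)
        img[raw_ptr:raw_ptr + raw_size] = payload
    return bytes(img)


if __name__ == "__main__":
    for name, reasons in triage_pe(build_sample_pe()).items():
        print(f"{name:8s} {', '.join(reasons)}")
```

On the constructed image the `.text` section is flagged for having no on-disk data and for being writable and executable, `.data` for its 8.0 bits/byte entropy, and `.rsrc` is left alone. These traits do not name the protector the way a signature does, but they do not silently disagree between builds either, which is what makes them usable as a first-pass filter before a sample goes anywhere near a debugger.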

Jupiter 10-11-2006 23:10

Use VerA plugin for PEiD to detect exact ASProtect version.

You can download it in my post:
ASProtect Version Detection
Direct link to archive:
VerA v0.15.rar

Fade 10-12-2006 07:40

The tutorial I said I didn't know the origin of came from here: http://www.exetools.com/forum/showthread.php?t=9624

Jupiter, thank you for the reply. I tried that program and it gave me this:
Version: ASProtect 2.xx (may be 2.11) Registered [1]

There are a lot of guides for the different versions. I think "ASProtect 2.xx (IAT Rebuilding + Stolen Code)" will work; I got it from http://www.tuts4you.com/blogs/download.php?view.279 . Well, the first few parts work like the tutorial says, but then I get lost. Also, there are a lot of scripts that come with it, which I don't know what to do with yet; they haven't said I need to use them, so maybe it covers that later.

I get to:
Quote:

F9, stops in the common Bp, we removed is and we put memory BP again on Write, F9 and for here.

I remove the memory BP (I think that is right), then I toggle a breakpoint on "PUSH EBX" like in the picture, but I don't understand what to do next. It says:

Quote:

Again he himself method to pass the curl.
Let us be paying attention to the registries when for every time.
If we followed the registries we will see that in this zone asprotect writes the jumps to
its sections we go to dump.

But I don't know what to do :p

deroko 10-13-2006 01:01

Did you check this tut --> http://forum.exetools.com/showthread.php?t=9912 ...
You may download it at tutorials.accessroot.com

barmarwan 09-19-2009 12:58

ASProtect V2.X Registered -> Alexey Solodovnikov *
 
Quote:

Originally Posted by selambebegim (Post 61736)
Thank you, brother.

Pls help

I do not know what the real version of ASProtect is.
When I use Exeinfo PE v0.0.2.2 I get:
ASprotect ver 2.1 / 2.^ ( www.aspack.com/asprotect.htm )

but using DiE 6.4 I get:
ASProtect V2.X Registered -> Alexey Solodovnikov *

and with PEiD 0.95 I get:
ASProtect 1.33 - 2.1 Registered -> Alexey Solodovnikov

How can I know the exact version?

Pls help.

Jupiter 09-20-2009 02:07

ASPrINFO
 
ASPrINFO v 1.6 Beta
100% detector version of ASProtect > v1.23

© nik0g0r 2oo7

XQuader 05-23-2011 14:49

Quote:

Originally Posted by hkn225 (Post 73078)
Why can I not download the file? I do not understand.

Read rules - this and this
If you need ASprotect version detectors - here they are...
ASPrINFO 1.6 beta
VerA 2.03

giv 05-23-2011 16:11

It's a useful tool, but I have one requirement...
 
Quote:

Originally Posted by Jupiter (Post 65183)
ASPrINFO v 1.6 Beta
100% detector version of ASProtect > v1.23

© nik0g0r 2oo7

Please post an English-translated version of ASPriNF.txt from the archive.
Thank you!

deepzero 05-25-2011 22:12

There's also one from PE Kill, I think.

AFAIK the readme just states it should work on all 1.x/2.x versions except for aspro itself.

(btw, this thread is from 2006/09...)
