Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   ASProtect or UPX? (https://forum.exetools.com/showthread.php?t=10462)

int21h 12-13-2006 11:43
ASProtect or UPX?
 
I am trying to decompress a file and I am running into this:
When I check the signature of the file it is this:
Code:
signature: 68 01 80 71 01 E8 01 00 00 00 C3 C3 40 C9 F3 50
My signature log shows this:
ASProtect 1.33 - 2.1 Registered -> Alexey Solodovnikov
signature=68 01 ?? ?? ?? E8 01 00 00 00 C3 C3
Before I start the decompression I check the memory and find this:
Code:
00400000  00001000  aspmon                PE header    Imag  R        RWE
00401000  00221000  aspmon                code          Imag  R        RWE
00622000  00009000  aspmon                data          Imag  R        RWE
0062B000  00011000  aspmon                              Imag  R        RWE
0063C000  00005000  aspmon                              Imag  R        RWE
00641000  00001000  aspmon                exports      Imag  R        RWE
00642000  00001000  aspmon                              Imag  R        RWE
00643000  00001000  aspmon                              Imag  R        RWE
00644000  00024000  aspmon                              Imag  R        RWE
00668000  000B0000  aspmon    .rsrc      resources    Imag  R        RWE
00718000  0002E000  aspmon    .upx      imports,relo  Imag  R        RWE
00746000  00001000  aspmon    .adata                  Imag  R        RWE
So my question is this:
Has anyone seen this before?
My signature is saying it is compressed with ASProtect but when I check the memory it is showing upx. Are both correct? I have tried to decompress this using my methods for ASProtect and UPX but neither seems to work. Any information would be helpful.
int21h

deroko 12-13-2006 15:28
Section .adata is common for asprotect and aspack, and because you have push/call/retn/retn at ep, it seems like asprotect. But be carful it might be fake signature :)

b0yb4w4n9 12-14-2006 11:02
Check the section characteristics.

For UPX, there are either 2 to 3 sections found. The third section is the resource section. The first section characteristic has a flag 0xE0000080, the second flag 0xE0000040. The resource section characteristic 0xC0000040.

For Asprotect/Aspack, all the sections have the characteristic 0xE0000040. There are 3 to 5 sections found. Default compression with Asprotect, the first two sections usually have blank names.

In addition to deroko's reply, there are 5 sections where the first two sections have blank names. It is indeed packed by Asprotect.


All times are GMT +8. The time now is 17:10.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX