Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Unpacking ASProtect with OllyDbg??? (https://forum.exetools.com/showthread.php?t=1709)

BoostMan 12-14-2002 03:40

Unpacking ASProtect with OllyDbg???
 
Hi,

I just want to know if it is possible to unpack
an ASProtected file with OllyDbg, or is it only
possible by tracing with SoftIce?

If anyone can help a not-so-advanced reverser,
it would be very nice!

Best regards

BoostMan

_Servil_ 12-14-2002 17:19

You can't. OD is an app-level debugger; you have to use SI.

BoostMan 12-15-2002 05:16

Thanx for the info!
BoostMan

crusader 12-15-2002 23:11

Why not?

Unpacking ASProtect can be done with Olly, surely? ASPr doesn't have any ring-0 trick, as far as I am aware?

_Servil_ 12-15-2002 23:59

why not?
I remember once I did this and got lost at int 2e, which OD isn't able to trace. As I got the info on the OD forum, it might be implemented in version 2.
Besides this, (IMO) clearing debug registers works nicely on OD; I think there's no SuperBPM for OD.

xxxxx 12-20-2002 17:49

Well, it actually works.
 
1. Find OEP
2. Execute till OEP (OLLY - mem breakpoint to access on OEP)
3. PEDump - put all flags(rebuild options part), select REBUILD NEW IMPORT TABLE
4. PEDump - REBUILD PE (Check if you can load it in Olly debugger)
5. IMPREC - Find all api-s
6. IMPREC - Make fix dump
7. Eventually - Fix OEP in PE header if imprec didn't do already
8. Eventually - check on win 98 if all dll functions are exported

I tried and succeeded.
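Step 7 above (fixing the OEP in the PE header once the dump has been rebuilt) is a plain header edit, and it is worth checking that the new entry point actually falls inside a section before writing it. The following is an added example, not code from this thread or from any of the tools named in it: it builds a constructed, header-only PE32 image in memory (no real binary is involved), reads AddressOfEntryPoint, reports which section the RVA lands in, and patches the field with that range check. All helper names are this example's own.

```python
"""Read and patch AddressOfEntryPoint in a PE32 header, with a section range check.

The sample image, the section names and every helper below are constructed for
this example; they are not part of any tool mentioned in the thread.
"""
import struct


def build_sample_pe():
    """Construct a minimal PE32 image (headers only, no real code).
    The entry point is set to the start of the second section, the way a
    protector stub would sit in front of the original entry point."""
    # (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
    sections = [
        (b".text", 0x1000, 0x3000, 0x200, 0x3000),
        (b".aspr", 0x5000, 0x2000, 0x3200, 0x2000),
    ]
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew -> NT headers
    size_of_optional = 224                                # standard PE32 optional header
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                              size_of_optional, 0x0102)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", optional, 16, 0x5000)          # AddressOfEntryPoint -> stub section
    struct.pack_into("<I", optional, 28, 0x400000)        # ImageBase
    struct.pack_into("<I", optional, 32, 0x1000)          # SectionAlignment
    struct.pack_into("<I", optional, 36, 0x200)           # FileAlignment
    # IMAGE_SECTION_HEADER is 40 bytes; 0x60000020 = code | execute | read
    sect_hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, rva, rawsize,
                    rawoff, 0, 0, 0, 0, 0x60000020)
        for name, rva, vsize, rawoff, rawsize in sections)
    return bytes(dos) + b"PE\0\0" + file_header + bytes(optional) + sect_hdrs


def _nt_offsets(data):
    """Return (optional header offset, first section header offset, section count)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    size_of_optional, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                                   # signature (4) + file header (20)
    magic, = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 is handled in this example")
    return opt, opt + size_of_optional, num_sections


def sections(data):
    """List (name, VirtualAddress, VirtualSize) for every section header."""
    _, first, count = _nt_offsets(data)
    out = []
    for i in range(count):
        name, vsize, rva = struct.unpack_from("<8sII", data, first + 40 * i)
        out.append((name.rstrip(b"\0").decode(), rva, vsize))
    return out


def read_entry_point(data):
    """AddressOfEntryPoint sits at offset 16 of the optional header."""
    opt, _, _ = _nt_offsets(data)
    return struct.unpack_from("<I", data, opt + 16)[0]


def section_for_rva(data, rva):
    """Name of the section whose virtual range contains rva, or None."""
    for name, start, vsize in sections(data):
        if start <= rva < start + vsize:
            return name
    return None


def set_entry_point(data, new_rva):
    """Return a copy of data with AddressOfEntryPoint replaced by new_rva.
    Refuses an RVA that no section covers, since such an OEP can never run."""
    if section_for_rva(data, new_rva) is None:
        raise ValueError(f"RVA {new_rva:#x} is not inside any section")
    opt, _, _ = _nt_offsets(data)
    patched = bytearray(data)
    struct.pack_into("<I", patched, opt + 16, new_rva)
    return bytes(patched)


if __name__ == "__main__":
    img = build_sample_pe()
    ep = read_entry_point(img)
    print(f"entry point {ep:#x} in section {section_for_rva(img, ep)}")
    fixed = set_entry_point(img, 0x1234)                  # 0x1234 is a constructed OEP
    ep = read_entry_point(fixed)
    print(f"patched entry point {ep:#x} in section {section_for_rva(fixed, ep)}")
```

The same offsets apply to a dump written to disk: open the file in binary mode, pass its contents to `read_entry_point` and `set_entry_point`, and write the returned bytes back. Only the first and second fields that `_nt_offsets` checks (the MZ and PE signatures) and the PE32 magic are validated; a PE32+ image has a different optional header layout and is rejected rather than misread.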

xxxxx 12-20-2002 17:51

sorry forgot something
 
This method works only with ASPROTECT ver 1.2, 1.2 new strain,
and before.

menw 01-13-2003 17:43

You might consider using revirgin.

Find it at h++p://www.woodmann.com/fravia/index.htm.

I'm not sure if you get it working, but it's worth a try.
(I still must find the time to look closer at this thing).

menw

P.S.: If it turns out to be useful, please post your experience.

ByTESCRK 01-18-2003 23:38

OllyDBG unpack ASPR
 
Maybe our friend RNarvaja could comment something about that.

Ricardo, if you see this, maybe you can comment on it. :D

_Servil_ 01-18-2003 23:45

Nope, it's cleared debug registers; you can't stop it any way on OEP.

Squidge 01-19-2003 01:45

I find it's easier to dump the process whilst it's running, and then investigate that file to find the OEP.

ByTESCRK 01-21-2003 00:30

It's easy to dump with Olly; my problem is building the IAT :D

You can see a tute here

hxxp://karpoff.redfutura.net/manuales/0catch/archivos_0catch/asprotect%201.23%20con%20ollydbg.doc

Sorry, it's Spanish. But you can take the idea. :p
