#6
06-08-2004, 20:26
Perdition
 
Posts: n/a
Thanks for your replies,

britedream:

You are absolutely correct, I followed the call and indeed it moves eax into ebx right at the beginning of the proc! I should have checked that, but I know now for next time.

SvensK:

I'm sure I have, but perhaps I'm missing something; I will explain in a moment.

All:

I apologise if I'm missing something simple (still learning), but I'm still not getting it right, and I think I'm not doing something properly with ImpRec. I will break down exactly what I've done so far so you can kick me where I've missed something!


In Olly 1.10 before inserting stolen bytes:

00575DFE 57 PUSH EDI
00575DFF 0000 ADD BYTE PTR DS:[EAX],AL <--- This is why I thought OEP = 575DFF
00575E01 0000 ADD BYTE PTR DS:[EAX],AL
00575E03 0000 ADD BYTE PTR DS:[EAX],AL
00575E05 0000 ADD BYTE PTR DS:[EAX],AL
00575E07 0000 ADD BYTE PTR DS:[EAX],AL
00575E09 0000 ADD BYTE PTR DS:[EAX],AL
00575E0B E8 5C11E9FF CALL AddressB.00406F6C

In Olly after stolen bytes:

00575DFE 57 PUSH EDI
00575DFF 90 NOP <--- This is the extra byte I was talking about
00575E00 55 PUSH EBP
00575E01 8BEC MOV EBP,ESP
00575E03 83EC 10 SUB ESP,10
00575E06 B8 70575700 MOV EAX,AddressB.00575770
00575E0B E8 5C11E9FF CALL AddressB.00406F6C

Ok at this point I right click on 00575E00 and select New Origin Here.
Then Plugins -> OllyDump -> Dump debugged process, uncheck "Rebuild Import" and dump.


In ImpRec 1.6F:

Attach to addressbookrecovery.exe
Click IAT AutoSearch
Set Size to 1000
Click Get Imports
Click Show Invalid
Right click -> Trace Level1
Click Show Invalid
Right click -> Plugin Tracers -> aspr2
Click Show Invalid
Check for any remaining functions in ASProtect address space (none that I can see)
Right click -> Cut thunk(s)
Click Fix Dump and select dumped file.

These are my ImpRec option settings:

New Imports - All unchecked.
Fix EP to OEP - unchecked.
Use PE Header From Disk - checked.

Add new section (main screen) - checked.


After all this I run the fixed dump, but the program doesn't load. All it does is generate a file called Err.log with the contents "Error ppp.03".
BTW, I'm running Windows 2003 Server; the original program runs fine, so I assume it should run fine when unpacked.

Once again, I appreciate all the help; I'm learning a lot.
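As an added example (not part of Perdition's post, nor code from OllyDbg, OllyDump or ImpRec), the small Python script below re-checks the arithmetic behind the two listings quoted in the post: that the re-inserted prologue tiles the range from 575E00 up to the CALL with no gap, that the stolen bytes come to 11 (0xB) bytes, so the single NOP at 575DFF is exactly the padding needed to fill the 12 zero bytes Olly showed before the patch, and that the E8 rel32 CALL at 575E0B still resolves to 00406F6C after the bytes are written back. The two listing strings are copied from the post; the parser and the helper functions are my own and assume OllyDbg's "address, hex bytes, mnemonic" column layout.

```python
import re

# Both listings are copied verbatim from the post (OllyDbg 1.10 output). The
# parser below assumes Olly's "VA  hex-bytes  mnemonic operands" column layout.
LISTING_BEFORE = """\
00575DFE 57 PUSH EDI
00575DFF 0000 ADD BYTE PTR DS:[EAX],AL
00575E01 0000 ADD BYTE PTR DS:[EAX],AL
00575E03 0000 ADD BYTE PTR DS:[EAX],AL
00575E05 0000 ADD BYTE PTR DS:[EAX],AL
00575E07 0000 ADD BYTE PTR DS:[EAX],AL
00575E09 0000 ADD BYTE PTR DS:[EAX],AL
00575E0B E8 5C11E9FF CALL AddressB.00406F6C
"""

LISTING_AFTER = """\
00575DFE 57 PUSH EDI
00575DFF 90 NOP
00575E00 55 PUSH EBP
00575E01 8BEC MOV EBP,ESP
00575E03 83EC 10 SUB ESP,10
00575E06 B8 70575700 MOV EAX,AddressB.00575770
00575E0B E8 5C11E9FF CALL AddressB.00406F6C
"""

HEX_TOKEN = re.compile(r"^[0-9A-F]+$")


def parse_listing(text):
    """Return a list of (va, raw_bytes, disassembly) tuples, one per listing line.

    Byte tokens are the even-length, all-hex tokens that follow the address; the
    first token that is not pure hex (PUSH, MOV, CALL, ...) starts the mnemonic.
    """
    insns = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        va = int(toks[0], 16)
        raw = bytearray()
        i = 1
        while i < len(toks) and HEX_TOKEN.match(toks[i]) and len(toks[i]) % 2 == 0:
            raw += bytes.fromhex(toks[i])
            i += 1
        insns.append((va, bytes(raw), " ".join(toks[i:])))
    return insns


def gaps(insns):
    """Addresses where one instruction's end does not meet the next one's start.

    An empty list means the bytes tile the range exactly (no missing or extra byte).
    """
    out = []
    for (va, raw, _), (nxt, _, _) in zip(insns, insns[1:]):
        if va + len(raw) != nxt:
            out.append((va + len(raw), nxt))
    return out


def byte_count(insns, start, end):
    """Total listed bytes of the instructions that start inside [start, end)."""
    return sum(len(raw) for va, raw, _ in insns if start <= va < end)


def call_target(va, raw):
    """Resolve an E8 rel32 CALL: target = address of the next instruction + signed disp32."""
    if raw[0] != 0xE8 or len(raw) != 5:
        raise ValueError("not a 5-byte E8 rel32 CALL")
    disp = int.from_bytes(raw[1:5], "little", signed=True)
    return (va + len(raw) + disp) & 0xFFFFFFFF


def mov_eax_imm32(raw):
    """Decode B8 imm32 (MOV EAX, imm32) and return the immediate."""
    if raw[0] != 0xB8 or len(raw) != 5:
        raise ValueError("not a 5-byte B8 imm32 MOV EAX")
    return int.from_bytes(raw[1:5], "little")


if __name__ == "__main__":
    before = parse_listing(LISTING_BEFORE)
    after = parse_listing(LISTING_AFTER)
    print("gaps before:", gaps(before), "gaps after:", gaps(after))
    # Zero bytes Olly showed between PUSH EDI and the CALL, versus the stolen prologue.
    print("zero run:", byte_count(before, 0x575DFF, 0x575E0B), "bytes")
    print("stolen prologue:", byte_count(after, 0x575E00, 0x575E0B), "bytes (+1 NOP pad)")
    call_va, call_raw, _ = after[-1]
    print("CALL target: %08X" % call_target(call_va, call_raw))
    print("MOV EAX imm: %08X" % mov_eax_imm32(after[5][1]))
```

The point of the contiguity check is the "extra byte" question in the post: 575E0B minus 575DFF is 12 bytes, the restored prologue is 11, so one NOP is the only way to keep the CALL at its original address without disturbing its rel32 displacement.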