Old 03-01-2004, 14:13
R@dier
 
You have to NOP quite a bit.

All of this must be NOP-ed:

00A5683D FF50 28 CALL DWORD PTR DS:[EAX+28]
00A56840 E8 4668A500 CALL 014AD08B
00A56845 0F58EB ADDPS XMM5,XMM3
00A56848 019A C1D8C5F2 ADD DWORD PTR DS:[EDX+F2C5D8C1],EBX
so it becomes:

00A56824 F3: PREFIX REP: ; Superfluous prefix
00A56825 334424 38 XOR EAX,DWORD PTR SS:[ESP+38]
00A56829 3E:EB 01 JMP SHORT 00A5682D ; Superfluous prefix
00A5682C 6981 D0CE9277 8A>IMUL EAX,DWORD PTR DS:[ECX+7792CED0],1EB>
00A56836 6968 0B D04A0158 IMUL EBP,DWORD PTR DS:[EAX+B],58014AD0
00A5683D 90 NOP
00A5683E 90 NOP
00A5683F 90 NOP
00A56840 90 NOP
00A56841 90 NOP
00A56842 90 NOP
00A56843 90 NOP
00A56844 90 NOP
00A56845 90 NOP
00A56846 90 NOP
00A56847 90 NOP
00A56848 90 NOP
00A56849 90 NOP
00A5684A 90 NOP
00A5684B 90 NOP
00A5684C 90 NOP
00A5684D 90 NOP
00A5684E EB 01 JMP SHORT 00A56851
00A56850 F2: PREFIX REPNE: ; Superfluous prefix

Then continue the process; eventually you will find:

00A565C5 55 PUSH EBP ; start of stolen bytes
00A565C6 EB 01 JMP SHORT 00A565C9
00A565C8 E8 8F442400 CALL 00C9AA5C
00A565CD 8BEC MOV EBP,ESP
00A565CF 81EC 0C000000 SUB ESP,0C
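As an added example (not code from the post or its author), the following Python checker parses OllyDbg-style listing lines like the ones above and performs two sanity checks an analyst wants when reading such a patch: that the run of `90` NOPs covers exactly the byte range of the four instructions it replaces (3 + 5 + 3 + 6 = 17 bytes at 00A5683D..00A5684D), and that each 2-byte `JMP SHORT` either skips a lone prefix byte or lands inside what the disassembler showed as another instruction (the `CALL 00C9AA5C` at 00A565C8 is really a junk `E8` byte that the jump hops over). The listing strings are copied from the post; the token heuristic and the `Insn` type are assumptions of this example.

```python
"""Sanity checks for OllyDbg-style disassembly listings (added example).

Input lines look like 'ADDR BYTES... MNEMONIC OPERANDS ; comment'. Byte
tokens may carry a ':' after an instruction prefix, e.g. 'F3:' or '3E:EB 01'.
"""
import re
from dataclasses import dataclass

# Byte-column token: groups of two hex digits, each optionally followed by ':'.
_BYTE_TOKEN = re.compile(r"^(?:[0-9A-F]{2}:?)+$")


@dataclass
class Insn:
    addr: int
    code: bytes
    mnemonic: str

    @property
    def end(self) -> int:
        return self.addr + len(self.code)


def parse_line(line: str) -> Insn:
    """Consume byte tokens until the first non-hex token, which is the mnemonic.

    Assumption: no mnemonic on the input consists only of hex letters with an
    even length (e.g. FADD); such a mnemonic would be mis-read as bytes.
    """
    tokens = line.split(";", 1)[0].split()
    addr = int(tokens[0], 16)
    code = bytearray()
    i = 1
    while i < len(tokens) and _BYTE_TOKEN.match(tokens[i]):
        code += bytes.fromhex(tokens[i].replace(":", ""))
        i += 1
    mnemonic = tokens[i] if i < len(tokens) else ""
    return Insn(addr, bytes(code), mnemonic)


def parse_listing(text: str) -> list:
    return [parse_line(ln) for ln in text.strip().splitlines() if ln.strip()]


def is_contiguous(insns) -> bool:
    """Each instruction must start where the previous one ends."""
    return all(a.end == b.addr for a, b in zip(insns, insns[1:]))


def nop_run_covers(original, patched) -> bool:
    """True iff `patched` holds one single-byte NOP per byte of `original`,
    starting at the first replaced instruction and ending where the last one ends."""
    if not is_contiguous(original):
        return False
    start, end = original[0].addr, original[-1].end
    nops = [i for i in patched if start <= i.addr < end]
    return (len(nops) == end - start
            and all(i.code == b"\x90" for i in nops)
            and [i.addr for i in nops] == list(range(start, end)))


def short_jump_anomalies(insns):
    """For every 2-byte JMP SHORT (EB disp8) report (jmp_addr, target, reason) when
    the target is not a listed instruction start (the disassembler folded the skipped
    junk byte into a bogus instruction) or the skipped byte is shown as a lone prefix."""
    starts = {i.addr for i in insns} | {insns[-1].end}
    by_addr = {i.addr: i for i in insns}
    out = []
    for i in insns:
        if len(i.code) == 2 and i.code[0] == 0xEB:
            disp = int.from_bytes(i.code[1:2], "little", signed=True)
            target = i.end + disp
            if target not in starts:
                out.append((i.addr, target, "target inside another instruction"))
            elif i.end in by_addr and by_addr[i.end].mnemonic == "PREFIX":
                out.append((i.addr, target, "skips a lone prefix byte"))
    return out


# Listing text taken from the post above.
ORIGINAL_LISTING = """
00A5683D FF50 28 CALL DWORD PTR DS:[EAX+28]
00A56840 E8 4668A500 CALL 014AD08B
00A56845 0F58EB ADDPS XMM5,XMM3
00A56848 019A C1D8C5F2 ADD DWORD PTR DS:[EDX+F2C5D8C1],EBX
"""
PATCHED_LISTING = "\n".join(f"{0x00A5683D + k:08X} 90 NOP" for k in range(17)) + """
00A5684E EB 01 JMP SHORT 00A56851
00A56850 F2: PREFIX REPNE: ; Superfluous prefix
"""
STOLEN_BYTES_LISTING = """
00A565C5 55 PUSH EBP ; start of stolen bytes
00A565C6 EB 01 JMP SHORT 00A565C9
00A565C8 E8 8F442400 CALL 00C9AA5C
00A565CD 8BEC MOV EBP,ESP
00A565CF 81EC 0C000000 SUB ESP,0C
"""

if __name__ == "__main__":
    orig, patched = parse_listing(ORIGINAL_LISTING), parse_listing(PATCHED_LISTING)
    print("NOP run covers replaced bytes:", nop_run_covers(orig, patched))
    for addr, tgt, why in short_jump_anomalies(patched) + short_jump_anomalies(parse_listing(STOLEN_BYTES_LISTING)):
        print(f"JMP SHORT at {addr:08X} -> {tgt:08X}: {why}")
```

The second check is the one that explains the listing: the byte at 00A565C8 is junk that the disassembler decodes as a 5-byte `CALL`, so the jump target 00A565C9 falls inside it and the real code only resynchronises at 00A565CD.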