02-10-2004, 20:06
Wurstgote
Newbie question ASPR 1.23 RC4 (long!)

Hi all,

After reading a lot of tutorials and threads here and at woodmann about the above mentioned packer I've decided to try to unpack one prog on my own (Resource Builder 2.1, which you can download at hxxp://www.sicomponents.com) and failed completely.
It would be very nice if someone could check the steps I've taken so far:

1. When loading the prog with Olly, it becomes clear that two packed DLLs are used. To get to the entry point of the exe I've used arz's anti-debug+lastex script. I've ended up at address 401000.

2. After another go with that script I've got to
016139EC XOR DWORD PTR DS:[EAX],EAX
016139EE POP DWORD PTR FS:[0]
016139F5 POP EAX
016139F6 CMP DWORD PTR DS:[1617EB0],0
and put a BP on the next RETN; SHIFT-F9 got me there.

3. I've done a conditional trace with TC EIP<900000 and ended at
004072DC JMP DWORD PTR DS:[62A31C]
004072E2 MOV EAX,EAX
F8 took me back to the ASPR code; after another TC EIP<900000 I've landed here:
004073B1 MOV DWORD PTR DS:[626668],EAX
004073B6 MOV EAX,DWORD PTR DS:[626668]
004073BB MOV DWORD PTR DS:[6140D0],EAX
004073C0 XOR EAX,EAX
004073C2 MOV DWORD PTR DS:[6140D4],EAX
004073C7 XOR EAX,EAX
004073C9 MOV DWORD PTR DS:[6140D8],EAX
004073CE CALL app.00407394
004073D3 MOV EDX,app.006140CC
004073D8 MOV EAX,EBX
004073DA CALL Resbldr2.00404A04
004073DF POP EBX
004073E0 RETN
According to Labba's tut the value of EAX after execution of 4073D8 is important to reconstruct the stolen bytes, because that's the value EAX needs (here it's 612D9C).
The RETN takes me to the fake OEP at 613664.

4. Now I've dumped the app with ProcDump.

5. I started ImpRec, selected the running app, did an IATAutoSearch, changed the resulting RVA size to 1000, got the imports and fixed some of them with AutoTrace. There were still a lot of invalid ones. I've fixed those that pointed to ASPR code manually and the rest (pointing to invalid code) were killed with cut thunks (the resulting tree is attached below). Now the dump from 4. was fixed.

6. Next hunting for stolen bytes: I've tried it the Labba way (at the end of 2. do a TC REP STOS BYTE PTR ES:[EDI] to get to the place where the stolen bytes are erased, replace the command with JMP EDI and F8/NOP violations till you get to something like
PUSH EBP; MOV EBP,ESP <- start of stolen bytes) but that didn't work, cause I always end up at a JMP that sends me to Nirvana.
What I did instead was logging the first trace in 3. The resulting run log ends with a lot of REP STOS BYTE PTR ES:[EDI], but just before those you can find the erased code, which is marked by Olly.
So I've ended up with
PUSH EBP
MOV EBP,ESP
SUB ESP,0x10
MOV EAX,app.612D9C (from 3.)
Those stolen bytes (all in all 11) were put just before the call at 61365F; the OEP should then be 613654.
I've fixed the OEP with LordPE's PE Editor and hoped everything was fine... but nada!
Evidently something went utterly wrong. But what??

It would be nice if one of you experts could give me a hand on this one...

Thanks in advance
Wurstgote
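Step 6 ends with the OEP written into the header by hand and the result simply tried out. As an added example (not from the original post, OllyDbg, ImpRec or LordPE), the Python script below performs the sanity check an analyst would run on a dump before loading it: it parses the PE32 headers, confirms the chosen entry point lands inside an executable section, and verifies that the bytes there begin with the PUSH EBP / MOV EBP,ESP / SUB ESP,10 / MOV EAX prologue reconstructed in the post. The build_test_image helper constructs a minimal synthetic PE using the post's addresses (image base 400000, OEP 613654, fake OEP 613664) purely as test input; it is not a real dump of the program.

```python
import struct

# Stolen-bytes prologue the post reconstructs: PUSH EBP; MOV EBP,ESP; SUB ESP,10h; MOV EAX,imm32
STOLEN_PROLOGUE = bytes.fromhex("558bec83ec10b8")  # imm32 follows the B8 opcode

def parse_pe32(image):
    """Return (image_base, entry_rva, sections) from a 32-bit PE file buffer."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", image, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)
    opt = e_lfanew + 24                      # IMAGE_OPTIONAL_HEADER32 starts here
    entry_rva, = struct.unpack_from("<I", image, opt + 16)
    image_base, = struct.unpack_from("<I", image, opt + 28)
    sections = []
    for i in range(nsec):                    # 40-byte IMAGE_SECTION_HEADER entries
        off = opt + opt_size + 40 * i
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", image, off)
        flags, = struct.unpack_from("<I", image, off + 36)
        sections.append((name.rstrip(b"\0").decode(), va, max(vsize, rsize), rptr, flags))
    return image_base, entry_rva, sections

def check_oep(image, oep_va=None):
    """Return a list of problems with the header entry point, or with oep_va if given."""
    image_base, entry_rva, sections = parse_pe32(image)
    rva = entry_rva if oep_va is None else oep_va - image_base
    sec = next((s for s in sections if s[1] <= rva < s[1] + s[2]), None)
    if sec is None:
        return ["OEP RVA %#x lies outside every section" % rva]
    problems = []
    if not sec[4] & 0x20000000:              # IMAGE_SCN_MEM_EXECUTE
        problems.append("section %s holding the OEP is not executable" % sec[0])
    off = sec[3] + (rva - sec[1])            # RVA -> file offset via the section's raw pointer
    if image[off:off + len(STOLEN_PROLOGUE)] != STOLEN_PROLOGUE:
        problems.append("bytes at OEP RVA %#x are not the expected stolen-bytes prologue" % rva)
    return problems

def build_test_image(entry_rva, code, code_rva, flags=0x60000020):
    """Constructed one-section PE32 at image base 0x400000; test input only, not a real dump."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(code), code_rva, len(code), 0x200, 0, 0, 0, 0, flags)
    return (dos + b"PE\0\0" + file_hdr + bytes(opt) + sec).ljust(0x200, b"\0") + code
```

Run check_oep on the fixed dump (optionally passing the OEP you wrote with LordPE as oep_va); an empty list means the entry point is at least structurally plausible, while a reported prologue mismatch is the quickest sign that the stolen bytes were placed at the wrong address.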