Unpacking ASProtect with OllyDbg???

Hi,

i just want to know if it is possible to unpack
an ASProtected file with OllyDbg, or is it only
possible by tracing with SoftIce?

If an anyone help an not so advanced reverser
it would be very nice!

Best regards

BoostMan

[_Servil_]

you can't OD is a app-level dbgr, have to use SI.

Thanx for the info!
BoostMan

Why not?

Unpacking Asprotect can be done with Olly surely? Aspr doesnt have any ring-0 trick as far as i am aware of?

[_Servil_]

why not?
i remember once i done this and got lost at int 2e which OD isn't able to trace. As I got info at OD phorum it might be implemented in version 2.
Beside this (IMO) clearing debug registers works nice on OD i think there's no superbpm for OD

1. Find OEP
2. Execute till OEP (OLLY - mem breakpoint to access on OEP)
3. PEDump - put all flags(rebuild options part), select REBUILD NEW IMPORT TABLE
4. PEDump - REBUILD PE (Check if you can load it in Olly debugger)
5. IMPREC - Find all api-s
6. IMPREC - Make fix dump
7. Eventually - Fix OEP in PE header if imprec didn't do already
8. Eventually - check on win 98 if all dll functions are exported

I try and success.

this metod work only with ASPROTECT ver 1.2, 1.2 new strain
and before.

You might consider using revirgin.

Find it at h++p://www.woodmann.com/fravia/index.htm
.

I´m not sure if you get it working, but it´s worth a try.
(I still must find the time to look closer at this thing).

menw

P.S.: If it turns out to be usefull, please post your experience.

Maybe our friend RNarvaja could be comments something about of that.

Ricardo, si ves esto quiz� puedas comentarlo.

[_Servil_]

nope, its cleared debug registers you can't stop it any way on OEP

[Squidge]

I find it's easier to dump the process whilst it's running, and then investigate that file to find the OEP.

Is easy dump with Olly, my problem is building IAT

You can see a tute here

hxxp://karpoff.redfutura.net/manuales/0catch/archivos_0catch/asprotect%201.23%20con%20ollydbg.doc

Sorry is spanish. But you can take the idea.