Help Unpacking

[Nukacola]

Hey to all,

I have a target pack with ASProtect 1.23 RC4 - 1.3.08.24. I unpacked it and try to
run it but the application don't run. I fixed the imports and stolen bytes but it won't run
anymore. Now i take a deeper look in the Exe and see that it isn't a ASPr thing. The Exe has some
additional checks. There are no CRC32 or MD5 checks also no simple FileSize check.
Can someone point out for me please where i also take a look on.

Sincerly
Nukacola

I had never unpacked new aspr's, so my words my sound stupid, but here are some common ideas:
First of all, what you mean by 'application dont run'?
Do you get an error message or app just quits?
If you get a standart windows error, then maybe there is a problem with imports. You can try peverify (see attach) to find whats wrong in your exe. If app just ends sliently, try to break on ExitProcess or TerminateProcess funcs to find a code that executes them.
Then you can try to use a cryptocheck tool by Alephz (attached cc.rar), it 'll show you if program use control sum check.
If nothing helps try to trace packed prog and unpacked to find what differs. you can save trace log in SI (with SymbolLoader) if you disable Code Window first (with 'WC' command)
anyway, it seems to me, that program is trying to use some funcs that were in aspr body when the app was packed (aspr API?)

Seems to be that there are missing sections.

I had the same problems with a target and got a very good explanation at arteam forums. You should read the tutorial by Ferrari about adding a missing section to a pe (and rebuild it).

I have attached the tutorial, send your thanks to ferrari...

P.S. If you search for a real good 1.23 rc 4 1.3.08.24 tut read the tutorial by mephist0 ..

"the application don't run. I fixed the imports and stolen bytes but it won't run
anymore."
" Now i take a deeper look in the Exe and see that it isn't a ASPr thing"

Do you mean it crashes when it tries to read some memory place? are you sure it's not an antidump from aspro? Today it's strange to find somebody trying to protect his soft by himself and not leaving all the work to the packer. Anyway....if you give up you can always try the original method explain in this thread:
"ASPR2 & AudioDVDcreator "

[leosmi05]

What's your target program (maybe URL)?
How did you got to the conclusion that it's not related to ASPr and maybe some wrong IAT/stolen bytes?
What's the error that you get?

[Nukacola]

Ok thanks a lot for this information.

I'm working on this target. You can get it here http://phalcon.net/tryout/Setup.exe
But i'm so stupid it wasn't a missing section.
it was caused by some wrong imports.
I won't rely on ImpRec again..

After having fixed the imports by hand I noticed that this target has some other protections.
The target can't find any CD-Drives if it is unpacked.


I tried to fix this by bp GetDriveTypeA and checked if the drives
correctly initialize by the target. Get DriveTypeA returns a 5 for every CD-Rom drives in my computer.
But the programm told me that no CD-drives could be found.

What do you think might be the problem.???

PS: I can't tell you the target name here cos JMI wouldn't appreciate it.

Thanks
Nukacola

[leosmi05]

Well, one problem could be that is has a CRC. If the programmer also added some anti-SoftICE stuff, than probably he also added some CRC check.

And maybe he is CRC-checking only a part of the file (because it is now compressed and he should have written somewhere the CRC, but that's different when he recompiles).
Or maybe it's looking only for the lenght of the file.

Anyway, just put a BPM on the OEP and see if anything tries to access it.
And also check for the GetFileSize or CreateFileMapping.