Exetools  

Go Back   Exetools > General > General Discussion

  #1  
Old 06-19-2004, 03:00
TheDutchJewel
VIP
Join Date: Aug 2002
Posts: 716
Jump to OEP - Aspack 2.12

I've a question about inline patching RK-FileSplitter v2.2 (http://www.rksoft.at/download/rk-filesplitter.exe). It's packed by ASPack 2.12.
I found the OEP (4064B8), but how do I find the jump to OEP? The ASPack plugin doesn't break. Should it be changed, or is there another method to find it?
__________________
thedutchjewel.freehostia.com
  #2  
Old 06-19-2004, 03:30
diablo2oo2
Family
Join Date: Mar 2004
Posts: 232
In ASPack there is no jump to OEP, if I remember correctly.

Load the packed target into Olly and try to find it in the code. Search for a binary string (Ctrl+B): HEX: B8 64 40
Or was it without the imagebase: B8 64 00?
Or if you don't find it in Olly, search in a hex editor.
Redirect this to your free space, make your inline patch and jmp to OEP.

Or if you want to be lazy, you could do a search-and-replace patch with my patcher, which also works with ASPack.
kickme.to/diablo2oo2
  #3  
Old 06-19-2004, 05:14
TheDutchJewel
VIP
Join Date: Aug 2002
Posts: 716
I searched for B8 64 00, redirected this to free space, made the inline patch and jumped to OEP. Got it working now.

Thanks for the fast and good help, diablo2oo2.
  #4  
Old 06-19-2004, 06:56
Jiro-san
 
Posts: n/a
The jump to OEP is made by a push "OEP" followed by a ret. So just search for 68h 00 00 00 00 after a few careful F7 and F8 steps. Usually they are at the end of the section, near the string Kernel32. Put a breakpoint at the next instruction, 0C3h, and you will see your OEP emerge in the upper instruction.
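Both heuristics given in this thread (diablo2oo2's search for the OEP bytes in #2 and Jiro-san's push OEP / ret tail in #4) can be scripted for static triage of an ASPack-packed sample, for instance to see where the unpacker stub hands control back before dumping it. The following Python is an added example, not code from this thread; it assumes a PE32 file read into memory, an image base of 0x400000 unless told otherwise, and treats every 4-byte match only as a candidate to confirm in the debugger.

```python
import struct
from typing import List, Optional, Tuple

def parse_sections(pe: bytes) -> List[Tuple[int, int, int]]:
    """Section table of a PE image as (rva, raw_ptr, raw_size); assumes well-formed headers."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    table = e_lfanew + 24 + struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # skip optional header
    secs = []
    for i in range(nsect):
        _name, _vsize, rva, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        secs.append((rva, rptr, rsize))
    return secs

def offset_to_rva(offset: int, secs) -> Optional[int]:
    """Map a file offset to an RVA; None when it lies outside every section (e.g. in the headers)."""
    for rva, rptr, rsize in secs:
        if rptr <= offset < rptr + rsize:
            return rva + (offset - rptr)
    return None

def find_in_sections(pe: bytes, needle: bytes, secs, base: int) -> List[Tuple[int, int]]:
    """All (file offset, VA) pairs where needle occurs inside section data."""
    hits, pos = [], pe.find(needle)
    while pos != -1:
        rva = offset_to_rva(pos, secs)
        if rva is not None:
            hits.append((pos, base + rva))
        pos = pe.find(needle, pos + 1)
    return hits

def find_push_ret(pe: bytes, base: int = 0x400000) -> List[Tuple[int, int]]:
    """'push imm32 ; ret' (68 xx xx xx xx C3) candidates as (VA of the push, pushed value).
    A pushed 0 is the placeholder the stub overwrites with the OEP at run time."""
    secs = parse_sections(pe)
    return [(va, struct.unpack_from("<I", pe, off + 1)[0])
            for off, va in find_in_sections(pe, b"\x68", secs, base)
            if off + 5 < len(pe) and pe[off + 5] == 0xC3]

def find_oep_literal(pe: bytes, oep_rva: int, base: int = 0x400000) -> List[int]:
    """VAs where the OEP sits little-endian, first as a VA (B8 64 40 00 for 4064B8), then as
    a bare RVA (B8 64 00 00). A 4-byte match can be coincidental: confirm it in the debugger."""
    secs = parse_sections(pe)
    vas = []
    for needle in (struct.pack("<I", base + oep_rva), struct.pack("<I", oep_rva)):
        vas += [va for _off, va in find_in_sections(pe, needle, secs, base)]
    return vas
```

For ASPack 2.11 the push/ret bytes only exist after the stub's own decryption has run, as mEtAl's quote in #6 notes, so a static scan of the file on disk finds nothing there.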
  #5  
Old 06-22-2004, 00:58
ferrari
 
Posts: n/a

@ TheDutchJewel:

Hi,
A similar topic was posted a long time before (search). Anyway, unpacking and inline patching ASPack is fun. But if you want to have more fun, then try inline patching this one:

http://runtime.org/gdbnt.zip

Here are the bytes to patch:
004F93A2 /74 0C JE SHORT gdbnt.004F93B0

Change To

004F93A2 /EB 24 JMP SHORT gdbnt.004F93C8

Let me know how you did it, please.

Regards,
  #6  
Old 06-22-2004, 05:39
TheDutchJewel
VIP
Join Date: Aug 2002
Posts: 716
Hi ferrari,

I found this info, posted by mEtAl (search):
Quote:
The program you have is packed with ASPack v2.11, this version is a bit different than 2.12, but actually not...

And you won't find the signature bytes in version 2.11

Signature bytes:

Push 00000000 ; will push the OEP
Ret ; Will go to the OEP

I think you patch this to a JMP or so for version 2.12 and then you insert your inline patch where the JMP jumps to in the exe, right?

ok, these bytes you won't find in the exe code of aspack 2.11.

I could write you a little tut, or else I could send you a program I coded together with a friend which is able to inline patch programs packed with ASPack.
I think this post is very clear that there's a difference between v2.11 and v2.12 for the jump to OEP. The signature bytes couldn't be found.

Btw, when looking for the OEP, Olly says it's 0057AF44 while PEiD says it's 004D2574...

  #7  
Old 06-22-2004, 12:40
ferrari
 
Posts: n/a
Hi,
I have seen this before. But I got pissed off trying to inline patch the 2.11c-packed GetDataBack. I was able to successfully inline patch Captain Nemo by Runtime Software, and it's packed with this same version. The only problem is GetDataBack. I remember "hobgoblin" giving me some hints on inline patching this modified ASPack. But I was not able to do it. Then I used DZA patcher to patch it, and it does patch it. But then some buttons get corrupted and won't work.

But then coolfire's tip is interesting.

Here are the topics posted earlier:
http://exetools.com/forum/showthread.php?t=4072&highlight=ASPACK

My tutorial on inline patching ASPACK 2.11:
http://exetools.com/forum/showthread.php?t=3909

Download Captain Nemo:
http://runtime.org/captain.htm

Here is my patch for Captain Nemo:
http://iribtv.net/CCC/ARTEAM/cracks/captain_nemo.rar

You can apply my patch to the exe and then check in Olly.

Regards,

  #8  
Old 06-22-2004, 14:07
TheDutchJewel
VIP
Join Date: Aug 2002
Posts: 716
Nice tut about finding the jump to OEP in aspack 2.11. This hardware breakpoint on ESP value method also works for v2.12.

The difference between v2.11 and v2.12 is that in v2.11 you can't find the signature bytes for the jump to OEP. It seems to me that the section for the signature bytes in v2.11 will be decrypted by the unpacking routine. (I see this is already explained here: http://exetools.com/forum/showthread.php?t=4072&highlight=ASPACK)

I downloaded GetDataBack for NTFS v2.25. When debugging I see this XOR code:
Quote:
0063C516 3C A9 CMP AL,0A9
0063C518 338F 0A4FC73A XOR ECX,DWORD PTR DS:[EDI+3AC74F0A]
But after I put a breakpoint on it, Olly didn't break.
So if possible, upload the exe you used in your previous section and I'll try to inline patch it.
Or can someone explain how to break on the XOR code?
  #9  
Old 06-24-2004, 22:21
hobgoblin
Friend
Join Date: Jan 2002
Posts: 124
For those who are interested...

Here is another way of patching Aspack 2.12. This time I have utilized the decryption routine itself in order to avoid adding too much code.
Put a bp on 0066B3A0 and singlestep from there...

Just for fun from,
hobgoblin
Attached file: gdbnt_cr2.rar (843.4 KB)
  #10  
Old 06-24-2004, 22:58
TheDutchJewel
VIP
Join Date: Aug 2002
Posts: 716
Quote:
Originally Posted by hobgoblin
Put a bp on 0066B3A0 and singlestep from there...
Are you sure about bp at 0066B3A0?
Quote:
0066B3A0 B9 B2030000 MOV ECX,3B2
After pressing F8 there I get this error:
Quote:
Breakpoint corrupted!
OllyDbg set byte at address 0066B3A0 to CC (code of command INT3, used as breakpoint). Now this byte contains
CB. Do you want to keep modified command? (If you answer 'No', old code B9 will be restored).
After I choose Yes or No, the process terminates.

BTW this also happens in the original EXE:
Quote:
0066B3A0 B9 ECB21700 MOV ECX,17B2EC
  #11  
Old 06-25-2004, 00:23
hobgoblin
Friend
Join Date: Jan 2002
Posts: 124
Well, yes...

Never mind putting a bp at 0066B3A0.
Check the code there before and after the decryption routine is done. Then singlestep through that code without bp's just to see what happens with the code from 0066B3A0 until OEP is reached. Usually the address of the OEP is written into the address 0066B3C0. In this case the address of the location for the patching code is written into 0066B3C0.

hobgoblin
