#1
Nice stuff, I followed the stolen bytes during execution with your method.
Still having problems with my dumped exe though. After the trace I end up at:
0041F013 FF15 68274200 CALL DWORD PTR DS:[422768] ; MSVCRT.__set_app_type
I insert the stolen bytes and change the origin to PUSH EBP at 41EFE6 and then dump the exe with OllyDump, unchecking Rebuild Import. I load your tree in ImpRec and press Fix Dump. I load the exe in LordPE and change OEP to 1EFE6. Problem is the exe still won't run. It crashes at:
0041F115 |. E8 F6020000 CALL dumpLord.0041F410
#2
I don't remember what the addresses for the two exceptions are, but if you run XP I will be glad to send you the running target.
Last edited by britedream; 03-24-2004 at 23:08.
#3
Yes, please do that. Maybe I can compare the two and figure it out.
#4
Please PM me your email.
The target has been sent; please check your e-mail. Thanks.
Last edited by britedream; 03-24-2004 at 23:21.
#5
BriteDream,
I have the same problem as Svensk (I'm running XP Pro). I thought to use ImpRec (using Raider's tutorial on Tag&Rename 3.06) to increase the IAT size to 1000? ImpRec v1.6f defaults to 918 when I load my patched DVDIdlePro 3.39 (stolen bytes entered and new OEP set). Then I've dumped using OllyDump, unchecking Rebuild Import. If I load your tree file and then select Fix Dump, the exe is not executable. It comes up with an exception.
I know that with Tag&Rename there was one section you ran across that had ??? and you had to NOP it. How is it that you got yours to execute and we can't get ours? Is there more patching required?
-Malt
#6
maltese,
Don't load my IAT; fix yours according to mine. Please PM me your email.
Last edited by britedream; 03-25-2004 at 10:30.
#7
BriteDream....
Does this make sense? I removed DvdIdlePro.udd and DvdIdlePro.bak (Olly's cache, if you will).
1) I loaded Olly 1.10beta
2) Answered NO to analyze
3) F9, SHIFT+F9 26 times
4) ALT+M
5) Left click - code line for DvdIdle Pro
6) CTRL+F11
7) VIEW->TRACE
8) Enter stolen bytes
9) @ PUSH EBX (start of stolen bytes), I set NEW ORIGIN
10) OllyDump: uncheck Rebuild Import (saved as dump.exe)
* Left OllyDbg running after dumping to dump.exe
11) Loaded ImpRec v1.6f
12) Selected DVDIdle Pro as Active Process
13) Pressed IAT Auto Search
14) Pressed Get Imports (left all values at default)
15) Pressed Show Invalid
16) Right clicked on invalid and selected: Trace Level 1 (disasm)
17) Pressed Show Invalid again
18) Right clicked on invalid and selected: Plugin Tracers -> aspr2
* It said no more pointers... see if it works
19) Clicked Fix Dump... and patched the dump.exe file from Olly.
Program does not work... Maybe my options are incorrect on ImpRec??? Above the Fix Dump button I have checked: add new section (default). In Options, the only things checked are: Process Properties (enable debug privilege XP) & Use PE Header From Disk. Did I not do something right?
I noticed that Raider had a byte that was invalid in his beginning execution code, so he NOP'd it. This exception appears to be happening during a Windows call.
-Malt
#8
To Svensk
"[I insert the stolen bytes and change the origin to PUSH EBP at 41EFE6 and then dump the exe with OllyDump, unchecking Rebuild Import. I load your tree in ImpRec and press Fix Dump. I load the exe in LordPE and change OEP to 1EFE6. Problem is the exe still won't run. It crashes at: 0041F115 |. E8 F6020000 CALL dumpLord.0041F410]"
Please note:
1- If you have changed the origin to PUSH EBP, there is no need to use LordPE.
2- Please don't load my IAT; fix yours according to mine.
Last edited by britedream; 03-25-2004 at 13:55.
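A header check for the point raised above (whether the OEP is already written into the dump, so that a separate LordPE edit is redundant) and for the IAT size question that comes up later in the thread. This is an added example, not code from the thread or from OllyDump, ImpRec or LordPE: it parses the PE32 optional header of a dumped file and reports the entry point, the image base and the import and IAT data directories. The header blob it parses is constructed in code so it runs offline; the entry RVA 1EFE6 and IAT size 918 are the values quoted in the thread, while the directory RVAs (0x22000, 0x22700) and import size are made-up placeholders.

```python
import struct

# Data directory indices from the PE format (IMAGE_DIRECTORY_ENTRY_*).
DIR_IMPORT = 1
DIR_IAT = 12


def build_sample_pe32(entry_rva, import_rva, import_size, iat_rva, iat_size):
    """Construct a minimal PE32 header blob (DOS header + NT headers, no sections)
    so the parser below can be exercised offline. Constructed sample, not a real binary."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: NT headers follow the DOS header
    # IMAGE_FILE_HEADER: Machine=i386, 0 sections, SizeOfOptionalHeader=0xE0,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)          # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)      # ImageBase
    struct.pack_into("<I", opt, 92, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_IMPORT, import_rva, import_size)
    struct.pack_into("<II", opt, 96 + 8 * DIR_IAT, iat_rva, iat_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def parse_pe32_header(data):
    """Return entry RVA, image base and the 16 data directories of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = e_lfanew + 4 + 20                    # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt_off + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt_off + 96 + 8 * i)
            for i in range(min(ndirs, 16))]
    dirs += [(0, 0)] * (16 - len(dirs))            # pad so every index is addressable
    return {"entry_rva": entry_rva, "image_base": image_base, "dirs": dirs}


def check_dump(data, expected_oep_rva):
    """Sanity checks after a dump + import fix: the OEP is written as expected,
    an import directory exists, and the IAT size is a whole number of 4-byte thunks.
    Returns a list of problem strings; an empty list means all checks passed."""
    hdr = parse_pe32_header(data)
    problems = []
    if hdr["entry_rva"] != expected_oep_rva:
        problems.append(f"entry point is {hdr['entry_rva']:#x}, expected {expected_oep_rva:#x}")
    imp_rva, imp_size = hdr["dirs"][DIR_IMPORT]
    if imp_rva == 0 or imp_size == 0:
        problems.append("import directory is empty")
    iat_rva, iat_size = hdr["dirs"][DIR_IAT]
    if iat_size % 4 != 0:
        problems.append(f"IAT size {iat_size:#x} is not a multiple of 4")
    return problems


if __name__ == "__main__":
    # Constructed sample: 0x1EFE6 and 0x918 are the thread's values; RVAs are placeholders.
    blob = build_sample_pe32(0x1EFE6, 0x22000, 0x100, 0x22700, 0x918)
    hdr = parse_pe32_header(blob)
    print(f"OEP VA = {hdr['image_base'] + hdr['entry_rva']:#x}")   # 0x41efe6
    print("problems:", check_dump(blob, 0x1EFE6) or "none")
```

To run it against a real dump, replace the constructed blob with the file's bytes and pass the OEP RVA you set; if the entry point already matches, OllyDump's "origin here" did the LordPE step for you.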
#9
Arrrgghh....
Britedream, thank you for the tutorials, and I can confirm your version is working... at least the greet screen comes up. Mine always has an exception error. Looking at your tree file, your size is 918; mine turns out to be 91C. Either way, no luck. I confirmed the bytes you entered as stolen are entered in right where the trace dumps at (just above 45 bytes). I noticed that Olly reports at least one different register upon initial load (no stepping) between our versions. The first time I compared, the ESI turned out to be different. In your tutorial you mention the stolen bytes.... thanks to you and lownoise we have that.
I am starting to think that I am doing something wrong with ImpRec. When I compared our startup code, it looked dead on. Are there any different settings on Olly or ImpRec that you think would make a difference? Is it the way I am dumping it with OllyDump? I used your script of asprbp. to help eliminate any possible errors by me.
Here is a pic of the stolen bytes entered.... the EIP (which is now the origin) and the dump window as I prepare to dump the DVDIdle code.
-Malt
#10
Well, for me it's a little bit early, and it seems I'm missing the link in the thread where the app crashes.
I dumped the app the same way as Malt. The IAT has been fixed with asprdbg from manko. It's a little tool which dumps ASProtect targets from previous versions. When asprdbg pauses after it cleans the IAT, open ImpRec, enter the values given by asprdbg and press Fix Dump. After that, open your dumped exe in Olly and fix the check in DVDIdle Pro for the presence of ASProtect. My quick and dirty fix is on line 4043AA: MOV EAX, DWORD PTR DS:[EAX]. If you change this to XOR EAX,EAX your app will run fine.
lownoise
#11
To maltese:
Default options for ImportREC work fine. Now, when you select the first line of your stolen bytes, you should right click on it and choose "Origin here", then dump.
#12
Thanks lownoise, that actually made my program load.
Are "Import all by Ordinal", "Rebuild Original FT" and "Create New IAT" supposed to be checked in ImpRec's Options? Feel free to take a screen shot of your settings, so we all know how it "should" look.
#13
To lownoise:
Yes, this is the first error I mentioned. If you fix the address to point to an address where you coded your name, then this will show that it is registered to you.
Last edited by britedream; 03-25-2004 at 18:01.
#14
To svensk and maltese,
Please discard the dump file I sent you; Olly didn't write the patch as it should. You will notice that it goes to an empty space. Some strange things happen with this program; I will check them and let you know.
Last edited by britedream; 03-25-2004 at 19:16.
#15
Britedream,
Looks like I'm still learning every day. App works registered now.
lownoise