#31
thanks ShaG for the improvement, much better!

In light of my post on this forum and the three steps I mentioned for unpacking ASProtect, this script will now demonstrate that by locating the stolen bytes. To do that, do the following:
1. Hide the debugger.
2. Run the script below and look for your stolen bytes. (Sometimes you may need to add the mov eax,xxxxxx to the stolen bytes; it is easy, I clarified this somewhere in this forum.) [Hint: press F9 a few times once the script finishes; you will be at mov ebp,esp in programs that start with push ebp, mov ebp,esp.]
3. Look for your OEP as I noted in a thread in this forum.
Note: this script will work on most of the aspr. programs that have stolen bytes; on some it will not, so you need to trace once you are at the breakpoint of the updated script "lastex". I will provide a script for such programs later on, if a need for it arises. Scripts tested on Registry Cleaner Expert. (This script is only to demonstrate the steps I posted for unpacking ASProtect. I didn't put any effort into it; I just added a few lines of code to the lastex script.)
Last edited by britedream; 01-26-2004 at 21:07.
#32
@ britedream
Wow, your script is awesome; it worked well on 2 of the programs I tested it on (acopy, dezine). Thanks for sharing your work.
@ SHaG
Thanks for improving your plugin; it is truly useful.
R@dier
#33
Thought I would try my hand at scripting.
This works for PECompact 1.76; I don't know about any other versions.
R@dier
#34
aspack, neolite
Rewrote the scripts for aspack and neolite for version 0.4.

Neolite:

    eob Break                 // when the hw breakpoint hits, continue at Break
    findop eip, #FFE0#        // search forward from EIP for jmp eax (the jump to the OEP)
    cmp $RESULT, 0            // findop leaves 0 in $RESULT when nothing matches
    je NotFound
    bphws $RESULT, "x"        // hardware breakpoint on execute at the jmp eax
    run
    Break:
    bphwc $RESULT             // remove the hw breakpoint again
    sti                       // step into the jmp eax; EIP is now the OEP
    log eip
    ret
    NotFound:
    msg "jmp eax not found"
    ret

aspack:

    eob Break
    findop eip, #6175#        // popad; jnz: the end of the aspack loader
    cmp $RESULT, 0
    je NotFound
    bphws $RESULT, "x"
    run
    Break:
    bphwc $RESULT
    sto                       // popad
    sto                       // jnz (taken, to the push OEP)
    sto                       // push OEP
    sto                       // ret: EIP is now the OEP
    log eip
    ret
    NotFound:
    msg "popad; jnz not found"
    ret
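As an added example (not part of this thread and not OllyScript's own code), here is the search step that findop performs in the two scripts above, written in Python so the matching can be seen on its own: it scans forward from a start offset for a hex pattern, treats ?? as a wildcard byte, and returns the offset of the first match or None when there is none (the case the scripts have to guard against before setting a breakpoint on $RESULT). The byte buffer is constructed for the demonstration and is not taken from any real packer.

```python
# Added example: a findop-style byte-pattern scanner with ?? wildcards.
# Not code from the thread; the sample buffer below is constructed.
from typing import List, Optional


def parse_pattern(pattern: str) -> List[Optional[int]]:
    """Turn '#61 75 ??#' style text into a list of byte values.

    None stands for a wildcard byte ('??'); the enclosing '#' and any
    spaces are ignored, as in the OllyScript findop syntax.
    """
    body = pattern.strip().strip("#").replace(" ", "")
    if len(body) % 2:
        raise ValueError("pattern must have an even number of hex digits")
    out: List[Optional[int]] = []
    for i in range(0, len(body), 2):
        tok = body[i:i + 2]
        out.append(None if tok == "??" else int(tok, 16))
    return out


def find_pattern(buf: bytes, pattern: str, start: int = 0) -> Optional[int]:
    """Return the offset of the first match at or after `start`, else None."""
    pat = parse_pattern(pattern)
    n = len(pat)
    for off in range(start, len(buf) - n + 1):
        if all(p is None or buf[off + k] == p for k, p in enumerate(pat)):
            return off
    return None          # same situation as findop leaving $RESULT == 0


# Constructed sample: filler, then the "popad; jnz short" tail the aspack
# script looks for, then the "jmp eax" the neolite script looks for.
SAMPLE = bytes.fromhex(
    "90 90 90 "      # nop nop nop
    "61 "            # popad
    "75 08 "         # jnz short +8
    "90 90 90 90 "   # filler
    "FF E0 "         # jmp eax
)

if __name__ == "__main__":
    for pat in ("#6175#", "#FFE0#", "#75 ?? 90#"):
        hit = find_pattern(SAMPLE, pat)
        print(pat, "->", "not found" if hit is None else f"offset {hit}")
```

The not-found return value is the point worth carrying back into the scripts: in OllyScript, findop puts 0 into $RESULT on failure, and the scripts above test for that before bphws so that a miss does not silently set a breakpoint at address 0.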
#35
PE Pack 1.0
#36
This one should prove useful:
tElock 0.98
#37
Hi,
I'm testing your script on the target "Website-Watcher 3.60b", which is protected with "ASProtect 1.22 - 1.23 Beta 21 -> Alexey Solodovnikov". hxxp://aignes.com/de/download.htm
So I'm loading the wswatch.exe into OllyDbg and starting your script. Then something happens and the program has started successfully. Now I'm at offset 0075F002, where there is a CALL wswatch.0075F00A. Can you tell me what I have to do next to find the OEP?
Thanks for your help.
[Edit by JMI: dARWIN, you obviously did not look around here before you posted. You are NOT supposed to post clickable links here, especially to software vendors. ALWAYS uncheck the "Automatically parse URLs" button and use "hxxp" or the like for the address.]
#38
to darwin:
You are using the wrong script for this program. "asprsto" is for finding the stolen bytes on most programs, but for this one it won't work; we have to work around this. I will explain briefly, but before that you have two options:

Option one: hide debugger, run the "lastex" script; this will stop on the last exception. Set a bp (F2) on the first retn you see; Shift+F9 will stop on the bp.

Option two: hide debugger, run the "asprbp" script; it will stop on the bp as above.

Now view memory and set a memory breakpoint on access on the code section. Set trace condition esp==12ffa4 (for clarification, search the forum for what I posted about this one). Control+F11 will encounter a loop; F12 to stop Olly; bp (F2) under the jnz; F9, then Control+F11. Once stopped, look below and you will see your stolen bytes:

    push ebp
    mov ebp,esp
    add esp,-0c
    push ebx
    mov eax, 65526c

Shift+F9 will stop below your OEP. Copy your stolen bytes above where you have stopped, set origin here on the push ebp, then dump. Fix your IAT. It should run.
Here is asprobp = lastex updated.
Last edited by britedream; 02-02-2004 at 18:03.
#39
@britedream
Thank you very much for your explanations. But both scripts don't stop on the bp/exception... so I used the unpacker ASPROTECTstripper 2.03 and it works fine. Perhaps you could try it yourself with my target and tell me how you did it. Thanks again.
#40
I did check your target and both stop as they should.
Last edited by britedream; 02-02-2004 at 10:49.
#41
Works for me too!
But I'm new on aspr... I can't get a working dump.exe. I'm sure I'm screwing it up in Import Rec 1.6; I need some help there. I get to the OEP, I dump the process... I add back in the stolen bytes... correct OEP to offset 00255A44. I load up ImpREC with the program running, attach, enter 0025A44, click on IAT autosearch... I increased the size to 3000... I level1 them... I ran the rest with the aspro 2.12 plugin and then I cut the remaining bad imports and finally patch into dump. Clearly I'm doing something wrong. Can someone step me through from the point of the dump?
Thanks, mitch
#42
YEAH!!!
I got it unpacked. I cracked out the filesize check, that was easy, but cracking out the trial stuff... I'm into it, but getting lost, and I thought that would be the easy part. Did anyone try it? I don't give 2 sh**ts about the app; in fact I want to uninstall it asap, but I wanna crack it anyways, just because.
mitch
#43
Program name and link Mitchjs?
#44
It's mentioned a couple of posts up.
I only picked it to practice unpacking aspr! "Website-Watcher 3.60b" hxxp://aignes.com/de/download.htm
mitch
#45
Ollyscript v0.5
Ollyscript v0.5 can now be downloaded at:
http://ollyscript.apsvans.com
New features like API breakpoints, run-to-return, module info etc. are implemented.
From readme.txt:
+ New commands: CMT, GMI, GPA, LBL, RTR, RTU
+ New example script - tElock 0.98 OEP finder.
Comments please!!! =)