Exetools  
Old 12-13-2006, 11:43
int21h
ASProtect or UPX?

I am trying to decompress a file and I am running into this:
When I check the signature of the file it is this:
Code:
signature: 68 01 80 71 01 E8 01 00 00 00 C3 C3 40 C9 F3 50
My signature log shows this:
ASProtect 1.33 - 2.1 Registered -> Alexey Solodovnikov
signature=68 01 ?? ?? ?? E8 01 00 00 00 C3 C3
Before I start the decompression I check the memory and find this:
Code:
00400000   00001000   aspmon                PE header     Imag   R         RWE
00401000   00221000   aspmon                code          Imag   R         RWE
00622000   00009000   aspmon                data          Imag   R         RWE
0062B000   00011000   aspmon                              Imag   R         RWE
0063C000   00005000   aspmon                              Imag   R         RWE
00641000   00001000   aspmon                exports       Imag   R         RWE
00642000   00001000   aspmon                              Imag   R         RWE
00643000   00001000   aspmon                              Imag   R         RWE
00644000   00024000   aspmon                              Imag   R         RWE
00668000   000B0000   aspmon     .rsrc      resources     Imag   R         RWE
00718000   0002E000   aspmon     .upx       imports,relo  Imag   R         RWE
00746000   00001000   aspmon     .adata                   Imag   R         RWE
So my question is this:
Has anyone seen this before?
My signature is saying it is compressed with ASProtect, but when I check the memory it is showing UPX. Are both correct? I have tried to decompress this using my methods for ASProtect and UPX, but neither seems to work. Any information would be helpful.
int21h
Old 12-13-2006, 15:28
deroko
Section .adata is common for ASProtect and ASPack, and because you have push/call/retn/retn at EP, it seems like ASProtect. But be careful, it might be a fake signature.
http://accessroot.com
Old 12-14-2006, 11:02
b0yb4w4n9
Check the section characteristics.

For UPX, there are 2 to 3 sections. The third section is the resource section. The first section's characteristics have the flag 0xE0000080, the second 0xE0000040. The resource section's characteristics are 0xC0000040.

For ASProtect/ASPack, all the sections have the characteristics 0xE0000040. There are 3 to 5 sections. With default ASProtect compression, the first two sections usually have blank names.

In addition to deroko's reply: there are 5 sections here, and the first two have blank names. It is indeed packed by ASProtect.
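The two checks discussed in this thread (int21h's wildcard entry-point signature and b0yb4w4n9's section-characteristics rules) can be scripted so an analyst applies them consistently when triaging a sample. The following is an added example written for this page; it is not code from any poster or tool. It parses raw IMAGE_SECTION_HEADER entries with the standard 40-byte layout, decomposes the quoted characteristics values into their winnt.h flag bits, and runs the heuristics from post #3. The section tables and the entry-point bytes are constructed inline (the ASProtect-like table reuses the names and rough addresses from int21h's memory dump, the UPX-like table is a hypothetical three-section layout); replace them with headers read from a real file when using it.

```python
import struct

# IMAGE_SECTION_HEADER (winnt.h): 8-byte name followed by eight fixed-width
# fields, little-endian, 40 bytes in total.
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)  # 40

# Flag bits behind the characteristics values quoted in the thread.
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWE = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
RWE_UNINIT = RWE | IMAGE_SCN_CNT_UNINITIALIZED_DATA                       # 0xE0000080
RWE_INIT = RWE | IMAGE_SCN_CNT_INITIALIZED_DATA                           # 0xE0000040
RW_INIT = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_CNT_INITIALIZED_DATA  # 0xC0000040


def make_section(name, va, size, characteristics):
    """Build one raw section header (used only to construct sample input)."""
    raw_name = name.encode("ascii").ljust(8, b"\x00")
    return struct.pack(SECTION_HEADER_FMT, raw_name, size, va, size, 0, 0, 0, 0, 0, characteristics)


def parse_section_headers(blob):
    """Parse consecutive IMAGE_SECTION_HEADER entries into dicts."""
    sections = []
    for off in range(0, len(blob) - SECTION_HEADER_SIZE + 1, SECTION_HEADER_SIZE):
        f = struct.unpack_from(SECTION_HEADER_FMT, blob, off)
        sections.append({
            "name": f[0].rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": f[1],
            "virtual_address": f[2],
            "raw_size": f[3],
            "characteristics": f[9],
        })
    return sections


def guess_packer(sections):
    """Apply the section-characteristics rules from post #3."""
    chars = [s["characteristics"] for s in sections]
    n = len(sections)
    # UPX: 2 or 3 sections; first 0xE0000080, second 0xE0000040, optional .rsrc 0xC0000040.
    if 2 <= n <= 3 and chars[0] == RWE_UNINIT and chars[1] == RWE_INIT \
            and (n == 2 or chars[2] == RW_INIT):
        return "UPX"
    # ASProtect/ASPack: 3 to 5 sections, every one 0xE0000040.
    if 3 <= n <= 5 and all(c == RWE_INIT for c in chars):
        if sections[0]["name"] == "" and sections[1]["name"] == "":
            return "ASProtect (default compression)"
        return "ASProtect/ASPack"
    return "unknown"


def parse_signature(sig):
    """'68 01 ?? ?? ?? E8' -> [0x68, 0x01, None, None, None, 0xE8]; None is a wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]


def signature_matches(pattern, data):
    """True when every non-wildcard pattern byte equals the byte at the same offset."""
    if len(data) < len(pattern):
        return False
    return all(p is None or p == b for p, b in zip(pattern, data))


# Constructed sample input. Names/addresses follow int21h's memory dump; sizes are approximate.
ASPROTECT_LIKE = b"".join([
    make_section("", 0x1000, 0x221000, RWE_INIT),
    make_section("", 0x622000, 0x9000, RWE_INIT),
    make_section(".rsrc", 0x668000, 0xB0000, RWE_INIT),
    make_section(".upx", 0x718000, 0x2E000, RWE_INIT),
    make_section(".adata", 0x746000, 0x1000, RWE_INIT),
])
# Hypothetical three-section UPX layout matching the rule in post #3.
UPX_LIKE = b"".join([
    make_section("UPX0", 0x1000, 0x10000, RWE_UNINIT),
    make_section("UPX1", 0x11000, 0x8000, RWE_INIT),
    make_section(".rsrc", 0x19000, 0x1000, RW_INIT),
])
# Entry-point bytes and signature exactly as posted in the thread.
EP_BYTES = bytes.fromhex("68 01 80 71 01 E8 01 00 00 00 C3 C3 40 C9 F3 50")
ASPROTECT_SIG = "68 01 ?? ?? ?? E8 01 00 00 00 C3 C3"


def triage(section_blob, ep_bytes):
    """Report both indicators side by side; a signature alone can be faked (deroko's caveat)."""
    return {
        "by_sections": guess_packer(parse_section_headers(section_blob)),
        "ep_signature_match": signature_matches(parse_signature(ASPROTECT_SIG), ep_bytes),
    }


if __name__ == "__main__":
    print("sample from thread:", triage(ASPROTECT_LIKE, EP_BYTES))
    print("upx-like layout:   ", triage(UPX_LIKE, b"\x00" * 16))
```

Because the section rule and the entry-point signature are independent evidence, `triage` reports both rather than collapsing them into one verdict; agreement between them (as in this thread) is a much stronger indicator than either alone, while a signature hit with a non-matching section layout is the pattern to treat with suspicion.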