Exetools  

  #1  
Old 01-02-2005, 14:56
metro
finding aspack routine

Hi, I'm a newbie to this, but I'm very interested and want to learn.

I'm trying to make a patch for a program that is aspacked - that will jmp to my code from the end of the unpacking routine when the app is run.

I don't know where to start, and could only find some very outdated tutorials that don't outline this area (and the tutorials here - which I can't download yet!).


How do I go about finding the end of the unpacking routine?


(I have ollydbg, but I'm sure I can 'find' softIce somewhere if needed!)

I have messed around a little making one or two trainers for games, but this side of it is completely new to me.

Sorry if this post is a bit too newbie! (most questions here seem to be rather more.. precise/accurate? (not sure of the word) )
  #2  
Old 01-02-2005, 23:00
ne_viens
End of unpacking routine looks like this (popa is a good indicator):

Code:
;.....
                add     eax, [ebp+422h]
                pop     ecx
                or      ecx, ecx
                mov     [ebp+3A8h], eax ; fills the push 0 with
                                        ; OEP address below
                popa
                jnz     short goon
                mov     eax, 1
                retn    0Ch
goon:
                push    0
                retn
But... why don't you want to unpack the application entirely, add your code
and run it?
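As an added example (not code from the thread, and not ASPack's own), the instruction sequence posted above can be turned into a byte signature that finds the stub tail in a raw buffer or dump and reads back the push slot the stub fills with the OEP; the sample bytes, the 0x00401000 OEP value and the function names are constructed for illustration.

```python
# Added example, not code from the thread: scan a raw byte buffer for the tail of
# an ASPack-style unpacking stub (the sequence ne_viens posted) and read back the
# "push 0" slot that the stub fills with the OEP. All sample bytes are constructed.
from typing import Optional, Tuple

# Pattern for the stub tail; None is a wildcard byte (jnz displacement, push imm32).
STUB_TAIL = [
    0x61,                          # popa
    0x75, None,                    # jnz short goon
    0xB8, 0x01, 0x00, 0x00, 0x00,  # mov eax, 1
    0xC2, 0x0C, 0x00,              # retn 0Ch
    0x68, None, None, None, None,  # goon: push 0  (imm32 slot, filled with OEP)
    0xC3,                          # retn
]
PUSH_IMM = 12  # index of the push operand inside STUB_TAIL


def find_stub_tail(buf: bytes) -> Optional[Tuple[int, int]]:
    """Return (offset of popa, offset of the push imm32 slot), or None."""
    for off in range(len(buf) - len(STUB_TAIL) + 1):
        if not all(p is None or buf[off + i] == p for i, p in enumerate(STUB_TAIL)):
            continue
        # Cut false positives: the jnz displacement must land exactly on the push.
        rel8 = buf[off + 2] - 256 if buf[off + 2] > 127 else buf[off + 2]
        if off + 3 + rel8 == off + PUSH_IMM - 1:
            return off, off + PUSH_IMM
    return None


def oep_from_dump(buf: bytes) -> Optional[int]:
    """In a dump taken after the stub ran, the push slot holds the OEP (a VA)."""
    hit = find_stub_tail(buf)
    if hit is None:
        return None
    return int.from_bytes(buf[hit[1]:hit[1] + 4], "little")


# Constructed sample: the last instructions of the stub as listed in the thread.
SAMPLE_ON_DISK = bytes([
    0x03, 0x85, 0x22, 0x04, 0x00, 0x00,  # add eax, [ebp+422h]
    0x59, 0x0B, 0xC9,                    # pop ecx ; or ecx, ecx
    0x89, 0x85, 0xA8, 0x03, 0x00, 0x00,  # mov [ebp+3A8h], eax
    0x61, 0x75, 0x08,                    # popa ; jnz short goon (+8 bytes)
    0xB8, 0x01, 0x00, 0x00, 0x00,        # mov eax, 1
    0xC2, 0x0C, 0x00,                    # retn 0Ch
    0x68, 0x00, 0x00, 0x00, 0x00, 0xC3,  # goon: push 0 ; retn
])
# Constructed "runtime dump": same bytes, slot already filled by the stub.
SAMPLE_DUMP = bytearray(SAMPLE_ON_DISK)
SAMPLE_DUMP[27:31] = (0x00401000).to_bytes(4, "little")  # made-up OEP value
```

On the on-disk bytes the slot reads as 0, which is exactly why a dump has to be taken after the stub has stored the OEP there.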
  #3  
Old 01-03-2005, 05:45
taos
I suggest that you read info about "getting the OEP".
Try packing a very simple ASM file and see the result in olly.
Make a "hello world", see how it runs in olly, pack this file, see how it runs in olly.
You will see how to get the OEP with this packer.
You must STUDY AND READ a lot before you understand.
And please, please, use GOOGLE to search for tuts, there are a lot of them.
  #4  
Old 01-03-2005, 06:22
Michel
A complementary way to learn how the unpacker routine works is to use some tool like AspackDie or Un-Aspack, which gives you a working dump (and the right OEP). Then, using the chart feature of IDA, it's easier to follow in Olly the rebuild of the original exe.
  #5  
Old 01-03-2005, 06:46
JMI
I would also suggest that you need to understand just what the heck an "unpacking" process does and I mean on an assembly language level, since this is the form in which you are most likely going to see it in a debugger. First consider it conceptually. Something with a certain size, whether it is the entire program, exe, dll, whatever, has been "packed." So, in this process of analysis, we know that "size does matter."

Now, as a general concept, packed code (or, for that matter, crypted code) will not run. So, some part of the code has to run to "unpack" the "packed" parts. Now to be effective, it simply has to know "how much" to apply its unpacking routine to, or it will start doing "something" with parts of the code which were not originally "packed" and that part will now not work.

So, again, conceptually, the "unpacking routine" is going to take a chunk of code of a certain size and work its magic on that chunk and now you have code that will run.

So this suggests that there has to be, somewhere, something which tells the "unpacking routine" how many times it is supposed to work its magic before it has to stop or wreck the rest of the program. So now there is something you have to find which has the "count" of how many times the routine needs to "cycle" through its steps before it is done.

This suggests that you are looking for a routine which takes a portion of the code located somewhere else in the program and "adds something to it" or does "some other mechanical" process to the "packed" code so that it has returned to its "original" form. Having worked its magic on a particular chunk of the packed code it needs to know whether it has "finished" its job. So you can assume that there has to be some form of a "compare" near the end of the routine, where it checks to see if it is "done" yet. This could take several forms, such as subtracting from a starting number and branching when "0" is reached, or maybe comparing to an "ending" address in the code where it knows it is done. The point being you will see that the code is going to "return" or "branch" or "jump" back to the "unpacking" part until it has reached whatever point that is and then it will go somewhere else, like maybe to the original OEP.

And just to keep things interesting, maybe before it jumps off to the OEP, it might actually "erase" the "unpacking code" so that if some evil cracker dumps the running program, the "unpacking code" isn't there to be seen.

Regards,
JMI
  #6  
Old 01-03-2005, 15:55
metro
Thank you very much for the explanations guys (it was a very good explanation by JMI). I tried to reply earlier, but I think an anti-spam system prevented me (it said I couldn't post again for 24 hours).

taos - thanks for the tip with "getting OEP", I was previously googling for "unpacking aspack" and didn't make any ground with the tutorials I found, but adding OEP led to a nice tutorial here.

ne_viens, I don't want to just unpack the file - as then I have to give my friends the complete file, rather than just a little patch. Thank you for the example code!

I have now finished the patch and all is working well, so I'm very happy.