Exetools  
  #1  
Old 08-06-2002, 16:15
R@dier
ASPack2.1 unpacking

Hi all,
I am having trouble unpacking ASPack2.1 and need some advice on repairing the dumped exe.
This is what I have done.

Started SoftICE and set a breakpoint on GetProcAddress,
then started the app (Notepad.exe), which has been packed using ASPack2.1.

When SoftICE breaks I press F5 a few times before searching for the ASPack sig;
after I have found the ASPack sig I set a breakpoint on that memory location.

Pressed F5 and boom, I break into the app just where I want.

I then step through

POPAD
JNZ 0040D4FE
MOV EAX, 1
RET 000C
PUSH OEiP
RET

After the last RET I put the program into a loop at the OEP and then dump the exe.

Then I edit the dumped EIP back to the original (Image Base - Entry point).

Next I edit the dumped exe with UltraEdit and change the code at the OEP back to what it was.

From what I understand the program should now run, but I get errors instead.

I think I need to rebuild the Import Table, but I'm not sure how.
Any help appreciated.

I am running WinXP, which may add to the problem.

I would like to write an unpacker later and would appreciate any sigs for the various protectors/packers.


Many thanks

R@dier

Last edited by R@dier; 08-06-2002 at 20:37.
  #2
Old 08-06-2002, 21:25
snaker
rebuild the imports

Hi, you need to rebuild the imports....
Use ImpREC or ReVirgin.
Put in the OEP and select Get Imports...
Then trace the invalid entries and write them to the PE file...

I think the readme of either will be more helpful.

Anyway, just rebuild the imports.
  #3
Old 08-06-2002, 22:10
WhoCares
Just dump the IT/IAT from memory, paste it to your fully dumped exe, then fix PE header. done.
__________________
AKA Solomon/blowfish.
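Added example, not code from anyone in this thread or from ImpREC/LordPE: a small Python helper showing what "fix PE header" and "write them to the PE file" amount to on a PE32 dump, namely rewriting AddressOfEntryPoint to the recovered OEP RVA and pointing the import data directory at the rebuilt descriptor table (the new section the import fixer adds). The sample header and its values (stub entry point 0x9001, rebuilt table at RVA 0xA000) are constructed for the demonstration.

```python
import struct

def _pe_offset(data):
    """Follow e_lfanew to the PE signature and insist on a PE32 optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    if struct.unpack_from("<H", data, pe + 24)[0] != 0x10B:   # IMAGE_NT_OPTIONAL_HDR32_MAGIC
        raise ValueError("only PE32 headers are handled here")
    return pe

def get_entry_point(data):
    """AddressOfEntryPoint sits 16 bytes into the optional header (pe + 0x28)."""
    return struct.unpack_from("<I", data, _pe_offset(data) + 0x28)[0]

def set_entry_point(data, oep_rva):
    """Copy of the dump with AddressOfEntryPoint rewritten to the recovered OEP RVA."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, _pe_offset(data) + 0x28, oep_rva)
    return bytes(buf)

def get_import_directory(data):
    """(RVA, size) of DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT], at pe + 0x80 for PE32."""
    return struct.unpack_from("<II", data, _pe_offset(data) + 0x80)

def set_import_directory(data, rva, size):
    """Copy of the dump whose import directory points at the rebuilt descriptor table."""
    buf = bytearray(data)
    struct.pack_into("<II", buf, _pe_offset(data) + 0x80, rva, size)
    return bytes(buf)

def build_sample_dump():
    """Constructed PE32 header shaped like a raw dump: entry point still at the
    packer stub, import directory pointing at the packer's stripped table."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                   # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x84, 0x014C, 3)             # i386, 3 sections
    struct.pack_into("<H", buf, 0x94, 0xE0)                   # SizeOfOptionalHeader
    struct.pack_into("<H", buf, 0x98, 0x10B)                  # PE32 magic
    struct.pack_into("<I", buf, 0xA8, 0x00009001)             # entry point = stub (made up)
    struct.pack_into("<I", buf, 0xB4, 0x01000000)             # ImageBase
    struct.pack_into("<II", buf, 0x100, 0x00009200, 0x40)     # stripped import dir (made up)
    return bytes(buf)
```

Run the two setters on a real dump only after the raw dump is saved elsewhere; both return a modified copy and leave the input bytes alone.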
  #4
Old 08-07-2002, 20:48
R@dier
Thanks for the info

Snaker:
I tried using ReVirgin, but it keeps causing my comp to reboot when I start tracing.
I have not found ImpREC yet but I will give it a go.

I was wondering how to "write them to the PE file".

WhoCares:
Just dump the IT/IAT from memory, paste it to your fully dumped exe, then fix PE header. done.

Could you give me some more information please?


Many thanks

R@dier
  #5
Old 08-14-2002, 22:49
Kalisto
Hi R@dier, did you solve the problem?
  #6
Old 08-15-2002, 08:47
R@dier
Kalisto:
No, not quite.
I can rebuild notepad.exe from Win98, but the one on WinXP I just can't seem to get to work.

Still trying to find a solution.
  #7
Old 08-15-2002, 14:26
Kalisto
Did you find ImpREC 1.42? I will try to unpack the Win2000 notepad packed with ASPack 2.12. This is probably the same or similar on WinXP.
  #8
Old 08-15-2002, 16:40
R@dier
Yes I did, very nice, it is the first time I have used it.
Also I am interested to see how you go with the Win2000 notepad.
:-)

R@dier
  #9
Old 08-15-2002, 22:29
Kalisto
I did it successfully, it's easy. Do you need a tute?
  #10
Old 08-15-2002, 22:59
R@dier
Do you need tute

Yes, it would be very handy.

thanks
R@dier
  #11
Old 08-16-2002, 16:28
Kalisto
OEP is 1006420, found with OllyDbg. You know how to find the OEP so this is not a problem. You see line 0100644F. This is the first import. Put 1160 (RVA) in ImpREC and 100 as size. Press Get Imports.
You see msvcrt.dll ... comdlg32.dll. The rest is junk. You must find kernel and other missing imports. Just put 1000 as RVA and all imports are here. Reduce size to 2F0 to get rid of junk and that's all. Fix dump with Add New Section, change OEP with LordPE to 6420 and run it. It should work.

01006420 . 55 PUSH EBP
01006421 . 8BEC MOV EBP,ESP
01006423 . 6A FF PUSH -1
01006425 . 68 88180001 PUSH NOTEPAD.01001888
0100642A . 68 D0650001 PUSH NOTEPAD.010065D0 ; JMP to msvcrt._except_handler3
0100642F . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
01006435 . 50 PUSH EAX
01006436 . 64:8925 000000>MOV DWORD PTR FS:[0],ESP
0100643D . 83C4 98 ADD ESP,-68
01006440 . 53 PUSH EBX
01006441 . 56 PUSH ESI
01006442 . 57 PUSH EDI
01006443 . 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
01006446 . C745 FC 000000>MOV DWORD PTR SS:[EBP-4],0
0100644D . 6A 02 PUSH 2
0100644F . FF15 60110001 CALL NEAR DWORD PTR DS:[1001160] ; msvcrt.__set_app_type
01006455 . 83C4 04 ADD ESP,4
01006458 . C705 38990001 >MOV DWORD PTR DS:[1009938],-1

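Added example (not Kalisto's code and not ImpREC's) of what "Get Imports" over an RVA/size range does: every dword in the IAT range is looked up against the loaded modules' exports, zero dwords separate one DLL's thunks from the next, and the first dword that resolves to nothing marks where the junk starts, which gives the trimmed size. The memory image and export addresses are constructed to mirror the numbers in the post (IAT at RVA 0x1000, msvcrt thunks at 0x1160, valid data up to 0x12F0); a real tool reads the export addresses from the running process.

```python
import struct

# Constructed export map standing in for the loaded DLLs' export tables (made-up addresses).
EXPORTS = {
    0x77E40000: ("kernel32.dll", "GetProcAddress"),
    0x77E40010: ("kernel32.dll", "LoadLibraryA"),
    0x78000000: ("msvcrt.dll", "__set_app_type"),
    0x78000010: ("msvcrt.dll", "_except_handler3"),
    0x76300000: ("comdlg32.dll", "GetOpenFileNameW"),
}

def scan_iat(image, rva, size, exports=EXPORTS):
    """ImpREC-style Get Imports over image[rva:rva+size]: a dword matching a known
    export is valid, a zero dword ends the current DLL run, the first unknown dword
    is junk. Returns ([(dll, [func, ...]), ...] in IAT order, first_junk_rva or None)."""
    entries, first_junk = [], None        # (rva, dll, func), or None for a zero dword
    for off in range(rva, min(rva + size, len(image) - 3), 4):
        value = struct.unpack_from("<I", image, off)[0]
        if value == 0:
            entries.append(None)
            continue
        if value not in exports:          # not an export of any loaded DLL
            first_junk = off
            break
        entries.append((off, *exports[value]))
    runs, current = [], None
    for e in entries:
        if e is None or current is None or current[0] != e[1]:
            current = None if e is None else (e[1], [])
            if current:
                runs.append(current)
        if e:
            current[1].append(e[2])
    return runs, first_junk

def trimmed_size(rva, first_junk_rva):
    """Size that covers only the valid part (0x1000 .. 0x12F0 gives 0x2F0)."""
    return first_junk_rva - rva

def build_sample_image():
    """Constructed dump: kernel32 thunks at 0x1000, msvcrt at 0x1160, comdlg32 at 0x1200, junk from 0x12F0."""
    img = bytearray(0x2000)
    for off, addrs in {0x1000: [0x77E40000, 0x77E40010],
                       0x1160: [0x78000000, 0x78000010],
                       0x1200: [0x76300000]}.items():
        for i, addr in enumerate(addrs):
            struct.pack_into("<I", img, off + 4 * i, addr)
    struct.pack_into("<I", img, 0x12F0, 0x41414141)   # junk after the real table
    return bytes(img)
```

Scanning from 0x1160 with size 0x100 finds only msvcrt and comdlg32, exactly the "kernel and other missing imports" situation; starting at 0x1000 picks them up, and the junk offset gives the 0x2F0 size to trim to.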
  #12
Old 08-16-2002, 20:13
R@dier
Kalisto:
Thanks for the info.
I will give it a try and let you know the results :-)

R@dier
  #13
Old 08-17-2002, 00:47
R@dier
Kalisto:

Thanks again, it was a complete success.

Imprec has just become my favorite tool


Best Regards

R@dier

PS. my OEP was @ 6AE0
  #14
Old 08-17-2002, 01:03
snyper
R@dier ::
another approach to fixing imports in a dumped file; move your unresolved import address straight into the IAT.
here's some notes i made when unpacking aspack2.1, maybe it could be useful for you in other versions ::

original import table :: pep + 0x2b
- this is a dword which holds the original ImportTable RVA.

dll name eraser :: pep + 0x4c6
- this replaces the first dword of a dll name (eg kernel32.dll) with 0. just nop it.

import resolves :: pep + 0x4b8
- the routine call to resolve an import-function address for the IAT. you can just move the unresolved address to the IAT.

oep write :: pep + 0x4ec
- this moves the oep to the oep jmp at ::

oep jmp :: pep + 0x4fd
- the oep jmp.

in the pe-scan unpacking routines i patched the loader and put a breakpoint at the oep jump, _then_ dumped the file and fixed the header. basically, the loader does all the work for you. =)
however it's not failsafe; it does rely on the asm opcodes being in a set offset. i'm working on a search-and-destroy patcher for the opcodes found at the above offsets.
  #15
Old 08-17-2002, 09:38
R@dier
snyper:

Thanks for the extra info,
I appreciate it.


I am very interested in writing an unpacker later, I still have so much to learn


R@dier

Last edited by R@dier; 08-17-2002 at 09:41.
All times are GMT +8.