Exetools  

  #1  
10-11-2006, 06:16
Fade
need help unpacking ASProtect

I am having problems unpacking a program again. The program that is protected which I am trying to unpack is aatools. AATools v5.92 Build 1610
homepage http://www.glocksoft.com/aatools.htm

The protector it uses is ASProtect, but the problem is I am not sure which version. I used PEiD and then based on what it told me, I went looking for a MUP tut or an auto unpacker. I spent a while playing around and following different guides. After messing around for a while I tried using the older version of PEiD just to make sure it is really ASProtect, but when I checked it, it was recognised as a different version.

So I checked it with some other tools as well and this is what I saw:

Quote:
PEiD v0.93
ASProtect 1.2x - 1.3x [Registered] -> Alexey Solodovnikov

PEiD v0.94
ASProtect 2.1x SKE -> Alexey Solodovnikov

pe-scan 3.31 (3.13 the writing is messed up)
no recognised packer/encryptor found

ProtectionID5.1f
ASProtect v2.2 detected

RDG Packer Detector v0.6.4 Beta R-1
ASProtect v2.xx

STUD_PE v2.3.0.1 (detects the same as v2.2.5.0)
ASProtect 1.2x [New Strain] -> Alexey Solodovnikov

Exeinfo PE version 0.0.1.4 a
ASprotect 2.1 ( www.aspack.com/asprotect.htm )

GT2 0.35
Not processed/created with any known program

PFS beta 0.11
ASProtect v1.2x (New Strain)

aPE.public.version_0.1.0beta_release
ASProtect 1.x - 2.x /SKE/

PE Tools v1.5 Build 400 (xmas edition)
ASProtect v1.2x (New Strain)

I also checked it with a few others which either recognised it incorrectly or couldn't recognise it at all. I don't know the exact version so it is hard finding a guide to unpack it.

The closest I have got is using a guide written in Vietnamese. I can't remember where I got this guide originally. It might have even been from this forum, but I will upload it to this thread so that if anybody can help me, they don't have to go looking for it.

--------------------------
I think I explained enough so far to let you know my situation, I'll tell you where I currently am.

I open AATools in Olly with the 2 plugins and scripts in the same directory as Olly. I also have my exceptions configured like they are configured in the picture. I run the IAT fixer script and when that is finished and it tells me the import tables are fixed, I click ALT + M and then set a breakpoint on memory access on the line underneath "PE Header", I press F9 and dump the file.
(little note, you need to run the IAT fixing script with odbgscript not ollyscript, otherwise it will give an error about BPHWCALL)

I open the file in ImpREC and then click IAT autosearch, then get imports. It finds that most of them are correct, but 2 are wrong, so I choose "Show Invalid" and on the invalid thunks I right click and choose "Plugin Tracers" -> "ASPR2", which is the ASPR2 plugin that comes with the tutorial.

It says they are fixed, but when I click fix dump and it saves the file, I run the file and the file doesn't work :P

So I don't know what to do, or what I am doing wrong.

Please help me, if you want any more information just ask.
Attached Files
File Type: rar Unpacking_ASProtect_2.XX_SKE.rar (859.1 KB, 78 views)

Last edited by Fade; 10-11-2006 at 06:18.
  #2  
10-11-2006, 23:10
Jupiter
Use the VerA plugin for PEiD to detect the exact ASProtect version.

You can download it in my post:
ASProtect Version Detection
Direct link to archive:
VerA v0.15.rar

Last edited by Jupiter; 10-11-2006 at 23:13.
  #3  
10-12-2006, 07:40
Fade
That tutorial I said I didn't know where it came from, well it came from here http://www.exetools.com/forum/showthread.php?t=9624

Jupiter, thank you for the reply. I tried that program and it gave me this:
Version: ASProtect 2.xx (may be 2.11) Registered [1]

There are a lot of guides for the different versions. I think ASProtect 2.xx (IAT Rebuilding + Stolen Code) will work; I got it from http://www.tuts4you.com/blogs/download.php?view.279 . Well, the first few parts are working like it says in the tutorial, but then I get lost. Also there are a lot of scripts that come with it, which I don't know what to do with yet. They haven't said I need to use them, so maybe it covers that later.

I get to

Quote:
F9, stops in the common Bp, we removed is and we put memory BP again on Write, F9 and for here.

I remove the memory BP (I think that is right), then I toggle a breakpoint on "PUSH EBX" like in the picture, but I don't understand what I do next. It says

Quote:
Again he himself method to pass the curl.
Let us be paying attention to the registries when for every time.
If we followed the registries we will see that in this zone asprotect writes the jumps to
its sections we go to dump.

But I don't know what to do.
  #4  
10-13-2006, 01:01
deroko
Did you check this tut --> http://forum.exetools.com/showthread.php?t=9912 ...
You may download it at tutorials.accessroot.com
__________________
http://accessroot.com
  #5  
09-19-2009, 12:58
barmarwan
ASProtect V2.X Registered -> Alexey Solodovnikov *

Quote:
Originally Posted by selambebegim
Thanks, brother

Pls help

I do not know what's the real version of ASProtect.
When I used Exeinfo PE v0.0.2.2 I'm getting:
ASprotect ver 2.1 / 2.^ ( www.aspack.com/asprotect.htm )

but by using DiE6.4 I'm getting :
ASProtect V2.X Registered -> Alexey Solodovnikov *

and by PEiD 0.95 I'm getting :
ASProtect 1.33 - 2.1 Registered -> Alexey Solodovnikov

How can I know the exact version?

Pls help.
  #6  
09-20-2009, 02:07
Jupiter
ASPrINFO

ASPrINFO v 1.6 Beta
100% detector version of ASProtect > v1.23

© nik0g0r 2oo7
Attached Files
File Type: rar ASPriNF.v1.6.rar (27.5 KB, 46 views)
__________________
EnJoy!
  #7  
05-23-2011, 14:49
XQuader
Quote:
Originally Posted by hkn225
Why can not download the file, do not understand.

Read rules - this and this
If you need ASprotect version detectors - here they are...
ASPrINFO 1.6 beta
VerA 2.03

Last edited by XQuader; 05-23-2011 at 14:57.
  #8  
05-23-2011, 16:11
giv
It's a useful tool but I have one requirement...

Quote:
Originally Posted by Jupiter
ASPrINFO v 1.6 Beta
100% detector version of ASProtect > v1.23

© nik0g0r 2oo7

Please post an English translated version of ASPriNF.txt from the archive.
Thank you!
  #9  
05-25-2011, 22:12
deepzero
There's also one from PE Kill, I think.

Afaik the readme just states it should work on all 1.x/2.x versions except for aspro itself.

(btw, this thread is from 2006/09...)