#1
ASPR not full tut
hi all
I have tried again and again, so many times, to unpack this new version of ASPR, but no luck: it crashes every time. So I made this tut about the new ASPR. This tut is not yet fully working, so if anyone else wishes to finish this tut and fix my errors..
#2
no reply ??
Well, I hope that someone will come up with a solution for why this app still crashes..
Good luck (please post your answer here)
#3
more info about the crash
Well, all that I have found out so far about the crashes of the app is this:

    00402262 . 83C0 03        ADD EAX,3
    00402265 > C1F8 02        SAR EAX,2
    00402268 . 8B15 24E65600  MOV EDX,DWORD PTR DS:[56E624]
    0040226E . 8B5482 F4      MOV EDX,DWORD PTR DS:[EDX+EAX*4-C]
    00402272 . 85D2           TEST EDX,EDX
    00402274 . 74 79          JE SHORT Dump_.004022EF
    00402276 . 8BF2           MOV ESI,EDX
    00402278 . 8BC6           MOV EAX,ESI

It crashes at: MOV EDX,DWORD PTR DS:[EDX+EAX*4-C] with a Read Access Violation error, and there are more of those, some with a Write Access Violation error..
In the packed file, in Olly, you can see that DWORD PTR DS:[EDX+EAX*4-C] = 00000000, and in the unpacked file you can see that DWORD PTR DS:[EDX+EAX*4-C] = ?????????
Really weird! All the other places are like that..
Well, in ASPR Stripper I saw it sometimes printing lines like these for some other unpacked apps, i.e.:

    ApiEntry RVA :0001e984 *esp = (00a738fd, 00a63861, 0012ffe0)
    ApiEntry RVA :000181dc *esp = (00a739f1, 00000010, 00000010)
    ApiEntry RVA :000012cc *esp = (00a73b2f, 004012c8, 0012ffe0)

What are those lines for??? I think this could help to solve this thing...
Last edited by LaBBa; 08-03-2003 at 04:26.
#4
Try to write down the register values at the OEP when you debug the protected app.
Then check them on the dump. Some of them must match (e.g. EBP, ...).
#5
|
I unpacked it correctly, nothing new, just recheck your It.
Britedream
#6
Hi
I also noticed a strange thing: when I unpacked it, it took out the time limit too.
britedream
Last edited by britedream; 08-16-2003 at 00:17.
#7
I have got it correctly, there is something new!
#8
Hi jingulong !
Are you talking about the CryptHashPublicKeyInfo dll? I did not notice any new stuff. Will you please explain? Thanks
Britedream
Last edited by britedream; 08-17-2003 at 19:02.
#9
Thanks Labba for tut
paul333
#10
HMMM...
Well, as I can see, no one has posted a real reply for why the app is crashing, or posted a FIX for the TUT, or continued it..
TOO BAD.. that way no one will learn anything...
#11
In my earlier post I indicated that the problem is in your IAT.
However, I don't have the version you refer to on my PC anymore, but I did download the new version 4.92-147, so with the following info you should be able to see what was wrong, and correct accordingly:
oep=00577b64
stolen bytes=55 8B EC 83 C4 F0 B8 04 74 57 00
IAT=
Last edited by britedream; 08-16-2003 at 00:16.
#12
Hi labba !
I noticed in your tut that you used "add esp,-10" as a pattern, but I would like to bring to your attention that this isn't always true. If you look at Advanced Registry Tracer, you would see "add esp,-0C", so I thought you may want to make a note of it in your tut.
Regards!
britedream
#13
Hi .. yeah, I noticed that a long time ago.. but we need to find out how we can find those stolen bytes that are now emulated..
BTW ... I re-checked my IAT and all was just fine, the app still crashes.. BUT NOW I KNOW WHY .. the full tut is coming!
Last edited by LaBBa; 08-18-2003 at 09:22.
#14
Great !
I am glad that you found out what was wrong. The reason I suggested that the problem is with your IAT is that there are three variables: OEP, stolen bytes, and IAT. Two of those are correct, as I saw from your tut, so the only thing left is your IAT. Of course there are other things that can go wrong, such as dumping and correct OEP positioning, but those have nothing to do with ASProtect-specific unpacking.
britedream
Last edited by britedream; 08-18-2003 at 21:52.
#15
Full Tut Is Finished
Hi.
Yeah, you were right .. the dumping was wrong.. here is the tut, a little improved...