Unpacking asprotect

[britedream]

I have been asked by a gentleman and good friend from this forum to give some tips on iat , but since asprotect has different varieties , it is worth it to show you one that you have not seen yet, so you will have another concept of asprotect[easy one] . I will pick a target that I think it is very useful for many pc user and has the recent asprotect, this target is registry clean expert , the new version 3.51 is released this month.

let us scan the target first, load it and use my script to go to oep, will notice two things a- no stolen b- look at the dump pane , it suggests that our imports might be here , let us see how close is that to reality.

steps:
1- restart the target and shift+ f9 till you see in the dump pane definite pattern such as:
00476000 82 D3 08 00 64 D2 08 00 ‚Ó.dÒ.
00476008 78 D2 08 00 88 D2 08 00 xÒ.ˆÒ.
00476010 9A D2 08 00 AA D2 08 00 šÒ.ªÒ.
00476018 BA D2 08 00 CC D2 08 00 ºÒ.ÌÒ.
00476020 DE D2 08 00 EC D2 08 00 ÞÒ.¨¬Ò.
00476028 00 D3 08 00 10 D3 08 00 .Ó.Ó.
00476030 1E D3 08 00 CC D3 08 00 Ó.ÌÓ.
00476038 BC D3 08 00 A8 D3 08 00 ¼Ó.¡§Ó.
00476040 94 D3 08 00 56 D2 08 00 ¡±Ó.VÒ.
00476048 6E D3 08 00 56 D3 08 00 nÓ.VÓ.

select all patterns , that is about till address xxx840, and set memory break point on write.

2- shift+f9 tell you see eax with an api entered in [edx], F9,continue in doing so, tell you see a bad entry[ you may hit the bad entry first], change eax to the good register , ebx, you can do few more f9s to make sure No more bad entries,but I can assure you, there aren't any, so remove the bp , f9, you will be at exception, hit the "-" key, undo change you have made.

3- use my script to go to oep, impotrec will fix the one item left, dump and attach the import. all done

note:
there are few things to fix , but are normal, if you have hard time , I will show how to fix them as well as how to register the target.
[note2]
script asplasltex_oepnewall2 has been corrected to work well.


regards.

Hi britedream,


Thanks for your valuable advice, it worked perfect

Best Wishes

R@dier

[JMI]

Don't know if it makes any difference to the process, because I have not had time to try your technique, but the vendor did release a 3.52 verson on August 27th. The 3.51 version is still available on the net with minimal searching.

Thanks for the information.

Regards,

[britedream]

I did check it, and there is no difference between the two versions as far as asprotect concern.

Regards.

Hi,

I used version 3.52, no probs at all


Best Wishes
R@dier

[britedream]

Script asplastex_oepnewall2 has been corrected to work as good as alplastex_oepnewall.


Regards.

[JMI]

Britedream

Entirely too much good work coming from you lately. No, wait, you always do good work. Keep it coming.

Regards,

[britedream]

Pleasure to participate in your forum.