Exetools  

  #1  
Old 08-01-2003, 22:54
LaBBa
ASPR not full tut

Hi all,

I have tried again and again, so many times, to unpack
this new version of ASPR, but no luck; all the time it crashes.

So I made this tut about the new ASPR..

This tut is not yet fully working, so if anyone else wishes to
finish this tut and fix my errors..

Attached file: aspr 1.23.txt (15.8 KB, 194 views)
  #2  
Old 08-03-2003, 01:49
LaBBa
No reply??

Well, I hope that someone will come with a solution for why this app still crashes..

Good luck

(please post your answer here)
  #3  
Old 08-03-2003, 04:05
LaBBa
more info about the crash

Well, all that I have found out more about the crashes of the app
is this:

00402262 . 83C0 03 ADD EAX,3
00402265 > C1F8 02 SAR EAX,2
00402268 . 8B15 24E65600 MOV EDX,DWORD PTR DS:[56E624]
0040226E . 8B5482 F4 MOV EDX,DWORD PTR DS:[EDX+EAX*4-C]
00402272 . 85D2 TEST EDX,EDX
00402274 . 74 79 JE SHORT Dump_.004022EF
00402276 . 8BF2 MOV ESI,EDX
00402278 . 8BC6 MOV EAX,ESI

at: MOV EDX,DWORD PTR DS:[EDX+EAX*4-C]
with an error of Read Access Violation,
and there are more of those,
some with an error of Write Access Violation..

In the packed file in Olly you can see that

DWORD PTR DS:[EDX+EAX*4-C] = 00000000

and in the unpacked file you can see that:

DWORD PTR DS:[EDX+EAX*4-C] = ?????????

Really weird! All other places are like that..

Well, in ASPR Stripper I saw it sometimes doing those lines on some other unpacked apps, i.e.:

ApiEntry RVA :0001e984 *esp = (00a738fd, 00a63861, 0012ffe0)
ApiEntry RVA :000181dc *esp = (00a739f1, 00000010, 00000010)
ApiEntry RVA :000012cc *esp = (00a73b2f, 004012c8, 0012ffe0)

What are those lines for??? I think this could help to solve this thing...

Last edited by LaBBa; 08-03-2003 at 04:26.
  #4  
Old 08-05-2003, 11:55
taipan

Try to write down the register values at the OEP when you debug the protected app.

Then check them on the dump. Some of them must match (e.g. EBP, ...).
  #5  
Old 08-06-2003, 00:44
britedream
Hi labba!
I unpacked it correctly, nothing new, just recheck your IAT.

Britedream
  #6  
Old 08-06-2003, 01:07
britedream
Hi,
I also noticed a strange thing: when I unpacked it, it took out
the time limit too.

britedream

Last edited by britedream; 08-16-2003 at 00:17.
  #7  
Old 08-06-2003, 11:07
jingulong

I have got it correctly; there is something new!
  #8  
Old 08-06-2003, 15:58
britedream
Hi jingulong!
Are you talking about the CryptHashPublicKeyInfo dll? I did not
notice any new stuff. Will you please explain. Thanks

Britedream

Last edited by britedream; 08-17-2003 at 19:02.
  #9  
Old 08-06-2003, 23:35
bunion
Thanks Labba for the tut

paul333
  #10  
Old 08-14-2003, 20:23
LaBBa
Hmmm...

Well, as I can see, no one has posted a real reply for why the app is crashing, or posted a FIX for the TUT.. or continued it..

TOO BAD.. that way no one will learn anything...
  #11  
Old 08-15-2003, 19:46
britedream
In my earlier post I indicated that the problem is in your IAT;
however, I don't have the version you refer to on my PC anymore,
but I did download the new version 4.92-147, so with the
following info you should be able to see what was wrong,
and correct accordingly:
oep=00577b64
stolen bytes=55 8B EC 83 C4 F0 B8 04 74 57 00

IAT=
Attached file: treec3.txt (28.5 KB, 59 views)

Last edited by britedream; 08-16-2003 at 00:16.
  #12  
Old 08-17-2003, 18:43
britedream
Hi labba!
I noticed in your tut that you used "add esp,-10" as a pattern,
but I would like to bring to your attention that it isn't always true:
if you look at Advanced Registry Tracer, you would see
"add esp,-0C".
So I thought you may want to make a note of it in your tut.

Regards!
britedream
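The "add esp,-10" versus "add esp,-0C" point above is a good reason to treat the displacement as a wildcard rather than a fixed byte when looking for the stolen prologue. As an added example (not code from the thread or its attachments), here is a small Python decoder for the Delphi-style stolen bytes britedream posted (55 8B EC 83 C4 F0 B8 04 74 57 00): it matches only the opcode bytes, reads the add esp displacement as a signed byte so any frame size is accepted, and decodes the mov eax,imm32 operand. The OEP 00577b64 is the value posted above; the second sample sequence with add esp,-0C is constructed for illustration.

```python
import struct

# Sample input: the stolen-bytes sequence and OEP posted earlier in this thread.
STOLEN_BYTES_FROM_THREAD = bytes.fromhex("558BEC83C4F0B804745700")
OEP_FROM_THREAD = 0x00577B64

# Constructed variant using add esp,-0C (12-byte frame), the case a fixed
# "add esp,-10" pattern would miss.
CONSTRUCTED_VARIANT = bytes.fromhex("558BEC83C4F4B800000000")


def decode_stolen_prologue(code: bytes, oep: int = OEP_FROM_THREAD) -> dict:
    """Decode a Borland/Delphi-style prologue of the form
       push ebp / mov ebp,esp / add esp,imm8 / mov eax,imm32
    Only opcode bytes are compared; the add esp displacement and the mov eax
    immediate are decoded, so -10h, -0Ch and any other frame size all match.
    Raises ValueError naming the offending offset when the bytes do not fit."""
    insns = []
    pos = 0

    def expect(opcode: bytes, text: str) -> None:
        nonlocal pos
        if code[pos:pos + len(opcode)] != opcode:
            raise ValueError(f"offset {pos}: expected {text} ({opcode.hex(' ')})")
        insns.append((pos, text))
        pos += len(opcode)

    expect(b"\x55", "push ebp")
    expect(b"\x8b\xec", "mov ebp,esp")

    # 83 C4 ib = add esp, sign-extended imm8 (the wildcard byte)
    if code[pos:pos + 2] != b"\x83\xc4" or len(code) < pos + 3:
        raise ValueError(f"offset {pos}: expected add esp,imm8 (83 C4 ib)")
    disp = struct.unpack_from("<b", code, pos + 2)[0]
    insns.append((pos, f"add esp,{disp:#x}"))
    pos += 3

    # B8 id = mov eax, imm32 (little-endian)
    if code[pos:pos + 1] != b"\xb8" or len(code) < pos + 5:
        raise ValueError(f"offset {pos}: expected mov eax,imm32 (B8 id)")
    imm = struct.unpack_from("<I", code, pos + 1)[0]
    insns.append((pos, f"mov eax,{imm:#010x}"))
    pos += 5

    return {
        "insns": insns,
        "length": pos,                        # bytes to write back at the OEP
        "frame_size": -disp,                  # locals reserved by add esp,-N
        "eax_imm": imm,
        "restore_range": (oep, oep + pos),    # [OEP, OEP+len) in the dump
    }


def matches_stolen_prologue(code: bytes) -> bool:
    """True if the bytes fit the relaxed pattern, False otherwise."""
    try:
        decode_stolen_prologue(code)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in (STOLEN_BYTES_FROM_THREAD, CONSTRUCTED_VARIANT):
        info = decode_stolen_prologue(sample)
        for off, text in info["insns"]:
            print(f"{off:2d}: {text}")
        print(f"frame {info['frame_size']} bytes, write back {info['length']} bytes "
              f"at {info['restore_range'][0]:#010x}\n")
```

The decoded "mov eax" immediate (0x00577404 for the posted bytes) is a pointer inside the image, which is a handy sanity check that the dump's image base and the stolen bytes belong together.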
  #13  
Old 08-18-2003, 07:51
LaBBa
Hi.. yea, I noticed that a long time ago.. but we need to find out how we can find those stolen bytes that are now emulated..

BTW... I re-checked my IAT and all was just fine; the app still crashes..

BUT NOW I KNOW WHY.. the full tut is coming!

Last edited by LaBBa; 08-18-2003 at 09:22.
  #14  
Old 08-18-2003, 16:51
britedream
Great!
I am glad that you found out what was wrong. The reason
I suggested that the problem is with your IAT is that there
are three variables: OEP, stolen bytes, and IAT; two of those
are correct, as I saw from your tut, so the only thing left
is your IAT. Of course there are other things that can go wrong,
such as dumping and correct OEP positioning, but those have nothing to do with ASProtect-specific unpacking.

britedream

Last edited by britedream; 08-18-2003 at 21:52.
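The three variables britedream lists (OEP, stolen bytes, IAT) are worth checking mechanically before trusting a rebuilt dump, and the IAT is the one that is easiest to audit. As an added example, not code from the thread, here is a Python check that classifies each 32-bit IAT slot of a dump by what a fresh loader would do with it: an RVA to a hint/name entry or an ordinal survives a reload, while an absolute address left over from the debug session (into a system DLL or into the protector's own allocated memory) or a slot redirected into a stub inside the image does not. Assumptions: an image base of 0x00400000, consistent with the 0x0040xxxx and 0x0056xxxx addresses in the Olly listing in post #3, and a constructed SizeOfImage; the sample slot values are constructed, with one in the 00A7xxxx range of the *esp values shown in post #3 to illustrate how a pointer into protector memory is flagged.

```python
IMAGE_ORDINAL_FLAG32 = 0x80000000  # PE: high bit set in a thunk = import by ordinal

# Assumed image layout (not stated in the thread): base 0x00400000, consistent
# with the 0x0040xxxx / 0x0056xxxx addresses in the Olly listing; SizeOfImage
# is constructed and covers the DS:[56E624] global seen in the crash.
IMAGE_BASE = 0x00400000
SIZE_OF_IMAGE = 0x00170000

# Constructed IAT contents of a hypothetical rebuilt dump, keyed by slot RVA.
# On disk each slot must hold an RVA to a hint/name entry or an ordinal; a raw
# memory dump still holds whatever the loader (or the protector) wrote there.
CONSTRUCTED_IAT = {
    0x0016E000: 0x0001E984,  # RVA to IMAGE_IMPORT_BY_NAME: fine on disk
    0x0016E004: 0x80000010,  # import by ordinal 16: fine
    0x0016E008: 0x77E5A123,  # constructed system-DLL address: stale runtime pointer
    0x0016E00C: 0x00A738FD,  # range of the *esp values in post #3: protector memory
    0x0016E010: 0x00401000,  # inside the image itself: call redirected into a stub
    0x0016E014: 0x00000000,  # zero: terminator (or never resolved, if not last)
}


def classify_iat_entry(value: int, image_base: int = IMAGE_BASE,
                       size_of_image: int = SIZE_OF_IMAGE) -> str:
    """Say what a fresh loader would make of one 32-bit IAT slot.
    Assumes a user-mode 32-bit image with size_of_image < image_base, so an
    RVA and an absolute address inside the image cannot be confused, and that
    no legitimate DLL lives above 0x80000000 (where the ordinal flag sits)."""
    if value == 0:
        return "zero"
    if value & IMAGE_ORDINAL_FLAG32:
        return "ordinal"                    # loader resolves by export ordinal
    if value < size_of_image:
        return "rva-to-name"                # loader reads hint/name at this RVA
    if image_base <= value < image_base + size_of_image:
        return "redirected-in-image"        # points at code in the dump, not a DLL
    return "runtime-pointer"                # absolute address from the debug session


def audit_iat(iat: dict, image_base: int = IMAGE_BASE,
              size_of_image: int = SIZE_OF_IMAGE) -> list:
    """Walk the slots in RVA order and return [(slot_rva, value, kind)] for
    every slot that would not survive a fresh load. Zero is accepted as a
    terminator here because this example does not parse the import descriptors;
    a full tool would cross-check zeros against each descriptor's thunk count."""
    problems = []
    for rva in sorted(iat):
        kind = classify_iat_entry(iat[rva], image_base, size_of_image)
        if kind in ("runtime-pointer", "redirected-in-image"):
            problems.append((rva, iat[rva], kind))
    return problems


def summarize_iat(iat: dict) -> dict:
    """Count slots per classification, a one-line health check for a dump."""
    counts = {}
    for value in iat.values():
        kind = classify_iat_entry(value)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    print("summary:", summarize_iat(CONSTRUCTED_IAT))
    for rva, value, kind in audit_iat(CONSTRUCTED_IAT):
        print(f"IAT slot {rva:#010x} = {value:#010x}: {kind}")
```

Any slot reported as "runtime-pointer" or "redirected-in-image" is one the loader cannot resolve on a fresh start, which is the kind of defect behind an access violation shortly after the OEP; the same classification applied to the values an IAT rebuilder writes back tells you whether it actually repaired the table or merely copied the live pointers.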
  #15  
Old 08-19-2003, 22:19
LaBBa
Full Tut Is Finished

Hi.

Yea, you were right.. the dumping was wrong..
Here's the tut, a little improved...
Attached file: unpacking aspr 1.23.zip (23.5 KB, 210 views)

All times are GMT +8.