#1
01-16-2004, 21:02
MaRKuS-DJM
Asprotect 1.23 New Tutorial by LaBBa

I saw LaBBa wrote a new tutorial for Asprotect 1.23, but he didn't post it @exetools...

so I'll attach it here.
many thanks to LaBBa!!!!

original post by LaBBa:
Quote:
This is it ..
the final tut..
I just hope that more ppl will start writing tuts in a good old: "Step by Step"

I just hope that ppl that won't appreciate this tut at least will appreciate the time it took me to write it..

Best Regards to all,

LaBBa

Last edited by MaRKuS-DJM; 01-16-2004 at 21:05.
#2
01-16-2004, 22:06
britedream
Hi Markus
Asprotect doesn't need that long tut, even though we appreciate the effort now and always that labba is doing, I think long tuts tend to be hard to follow at least for me, here is the way that britedream might do it:
1- stack hard breakpoint on the first push, takes you to pushad, do the same for the pushad takes you to the stolen bytes.
2- memory breakpoint on code section, look at the stack for the oep.
3- fix your iat- done.

Last edited by britedream; 01-19-2004 at 00:54.
#3
01-16-2004, 22:49
MaRKuS-DJM
Yes, you are right, but it's interesting how many ways take you to the finish.

Some question: which hardware breakpoint do you use? The second one @ the pushad doesn't work for me.
#4
01-16-2004, 22:53
MaRKuS-DJM
no, got it handled already

thanks britedream

but I see stack-breakpoints won't work on ASProtect 1.22 - 1.23 Beta 21

Last edited by MaRKuS-DJM; 01-16-2004 at 23:02.
#5
01-16-2004, 23:21
britedream
may I ask which program?
#6
01-16-2004, 23:23
R@dier
I was wondering if you guys could please expand on

Quote:
1- stack hard breakpoint on the first push, takes you to pushad, do the same for the pushad takes you to the stolen bytes.
I don't quite understand it


Best Wishes
R@dier
#7
01-16-2004, 23:30
britedream
F7 to pass the push, follow esp to dump,
right click on it in the dump, select: hardware on access dword.
#8
01-16-2004, 23:47
MaRKuS-DJM
It's Advanced IM Password Recovery by Elcomsoft, protected by the old asprotect, and the stack hardware-bp doesn't work

correction:
the first one works, the second one: no

Last edited by MaRKuS-DJM; 01-16-2004 at 23:51.
#9
01-17-2004, 00:17
R@dier
@ britedream
Thanks :-)


@ MaRKuS
I have been playing with Advanced IM Password Recovery also,
after you posted it this morning, found it quite easy to unpack using the different methods.



Best Wishes
R@dier

Last edited by R@dier; 01-17-2004 at 00:26.
#10
01-17-2004, 00:25
MaRKuS-DJM
and which method did you use R@dier?
#11
01-17-2004, 00:30
R@dier
to find OEP used
2- memory breakpoint on code section,

to find stolen bytes used kinda LaBBa's method

I still have not got the hang of

Quote:
1- stack hard breakpoint on the first push, takes you to pushad, do the same for the pushad takes you to the stolen
yet,

but looking into it :-)

R@dier
#12
01-17-2004, 00:45
britedream
for the advance:
the method is correct, but somehow it didn't catch the bp, it erased the breakpoint, but even though I brought it back it still wouldn't catch it, you can work around it by the following:
you will notice when you passed the pushad that esp = 12ffa4, it should have popped up when it has been accessed, but it did not, so once you are at the last exception, set trace condition esp==12ffa4, then control+f11 it will stop on top of the stolen byte as it should have, f7 little bit you should be at the first one.

Last edited by britedream; 01-17-2004 at 02:14.
#13
01-17-2004, 00:55
britedream
to find the oep:
at the stolen bytes or the last exception,
set memory breakpoint on the code section, once stopped, look at the stack (K on the tool bar), if you see two addresses take the second one, if one, take it, if no address then oep is just above where you are.
#14
01-17-2004, 02:43
MaRKuS-DJM
hm, I used trace, but the trace always hangs in an endless loop. I don't know why, but it happens only for this aspr-version (beta 21).
the code-bp is a method for OEP
#15
01-17-2004, 02:50
MaRKuS-DJM
but no problem, I got it handled with F8 & F7 to skip the unpacking-routine (which is for some reason endless with tracing) and after this I ran trace. All stolen bytes are plain-text *lol*

All times are GMT +8.