Exetools  

  #1  
Old 02-18-2004, 05:35
TheDutchJewel
Probs with unpacked Aspack files

Normally I unpack Aspack protected files with AspackDie. But when I pack them
again with ASPack, some of them don't show their icon in the explorer anymore.
So I unpacked a few progs with Olly and lownoise' Aspack script, dumped them
with LordPE/ProcDump and rebuilt the dumps with Import REConstructor (I used
OEP where Olly landed, and IAT AutoSearch).

When disassembling these fixed dumps in W32Dasm, I always get this message:
Quote:
This PE File is not in Standard Windows Format.
All Data References will be terminated.
Programs run fine and disassembling with IDA works fine too, but I think this
could be better. Does someone have an idea about what I did wrong?
__________________
thedutchjewel.freehostia.com
  #2  
Old 02-18-2004, 08:09
r3L4x
I unpacked my first aspacked file manually last night by following this tut by R@ider and it disassembles in W32Dasm just fine...

Check this out, it might help:
http://www.exetools.com/forum/showthread.php?s=&threadid=2728
  #3  
Old 02-18-2004, 13:53
TheDutchJewel
Thanks for the reply, r3L4x. I read R@dier's great tute, unpacked the Unpackme
Aspack 2.12.exe, dumped it, rebuilt it and cleaned it up as written in the
tute. But I still got the same error in W32Dasm:
Quote:
This PE File is not in Standard Windows Format.
All Data References will be terminated.
It seems something goes wrong, but what and why?
  #4  
Old 02-18-2004, 15:10
hobgoblin
well

Hi there,
Try to set LordPE to only validate when you use the rebuild function. Sometimes when you tell LordPE to realign and do some other "fancy" rebuilding stuff, you will get errors. If this doesn't solve it, you should check out the header of the file. Maybe you got some errors there.

regards,
hobgoblin
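
The header check suggested in the post above can be scripted. This is an added example, not part of the thread and not code from LordPE or ImpRec: it tests a few PE32 layout invariants that a dump-and-rebuild can break; the thread does not say which header field W32Dasm objects to, so the choice of checks is an assumption. `check_pe_layout` and `build_sample` are hypothetical names, and the sample image is constructed.

```python
import struct

def check_pe_layout(data):
    """Return a list of layout inconsistencies in a PE32 file image."""
    if data[:2] != b"MZ":
        return ["missing MZ signature"]
    pe, = struct.unpack_from("<I", data, 0x3C)             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return ["missing PE signature"]
    # NumberOfSections (+6) and SizeOfOptionalHeader (+20) in the COFF header
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        return ["not a PE32 optional header"]
    # AddressOfEntryPoint (+16), Section/FileAlignment (+32/+36), SizeOfImage (+56)
    entry, sec_align, file_align, size_of_image = struct.unpack_from(
        "<I12xII16xI", data, opt + 16)
    if not (sec_align and file_align):
        return ["zero SectionAlignment or FileAlignment"]
    issues, end_va, entry_ok = [], 0, False
    for i in range(nsec):
        off = opt + opt_size + 40 * i                      # 40-byte section headers
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        span = max(vsize, rsize)
        if va % sec_align:
            issues.append(f"{name}: VirtualAddress not section-aligned")
        if rptr % file_align:
            issues.append(f"{name}: PointerToRawData not file-aligned")
        if rptr + rsize > len(data):
            issues.append(f"{name}: raw data runs past end of file")
        entry_ok = entry_ok or va <= entry < va + span
        end_va = max(end_va, va + span)
    if size_of_image != (end_va + sec_align - 1) // sec_align * sec_align:
        issues.append("SizeOfImage does not match section layout")
    if not entry_ok:
        issues.append("AddressOfEntryPoint is outside every section")
    return issues

def build_sample(raw_ptr=0x200, size_of_image=0x2000, entry=0x1000):
    """Constructed sample: minimal PE32 headers plus one .text section."""
    buf = bytearray(0x400)
    buf[:2], buf[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, 0x40)                # e_lfanew
    struct.pack_into("<HH12xH", buf, 0x44, 0x14C, 1, 0xE0) # Machine, sections, opt size
    struct.pack_into("<H", buf, 0x58, 0x10B)               # PE32 magic
    struct.pack_into("<I12xII16xI", buf, 0x58 + 16, entry, 0x1000, 0x200, size_of_image)
    buf[0x138:0x13D] = b".text"
    struct.pack_into("<IIII", buf, 0x138 + 8, 0x200, 0x1000, 0x200, raw_ptr)
    return bytes(buf)
```

Running `check_pe_layout(open(path, "rb").read())` on the AspackDie output and on the Olly dump of the same target shows which header fields differ between the two.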
  #5  
Old 02-18-2004, 17:40
TheDutchJewel
Hi hobgoblin.

Only validate didn't solve the prob. And in the file header I can't find any
errors.

It's strange, but when I unpack Unpackme Aspack 2.12.exe with AspackDie,
then I get no error in W32Dasm. It's only when dumping from Olly (both in Olly
1.09d and 1.10 step 1, and no matter if I use Ollydump/LordPE or ProcDump).
Maybe it's the ImpRec settings?
hxxp://thedutchjewel.netfirms.com/imprec.jpg

[Edit by JMI: I know it's your site, but we discourage ALL clickable links OUTSIDE the Forum because the noobies can't stop themselves from posting clickable links to software vendors..]

Last edited by TheDutchJewel; 02-18-2004 at 17:48.
  #6  
Old 02-18-2004, 21:34
MaRKuS-DJM
If you use the small patch from bratalarm (bratpatch 3), W32Dasm will disassemble it correctly.
  #7  
Old 02-18-2004, 22:56
TheDutchJewel
Thanks MaRKuS.

After using bratpatch 3, W32Dasm now shows String Data References. But a lot of them contain corrupted characters while IDA shows them right. So it seems the dump still isn't as good as it should be...