Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   nice olly plugin (https://forum.exetools.com/showthread.php?t=3242)

britedream 01-26-2004 12:31

1 Attachment(s)
Thanks ShaG for the improvement, much better!

In light of my post on this forum and the three steps I mentioned for unpacking ASProtect, this script
will now demonstrate this fact by locating
the stolen bytes. To do that, do the following:

1- hide debugger

2- run this script below, and look for your
stolen bytes (sometimes you may need to add
the mov eax,xxxxxx to the stolen bytes; it is easy, I did clarify this somewhere in this forum). [hint: F9 a few times once the script finishes, you will be at mov ebp,esp in programs that start: push ebp, mov ebp,esp]

3- look for your OEP as I noted in a thread in this forum.

note:
this script will work on most of the aspr. programs that have stolen bytes; in some it will not, so you need to trace once you are at the breakpoint of the updated script "lastex". I will provide a script for such programs later on, if a need for it arises.

scripts tested on Registry Cleaner Expert. (this script is only to demonstrate the steps I posted for unpacking ASProtect. I didn't put any effort in it; I just added a few lines to the lastex script).

R@dier 01-26-2004 19:51

@ britedream

wow, your script is awesome; it worked well on 2 of the programs I tested it on (acopy, dezine).

Thanks for sharing your work

@ SHaG

thanks for improving your plugin, it is truly useful

R@dier

R@dier 01-26-2004 22:46

1 Attachment(s)
Thought I would try my hand at scripting.
This works for PECompact 1.76;
I don't know about any other versions.

R@dier

lownoise 01-27-2004 03:05

aspack, neolite

Rewrote the scripts for aspack and neolite for version 0.4

Neolite

// jump to Break: when the breakpoint below is hit
eob Break
// search from the current EIP for FF E0 = jmp eax (the loader's final jump to the OEP)
findop eip, #FFE0#
bphws $RESULT, "x"   // hardware breakpoint on execute at that jmp eax
run

Break:
bphwc $RESULT        // remove the hardware breakpoint again
sti                  // execute the jmp eax: EIP is now at the OEP
log eip              // write the OEP to the Olly log window
ret


aspack

// jump to Break: when the breakpoint below is hit
eob Break
// search from the current EIP for 61 75 = popad followed by jnz (typical ASPack tail)
findop eip, #6175#
bphws $RESULT, "x"   // hardware breakpoint on execute at the popad
run

Break:
bphwc $RESULT        // remove the hardware breakpoint again
// step over the tail: popad, jnz, push <OEP>, retn - the last one lands at the OEP
sto
sto
sto
sto
log eip              // write the OEP to the Olly log window

ret
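
Added example, not one of the scripts posted in this thread: the two scripts above set a hardware breakpoint on whatever findop returns, so if the opcode pattern is not in the loader stub (a different packer version, or the script started at the wrong place) they put the breakpoint on address 0 and run the target unattended. The script below shows the same neolite technique with that failure mode handled, and with the OEP kept in a script variable so it can be reused later in the script. It assumes the OllyScript 0.4 command set (var, mov, cmp, je, msg) and that findop leaves $RESULT at 0 when nothing is found; the pattern line is the only thing to swap for aspack (#6175# and four sto instead of sti).

```ollyscript
// Added example (not from the thread). Assumes OllyScript 0.4 commands and
// that findop sets $RESULT to 0 when the pattern is not found.
var pat_addr            // address of the packer's final jump to the OEP
var oep                 // the OEP once we land on it

// neolite: FF E0 = jmp eax. For aspack use #6175# (popad / jnz) and
// replace the single sti below with four sto.
findop eip, #FFE0#
cmp $RESULT, 0
je NotFound             // guard: never set a breakpoint at address 0
mov pat_addr, $RESULT

eob Break               // on breakpoint, continue the script at Break:
bphws pat_addr, "x"     // hardware breakpoint on execute
run

Break:
bphwc pat_addr          // clean up the hardware breakpoint
sti                     // execute the jmp eax: EIP is now at the OEP
mov oep, eip
log oep                 // OEP goes to the log window
msg "OEP reached, dump from here"
ret

NotFound:
msg "jmp eax not found from EIP: different packer version or wrong start address"
ret
```

The check costs two lines and turns a silent wrong-address breakpoint into a message box; the same guard belongs after every find/findop whose result is fed to bphws, bp or bpm.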

SHaG 01-27-2004 08:31

1 Attachment(s)
PE Pack 1.0

SHaG 01-27-2004 21:45

1 Attachment(s)
This one should prove useful:

tElock 0.98

dARWIN 02-01-2004 23:56

Hi,

I'm testing your script on the target "Website-Watcher 3.60b", which is protected with "ASProtect 1.22 - 1.23 Beta 21 -> Alexey Solodovnikov".

hxxp://aignes.com/de/download.htm

So I'm loading wswatch.exe into OllyDbg and starting your script. Then something happens and the program has started successfully.

Now I'm at offset 0075F002, where there is a CALL wswatch.0075F00A

Can you tell me what I have to do next to find the OEP?

Thanks for your help.

[Edit by JMI: dARWIN, you obviously did not look around here before you posted. You are NOT supposed to post clickable links here, especially to software vendors. ALWAYS uncheck the "Automatically parse URLs" button and use "hxxp" or the like for the address.]

britedream 02-02-2004 00:58

1 Attachment(s)
to darwin:

you are using the wrong script for this program. "asprsto" is for finding the stolen bytes on most programs, but for this one it won't work; we have a workaround for this, I will explain briefly, but
before that you have two options:
option one:
hide debugger
run the "lastex" script
this will stop on the last exception; set a bp (F2) on the first retn you see, shift+F9
will stop on the bp.

option two:
hide debugger
run the "asprbp" script
it will stop on the bp as above

now, view memory and set a memory breakpoint on access on the code section.

set trace condition: esp==12ffa4 (for clarification search the forum for what I posted about this one)
control+F11
you will encounter a loop, F12 to stop Olly
bp (F2) under the jnz, F9, then control+F11
once stopped, look below and you will see
your stolen bytes:
push ebp
mov ebp,esp
add esp,-0c
push ebx
mov eax, 65526c
shift+F9 will stop below your OEP
copy your stolen bytes above where you have stopped, set origin here on the push ebp, then dump. fix your IAT.
it should run.
here is asprbp = lastex updated.

dARWIN 02-02-2004 02:24

@britedream

thank you very much for your explanations :)

But both scripts don't stop on the bp/exception...

so I used the unpacker ASPROTECTstripper 2.03 and it works fine :cool:

Perhaps you could try it yourself with my target and tell me how you did it :)

thanks again

britedream 02-02-2004 10:47

I did check your target and both stop as they should.

Mitchjs 02-02-2004 14:27

Works for me too!

but I'm new on aspr...

I can't get a working dump.exe

I'm sure I'm screwing it up in ImpREC 1.6

I need some help there

I get to the OEP

I dump the process... I add back in the stolen bytes... correct OEP to offset 00255A44

I load up ImpREC, with the program running... attach
enter 0025A44, click on IAT autosearch... I increased the size to 3000... I level1 them... I ran the rest with the aspro 2.12 plugin
and then I cut the remaining bad imports

and finally patch into dump

clearly I'm doing something wrong

can someone step me through from the point of the dump

thanks
mitch

Mitchjs 02-07-2004 02:40

YEAH!!!

I got it unpacked

I cracked out the filesize check, that was easy

but cracking out the trial stuff... I'm into it, but getting lost

and I thought that would be the easy part

did anyone try it? I don't give 2 sh**ts about the app,
in fact I want to uninstall asap

but I wanna crack it anyway, just because

mitch

Nilrem 02-07-2004 21:11

Program name and link Mitchjs?

Mitchjs 02-08-2004 01:11

It's mentioned a couple of posts up.

I only picked it to practice unpacking aspr!

"Website-Watcher 3.60b"

hxxp://aignes.com/de/download.htm

mitch

SHaG 02-08-2004 09:16

Ollyscript v0.5
 
Ollyscript v0.5 can now be downloaded at:
http://ollyscript.apsvans.com

New features like API breakpoints, run-to-return, module info etc. are implemented.

From readme.txt:
+ New commands:
CMT, GMI, GPA, LBL, RTR, RTU
+ New example script - tElock 0.98 OEP finder.

Comments please!!! =)

