Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   ASPack2.1 unpacking (https://forum.exetools.com/showthread.php?t=1235)

R@dier 08-06-2002 16:15

ASPack2.1 unpacking
 
Hi all,
I am having trouble unpacking ASPack2.1 and need some advice on repairing the dumped .exe.
This is what I have done.

Started SoftICE and set a breakpoint on GetProcAddress,
then started the app (Notepad.exe), which has been packed using ASPack2.1.

When SoftICE breaks I press F5 a few times before searching for the ASPack sig;
after I have found the ASPack sig I set a breakpoint on that memory location.

Pressed F5 and boom, I break into the app just where I want.

I then step through

POPAD
JNZ 0040D4FE
MOV EAX, 1
RET 000C
PUSH OEiP
RET

After the last return I put the program into a loop at the OEiP and then dump the exe.

Then I edit the dumped EIP back to the original (Image Base - Entry point).

Next I edit the dumped exe with UltraEdit and change the code at the OEP back to what it was.

From what I understand the program should now run but I get errors instead.

I think I need to rebuild the import table, but I'm not sure how.
Any help appreciated.

I am running WinXP which may add to the problem.

I would like to write an unpacker later and would appreciate any sigs for the various protectors/packers.


Many thanks

R@dier

snaker 08-06-2002 21:25

rebuild the imports
 
hi, you need to rebuild the imports....
Use ImpREC or ReVirgin.
Put the OEP and select get imports...
Then trace the invalid entries and write them to the PE file...

I think the readme of either will be more helpful :p

Anyways, just rebuild the imports

WhoCares 08-06-2002 22:10

Just dump the IT/IAT from memory, paste it to your fully dumped exe, then fix PE header. done.

R@dier 08-07-2002 20:48

Thanks for the info

Snaker:
I tried using ReVirgin, but it keeps causing my comp to reboot when I start tracing.
I have not found ImpREC yet but I will give it a go.

I was wondering how to "write them to the PE file".

WhoCares:
Just dump the IT/IAT from memory, paste it to your fully dumped exe, then fix PE header. done.

Could you give me some more information please?


many Thanks

R@dier

Kalisto 08-14-2002 22:49

Hi R@dier, did you solve the problem?

R@dier 08-15-2002 08:47

Kalisto:
No, not quite.
I can rebuild notepad.exe from Win98, but the one on WinXP I just can't seem to get to work.

Still trying to find a solution.

Kalisto 08-15-2002 14:26

Did you find ImpREC 1.42? I will try to unpack Win2000 notepad packed with ASPack 2.12. This is probably the same or similar on WinXP. ;)

R@dier 08-15-2002 16:40

Yes I did, very nice, it is the first time I have used it.
Also I am interested to see how you go with Win2000 notepad.
:-)

R@dier

Kalisto 08-15-2002 22:29

I did it successfully, it's easy. Do you need a tute? :D

R@dier 08-15-2002 22:59

Do you need tute

Yes it would be very handy

thanks
R@dier

Kalisto 08-16-2002 16:28

OEP is 1006420, found with OllyDbg. You know how to find the OEP so this is not a problem. You see line 0100644F. This is the first import. Put 1160 (RVA) in ImpREC and 100 as the size. Press Get Imports.
You see msvcrt.dll ... comdlg32.dll. The rest is junk. You must find kernel and the other missing imports. Just put 1000 as the RVA and all imports are there. Reduce the size to 2F0 to get rid of the junk and that's all. Fix the dump with Add New Section, change the OEP with LordPE to 6420 and run it. It should work.

01006420 . 55 PUSH EBP
01006421 . 8BEC MOV EBP,ESP
01006423 . 6A FF PUSH -1
01006425 . 68 88180001 PUSH NOTEPAD.01001888
0100642A . 68 D0650001 PUSH NOTEPAD.010065D0 ; JMP to msvcrt._except_handler3
0100642F . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
01006435 . 50 PUSH EAX
01006436 . 64:8925 000000>MOV DWORD PTR FS:[0],ESP
0100643D . 83C4 98 ADD ESP,-68
01006440 . 53 PUSH EBX
01006441 . 56 PUSH ESI
01006442 . 57 PUSH EDI
01006443 . 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
01006446 . C745 FC 000000>MOV DWORD PTR SS:[EBP-4],0
0100644D . 6A 02 PUSH 2
0100644F . FF15 60110001 CALL NEAR DWORD PTR DS:[1001160] ; msvcrt.__set_app_type
01006455 . 83C4 04 ADD ESP,4
01006458 . C705 38990001 >MOV DWORD PTR DS:[1009938],-1

:D
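
The header repairs this thread keeps circling (writing the dumped entry point back, pointing the import directory at the rebuilt table, and making the dump's section layout loadable), as an added Python example that is not code from the thread nor from ImpREC or LordPE. It assumes a PE32 dump; the image it builds is a constructed stand-in with one section, not notepad.exe.

```python
import struct

IMAGE_BASE = 0x01000000  # notepad's image base, as in the OllyDbg listing above

def va_to_rva(va, image_base=IMAGE_BASE):
    """Debugger VA -> RVA the PE header wants (0x01006420 -> 0x6420)."""
    if va < image_base:
        raise ValueError("address is below the image base")
    return va - image_base

def pe_offsets(data):
    """Return (optional header offset, section count, section table offset) of a PE32 file."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                      # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    if struct.unpack_from("<H", data, pe + 24)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    return pe + 24, nsect, pe + 24 + opt_size

def fix_dump(data, oep_rva, import_rva, import_size):
    """Patch a memory dump's header: entry point, import directory, and section raw layout."""
    buf = bytearray(data)
    opt, nsect, sect = pe_offsets(buf)
    struct.pack_into("<I", buf, opt + 16, oep_rva)                    # AddressOfEntryPoint
    struct.pack_into("<II", buf, opt + 104, import_rva, import_size)  # DataDirectory[1] = imports
    for i in range(nsect):                                            # a dump is laid out as in memory,
        hdr = sect + 40 * i                                           # so raw size/offset := virtual
        vsize, vaddr = struct.unpack_from("<II", buf, hdr + 8)        # VirtualSize, VirtualAddress
        struct.pack_into("<II", buf, hdr + 16, vsize, vaddr)          # SizeOfRawData, PointerToRawData
    return bytes(buf)

def read_header(data):
    """(AddressOfEntryPoint, (import RVA, size), [(VSize, VAddr, RawSize, RawPtr) per section])."""
    opt, nsect, sect = pe_offsets(data)
    sections = [struct.unpack_from("<IIII", data, sect + 40 * i + 8) for i in range(nsect)]
    return struct.unpack_from("<I", data, opt + 16)[0], struct.unpack_from("<II", data, opt + 104), sections

def build_sample_dump():
    """Constructed stand-in for a dump: minimal PE32 with one section; not a real notepad.exe."""
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)                           # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x10F)    # i386, 1 section, opt hdr 0xE0
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 28, IMAGE_BASE)
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    # .text as the packer left it: raw 0x200 bytes at file offset 0x400, which no longer matches memory
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x9000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + opt + text
```

The constructed dump uses the thread's values (OEP 1006420, import RVA 1000, size 2F0); on a real dump the rebuilt table must already sit at import_rva, which is what ImpREC's added section provides.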

R@dier 08-16-2002 20:13

Kalisto:
Thanks for the Info :D
I will give it a try and let you know the results :-)

R@dier

R@dier 08-17-2002 00:47

Kalisto:

Thanks again, it was a complete success.

Imprec has just become my favorite tool :D


Best Regards

R@dier

PS. my OEP was @ 6AE0

snyper 08-17-2002 01:03

R@dier ::
another approach to fixing imports in a dumped file: move your unresolved import address straight into the IAT.
here are some notes I made when unpacking aspack2.1, maybe they could be useful for you in other versions ::

original import table :: pep + 0x2b
- this is a dword which holds the original ImportTable RVA.

dll name eraser :: pep + 0x4c6
- this replaces the first dword of a dll name (eg kernel32.dll) with 0. just nop it.

import resolves :: pep + 0x4b8
- the routine call to resolve an import-function address for the IAT. you can just move the unresolved address to the IAT.

oep write :: pep + 0x4ec
- this moves the oep to the oep jmp at ::

oep jmp :: pep + 0x4fd
- the oep jmp.

in the pe-scan unpacking routines I patched the loader and put a breakpoint at the oep jump, _then_ dumped the file and fixed the header. basically, the loader does all the work for you. =)
however it's not failsafe; it does rely on the asm opcodes being at a set offset. I'm working on a search-and-destroy patcher for the opcodes found at the above offsets.

R@dier 08-17-2002 09:38

snyper:

Thanks for the extra info,
I appreciate it.


I am very interested in writing an unpacker later, I still have so much to learn :p


R@dier

