Jump to OEP - Aspack 2.12
 

I've a question about inline patching RK-FileSplitter v2.2
(http://www.rksoft.at/download/rk-filesplitter.exe). It's packed by Aspack
2.12.
I found the OEP (4064B8), but how to find the jump to OEP? The Aspack plugin doesn't break. Should it be changed, or is there another method to find it?

in aspack is no jump to oep ,if i remember correctly.

load packed target into olly and try to find it in the code. search for a binary string (ctrl+b): HEX: B8 64 40
or was it without imagebase : B8 64 00 ?
or if you dont find in olly,search in hexeditor.
redirect this to your free space, make your inline patch and jmp to oep.


or if you want be lazy, you could do a search and replace patch with my patcher,which works also with aspack.
kickme.to/diablo2oo2 :rolleyes:

I searched for B8 64 00, redirected this to free space, made inline patch and jumped to oep. Got it working now. :D

Thanks for fast and good help, diablo2002.

jump to OEP is made by push "OEP", followed by ret. So just search for 68h 00 00 00 00 in after few carefull F7 and F8. Usually they are at the and of section, near a string Kernel32. Put a breakpoint at next instruction - 0C3h and you will see your OEP to emerge on the upper instruction

@ TheDutchJewel:

Hi,
A similar topic was posted long time before(search). Anyways, unpacking and Inline patching ASPACK is fun. But if you wanna have more fun :D then try inline patching this one ;)

http://runtime.org/gdbnt.zip

Here are the bytes to patch:
004F93A2 /74 0C JE SHORT gdbnt.004F93B0

Change To

004F93A2 /EB 24 JMP SHORT gdbnt.004F93C8

Let me know how you did it plz ;)

Regards,

Hi ferrari,

I found this info, posted by mEtAl (search ;) ):
I think this post is very clear about that there's a difference between v2.11 and 2.12 for the jump to OEP. Signature bytes couldn't be found.

Btw, when looking for the OEP, Olly says it's 0057AF44 while PEiD says it's 004D2574... :confused:

Hi,
I have seen this before. But I got pissed off trying inline patching 2.11c packed GetDataBack. I was able to successfully inline patch Captain Nemo by Runtime software and it's packed with this same version. The only problem is GetDataBack. I remember "hobgoblin" giving me some hints on inline patching this modified ASPack. But I was not able to do it. Then I used DZA patcher to patch it and it does patch it. But then the some buttons get corrupted and won't work. :rolleyes:

But then coolfires tip is interesting :)

Here are the topics posted earlier:
http://exetools.com/forum/showthread.php?t=4072&highlight=ASPACK

My tutorial on inline patching ASPACK 2.11:
http://exetools.com/forum/showthread.php?t=3909

Download Captain Nemo:
http://runtime.org/captain.htm

Here is my patch for Captain Nemo:
http://iribtv.net/CCC/ARTEAM/cracks/captain_nemo.rar

You can apply my patch to the exe and then check in Olly.

REgards,

Nice tut about finding the jump to OEP in aspack 2.11. This hardware breakpoint on ESP value method also works for v2.12. :)

The difference between v2.11 and v2.12 is that in v2.11 you can't find the signature bytes for the jump to OEP. It seems to me that the section for the signature bytes in v2.11 will be decrypted by the unpacking routine. (I see this is already explained here: http://exetools.com/forum/showthread.php?t=4072&highlight=ASPACK)

I downloaded GetDataBack for NTFS v2.25. When debugging I see this XOR code:But after I put a breakpoint on it, Olly didn't break. :(
So if possible, upload the exe you used in your previous section and I'll try to inline patch it. ;)
Or can someone explain how to break on the XOR code?

About inline patching..
 

To ferrari,
If you're still interested in inlinepatching of Aspack 2.12, take a look at the attached file. It's gdbnt from runtime.org. I have made an inline patch just to show how it can be done.( I made a patch that patches 3 bytes in the unpacked file. Don't pay too much attention to the patched program itself, it may not be properly cracked.). Just open the file in Olly and put a bpx at 0066B573. This is right after the xor-based decryption is done. Just singlestep from there and see what happens and where.. :)

regards,
hobgoblin

ferrari,

Use this unpatched exe for v2.25.

and add here your inline patch bytes:
I used your patch info at the address you used. The attached exe is different from the one you used, so you should correct the address and bytes at 0063D914. :)

A question
 

Hi Dutchjewel,
Are you sure your solution in the previous post works? If you follow your described method, the code written to
0063D914 C705 63874F00 EB230000 MOV DWORD PTR DS:[4F8763],23EB
0063D91E 68 CBC46300 PUSH gdbnt.0063C4CB
0063D923 C3 RETN
(after jumping from 0063C4B2) will be overwritten later on...

hobgoblin

Hi hobgoblin,

No I didn't check it. I simply used the patch bytes from ferrari in this example. I think the address 4F8763 should be changed for this version, but that's for ferrari. Anyway, the principle of inline patching should be good.

Agree
 

I agree that the basic idea you're outlining will work.(I have done a similar thing in my patch). :)
But I think using the address at 0063C4B2 is too early. When you arrive at that code (location) the program isn't properly unpacked yet, and that the unpacking process that follows this jump will overwrite what you previously have patched. In my patch I used the first jump after the decryption is done, and that works (as a starting point for further patching/redirection).

regards,

You've right. The first jump after decryption is done is 0063C55B? I checked now the jump to OEP, and it's decrypted well. Then ferrari should use that address instead of 0063C4B2, and push to 0063C467 instead of 0063C4CB.

regards

Hobgoblin,
A big thanks to you. I scanned the exe and well understood what you did :) I see that the author has updated the software and did not change the versiov no. i.e 2.31 The patch which I posted earlier is not applicable to this version. So I downloaded the program again and that matches the file you uploaded. I just did this to crack it fully ;)
Changes:
004FA95E /75 00 JNZ SHORT _gdbnt.004FA960

004FA976 /75 00 |JNZ SHORT _gdbnt.004FA978

Still I need to practice on more such modified ASPack. The standard one is easy to inline patch. Thanks once again mate.

@Dutchjewel
Thanks for your attention to my problem buddy. I'm aware of that method you posted. You can see it in my tutorial. This ASPACked Getdataback is different to that. Anyways thanks :)

Regards,