Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Asprotect 1.23 New Tutorial by LaBBa (https://forum.exetools.com/showthread.php?t=3223)

MaRKuS-DJM 01-16-2004 21:02

Asprotect 1.23 New Tutorial by LaBBa

I saw LaBBa wrote a new tutorial for ASProtect 1.23, but he didn't post it @exetools...

So I'll attach it here.
Many thanks to LaBBa!

original post by LaBBa:
Quote:

This is it...
The final tut...
I just hope that more people will start writing tuts in the good old "Step by Step" way.

I just hope that people who won't appreciate this tut will at least appreciate the time it took me to write it.

Best regards to all,

LaBBa

britedream 01-16-2004 22:06

Hi Markus,
ASProtect doesn't need that long a tut. Even though we appreciate the effort that LaBBa is making, now and always, I think long tuts tend to be hard to follow, at least for me. Here is the way that britedream might do it:
1- Stack hardware breakpoint on the first push takes you to the pushad; do the same for the pushad and it takes you to the stolen bytes.
2- Memory breakpoint on the code section, then look at the stack for the OEP.
3- Fix your IAT. Done.

MaRKuS-DJM 01-16-2004 22:49

Yes, you are right, but it's interesting how many ways take you to the finish ;)

One question: which hardware breakpoint do you use? The second one @ the pushad doesn't work for me.

MaRKuS-DJM 01-16-2004 22:53

No, got it handled already :)

Thanks britedream :)

But I see stack breakpoints won't work on ASProtect 1.22 - 1.23 Beta 21 ;)

britedream 01-16-2004 23:21

May I ask which program?

R@dier 01-16-2004 23:23

I was wondering if you guys could please expand on

Quote:

1- Stack hardware breakpoint on the first push takes you to the pushad; do the same for the pushad and it takes you to the stolen bytes.
I don't quite understand it :(


Best Wishes
R@dier

britedream 01-16-2004 23:30

F7 to pass the push, follow ESP in the dump,
right-click on it in the dump, select: hardware, on access, dword.

MaRKuS-DJM 01-16-2004 23:47

It's Advanced IM Password Recovery by Elcomsoft, protected by the old ASProtect, and the stack hardware BP doesn't work.

Correction:
the first one works, the second one doesn't.

R@dier 01-17-2004 00:17

@ britedream
Thanks :-)


@ MaRKuS
I have been playing with Advanced IM Password Recovery also,
after you posted it this morning. Found it quite easy to unpack using the different methods.

Best Wishes
R@dier

MaRKuS-DJM 01-17-2004 00:25

And which method did you use, R@dier?

R@dier 01-17-2004 00:30

To find the OEP I used
2- memory breakpoint on the code section,

To find the stolen bytes I used kinda LaBBa's method.

I still have not got the hang of

Quote:

1- Stack hardware breakpoint on the first push takes you to the pushad; do the same for the pushad and it takes you to the stolen
yet,

but looking into it :-)

R@dier

britedream 01-17-2004 00:45

For the Advanced:
the method is correct, but somehow it
didn't catch the BP; it erased the breakpoint, and even though I brought it
back it still wouldn't catch it. You can work around it by the following:
you will notice when you pass the pushad
that ESP = 12FFA4. It should have popped up
when it was accessed, but it did not, so once you are at the last exception, set trace condition ESP==12FFA4, then Ctrl+F11; it will stop on top of the stolen bytes as it should have. F7 a little bit and you should be at the first one.

britedream 01-17-2004 00:55

To find the OEP:
at the stolen bytes or the last exception,
set a memory breakpoint on the code section. Once stopped, look at the stack (K on the toolbar): if you see two addresses take the second one; if one, take it; if no address then the OEP is just above where you are.

MaRKuS-DJM 01-17-2004 02:43

Hm, I used trace, but the trace always hangs in an endless loop. I don't know why, but it happens only for this ASPR version (Beta 21).
The code BP is a method for the OEP :)

MaRKuS-DJM 01-17-2004 02:50

But no problem, I got it handled with F8 & F7 to skip the unpacking routine (which is for some reason endless with tracing) and after this I ran trace. All stolen bytes are plain text *lol*

britedream 01-17-2004 02:56

To get out of the loop: F12 stops Olly, then
set a BP (F2) below the jnz, F9, then trace again.

R@dier 01-17-2004 09:27

Hi MaRKuS-DJM

Quote:

Hm, I used trace, but the trace always hangs in an endless loop.
I trace, hit that loop, hit the Esc key, then set a BP just below it and trace again, very similar to what britedream has mentioned.

I was wondering though, my working dump is about 200k larger than the file you posted, with two extra sections
(one is from ImpREC).

MaRKuS-DJM 01-17-2004 19:02

Yes, R@dier, I did not manually unpack it. I thought if ASPR Stripper works, why do it yourself? The filesize is smaller... I did it yesterday manually and my dump is 200K larger, too!


All times are GMT +8.