Jump to OEP - Aspack 2.12
I've a question about inline patching RK-FileSplitter v2.2
(http://www.rksoft.at/download/rk-filesplitter.exe). It's packed by Aspack 2.12. I found the OEP (4064B8), but how to find the jump to OEP? The Aspack plugin doesn't break. Should it be changed, or is there another method to find it?
In ASPack there is no jump to OEP, if I remember correctly.
Load the packed target into Olly and try to find it in the code. Search for a binary string (Ctrl+B): HEX: B8 64 40, or was it without imagebase: B8 64 00? Or if you don't find it in Olly, search in a hex editor. Redirect this to your free space, make your inline patch and jmp to OEP. Or if you want to be lazy, you could do a search-and-replace patch with my patcher, which also works with ASPack. kickme.to/diablo2oo2 :rolleyes:
I searched for B8 64 00, redirected this to free space, made an inline patch and jumped to OEP. Got it working now. :D
Thanks for the fast and good help, diablo2002.
The jump to OEP is made by push "OEP", followed by ret. So just search for 68h 00 00 00 00 after a few careful F7 and F8 steps. Usually they are at the end of the section, near the string Kernel32. Put a breakpoint at the next instruction (0C3h) and you will see your OEP emerge in the instruction above.
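As an added illustration of the two search techniques in the replies above (the little-endian OEP bytes typed into Olly's Ctrl+B search, and the `push imm32; ret` tail that transfers control to the OEP), here is a small Python scanner. It is not code from this thread; the stub bytes it scans are constructed here and are not taken from any real ASPack sample, and the image base, image size and OEP value are assumptions (the OEP is the one quoted in the first post). One caveat raised later in the thread applies: where the stub tail is decrypted at runtime, such a scan only finds the pattern in a memory dump taken after decryption, not in the file on disk.

```python
import struct

# Assumptions for the constructed sample (not values from a real binary):
IMAGE_BASE = 0x00400000
IMAGE_SIZE = 0x00100000      # assumed 1 MiB image
OEP_VA = 0x004064B8          # OEP quoted in the first post of the thread

# Constructed stand-in for the tail of an unpacker stub. It contains one
# "push OEP ; ret" pair, one push that is not followed by ret, and one
# "push 0 ; ret" whose target lies outside the image (a placeholder that an
# unpacker would fill in at runtime). Nothing here is real ASPack code.
SAMPLE_STUB = (
    b"\x90" * 8                                          # filler NOPs
    + b"\x68" + struct.pack("<I", 0x12345678) + b"\x90"  # push imm32 ; nop -> not a transfer
    + b"\x68" + struct.pack("<I", OEP_VA) + b"\xC3"      # push OEP   ; ret -> the pattern sought
    + b"\x68" + struct.pack("<I", 0x00000000) + b"\xC3"  # push 0     ; ret -> target not in image
    + b"Kernel32.dll\x00"                                # nearby string, as the reply mentions
)


def oep_search_bytes(oep_va: int) -> bytes:
    """Little-endian encoding of the OEP: what one types into Olly's Ctrl+B search."""
    return struct.pack("<I", oep_va)


def locate_oep_immediate(buf: bytes, oep_va: int) -> int:
    """Offset of the OEP immediate in buf, or -1. The push opcode (0x68) sits one byte earlier."""
    return buf.find(oep_search_bytes(oep_va))


def find_push_ret(buf: bytes, image_base: int, image_size: int) -> list:
    """Every 'push imm32 ; ret' (68 xx xx xx xx C3) whose imm32 falls inside the image.

    Returns (offset_of_push, target_va) pairs. These are candidates only: an
    analyst still confirms the one actually executed, e.g. with a breakpoint on
    the ret as the reply above suggests.
    """
    hits = []
    for i in range(len(buf) - 5):
        if buf[i] == 0x68 and buf[i + 5] == 0xC3:
            target = struct.unpack_from("<I", buf, i + 1)[0]
            if image_base <= target < image_base + image_size:
                hits.append((i, target))
    return hits


if __name__ == "__main__":
    print("Ctrl+B pattern for OEP:", oep_search_bytes(OEP_VA).hex(" ").upper())
    print("immediate found at offset:", locate_oep_immediate(SAMPLE_STUB, OEP_VA))
    for off, va in find_push_ret(SAMPLE_STUB, IMAGE_BASE, IMAGE_SIZE):
        print(f"push/ret at offset {off:#06x} -> {va:#010x}")
```

The in-image range check is what separates the real transfer from the zeroed placeholder the thread mentions (68 00 00 00 00): both are `push imm32; ret`, but only a target inside the mapped image is worth a breakpoint.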
@ TheDutchJewel:
Hi,
A similar topic was posted a long time ago (search). Anyway, unpacking and inline patching ASPack is fun. But if you wanna have more fun :D then try inline patching this one ;) http://runtime.org/gdbnt.zip
Here are the bytes to patch:
004F93A2 /74 0C JE SHORT gdbnt.004F93B0
Change to:
004F93A2 /EB 24 JMP SHORT gdbnt.004F93C8
Let me know how you did it plz ;)
Regards,
Hi ferrari,
I found this info, posted by mEtAl (search ;) ):
Btw, when looking for the OEP, Olly says it's 0057AF44 while PEiD says it's 004D2574... :confused:
Hi,
I have seen this before. But I got pissed off trying to inline patch the 2.11c-packed GetDataBack. I was able to successfully inline patch Captain Nemo by Runtime software, and it's packed with this same version. The only problem is GetDataBack. I remember "hobgoblin" giving me some hints on inline patching this modified ASPack, but I was not able to do it. Then I used DZA patcher to patch it, and it does patch it, but then some buttons get corrupted and won't work. :rolleyes: But then coolfire's tip is interesting :)
Here are the topics posted earlier: http://exetools.com/forum/showthread.php?t=4072&highlight=ASPACK
My tutorial on inline patching ASPack 2.11: http://exetools.com/forum/showthread.php?t=3909
Download Captain Nemo: http://runtime.org/captain.htm
Here is my patch for Captain Nemo: http://iribtv.net/CCC/ARTEAM/cracks/captain_nemo.rar
You can apply my patch to the exe and then check in Olly.
Regards,
Nice tut about finding the jump to OEP in aspack 2.11. This hardware breakpoint on ESP value method also works for v2.12. :)
The difference between v2.11 and v2.12 is that in v2.11 you can't find the signature bytes for the jump to OEP. It seems to me that the section for the signature bytes in v2.11 will be decrypted by the unpacking routine. (I see this is already explained here: http://exetools.com/forum/showthread.php?t=4072&highlight=ASPACK) I downloaded GetDataBack for NTFS v2.25. When debugging I see this XOR code:
So if possible, upload the exe you used in your previous section and I'll try to inline patch it. ;) Or can someone explain how to break on the XOR code?
About inline patching..
1 Attachment(s)
To ferrari,
If you're still interested in inline patching of Aspack 2.12, take a look at the attached file. It's gdbnt from runtime.org. I have made an inline patch just to show how it can be done. (I made a patch that patches 3 bytes in the unpacked file. Don't pay too much attention to the patched program itself; it may not be properly cracked.) Just open the file in Olly and put a bpx at 0066B573. This is right after the xor-based decryption is done. Just singlestep from there and see what happens and where.. :) regards, hobgoblin
1 Attachment(s)
ferrari,
Use this unpatched exe for v2.25.
A question
Hi Dutchjewel,
Are you sure your solution in the previous post works? If you follow your described method, the code written to
0063D914 C705 63874F00 EB230000 MOV DWORD PTR DS:[4F8763],23EB
0063D91E 68 CBC46300 PUSH gdbnt.0063C4CB
0063D923 C3 RETN
(after jumping from 0063C4B2) will be overwritten later on... hobgoblin
Hi hobgoblin,
No, I didn't check it. I simply used the patch bytes from ferrari in this example. I think the address 4F8763 should be changed for this version, but that's for ferrari. Anyway, the principle of inline patching should be good.
Agree
I agree that the basic idea you're outlining will work. (I have done a similar thing in my patch.) :)
But I think using the address at 0063C4B2 is too early. When you arrive at that code (location) the program isn't properly unpacked yet, and the unpacking process that follows this jump will overwrite what you previously have patched. In my patch I used the first jump after the decryption is done, and that works (as a starting point for further patching/redirection). regards,
You're right. The first jump after decryption is done is 0063C55B? I checked the jump to OEP now, and it's decrypted well. Then ferrari should use that address instead of 0063C4B2, and push to 0063C467 instead of 0063C4CB.
regards
Hobgoblin,
A big thanks to you. I scanned the exe and well understood what you did :) I see that the author has updated the software and did not change the version no., i.e. 2.31. The patch which I posted earlier is not applicable to this version. So I downloaded the program again and that matches the file you uploaded. I just did this to crack it fully ;)
Changes:
004FA95E /75 00 JNZ SHORT _gdbnt.004FA960
004FA976 /75 00 |JNZ SHORT _gdbnt.004FA978
Still I need to practice on more such modified ASPack. The standard one is easy to inline patch. Thanks once again mate.
@Dutchjewel Thanks for your attention to my problem buddy. I'm aware of that method you posted. You can see it in my tutorial. This ASPacked GetDataBack is different to that. Anyways thanks :)
Regards,
Hobgoblin & Dutchjewel:
I was able to do it on my own. Thanks Hobgoblin :)
Changes:
1) 0066B573 - E9 284ED9FF JMP gdbnt.004003A0
2) 004003A0 66:C705 B6B36600 E916 MOV WORD PTR DS:[66B3B6],16E9
004003A9 66:C705 B8B36600 50D9 MOV WORD PTR DS:[66B3B8],0D950
004003B2 66:C705 BAB36600 FF90 MOV WORD PTR DS:[66B3BA],90FF
004003BB 66:C705 BCB36600 9000 MOV BYTE PTR DS:[66B3BC],90
004003C4 - E9 9EB02600 JMP gdbnt.0066B467
004003C9 0000 ADD BYTE PTR DS:[EAX],AL
004003CB 0000 ADD BYTE PTR DS:[EAX],AL
004003CD 0000 ADD BYTE PTR DS:[EAX],AL
004003CF 0000 ADD BYTE PTR DS:[EAX],AL
004003D1 C605 5FA94F00 00 MOV BYTE PTR DS:[4FA95F],0
004003D8 C605 77A94F00 00 MOV BYTE PTR DS:[4FA977],0
004003DF - E9 08AF1700 JMP gdbnt.0057B2EC <------------ Jump to OEP
It works perfect :)
Regards,
Hobgoblin,
Just want to let you know that your way of jumping to free space at the beginning of the file, adding bytes to modify the jnz to jump to the patch bytes, and then jumping back to the jump to OEP works great. Thanks for this very helpful way of teaching. :) Regards,
Hi guys,
Nice to be able to help. :)
I use this method quite often when I crack some packed proggies for fun. I prefer this method because often you have to patch more than 1 or 2 bytes, and then you need more space than you get when you utilize code that's not executed. Although, sometimes the hunt for finding code that's not executed which can be overwritten without risk can be quite entertaining. And even more: if you start using this method on UPX-packed proggies, you have to take into account which areas are protected and which are not. Well, enough said..... regards, hobgoblin
For those who are interested...
1 Attachment(s)
Here is another way of patching Aspack 2.12. This time I have utilized the decryption routine itself in order to avoid adding too much code. :)
Put a bp on 0066B3A0 and singlestep from there... Just for fun, from hobgoblin
BTW this also happens in the original EXE:
Well, yes...
Never mind putting a bp at 0066B3A0.
Check the code there before and after the decryption routine is done. Then singlestep through that code without bp's just to see what happens with the code from 0066B3A0 until OEP is reached. Usually the address of the OEP is written into the address 0066B3C0. In this case the address of the location of the patching code is written into 0066B3C0. hobgoblin