New ASPACK 2.12 Skinning
Ok, I got text editor software to mess with tonight and saw that it was packed with Aspack 2.12 according to PEiD. Well, it takes all of about 3 seconds to find the POPAD and RET to get your OEP. It's real nice, especially when the OEP goes to 410000 :) BUT ImpRec would not work, so I had to do a lot of head banging and finally figured it out.
I will try and put a short tutorial together, but generally you want to set a breakpoint for memory access to the original .idata RVA. When it breaks initially, leave the bp and keep running and breaking, and you can watch it build the import table. The first time it goes all the way through, the RVA values will be the correct ones. The second time it breaks on writing, the IDT gets different offsets but looks ok, and at the same time it writes the resolved function addresses. So it was a matter of dumping the .idata section 1 time, going to OEP, dumping the process, then redumping the .idata section a 2nd time, and cutting and pasting the proper idata code from the 1st to the 2nd and pasting into the dumped exe. Change OEP, Flags, Directories, try it out!
By the way, I have unpacked the ASPACK 2.12 software itself too, but no imports yet, which is NOTHING LIKE WHAT IT DOES FOR OTHERS. It is actually quite intense, but I have to do the same thing with the imports, I guess. When I get some more time tomorrow I will take a look at it some more. Wackyass :cool:
Corrections made to the above to correctly identify the target. :eek:
Regards,
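The difference between the two .idata dumps described in the post above, as an added example that is not part of the original post: this walks the import descriptors of a dumped 32-bit .idata section and labels each IAT slot as still holding an RVA to a hint/name entry (valid on disk) or an already resolved address (valid only in that process). The function names, the section RVA 0x5000, the image size 0x10000 and the sample bytes and addresses are all constructed for illustration.

```python
import struct

def classify_iat(idata, base_rva, image_size):
    """Walk the import descriptors in a dumped .idata and label each IAT slot."""
    def off(rva):  # RVA -> offset inside this dump, or None if outside it
        o = rva - base_rva
        return o if 0 <= o < len(idata) else None

    def cstr(rva):  # NUL-terminated ASCII string at an RVA
        o = off(rva)
        if o is None:
            return None
        end = idata.find(b"\0", o)
        return idata[o:end if end != -1 else len(idata)].decode("ascii", "replace")

    report, pos = [], 0
    while pos + 20 <= len(idata):
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp,
        # ForwarderChain, Name, FirstThunk (five little-endian DWORDs)
        _oft, _ts, _fwd, name_rva, first_thunk = struct.unpack_from("<5I", idata, pos)
        if name_rva == 0 and first_thunk == 0:  # zeroed descriptor ends the table
            break
        pos += 20
        dll, slot = cstr(name_rva), off(first_thunk)
        while slot is not None and slot + 4 <= len(idata):
            (val,) = struct.unpack_from("<I", idata, slot)
            if val == 0:  # zero thunk ends this DLL's list
                break
            if val & 0x80000000 and not val & 0x7FFF0000:
                kind, detail = "ordinal", val & 0xFFFF
            elif val < image_size:  # still an RVA to an IMAGE_IMPORT_BY_NAME
                kind, detail = "rva", cstr(val + 2)  # skip the 2-byte hint
            else:  # outside the image: an address resolved at run time
                kind, detail = "resolved", hex(val)
            report.append((dll, base_rva + slot, kind, detail))
            slot += 4
    return report

def sample(thunks):
    """Constructed 0x80-byte .idata at RVA 0x5000: one DLL, two IAT slots."""
    blob = bytearray(0x80)
    struct.pack_into("<5I", blob, 0, 0, 0, 0, 0x5040, 0x5028)
    struct.pack_into("<3I", blob, 0x28, thunks[0], thunks[1], 0)
    for o, s in ((0x40, b"kernel32.dll"), (0x52, b"ExitProcess"), (0x62, b"GetProcAddress")):
        blob[o:o + len(s)] = s
    return bytes(blob)

if __name__ == "__main__":
    for label, t in (("1st dump", [0x5050, 0x5060]), ("2nd dump", [0x7C81CAA2, 0x7C80AE40])):
        print(label, classify_iat(sample(t), 0x5000, 0x10000))
```

Any slot reported as `resolved` marks a dump whose thunks will not load correctly from disk, which matches the post's reason for taking the thunk data from the first pass.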