Asnpack and Opera? (https://forum.exetools.com/showthread.php?t=7248)

thomasantony 03-30-2005 23:35

Asnpack and Opera?
 
Hi,
I had been practising unpacking on all packed files I could find on my system. I tried on Opera 8.00 Build 7401. The original packed exe is 7kB in size and packed with AsPack 2.12. I unpacked it like a piece of cake and got an exe of 168kB. Now I wanted to make it smaller. The following sections were there in the exe:
.text .rdata .data .rsrc .aspack .adata .mackt

Now the rsrc and aspack sections were 12000 in size. So I deleted the aspack and adata sections and rebuilt the exe. Now I have a working executable of .... get this, 6kB. BUT the resources are missing. The PE directory lists the base of resources as 4000 (.rsrc). But the exe has no icon and its resources cannot be accessed with any res editor. The exe size is not surprising as it loads the main things from opera.dll. I think there is some problem with the rebuild function. There seems to be some prob with the attachment function in this board. :(
I get the error:
Warning: mkdir() has been disabled for security reasons in \includes\functions_file.php on line 112
followed by some junk.
Thomas Antony

evaluator 03-31-2005 01:02

firstly you need to learn to unpack aspack without IMPREC;
just dump in debugger @ good moment & locate the original IT;
(btw, there are also dumpers for aspack..)

then,
join the last 3 sections (.rsrc .aspack .adata) under the .rsrc section,
open in PExplorer & save as new file;

PExplorer will optimize joined .rsrc section..
(but sometimes bad~`)

thomasantony 03-31-2005 10:52

Quote:

Originally Posted by evaluator
firstly you need to learn to unpack aspack without IMPREC;
just dump in debugger @ good moment & locate the original IT;
(btw, there are also dumpers for aspack..)

Well I can find the OEP. I don't want to use any dumper as I want to learn unpacking. It was only when I read a very badly translated softwrap tut of Morales that I understood how much more I have to learn. I can program pretty well in win32asm, and also plain ASM (OS Dev). But I have never really looked at what all that unpacking code actually does. So can you give me some pointers to finding the IAT? Only Direct DWORD pointers allowed ;) :D

Thomas Antony :)

Dr.Golova 03-31-2005 22:59

Code:

resolve_import:
                mov    esi, 2054h          ;; import tbl rva
                mov    edx, ss:(h_instance - unk_406013)[ebp]
                add    esi, edx

process_library:
                mov    eax, [esi+_IMAGE_IMPORT_DESCRIPTOR.Name]
                test    eax, eax
                jz      imp_tbl_done
                add    eax, edx

Here you can dump the unpacked program before aspack's loader fills the original import table with functions.

pluscontrol 03-31-2005 23:09

Well, to complement your knowledge you can take a look at the PE structure; it is always useful to understand how the code is structured and also how the IAT is determined.

here you have a link:
http://www.yates2k.net/peinfo.html

good luck
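As an added example (not code from the thread, from AsPack or from Opera), here is the same walk over IMAGE_IMPORT_DESCRIPTORs that Dr.Golova's disassembly performs, written in Python against a constructed flat memory dump, together with the PE import layout pluscontrol points to. The import-table RVA 2054h is reused from that listing; the DLL names, IAT addresses and the "already resolved" heuristic are assumptions of this example.

```python
import struct

# IMAGE_IMPORT_DESCRIPTOR (PE32, 20 bytes):
# OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
IMPORT_DESCRIPTOR = struct.Struct("<IIIII")

def read_cstring(image, rva):
    """NUL-terminated ASCII string at an RVA of a flat memory image."""
    return image[rva:image.index(b"\x00", rva)].decode("ascii")

def walk_import_table(image, import_rva):
    """Walk the descriptor array at import_rva until Name == 0 (the loader's
    'test eax, eax / jz imp_tbl_done'). The image is a flat dump, RVA == offset.
    Returns [(dll_name, iat_rva, slot_count, already_resolved), ...]."""
    result, off = [], import_rva
    while True:
        _oft, _ts, _fwd, name_rva, iat_rva = IMPORT_DESCRIPTOR.unpack_from(image, off)
        if name_rva == 0:
            break
        slots, p = [], iat_rva
        while (val := struct.unpack_from("<I", image, p)[0]) != 0:
            slots.append(val)
            p += 4
        # Heuristic (assumption): an unresolved slot holds an RVA inside the image;
        # a value past the image end is an absolute address the loader wrote, so
        # the dump was taken too late to preserve the original import table.
        resolved = any(v >= len(image) for v in slots)
        result.append((read_cstring(image, name_rva), iat_rva, len(slots), resolved))
        off += IMPORT_DESCRIPTOR.size
    return result

def build_sample_image(resolved=False):
    """Constructed 0x3000-byte flat image (not Opera's): import directory at
    RVA 0x2054 as in the disassembly above, two DLLs, IATs at 0x2100 and 0x2120.
    resolved=True overwrites the first IAT with fake absolute addresses."""
    img = bytearray(0x3000)
    for rva, s in ((0x2200, b"KERNEL32.dll\x00"), (0x2210, b"USER32.dll\x00")):
        img[rva:rva + len(s)] = s
    for iat_rva, n in ((0x2100, 3), (0x2120, 2)):
        for i in range(n):  # unresolved slots point at hint/name entries in the image
            struct.pack_into("<I", img, iat_rva + 4 * i, 0x2300 + 0x10 * i)
    if resolved:
        for i in range(3):
            struct.pack_into("<I", img, 0x2100 + 4 * i, 0x7C800000 + 0x100 * i)
    desc = (IMPORT_DESCRIPTOR.pack(0, 0, 0, 0x2200, 0x2100)
            + IMPORT_DESCRIPTOR.pack(0, 0, 0, 0x2210, 0x2120)
            + bytes(IMPORT_DESCRIPTOR.size))  # all-zero terminator ends the array
    img[0x2054:0x2054 + len(desc)] = desc
    return bytes(img)
```

Running `walk_import_table(build_sample_image(), 0x2054)` lists each DLL with its IAT RVA and slot count; with `resolved=True` the first entry is flagged, which is the state a dump taken after the loader's fill would show.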

evaluator 04-01-2005 01:54

well, that is NEW question~:)

but the main question about optimizing the dump is done..

